Prisma Cloud Compute: How to use kubeconfig credentials to deploy the defender to an AKS cluster

Created On 04/18/22 20:06 PM - Last Modified 06/07/23 18:40 PM


Objective


Learn how to generate kubeconfig credentials for an Azure Kubernetes Service (AKS) cluster, upload them to the console, and use them to deploy Defender DaemonSets to the cluster automatically from the console.



Environment


  • Prisma Cloud Compute Enterprise Edition

  • Prisma Cloud Compute Self-Hosted

  • Azure Kubernetes Service (AKS) clusters



Procedure


Part 1: Create the kubeconfig file
 

  1. Use the az aks get-credentials command with the --admin flag to get the kubeconfig for your AKS cluster. The admin kubeconfig authenticates with a client certificate and token that the console can use directly; the non-admin kubeconfig of an Azure AD integrated cluster authenticates through Azure AD (interactively or via the kubelogin exec plugin), which the console cannot perform. If local accounts have been disabled on the cluster, --admin is refused.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

Note that the user or service account in your kubeconfig must have permissions to create and delete the following resources:

  • ClusterRole
  • ClusterRoleBinding
  • DaemonSet
  • Secret
  • ServiceAccount

The --admin credentials are bound to cluster-admin, so treat the kubeconfig as a secret: restrict its file permissions, hand it only to the console, and do not leave spare copies around once it has been imported.

# az aks get-credentials --resource-group jm-rg --name jm-pcc-new --admin
Merged "jm-pcc-new-admin" as current context in /home/jill/.kube/config

Note down the location of the config file; by default the command merges the credentials into ~/.kube/config, as the message above shows.

  2. Use the kubectl config view command to verify that the -admin context for the cluster is present and was selected as the current context. The command redacts certificate, key and token data (DATA+OMITTED / REDACTED below), so its output cannot be pasted into the console; copy the file itself in the next step.
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://jm-pcc-new:443
  name: jm-pcc-new
contexts:
- context:
    cluster: jm-pcc-new
    user: clusterUser_JM-RG_jm-pcc-new
  name: jm-pcc-new
- context:
    cluster: jm-pcc-new
    user: clusterAdmin_JM-RG_jm-pcc-new
  name: jm-pcc-new-admin
kind: Config
preferences: {}
users:
- name: clusterAdmin_JM-RG_jm-pcc-new
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: REDACTED
- name: clusterUser_JM-RG_jm-pcc-new
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: REDACTED
  3. Go to the directory where the config file was stored in Step 1 and copy its contents. The console discovers every cluster context in the file, so make sure it contains only the entries you intend to hand over.
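As an added example (not code from the article or from Palo Alto Networks), the following POSIX shell script turns Part 1 into a repeatable check: it writes the admin kubeconfig to a dedicated file instead of merging it into ~/.kube/config, verifies the file contains no exec plugin or auth-provider entry that the console would be unable to run (the same reason GKE and EKS kubeconfigs are unsupported), reports the selected context, and probes the create/delete permissions listed above with kubectl auth can-i. The resource group, cluster and output file names are assumptions, and the two embedded kubeconfigs are constructed samples with placeholder data, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks article: prepare and vet an
# AKS admin kubeconfig before pasting it into the Prisma Cloud Compute console.
# RG, CLUSTER and OUT are assumed names; override them in the environment.
RG="${RG:-myResourceGroup}"
CLUSTER="${CLUSTER:-myAKSCluster}"
OUT="${OUT:-./${CLUSTER}-admin.kubeconfig}"

# Write the admin kubeconfig to its own file rather than merging it into
# ~/.kube/config, so the pasted file holds only this cluster's entries.
# It is bound to cluster-admin, so lock the file down immediately.
fetch_kubeconfig() {
  az aks get-credentials --resource-group "$RG" --name "$CLUSTER" \
    --admin --file "$OUT" --overwrite-existing
  chmod 600 "$OUT"
}

# The console ships no kubelogin, gcloud or aws-iam-authenticator binaries, so a
# user entry that needs an exec plugin (or the legacy azure auth-provider)
# cannot be used by it. Succeeds only when every user is self-contained.
kubeconfig_is_self_contained() {
  [ -r "$1" ] && ! grep -Eq '^[[:space:]]*(exec|auth-provider):' "$1"
}

# Print the context the file selects; for AKS it should be the *-admin one.
kubeconfig_current_context() {
  awk '$1 == "current-context:" { print $2; exit }' "$1"
}

# Confirm the RBAC the Defender deployment needs (the resources the article
# lists); -q makes kubectl report yes/no through its exit code only.
check_rbac() {
  kc="$1"; ns="${2:-twistlock}"
  for res in clusterroles clusterrolebindings; do
    for verb in create delete; do
      kubectl --kubeconfig "$kc" auth can-i "$verb" "$res" -q ||
        { echo "missing permission: $verb $res"; return 1; }
    done
  done
  for res in daemonsets secrets serviceaccounts; do
    for verb in create delete; do
      kubectl --kubeconfig "$kc" auth can-i "$verb" "$res" -n "$ns" -q ||
        { echo "missing permission: $verb $res in namespace $ns"; return 1; }
    done
  done
}

# Constructed sample files (shapes only, no real credentials) so the checks can
# be tried offline: one shaped like the --admin output in the article, one
# shaped like the kubelogin-based file an Azure AD integrated cluster hands out.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/admin.kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
current-context: jm-pcc-new-admin
clusters:
- name: jm-pcc-new
  cluster:
    server: https://jm-pcc-new:443
    certificate-authority-data: REDACTED
contexts:
- name: jm-pcc-new-admin
  context:
    cluster: jm-pcc-new
    user: clusterAdmin_JM-RG_jm-pcc-new
users:
- name: clusterAdmin_JM-RG_jm-pcc-new
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: REDACTED
EOF
cat > "$SAMPLE_DIR/aad.kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
current-context: jm-pcc-new
clusters:
- name: jm-pcc-new
  cluster:
    server: https://jm-pcc-new:443
contexts:
- name: jm-pcc-new
  context:
    cluster: jm-pcc-new
    user: clusterUser_JM-RG_jm-pcc-new
users:
- name: clusterUser_JM-RG_jm-pcc-new
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args: [get-token, --login, devicecode]
EOF

# Live run against a real cluster (needs az and kubectl): sh prep-kubeconfig.sh run
if [ "${1:-}" = "run" ]; then
  fetch_kubeconfig
  kubeconfig_is_self_contained "$OUT" ||
    { echo "$OUT needs an exec plugin; the console cannot use it"; exit 1; }
  echo "current context: $(kubeconfig_current_context "$OUT")"
  check_rbac "$OUT" twistlock && echo "RBAC ok; paste $OUT into the console"
fi
```

Run it with the single argument run to fetch and check a real cluster; without arguments it only defines the functions and the sample files, so the checks can be exercised on the samples first. The admin sample passes the self-contained check and the kubelogin sample fails it, which is exactly the split between a kubeconfig the console can use and one it cannot.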

 
Part 2: Import the kubeconfig file into the Prisma Cloud Compute console.

  1. On the Prisma Cloud Compute console, go to Manage > Authentication > Credentials Store and click on + Add credential.

  2. On the Create new credential screen, give it a name and description and select Type as Kubeconfig.

[Screenshot: Create new credential dialog with the Name, Description (up to 30 characters), Type (Kubeconfig) and Kubeconfig fields]

  3. In the Kubeconfig field, paste the contents of the config file you copied from Part 1 Step 3.
  4. Save the new credential.

Part 3: Deploy the Defender Daemonset using the newly imported kubeconfig credential.

  1. Go to Manage > Defenders > Manage > DaemonSets.
  2. The clusters discovered through the kubeconfig credential now appear in the table.
  3. For each cluster in the table, click on Actions > Deploy.
  4. A wizard called Deploy Defenders as a DaemonSet opens. Check every field before deploying: the console name Defender will use to connect, the namespace (twistlock by default), and the runtime options. If the cluster nodes use the Container Runtime Interface (CRI) rather than the Docker socket, select Nodes use Container Runtime Interface (CRI), not Docker; otherwise Defender is pointed at a Docker socket that does not exist and fails to connect to the runtime. Current AKS node pools run containerd, so this option applies to AKS.

[Screenshot: Deploy Defenders as a DaemonSet wizard with fields for the console name, proxy (optional), Defender communication port (optional), globally unique host names (optional), namespace (twistlock), NodeSelector, custom docker socket path (/var/run/docker.sock), and toggles for Monitor service accounts, Monitor Istio, Collect Deployment and Namespace labels, use the official Twistlock registry, Deploy Defenders with SELinux Policy, Run Defenders as privileged, Nodes use Container Runtime Interface (CRI) not Docker, and Nodes run inside containerized environment]

  5. Click on Deploy.
  6. The clusters using the kubeconfig credential should now show a Success status together with the Defender version that was deployed.

 



Additional Information


  • A kubeconfig is a YAML file that holds the API server endpoint and CA data for one or more clusters together with the user credentials for them (a client certificate and key, a bearer token, or a username and password). Because the credential is read from the file, the Kubernetes client never needs to ask for interactive authentication, which is what lets the console deploy Defenders unattended. It is the standard way to grant access to a cluster, and it must be handled as a secret: whoever holds the file holds the access it grants.
  • Prisma Cloud doesn't currently support kubeconfig credentials for Google Kubernetes Engine (GKE) or AWS Elastic Kubernetes Service (EKS). The kubeconfig for these clusters requires an external binary for authentication (specifically the Google Cloud SDK and aws-iam-authenticator, respectively), and the Prisma Cloud Console doesn't ship with these binaries.




Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNdBCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail