1. Overview

The following is an example of Infrastructure as Code (IaC) for the automated deployment of a Console and Defenders within a Kubernetes cluster using an Ansible playbook. This requires a docker host, Prisma Cloud Compute license and kubectl administrative access to the Kubernetes cluster. The Ansible playbook must run on a host that is able to route to the Console service’s ClusterIP address to perform the required API calls to configure the Console. Use of this Ansible playbook does not imply any rights to Palo Alto Networks products and/or services.

2. Requirements

This sample IaC deployment runs on a Unix-based host with the following requirements:

3. Process

[Figure: automated deployment]

4. Ansible playbook

Pull the Ansible playbook from here, then update the variables in the vars: section of K8s-Console-Defender-deployment-ansible.yaml:

  • twistlock_registry_token: <license_token>

  • twistlock_license: <license>

  • twistlock_install_version: <version_to_deploy, e.g. "21_04_421">

  • user: <first_admin_username>

  • password: <first_admin_password>

  • storage_class: <k8s_storage_class_for_dynamic_persistent_volume>

  • namespace: <namespace>

5. Execution

On the Unix host, sudo to root and run the command ansible-playbook K8s-Console-Defender-deployment-ansible.yaml.

The supporting files will be written to the /root/twistlock directory.

6. Post execution

Once the playbook has completed successfully, expose the twistlock-console service's management-port-https port (default 8083/TCP) through a Kubernetes LoadBalancer or your organization's approved cluster ingress technology.
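A pre-flight script for the procedure above, added here as an example (it is not part of the playbook or of Palo Alto Networks' code): it checks that no <placeholder> values remain in the vars: section, that twistlock_install_version uses the expected notation, that kubectl has cluster-admin rights and the storage class exists, and after execution it reads the management-port-https port from the twistlock-console service. The playbook path argument and the exact kubectl checks are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for K8s-Console-Defender-deployment-ansible.yaml (added example, not the project's code).
# Assumes: playbook path passed as $1, kubectl already targets the cluster, vars: keys as listed above.
# Print the value of one key in the playbook's vars: section (surrounding double quotes stripped).
var_value() {  # $1=playbook, $2=key
  awk -v key="$2" '
    /^ *vars: *$/ { match($0, /^ */); base = RLENGTH; invars = 1; next }
    invars && NF && !/^ *#/ { match($0, /^ */); if (RLENGTH <= base) invars = 0 }
    invars && $1 == (key ":") { sub(/^[^:]*: */, ""); gsub(/^"|"$/, ""); print; exit }
  ' "$1"
}

# Print the names of required vars that are empty or still hold an unreplaced <placeholder>.
unfilled_vars() {  # $1=playbook
  for v in twistlock_registry_token twistlock_license twistlock_install_version \
           user password storage_class namespace; do
    case "$(var_value "$1" "$v")" in
      ''|*'<'*'>'*) echo "$v" ;;
    esac
  done
}

# Accept the release notation the playbook expects, e.g. 21_04_421.
version_ok() {
  case "$1" in
    [0-9][0-9]_[0-9][0-9]_[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Cluster-side checks: admin access, the storage class for the dynamic PV, the target namespace.
cluster_checks() {  # $1=playbook
  sc=$(var_value "$1" storage_class); ns=$(var_value "$1" namespace)
  kubectl auth can-i '*' '*' --all-namespaces >/dev/null || { echo "kubectl is not cluster-admin"; return 1; }
  kubectl get storageclass "$sc" >/dev/null || { echo "storage class $sc not found"; return 1; }
  kubectl get namespace "$ns" >/dev/null 2>&1 || echo "note: namespace $ns not present yet"
}

# Post-execution: the Console's management-port-https port on the twistlock-console service.
console_port() {  # $1=namespace
  kubectl -n "$1" get svc twistlock-console \
    -o jsonpath='{.spec.ports[?(@.name=="management-port-https")].port}'
}
if [ -n "${1:-}" ]; then
  missing=$(unfilled_vars "$1")
  [ -z "$missing" ] || { echo "unfilled vars:"; echo "$missing"; exit 1; }
  version_ok "$(var_value "$1" twistlock_install_version)" || { echo "bad twistlock_install_version"; exit 1; }
  cluster_checks "$1" && echo "pre-flight OK; run: ansible-playbook $1"
fi
```

Run it as sh preflight.sh K8s-Console-Defender-deployment-ansible.yaml before the playbook, and call console_port <namespace> afterwards to confirm the port to expose.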