├── .gitignore ├── Dockerfile ├── Makefile ├── PROJECT ├── README.md ├── SUPPORT.md ├── bundle ├── bundle.Dockerfile ├── manifests │ ├── consoledefenders.pcc.paloaltonetworks.com.crd.yaml │ ├── consoles.pcc.paloaltonetworks.com.crd.yaml │ ├── defenders.pcc.paloaltonetworks.com.crd.yaml │ └── pcc-operator.v0.2.0.clusterserviceversion.yaml ├── metadata │ └── annotations.yaml └── tests │ └── scorecard │ └── config.yaml ├── config ├── crd │ ├── bases │ │ ├── pcc.paloaltonetworks.com_consoledefenders.yaml │ │ ├── pcc.paloaltonetworks.com_consoles.yaml │ │ └── pcc.paloaltonetworks.com_defenders.yaml │ └── kustomization.yaml ├── deploy │ └── kustomization.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── manifests │ ├── bases │ │ └── pcc-operator.clusterserviceversion.yaml │ └── kustomization.yaml ├── rbac │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ ├── role.yaml │ ├── role_binding.yaml │ └── service_account.yaml ├── samples │ ├── kustomization.yaml │ ├── pcc_v1alpha1_console.yaml │ ├── pcc_v1alpha1_consoledefender.yaml │ └── pcc_v1alpha1_defender.yaml ├── scorecard │ ├── bases │ │ └── config.yaml │ ├── kustomization.yaml │ └── patches │ │ ├── basic.config.yaml │ │ └── olm.config.yaml └── testing │ ├── debug_logs_patch.yaml │ ├── kustomization.yaml │ ├── manager_image.yaml │ └── pull_policy │ ├── Always.yaml │ ├── IfNotPresent.yaml │ └── Never.yaml ├── docs ├── Kubernetes │ ├── console.yaml │ ├── consoledefender.yaml │ ├── defender.yaml │ ├── kubernetes.md │ ├── offline_kubernetes.md │ ├── operator.yaml │ ├── pcc-credentials.yaml │ └── resource_spec.md ├── OpenShift │ ├── catalogsource.yaml │ ├── console.yaml │ ├── consoledefender.yaml │ ├── defender.yaml │ ├── offline_openshift.md │ ├── openshift.md │ ├── pcc-credentials.yaml │ └── resource_spec.md └── README.md ├── licenses ├── prisma-oss-licenses.txt └── twistlock-license.pdf ├── molecule ├── default │ ├── converge.yml │ ├── create.yml │ ├── 
destroy.yml │ ├── kustomize.yml │ ├── molecule.yml │ ├── prepare.yml │ ├── tasks │ │ ├── console_test.yml │ │ ├── consoledefender_test.yml │ │ └── defender_test.yml │ └── verify.yml └── kind │ ├── converge.yml │ ├── create.yml │ ├── destroy.yml │ └── molecule.yml ├── openshift-extras.txt ├── requirements.yml ├── roles ├── console │ ├── tasks │ │ └── main.yml │ └── vars │ │ └── main.yml ├── consoledefender │ ├── tasks │ │ └── main.yml │ └── vars │ │ └── main.yml └── defender │ ├── tasks │ └── main.yml │ └── vars │ └── main.yml ├── scripts ├── update_annotations.rb └── update_csv.rb └── watches.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | # Binaries for programs and plugins 4 | *.exe 5 | *.exe~ 6 | *.dll 7 | *.so 8 | *.dylib 9 | bin 10 | 11 | # editor and IDE paraphernalia 12 | .idea 13 | *.swp 14 | *.swo 15 | *~ 16 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/operator-framework/ansible-operator:v1.14.0 2 | 3 | ARG VERSION 4 | ARG RELEASE=1 5 | 6 | # Switch to root to update image 7 | # 1001 is the ansible user 8 | # source: https://github.com/operator-framework/operator-sdk/blob/master/images/ansible-operator/Dockerfile#L24 9 | USER 0 10 | RUN dnf upgrade -y \ 11 | && dnf clean all \ 12 | && rm -rf /var/cache/{dnf,yum} 13 | USER 1001 14 | 15 | ### Required OpenShift Labels 16 | LABEL name="Prisma Cloud Compute Operator" \ 17 | vendor="Palo Alto Networks" \ 18 | version=$VERSION \ 19 | release=$RELEASE \ 20 | summary="Deploy Prisma Cloud Compute for cloud-native security in your clusters." \ 21 | description="This operator will deploy Console and Defender to the cluster." 
22 | 23 | COPY requirements.yml ${HOME}/requirements.yml 24 | RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \ 25 | && chmod -R ug+rwx ${HOME}/.ansible 26 | 27 | # Required Licenses 28 | COPY licenses /licenses 29 | 30 | COPY watches.yaml ${HOME}/watches.yaml 31 | COPY roles/ ${HOME}/roles/ 32 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # VERSION defines the project version for the bundle. 2 | VERSION ?= 0.2.0 3 | 4 | # CHANNELS define the bundle channels used in the bundle. 5 | ifdef CHANNELS 6 | BUNDLE_CHANNELS = --channels=$(CHANNELS) 7 | else 8 | BUNDLE_CHANNELS = --channels=stable 9 | endif 10 | 11 | # DEFAULT_CHANNEL defines the default channel used in the bundle. 12 | ifdef DEFAULT_CHANNEL 13 | BUNDLE_DEFAULT_CHANNEL = --default-channel=$(DEFAULT_CHANNEL) 14 | else 15 | BUNDLE_DEFAULT_CHANNEL = --default-channel=stable 16 | endif 17 | 18 | BUNDLE_METADATA_OPTS = $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) 19 | 20 | # OPERATOR_IMAGE_BASE defines the docker.io namespace and part of the image name for remote images. 21 | # This variable is used to construct full image tags for bundle and catalog images. 22 | OPERATOR_IMAGE_BASE ?= quay.io/prismacloud/pcc-operator 23 | 24 | # Image URL to use all building/pushing image targets 25 | OPERATOR_IMG ?= $(OPERATOR_IMAGE_BASE):v$(VERSION) 26 | 27 | all: help 28 | 29 | 30 | # The help target prints out all targets with their descriptions organized 31 | # beneath their categories. The categories are represented by '##@' and the 32 | # target descriptions by '##'. The awk commands is responsible for reading the 33 | # entire set of makefiles included in this invocation, looking for lines of the 34 | # file as xyz: ## something, and then pretty-format the target and help. Then, 35 | # if there's a line with ##@ something, that gets pretty-printed as a category. 
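# More info on the usage of ANSI control characters for terminal formatting:
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
# More info on the awk command:
# http://linuxcommand.org/lc3_adv_awk.php
.PHONY: help
help: ## Print this text
	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[$$()% a-zA-Z_-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)


############
# OPERATOR #
############

# Every target below is declared .PHONY so that a stray file named e.g.
# "deploy" in the repo root cannot silently satisfy the target.
.PHONY: operator-build
operator-build: ## Build operator image
	docker build -t $(OPERATOR_IMG) --build-arg VERSION=v$(VERSION) .

.PHONY: operator-push
operator-push: ## Push operator image
	docker push $(OPERATOR_IMG)

.PHONY: deploy
deploy: kustomize ## Deploy to cluster specified in ~/.kube/config
	cd config/manager && $(KUSTOMIZE) edit set image controller=$(OPERATOR_IMG)
	$(KUSTOMIZE) build config/deploy | kubectl apply -f -

.PHONY: undeploy
undeploy: ## Remove from cluster specified in ~/.kube/config
	$(KUSTOMIZE) build config/deploy | kubectl delete -f -


##########
# BUNDLE #
##########

BUNDLE_IMG ?= $(OPERATOR_IMAGE_BASE)-bundle:v$(VERSION)

# After pushing, the operator image is resolved to its immutable repo digest
# and that digest (not the mutable tag) is written into the CSV and the manager
# kustomization. The grep is anchored on $(OPERATOR_IMAGE_BASE) so an
# overridden image base still resolves, and the digest is restricted to 64 hex
# characters (`\w` would also have accepted `_` and uppercase letters).
# If the digest cannot be extracted, grep exits non-zero and the && chain stops.
.PHONY: manifests
manifests: kustomize operator-build operator-push ## Generate manifests and update image reference
	operator-sdk generate kustomize manifests -q
	repo_digest=$$(docker inspect --format '{{ .RepoDigests }}' $(OPERATOR_IMG) | grep -Eo '$(OPERATOR_IMAGE_BASE)@sha256:[0-9a-f]{64}') \
	&& scripts/update_csv.rb "$$repo_digest" \
	&& cd config/manager && $(KUSTOMIZE) edit set image controller="$$repo_digest"

# Generates the bundle, then renames the CSV and CRD files to the layout
# expected under bundle/manifests before validating the result.
.PHONY: bundle
bundle: manifests ## Generate bundle then validate generated files
	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle --manifests --version $(VERSION) $(BUNDLE_METADATA_OPTS)
	cd bundle/manifests \
	&& rm -f pcc-operator.v*.clusterserviceversion.yaml \
	&& mv pcc-operator.clusterserviceversion.yaml pcc-operator.v$(VERSION).clusterserviceversion.yaml \
	&& mv pcc.paloaltonetworks.com_consoledefenders.yaml consoledefenders.pcc.paloaltonetworks.com.crd.yaml \
	&& mv pcc.paloaltonetworks.com_consoles.yaml consoles.pcc.paloaltonetworks.com.crd.yaml \
	&& mv pcc.paloaltonetworks.com_defenders.yaml defenders.pcc.paloaltonetworks.com.crd.yaml
	operator-sdk bundle validate bundle

.PHONY: bundle-build
bundle-build: ## Build bundle image
	cd bundle && docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .

.PHONY: bundle-push
bundle-push: ## Push bundle image
	docker push $(BUNDLE_IMG)


###########
# CATALOG #
###########

# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
# These images MUST exist in a registry and be pull-able.
BUNDLE_IMGS ?= $(BUNDLE_IMG)

# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
CATALOG_IMG ?= $(OPERATOR_IMAGE_BASE)-catalog:v$(VERSION)

# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
ifneq ($(origin CATALOG_BASE_IMG), undefined)
FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)
endif

.PHONY: catalog-build
catalog-build: opm ## Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'
	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)

.PHONY: catalog-push
catalog-push: ## Push the catalog image
	docker push $(CATALOG_IMG)


############
# BINARIES #
############

OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
ARCH := $(shell uname -m | sed 's/x86_64/amd64/')

# Release of kustomize to fetch when no local copy is found. Overridable from
# the command line, e.g. `make kustomize KUSTOMIZE_VERSION=v3.5.4`.
KUSTOMIZE_VERSION ?= v3.5.4

# Uses ./bin/kustomize if present, else a kustomize on PATH, else downloads
# the pinned release into ./bin. The version checks happen at parse time.
# NOTE(review): the download is pinned by version but the tarball is not
# verified against the checksum file published with the release (e.g. via
# sha256sum -c); adding that check would turn this into a verified, not just
# pinned, build dependency.
.PHONY: kustomize
KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize: ## Download kustomize locally if necessary.
ifeq (,$(wildcard $(KUSTOMIZE)))
ifeq (,$(shell which kustomize 2>/dev/null))
	@{ \
	set -e ;\
	mkdir -p $(dir $(KUSTOMIZE)) ;\
	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/$(KUSTOMIZE_VERSION)/kustomize_$(KUSTOMIZE_VERSION)_$(OS)_$(ARCH).tar.gz | \
	tar xzf - -C $(dir $(KUSTOMIZE)) ;\
	}
else
KUSTOMIZE = $(shell which kustomize)
endif
endif

.PHONY: opm
OPM = ./bin/opm
opm: ## Download opm locally if necessary.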
146 | ifeq (,$(wildcard $(OPM))) 147 | ifeq (,$(shell which opm 2>/dev/null)) 148 | @{ \ 149 | set -e ;\ 150 | mkdir -p $(dir $(OPM)) ;\ 151 | curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.17.5/$(OS)-$(ARCH)-opm ;\ 152 | chmod +x $(OPM) ;\ 153 | } 154 | else 155 | OPM = $(shell which opm) 156 | endif 157 | endif 158 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | domain: paloaltonetworks.com 2 | layout: 3 | - ansible.sdk.operatorframework.io/v1 4 | plugins: 5 | manifests.sdk.operatorframework.io/v2: {} 6 | scorecard.sdk.operatorframework.io/v2: {} 7 | projectName: pcc-operator 8 | resources: 9 | - api: 10 | crdVersion: v1 11 | namespaced: true 12 | domain: paloaltonetworks.com 13 | group: pcc 14 | kind: Console 15 | version: v1alpha1 16 | - api: 17 | crdVersion: v1 18 | namespaced: true 19 | domain: paloaltonetworks.com 20 | group: pcc 21 | kind: Defender 22 | version: v1alpha1 23 | - api: 24 | crdVersion: v1 25 | namespaced: true 26 | domain: paloaltonetworks.com 27 | group: pcc 28 | kind: ConsoleDefender 29 | version: v1alpha1 30 | version: "3" 31 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Prisma Cloud Compute Operator 2 | 3 | --- 4 | 5 | **IMPORTANT: Please see [SUPPORT.md](SUPPORT.md) for the official support policy for the contents of this repository.** 6 | 7 | --- 8 | 9 | This is the Palo Alto Networks official repository for the [Ansible Operator](https://operatorhub.io/operator/pcc-operator) for the deployment and upgrade of a Prisma Cloud Compute Console and Defenders within a Kubernetes Cluster. 
10 | 11 | Operator Sources: 12 | - [Kubernetes Operator](https://github.com/k8s-operatorhub/community-operators/tree/main/operators/pcc-operator) 13 | - [RedHat OpenShift Community Operator](https://github.com/redhat-openshift-ecosystem/community-operators-prod/tree/main/operators/pcc-operator) 14 | 15 | 16 | Deployment scenario examples: 17 | - [Kubernetes cluster with Internet access](./docs/Kubernetes/kubernetes.md) 18 | - [Kubernetes cluster within an isolated environment](./docs/Kubernetes/offline_kubernetes.md) 19 | - [Openshift cluster with Internet access](./docs/OpenShift/openshift.md) 20 | - [Openshift cluster within an isolated environment](./docs/OpenShift/offline_openshift.md) 21 | 22 | 23 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | Community Supported 2 | 3 | The software and templates in the repo are released under an as-is, best effort, 4 | support policy. This software should be seen as community supported and Palo 5 | Alto Networks will contribute our expertise as and when possible. We do not 6 | provide technical support or help in using or troubleshooting the components of 7 | the project through our normal support options such as Palo Alto Networks 8 | support teams, or ASC (Authorized Support Centers) partners and backline support 9 | options. The underlying product used (the VM-Series firewall) by the scripts or 10 | templates are still supported, but the support is only for the product 11 | functionality and not for help in deploying or using the template or script 12 | itself. Unless explicitly tagged, all projects or work posted in our GitHub 13 | repository (at https://github.com/PaloAltoNetworks) or sites other than our 14 | official Downloads page on https://support.paloaltonetworks.com are provided 15 | under the best effort policy. 
16 | -------------------------------------------------------------------------------- /bundle/bundle.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM scratch 2 | 3 | # Core bundle labels. 4 | LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 5 | LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ 6 | LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ 7 | LABEL operators.operatorframework.io.bundle.package.v1=pcc-operator 8 | LABEL operators.operatorframework.io.bundle.channels.v1=stable 9 | LABEL operators.operatorframework.io.bundle.channel.default.v1=stable 10 | LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.14.0 11 | LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 12 | LABEL operators.operatorframework.io.metrics.project_layout=ansible.sdk.operatorframework.io/v1 13 | 14 | # Labels for testing. 15 | LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 16 | LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ 17 | 18 | # Labels for OpenShift. 19 | # https://redhat-connect.gitbook.io/certified-operator-guide/ocp-deployment/operator-metadata/bundle-directory 20 | LABEL com.redhat.delivery.backport=true 21 | LABEL com.redhat.delivery.operator.bundle=true 22 | LABEL com.redhat.openshift.versions=v4.6 23 | 24 | # Copy files to locations specified by labels. 
25 | COPY manifests /manifests/ 26 | COPY metadata /metadata/ 27 | COPY tests/scorecard /tests/scorecard/ 28 | -------------------------------------------------------------------------------- /bundle/manifests/consoledefenders.pcc.paloaltonetworks.com.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | creationTimestamp: null 5 | name: consoledefenders.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: ConsoleDefender 10 | listKind: ConsoleDefenderList 11 | plural: consoledefenders 12 | singular: consoledefender 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | schema: 17 | openAPIV3Schema: 18 | properties: 19 | spec: 20 | properties: 21 | consoleConfig: 22 | properties: 23 | imageName: 24 | type: string 25 | imagePullSecret: 26 | type: string 27 | nodeLabels: 28 | type: string 29 | persistentVolumeLabels: 30 | type: string 31 | persistentVolumeStorage: 32 | type: string 33 | runAsUser: 34 | default: false 35 | type: boolean 36 | serviceType: 37 | type: string 38 | storageClass: 39 | type: string 40 | type: object 41 | credentials: 42 | properties: 43 | accessToken: 44 | pattern: ^[0-9a-z]{32}$ 45 | type: string 46 | license: 47 | type: string 48 | password: 49 | type: string 50 | username: 51 | type: string 52 | type: object 53 | defenderConfig: 54 | properties: 55 | cluster: 56 | type: string 57 | collectPodLabels: 58 | default: false 59 | type: boolean 60 | docker: 61 | default: true 62 | type: boolean 63 | dockerSocketPath: 64 | type: string 65 | imageName: 66 | type: string 67 | imagePullSecret: 68 | type: string 69 | monitorIstio: 70 | default: false 71 | type: boolean 72 | monitorServiceAccounts: 73 | default: true 74 | type: boolean 75 | nodeLabels: 76 | type: string 77 | privileged: 78 | default: false 79 | type: boolean 80 | project: 81 | type: string 82 | proxyAddress: 
83 | type: string 84 | proxyCa: 85 | type: string 86 | proxyPassword: 87 | type: string 88 | proxyUsername: 89 | type: string 90 | selinuxEnabled: 91 | default: false 92 | type: boolean 93 | toleration: 94 | default: false 95 | type: boolean 96 | tolerationEffect: 97 | default: NoSchedule 98 | type: string 99 | tolerationKey: 100 | default: node-role.kubernetes.io/master 101 | type: string 102 | type: object 103 | namespace: 104 | type: string 105 | orchestrator: 106 | pattern: ^(?:kubernetes|openshift)$ 107 | type: string 108 | toolBundleUrl: 109 | type: string 110 | version: 111 | pattern: ^\d{2}_\d{2}_\d{1,5}$ 112 | type: string 113 | type: object 114 | type: object 115 | served: true 116 | storage: true 117 | status: 118 | acceptedNames: 119 | kind: "" 120 | plural: "" 121 | conditions: null 122 | storedVersions: null 123 | -------------------------------------------------------------------------------- /bundle/manifests/consoles.pcc.paloaltonetworks.com.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | creationTimestamp: null 5 | name: consoles.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: Console 10 | listKind: ConsoleList 11 | plural: consoles 12 | singular: console 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | schema: 17 | openAPIV3Schema: 18 | properties: 19 | spec: 20 | properties: 21 | consoleConfig: 22 | properties: 23 | imageName: 24 | type: string 25 | imagePullSecret: 26 | type: string 27 | nodeLabels: 28 | type: string 29 | persistentVolumeLabels: 30 | type: string 31 | persistentVolumeStorage: 32 | type: string 33 | runAsUser: 34 | default: false 35 | type: boolean 36 | serviceType: 37 | type: string 38 | storageClass: 39 | type: string 40 | type: object 41 | credentials: 42 | properties: 43 | accessToken: 44 | pattern: ^[0-9a-z]{32}$ 45 | type: string 
46 | license: 47 | type: string 48 | password: 49 | type: string 50 | username: 51 | type: string 52 | type: object 53 | namespace: 54 | type: string 55 | orchestrator: 56 | pattern: ^(?:kubernetes|openshift)$ 57 | type: string 58 | toolBundleUrl: 59 | type: string 60 | version: 61 | pattern: ^\d{2}_\d{2}_\d{1,5}$ 62 | type: string 63 | type: object 64 | type: object 65 | served: true 66 | storage: true 67 | status: 68 | acceptedNames: 69 | kind: "" 70 | plural: "" 71 | conditions: null 72 | storedVersions: null 73 | -------------------------------------------------------------------------------- /bundle/manifests/defenders.pcc.paloaltonetworks.com.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | creationTimestamp: null 5 | name: defenders.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: Defender 10 | listKind: DefenderList 11 | plural: defenders 12 | singular: defender 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | schema: 17 | openAPIV3Schema: 18 | properties: 19 | spec: 20 | properties: 21 | credentials: 22 | properties: 23 | password: 24 | type: string 25 | username: 26 | type: string 27 | type: object 28 | defenderConfig: 29 | properties: 30 | cluster: 31 | type: string 32 | clusterAddress: 33 | type: string 34 | collectPodLabels: 35 | default: false 36 | type: boolean 37 | consoleAddress: 38 | type: string 39 | docker: 40 | default: true 41 | type: boolean 42 | dockerSocketPath: 43 | type: string 44 | imageName: 45 | type: string 46 | imagePullSecret: 47 | type: string 48 | monitorIstio: 49 | default: false 50 | type: boolean 51 | monitorServiceAccounts: 52 | default: true 53 | type: boolean 54 | nodeLabels: 55 | type: string 56 | privileged: 57 | default: false 58 | type: boolean 59 | project: 60 | type: string 61 | proxyAddress: 62 | type: string 63 | proxyCa: 64 | 
type: string 65 | proxyPassword: 66 | type: string 67 | proxyUsername: 68 | type: string 69 | selinuxEnabled: 70 | default: false 71 | type: boolean 72 | toleration: 73 | default: false 74 | type: boolean 75 | tolerationEffect: 76 | default: NoSchedule 77 | type: string 78 | tolerationKey: 79 | default: node-role.kubernetes.io/master 80 | type: string 81 | type: object 82 | namespace: 83 | type: string 84 | orchestrator: 85 | pattern: ^(?:kubernetes|openshift)$ 86 | type: string 87 | toolBundleUrl: 88 | type: string 89 | version: 90 | pattern: ^\d{2}_\d{2}_\d{1,5}$ 91 | type: string 92 | type: object 93 | type: object 94 | served: true 95 | storage: true 96 | status: 97 | acceptedNames: 98 | kind: "" 99 | plural: "" 100 | conditions: null 101 | storedVersions: null 102 | -------------------------------------------------------------------------------- /bundle/manifests/pcc-operator.v0.2.0.clusterserviceversion.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: ClusterServiceVersion 3 | metadata: 4 | annotations: 5 | alm-examples: |- 6 | [ 7 | { 8 | "apiVersion": "pcc.paloaltonetworks.com/v1alpha1", 9 | "kind": "Console", 10 | "metadata": { 11 | "name": "pcc-console", 12 | "namespace": "twistlock" 13 | }, 14 | "spec": { 15 | "consoleConfig": { 16 | "serviceType": "ClusterIP" 17 | }, 18 | "namespace": "twistlock", 19 | "version": "21_08_520" 20 | } 21 | }, 22 | { 23 | "apiVersion": "pcc.paloaltonetworks.com/v1alpha1", 24 | "kind": "ConsoleDefender", 25 | "metadata": { 26 | "name": "pcc-consoledefender", 27 | "namespace": "twistlock" 28 | }, 29 | "spec": { 30 | "consoleConfig": { 31 | "serviceType": "ClusterIP" 32 | }, 33 | "defenderConfig": { 34 | "docker": false 35 | }, 36 | "namespace": "twistlock", 37 | "version": "21_08_520" 38 | } 39 | }, 40 | { 41 | "apiVersion": "pcc.paloaltonetworks.com/v1alpha1", 42 | "kind": "Defender", 43 | "metadata": { 44 | "name": "pcc-defender", 
45 | "namespace": "twistlock" 46 | }, 47 | "spec": { 48 | "defenderConfig": { 49 | "clusterAddress": "twistlock-console.example.com", 50 | "consoleAddress": "https://twistlock-console.example.com:8083", 51 | "docker": false 52 | }, 53 | "namespace": "twistlock", 54 | "version": "21_08_520" 55 | } 56 | } 57 | ] 58 | capabilities: Seamless Upgrades 59 | categories: Security 60 | containerImage: quay.io/prismacloud/pcc-operator@sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 61 | createdAt: "2021-11-15" 62 | description: Deploy Prisma Cloud Compute for cloud-native security in your clusters 63 | operators.openshift.io/infrastructure-features: '["Disconnected"]' 64 | operators.operatorframework.io/builder: operator-sdk-v1.14.0 65 | operators.operatorframework.io/project_layout: ansible.sdk.operatorframework.io/v1 66 | repository: https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator 67 | support: pcc-integrations@paloaltonetworks.com 68 | name: pcc-operator.v0.2.0 69 | namespace: placeholder 70 | spec: 71 | apiservicedefinitions: {} 72 | customresourcedefinitions: 73 | owned: 74 | - description: Install the Prisma Cloud Compute Console and Defenders 75 | displayName: Console and Defenders 76 | kind: ConsoleDefender 77 | name: consoledefenders.pcc.paloaltonetworks.com 78 | specDescriptors: 79 | - description: Namespace in which the Console and Defenders will be deployed. 80 | This should be the same namespace as the operator itself. Default is twistlock. 81 | displayName: Namespace 82 | path: namespace 83 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 84 | displayName: Orchestrator 85 | path: orchestrator 86 | - description: URL of the tool bundle containing twistcli, the tool used to 87 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 88 | tarball or a release tarball URL. 
89 | displayName: Tool Bundle URL 90 | path: toolBundleUrl 91 | - description: Version of Prisma Cloud Compute to install. 92 | displayName: Version 93 | path: version 94 | - description: Sensitive data to be used during installation. Be aware that 95 | these credentials will be visible in the custom resource spec. Secrets can 96 | be used instead if preferred. 97 | displayName: Credentials 98 | path: credentials 99 | - description: 32-character lowercase access token included in the license bundle. 100 | displayName: Access Token 101 | path: credentials.accessToken 102 | - description: Product license included in the license bundle. 103 | displayName: License 104 | path: credentials.license 105 | - description: Password to be used for the initial local administrator user. 106 | It is highly recommended that you change the password for this user in the 107 | Prisma Cloud Compute Console after install. 108 | displayName: Password 109 | path: credentials.password 110 | - description: Username to be used for the initial local administrator user. 111 | displayName: Username 112 | path: credentials.username 113 | - description: Console configuration 114 | displayName: Console Installation Options 115 | path: consoleConfig 116 | - description: Secret needed to pull the Console image when using a private 117 | registry. 118 | displayName: Image Pull Secret 119 | path: consoleConfig.imagePullSecret 120 | - description: Console image to deploy. If no value is specified, the image 121 | is pulled from the Prisma Cloud Compute registry. 122 | displayName: Image Name 123 | path: consoleConfig.imageName 124 | - description: Label to use as a nodeSelector for Console. Specify a label and 125 | value (e.g. "kubernetes.io/hostname=node-name"). 126 | displayName: Node Selector Label 127 | path: consoleConfig.nodeLabels 128 | - description: Label to match the PVC to the PV. 
129 | displayName: Persistent Volume Label 130 | path: consoleConfig.persistentVolumeLabels 131 | - description: Storage size of the PV (default "100Gi"). 132 | displayName: Persistent Volume Storage 133 | path: consoleConfig.persistentVolumeStorage 134 | - description: Run Console as UID 2674 (requires manual pre-configuration of 135 | ownership and permissions of the PV). 136 | displayName: Run as User 137 | path: consoleConfig.runAsUser 138 | - description: Service type for exposing Console. Supported values are "ClusterIP", 139 | "NodePort", and "LoadBalancer". 140 | displayName: Service Type 141 | path: consoleConfig.serviceType 142 | - description: StorageClass to use when dynamically provisioning a PV for Console. 143 | A PV is dynamically provisioned if twistcli cannot find the PV specified 144 | with the Persistent Volume Label option. If no StorageClass is specified, 145 | the default StorageClass is used. 146 | displayName: Storage Class 147 | path: consoleConfig.storageClass 148 | - description: Defender configuration 149 | displayName: Defender Installation Options 150 | path: defenderConfig 151 | - description: Whether or not to collect Pod labels. 152 | displayName: Collect Pod Labels 153 | path: defenderConfig.collectPodLabels 154 | - description: Hook into Docker runtime. Enable only if the cluster is using 155 | Docker. 156 | displayName: Docker 157 | path: defenderConfig.docker 158 | - description: Path to docker.sock. Ignore if not using Docker. 159 | displayName: Docker Socket Path 160 | path: defenderConfig.dockerSocketPath 161 | - description: Secret needed to pull the Defender image when using a private 162 | registry. 163 | displayName: Image Pull Secret 164 | path: defenderConfig.imagePullSecret 165 | - description: Defender image to deploy. If no value is specified, the image 166 | is pulled from the Prisma Cloud Compute registry. 
167 | displayName: Image Name 168 | path: defenderConfig.imageName 169 | - description: Whether or not to monitor Istio. 170 | displayName: Monitor Istio 171 | path: defenderConfig.monitorIstio 172 | - description: Whether or not to monitor ServiceAccounts. 173 | displayName: Monitor Service Accounts 174 | path: defenderConfig.monitorServiceAccounts 175 | - description: 'Label to use as a nodeSelector for Defenders. Specify a label 176 | and value (e.g. ''kubernetes.io/hostname: "node-name"'').' 177 | displayName: Node Selector Labels 178 | path: defenderConfig.nodeLabels 179 | - description: Run Defender in privileged mode. 180 | displayName: Privileged 181 | path: defenderConfig.privileged 182 | - description: Project to which Defenders will connect. 183 | displayName: Project 184 | path: defenderConfig.project 185 | - description: Proxy address for Defender-to-Console communication. 186 | displayName: Proxy Address 187 | path: defenderConfig.proxyAddress 188 | - description: Proxy's CA certificate for Console to trust, encoded in base64. 189 | Required when using TLS-intercept proxies. 190 | displayName: Proxy CA 191 | path: defenderConfig.proxyCa 192 | - description: Password for authenticating with the proxy. 193 | displayName: Proxy Password 194 | path: defenderConfig.proxyPassword 195 | - description: Username for authenticating with the proxy. 196 | displayName: Proxy Username 197 | path: defenderConfig.proxyUsername 198 | - description: Use the spc_t SELinux type. 199 | displayName: SELinux 200 | path: defenderConfig.selinuxEnabled 201 | - description: Deploy Defenders with a toleration. 202 | displayName: Toleration 203 | path: defenderConfig.toleration 204 | - description: Taint key that the toleration applies to. 205 | displayName: Toleration Key 206 | path: defenderConfig.tolerationKey 207 | - description: Taint effect to match. 
208 | displayName: Toleration Effect 209 | path: defenderConfig.tolerationEffect 210 | version: v1alpha1 211 | - description: Install the Prisma Cloud Compute Console 212 | displayName: Console 213 | kind: Console 214 | name: consoles.pcc.paloaltonetworks.com 215 | specDescriptors: 216 | - description: Namespace in which the Console and Defenders will be deployed. 217 | This should be the same namespace as the operator itself. Default is twistlock. 218 | displayName: Namespace 219 | path: namespace 220 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 221 | displayName: Orchestrator 222 | path: orchestrator 223 | - description: URL of the tool bundle containing twistcli, the tool used to 224 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 225 | tarball or a release tarball URL. 226 | displayName: Tool Bundle URL 227 | path: toolBundleUrl 228 | - description: Version of Prisma Cloud Compute to install. 229 | displayName: Version 230 | path: version 231 | - description: Sensitive data to be used during installation. Be aware that 232 | these credentials will be visible in the custom resource spec. Secrets can 233 | be used instead if preferred. 234 | displayName: Credentials 235 | path: credentials 236 | - description: 32-character lowercase access token included in the license bundle. 237 | displayName: Access Token 238 | path: credentials.accessToken 239 | - description: Product license included in the license bundle. 240 | displayName: License 241 | path: credentials.license 242 | - description: Password to be used for the initial local administrator user. 243 | It is highly recommended that you change the password for this user in the 244 | Prisma Cloud Compute Console after install. 245 | displayName: Password 246 | path: credentials.password 247 | - description: Username to be used for the initial local administrator user. 
248 | displayName: Username 249 | path: credentials.username 250 | - description: Console configuration 251 | displayName: Console Installation Options 252 | path: consoleConfig 253 | - description: Secret needed to pull the Console image when using a private 254 | registry. 255 | displayName: Image Pull Secret 256 | path: consoleConfig.imagePullSecret 257 | - description: Console image to deploy. If no value is specified, the image 258 | is pulled from the Prisma Cloud Compute registry. 259 | displayName: Image Name 260 | path: consoleConfig.imageName 261 | - description: Label to use as a nodeSelector for Console. Specify a label and 262 | value (e.g. "kubernetes.io/hostname=node-name"). 263 | displayName: Node Selector Label 264 | path: consoleConfig.nodeLabels 265 | - description: Label to match the PVC to the PV. 266 | displayName: Persistent Volume Label 267 | path: consoleConfig.persistentVolumeLabels 268 | - description: Storage size of the PV (default "100Gi"). 269 | displayName: Persistent Volume Storage 270 | path: consoleConfig.persistentVolumeStorage 271 | - description: Run Console as UID 2674 (requires manual pre-configuration of 272 | ownership and permissions of the PV). 273 | displayName: Run as User 274 | path: consoleConfig.runAsUser 275 | - description: Service type for exposing Console. Supported values are "ClusterIP", 276 | "NodePort", and "LoadBalancer". 277 | displayName: Service Type 278 | path: consoleConfig.serviceType 279 | - description: StorageClass to use when dynamically provisioning a PV for Console. 280 | A PV is dynamically provisioned if twistcli cannot find the PV specified 281 | with the Persistent Volume Label option. If no StorageClass is specified, 282 | the default StorageClass is used. 
283 | displayName: Storage Class 284 | path: consoleConfig.storageClass 285 | version: v1alpha1 286 | - description: Install Prisma Cloud Compute Defenders 287 | displayName: Defenders 288 | kind: Defender 289 | name: defenders.pcc.paloaltonetworks.com 290 | specDescriptors: 291 | - description: Namespace in which the Console and Defenders will be deployed. 292 | This should be the same namespace as the operator itself. Default is twistlock. 293 | displayName: Namespace 294 | path: namespace 295 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 296 | displayName: Orchestrator 297 | path: orchestrator 298 | - description: URL of the tool bundle containing twistcli, the tool used to 299 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 300 | tarball or a release tarball URL. 301 | displayName: Tool Bundle URL 302 | path: toolBundleUrl 303 | - description: Version of Prisma Cloud Compute to install. 304 | displayName: Version 305 | path: version 306 | - description: Sensitive data to be used during installation. Be aware that 307 | credentials supplied here are stored in clear text in the custom resource spec, 308 | where anyone able to read the resource can see them. A Kubernetes Secret can be used instead if preferred. 309 | displayName: Credentials 310 | path: credentials 311 | - description: Password of a Prisma Cloud Compute user with the ability to install 312 | Defenders. 313 | displayName: Password 314 | path: credentials.password 315 | - description: Username of a Prisma Cloud Compute user with the ability to install 316 | Defenders. 317 | displayName: Username 318 | path: credentials.username 319 | - description: Defender configuration 320 | displayName: Defender Installation Options 321 | path: defenderConfig 322 | - description: Host name used by Defender to verify Console certificate. Must 323 | be one of the SANs listed at Manage > Defenders > Names. 
324 | displayName: Cluster Address 325 | path: defenderConfig.clusterAddress 326 | - description: Whether or not to collect Pod labels. 327 | displayName: Collect Pod Labels 328 | path: defenderConfig.collectPodLabels 329 | - description: Hook into Docker runtime. Enable only if the cluster is using 330 | Docker. 331 | displayName: Docker 332 | path: defenderConfig.docker 333 | - description: URL of the Console. 334 | displayName: Console Address 335 | path: defenderConfig.consoleAddress 336 | - description: Path to docker.sock. Ignore if not using Docker. 337 | displayName: Docker Socket Path 338 | path: defenderConfig.dockerSocketPath 339 | - description: Secret needed to pull the Defender image when using a private 340 | registry. 341 | displayName: Image Pull Secret 342 | path: defenderConfig.imagePullSecret 343 | - description: Defender image to deploy. If no value is specified, the image 344 | is pulled from the Prisma Cloud Compute registry. 345 | displayName: Image Name 346 | path: defenderConfig.imageName 347 | - description: Whether or not to monitor Istio. 348 | displayName: Monitor Istio 349 | path: defenderConfig.monitorIstio 350 | - description: Whether or not to monitor ServiceAccounts. 351 | displayName: Monitor Service Accounts 352 | path: defenderConfig.monitorServiceAccounts 353 | - description: 'Label to use as a nodeSelector for Defenders. Specify a label 354 | and value (e.g. ''kubernetes.io/hostname: "node-name"'').' 355 | displayName: Node Selector Labels 356 | path: defenderConfig.nodeLabels 357 | - description: Run Defender in privileged mode. 358 | displayName: Privileged 359 | path: defenderConfig.privileged 360 | - description: Project to which Defenders will connect. 361 | displayName: Project 362 | path: defenderConfig.project 363 | - description: Proxy address for Defender-to-Console communication. 
364 | displayName: Proxy Address 365 | path: defenderConfig.proxyAddress 366 | - description: Proxy's CA certificate for Console to trust, encoded in base64. 367 | Required when using TLS-intercept proxies. 368 | displayName: Proxy CA 369 | path: defenderConfig.proxyCa 370 | - description: Password for authenticating with the proxy. 371 | displayName: Proxy Password 372 | path: defenderConfig.proxyPassword 373 | - description: Username for authenticating with the proxy. 374 | displayName: Proxy Username 375 | path: defenderConfig.proxyUsername 376 | - description: Use the spc_t SELinux type. 377 | displayName: SELinux 378 | path: defenderConfig.selinuxEnabled 379 | - description: Deploy Defenders with a toleration. 380 | displayName: Toleration 381 | path: defenderConfig.toleration 382 | - description: Taint key that the toleration applies to. 383 | displayName: Toleration Key 384 | path: defenderConfig.tolerationKey 385 | - description: Taint effect to match. 386 | displayName: Toleration Effect 387 | path: defenderConfig.tolerationEffect 388 | version: v1alpha1 389 | description: | 390 | ## Features 391 | - Deploy Console 392 | - Create initial local administrator user 393 | - Add license 394 | - Deploy Defenders 395 | - Support for offline deployments 396 | - Upgrade Console 397 | - Upgrade Defenders 398 | 399 | ## Installation 400 | See the [Prisma Cloud Compute Operator documentation](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator) for installation guides. 401 | 402 | ## Support 403 | This operator is available "as is," and should be seen as community-supported; however, Palo Alto Networks will continue contributing whenever possible. 404 | Palo Alto Networks does not provide technical support or help with using or troubleshooting the operator through normal support channels. 
405 | We encourage you to open GitHub [issues](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/issues) and [pull requests](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/pulls) to track bugs and feature requests. 406 | 407 | ## Other links 408 | [Prisma Cloud Compute product documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute.html) 409 | 410 | [Prisma Cloud Compute API documentation](https://prisma.pan.dev/api/cloud/cwpp) 411 | displayName: Prisma Cloud Compute Operator 412 | icon: 413 | - base64data: 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 414 | mediatype: image/svg+xml 415 | install: 416 | spec: 417 | clusterPermissions: 418 | - rules: 419 | - apiGroups: 420 | - "" 421 | resources: 422 | - configmaps 423 | - namespaces 424 | - persistentvolumeclaims 425 | - secrets 426 | - serviceaccounts 427 | - services 428 | verbs: 429 | - create 430 | - get 431 | - list 432 | - patch 433 | - watch 434 | - apiGroups: 435 | - apps 436 | resources: 437 | - daemonsets 438 | - deployments 439 | verbs: 440 | - create 441 | - get 442 | - list 443 | - patch 444 | - watch 445 | - apiGroups: 446 | - rbac.authorization.k8s.io 447 | resources: 448 | - clusterroles 449 | - clusterrolebindings 450 | - roles 451 | - rolebindings 452 | verbs: 453 | - create 454 | - get 455 | - list 456 | - patch 457 | - watch 458 | - apiGroups: 459 | - security.openshift.io 460 | resources: 461 | - securitycontextconstraints 462 | verbs: 463 | - create 464 | - get 465 | - list 466 | - patch 467 | - watch 468 | - apiGroups: 469 | - apps 470 | resources: 471 | - replicasets 472 | verbs: 473 | - get 474 | - apiGroups: 475 | - "" 476 | resources: 477 | - endpoints 478 | - pods 479 | - pods/proxy 480 | verbs: 481 | - get 482 | - list 483 | - apiGroups: 484 | - networking.istio.io 485 | resources: 486 | - destinationrules 487 | - gateways 488 | - virtualservices 489 | verbs: 490 | - list 491 | - apiGroups: 492 | - 
security.istio.io 493 | resources: 494 | - authorizationpolicies 495 | - peerauthentications 496 | verbs: 497 | - list 498 | - apiGroups: 499 | - pcc.paloaltonetworks.com 500 | resources: 501 | - consoles 502 | - consoles/status 503 | - consoles/finalizers 504 | - consoledefenders 505 | - consoledefenders/status 506 | - consoledefenders/finalizers 507 | - defenders 508 | - defenders/status 509 | - defenders/finalizers 510 | verbs: 511 | - create 512 | - delete 513 | - get 514 | - list 515 | - patch 516 | - update 517 | - watch 518 | serviceAccountName: pcc-operator-controller-manager 519 | deployments: 520 | - name: pcc-operator-controller-manager 521 | spec: 522 | replicas: 1 523 | selector: 524 | matchLabels: 525 | control-plane: controller-manager 526 | strategy: {} 527 | template: 528 | metadata: 529 | labels: 530 | control-plane: controller-manager 531 | spec: 532 | containers: 533 | - args: 534 | - --leader-elect 535 | - --leader-election-id=pcc-operator 536 | env: 537 | - name: ANSIBLE_GATHERING 538 | value: explicit 539 | - name: PCC_ACCESS_TOKEN 540 | valueFrom: 541 | secretKeyRef: 542 | key: accessToken 543 | name: pcc-credentials 544 | optional: true 545 | - name: PCC_LICENSE 546 | valueFrom: 547 | secretKeyRef: 548 | key: license 549 | name: pcc-credentials 550 | optional: true 551 | - name: PCC_PASSWORD 552 | valueFrom: 553 | secretKeyRef: 554 | key: password 555 | name: pcc-credentials 556 | optional: true 557 | - name: PCC_USERNAME 558 | valueFrom: 559 | secretKeyRef: 560 | key: username 561 | name: pcc-credentials 562 | optional: true 563 | image: quay.io/prismacloud/pcc-operator@sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 564 | imagePullPolicy: Always 565 | livenessProbe: 566 | httpGet: 567 | path: /healthz 568 | port: 6789 569 | initialDelaySeconds: 15 570 | periodSeconds: 20 571 | name: manager 572 | readinessProbe: 573 | httpGet: 574 | path: /readyz 575 | port: 6789 576 | initialDelaySeconds: 5 577 | periodSeconds: 10 
578 | resources: {} 579 | securityContext: 580 | allowPrivilegeEscalation: false 581 | securityContext: 582 | runAsNonRoot: true 583 | serviceAccountName: pcc-operator-controller-manager 584 | terminationGracePeriodSeconds: 10 585 | permissions: 586 | - rules: 587 | - apiGroups: 588 | - "" 589 | resources: 590 | - configmaps 591 | verbs: 592 | - get 593 | - list 594 | - watch 595 | - create 596 | - update 597 | - patch 598 | - delete 599 | - apiGroups: 600 | - coordination.k8s.io 601 | resources: 602 | - leases 603 | verbs: 604 | - get 605 | - list 606 | - watch 607 | - create 608 | - update 609 | - patch 610 | - delete 611 | - apiGroups: 612 | - "" 613 | resources: 614 | - events 615 | verbs: 616 | - create 617 | - patch 618 | serviceAccountName: pcc-operator-controller-manager 619 | strategy: deployment 620 | installModes: 621 | - supported: true 622 | type: OwnNamespace 623 | - supported: true 624 | type: SingleNamespace 625 | - supported: false 626 | type: MultiNamespace 627 | - supported: false 628 | type: AllNamespaces 629 | keywords: 630 | - palo 631 | - palo alto 632 | - palo alto networks 633 | - paloalto 634 | - twistlock 635 | - compute 636 | - prisma 637 | - prisma cloud 638 | - prisma cloud compute 639 | - security 640 | - image 641 | - images 642 | - container 643 | - containers 644 | - docker 645 | - podman 646 | - vulnerability 647 | - vulnerabilities 648 | - compliance 649 | - runtime 650 | - scan 651 | - scanning 652 | - monitor 653 | - monitoring 654 | - alert 655 | - alerting 656 | links: 657 | - name: Prisma Cloud 658 | url: https://www.paloaltonetworks.com/prisma/cloud 659 | maintainers: 660 | - email: pcc-integrations@paloaltonetworks.com 661 | name: Wyatt Gill 662 | maturity: alpha 663 | provider: 664 | name: Palo Alto Networks 665 | version: 0.2.0 666 | -------------------------------------------------------------------------------- /bundle/metadata/annotations.yaml: 
-------------------------------------------------------------------------------- 1 | annotations: 2 | # Core bundle annotations. 3 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: pcc-operator 7 | operators.operatorframework.io.bundle.channels.v1: stable 8 | operators.operatorframework.io.bundle.channel.default.v1: stable 9 | operators.operatorframework.io.metrics.builder: operator-sdk-v1.14.0 10 | operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 11 | operators.operatorframework.io.metrics.project_layout: ansible.sdk.operatorframework.io/v1 12 | 13 | # Annotations for testing. 14 | operators.operatorframework.io.test.mediatype.v1: scorecard+v1 15 | operators.operatorframework.io.test.config.v1: tests/scorecard/ 16 | 17 | # Annotations for OpenShift. 18 | # https://redhat-connect.gitbook.io/certified-operator-guide/ocp-deployment/operator-metadata/bundle-directory 19 | com.redhat.delivery.backport: true 20 | com.redhat.delivery.operator.bundle: true 21 | com.redhat.openshift.versions: v4.6 22 | -------------------------------------------------------------------------------- /bundle/tests/scorecard/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: 8 | - entrypoint: 9 | - scorecard-test 10 | - basic-check-spec 11 | image: quay.io/operator-framework/scorecard-test:v1.8.0 12 | labels: 13 | suite: basic 14 | test: basic-check-spec-test 15 | storage: 16 | spec: 17 | mountPath: {} 18 | - entrypoint: 19 | - scorecard-test 20 | - olm-bundle-validation 21 | image: quay.io/operator-framework/scorecard-test:v1.8.0 22 | labels: 23 | suite: olm 24 | test: 
olm-bundle-validation-test 25 | storage: 26 | spec: 27 | mountPath: {} 28 | - entrypoint: 29 | - scorecard-test 30 | - olm-crds-have-validation 31 | image: quay.io/operator-framework/scorecard-test:v1.8.0 32 | labels: 33 | suite: olm 34 | test: olm-crds-have-validation-test 35 | storage: 36 | spec: 37 | mountPath: {} 38 | - entrypoint: 39 | - scorecard-test 40 | - olm-crds-have-resources 41 | image: quay.io/operator-framework/scorecard-test:v1.8.0 42 | labels: 43 | suite: olm 44 | test: olm-crds-have-resources-test 45 | storage: 46 | spec: 47 | mountPath: {} 48 | - entrypoint: 49 | - scorecard-test 50 | - olm-spec-descriptors 51 | image: quay.io/operator-framework/scorecard-test:v1.8.0 52 | labels: 53 | suite: olm 54 | test: olm-spec-descriptors-test 55 | storage: 56 | spec: 57 | mountPath: {} 58 | - entrypoint: 59 | - scorecard-test 60 | - olm-status-descriptors 61 | image: quay.io/operator-framework/scorecard-test:v1.8.0 62 | labels: 63 | suite: olm 64 | test: olm-status-descriptors-test 65 | storage: 66 | spec: 67 | mountPath: {} 68 | storage: 69 | spec: 70 | mountPath: {} 71 | -------------------------------------------------------------------------------- /config/crd/bases/pcc.paloaltonetworks.com_consoledefenders.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: consoledefenders.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: ConsoleDefender 10 | listKind: ConsoleDefenderList 11 | plural: consoledefenders 12 | singular: consoledefender 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | namespace: 26 | type: string 27 | orchestrator: 28 | type: string 29 | pattern: '^(?:kubernetes|openshift)$' 30 | 
toolBundleUrl: 31 | type: string 32 | version: 33 | type: string 34 | pattern: '^\d{2}_\d{2}_\d{1,5}$' 35 | credentials: 36 | type: object 37 | properties: 38 | accessToken: 39 | type: string 40 | pattern: '^[0-9a-z]{32}$' 41 | license: 42 | type: string 43 | password: 44 | type: string 45 | username: 46 | type: string 47 | consoleConfig: 48 | type: object 49 | properties: 50 | imagePullSecret: 51 | type: string 52 | imageName: 53 | type: string 54 | nodeLabels: 55 | type: string 56 | persistentVolumeLabels: 57 | type: string 58 | persistentVolumeStorage: 59 | type: string 60 | runAsUser: 61 | type: boolean 62 | default: false 63 | serviceType: 64 | type: string 65 | storageClass: 66 | type: string 67 | defenderConfig: 68 | type: object 69 | properties: 70 | cluster: 71 | type: string 72 | collectPodLabels: 73 | type: boolean 74 | default: false 75 | docker: 76 | type: boolean 77 | default: true 78 | dockerSocketPath: 79 | type: string 80 | imagePullSecret: 81 | type: string 82 | imageName: 83 | type: string 84 | monitorIstio: 85 | type: boolean 86 | default: false 87 | monitorServiceAccounts: 88 | type: boolean 89 | default: true 90 | nodeLabels: 91 | type: string 92 | privileged: 93 | type: boolean 94 | default: false 95 | project: 96 | type: string 97 | proxyAddress: 98 | type: string 99 | proxyCa: 100 | type: string 101 | proxyPassword: 102 | type: string 103 | proxyUsername: 104 | type: string 105 | selinuxEnabled: 106 | type: boolean 107 | default: false 108 | toleration: 109 | type: boolean 110 | default: false 111 | tolerationKey: 112 | type: string 113 | default: node-role.kubernetes.io/master 114 | tolerationEffect: 115 | type: string 116 | default: NoSchedule 117 | -------------------------------------------------------------------------------- /config/crd/bases/pcc.paloaltonetworks.com_consoles.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: 
CustomResourceDefinition 4 | metadata: 5 | name: consoles.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: Console 10 | listKind: ConsoleList 11 | plural: consoles 12 | singular: console 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | namespace: 26 | type: string 27 | orchestrator: 28 | type: string 29 | pattern: '^(?:kubernetes|openshift)$' 30 | toolBundleUrl: 31 | type: string 32 | version: 33 | type: string 34 | pattern: '^\d{2}_\d{2}_\d{1,5}$' 35 | credentials: 36 | type: object 37 | properties: 38 | accessToken: 39 | type: string 40 | pattern: '^[0-9a-z]{32}$' 41 | license: 42 | type: string 43 | password: 44 | type: string 45 | username: 46 | type: string 47 | consoleConfig: 48 | type: object 49 | properties: 50 | imagePullSecret: 51 | type: string 52 | imageName: 53 | type: string 54 | nodeLabels: 55 | type: string 56 | persistentVolumeLabels: 57 | type: string 58 | persistentVolumeStorage: 59 | type: string 60 | runAsUser: 61 | type: boolean 62 | default: false 63 | serviceType: 64 | type: string 65 | storageClass: 66 | type: string 67 | -------------------------------------------------------------------------------- /config/crd/bases/pcc.paloaltonetworks.com_defenders.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: defenders.pcc.paloaltonetworks.com 6 | spec: 7 | group: pcc.paloaltonetworks.com 8 | names: 9 | kind: Defender 10 | listKind: DefenderList 11 | plural: defenders 12 | singular: defender 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | 
properties: 25 | namespace: 26 | type: string 27 | orchestrator: 28 | type: string 29 | pattern: '^(?:kubernetes|openshift)$' 30 | toolBundleUrl: 31 | type: string 32 | version: 33 | type: string 34 | pattern: '^\d{2}_\d{2}_\d{1,5}$' 35 | credentials: 36 | type: object 37 | properties: 38 | username: 39 | type: string 40 | password: 41 | type: string 42 | defenderConfig: 43 | type: object 44 | properties: 45 | cluster: 46 | type: string 47 | clusterAddress: 48 | type: string 49 | collectPodLabels: 50 | type: boolean 51 | default: false 52 | consoleAddress: 53 | type: string 54 | docker: 55 | type: boolean 56 | default: true 57 | dockerSocketPath: 58 | type: string 59 | imagePullSecret: 60 | type: string 61 | imageName: 62 | type: string 63 | monitorIstio: 64 | type: boolean 65 | default: false 66 | monitorServiceAccounts: 67 | type: boolean 68 | default: true 69 | nodeLabels: 70 | type: string 71 | privileged: 72 | type: boolean 73 | default: false 74 | project: 75 | type: string 76 | proxyAddress: 77 | type: string 78 | proxyCa: 79 | type: string 80 | proxyPassword: 81 | type: string 82 | proxyUsername: 83 | type: string 84 | selinuxEnabled: 85 | type: boolean 86 | default: false 87 | toleration: 88 | type: boolean 89 | default: false 90 | tolerationKey: 91 | type: string 92 | default: node-role.kubernetes.io/master 93 | tolerationEffect: 94 | type: string 95 | default: NoSchedule 96 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 
3 | # It should be run by config 4 | resources: 5 | - bases/pcc.paloaltonetworks.com_consoles.yaml 6 | - bases/pcc.paloaltonetworks.com_defenders.yaml 7 | - bases/pcc.paloaltonetworks.com_consoledefenders.yaml 8 | #+kubebuilder:scaffold:crdkustomizeresource 9 | -------------------------------------------------------------------------------- /config/deploy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: twistlock 3 | 4 | # Value of this field is prepended to the names of all resources, 5 | # e.g. a deployment named "wordpress" becomes "alices-wordpress". 6 | # Note that it should also match with the prefix (text before '-') 7 | # of the namespace field above. 8 | namePrefix: pcc-operator- 9 | 10 | bases: 11 | - ../crd 12 | - ../rbac 13 | - ../manager 14 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - manager.yaml 6 | 7 | images: 8 | - digest: sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 9 | name: controller 10 | newName: quay.io/prismacloud/pcc-operator 11 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: system 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | 
control-plane: controller-manager 24 | spec: 25 | securityContext: 26 | runAsNonRoot: true 27 | containers: 28 | - name: manager 29 | image: controller 30 | imagePullPolicy: Always 31 | env: 32 | - name: ANSIBLE_GATHERING 33 | value: explicit 34 | - name: PCC_ACCESS_TOKEN 35 | valueFrom: 36 | secretKeyRef: 37 | name: pcc-credentials 38 | key: accessToken 39 | optional: true 40 | - name: PCC_LICENSE 41 | valueFrom: 42 | secretKeyRef: 43 | name: pcc-credentials 44 | key: license 45 | optional: true 46 | - name: PCC_PASSWORD 47 | valueFrom: 48 | secretKeyRef: 49 | name: pcc-credentials 50 | key: password 51 | optional: true 52 | - name: PCC_USERNAME 53 | valueFrom: 54 | secretKeyRef: 55 | name: pcc-credentials 56 | key: username 57 | optional: true 58 | args: 59 | - "--leader-elect" 60 | - "--leader-election-id=pcc-operator" 61 | securityContext: 62 | allowPrivilegeEscalation: false 63 | livenessProbe: 64 | httpGet: 65 | path: /healthz 66 | port: 6789 67 | initialDelaySeconds: 15 68 | periodSeconds: 20 69 | readinessProbe: 70 | httpGet: 71 | path: /readyz 72 | port: 6789 73 | initialDelaySeconds: 5 74 | periodSeconds: 10 75 | serviceAccountName: controller-manager 76 | terminationGracePeriodSeconds: 10 77 | -------------------------------------------------------------------------------- /config/manifests/bases/pcc-operator.clusterserviceversion.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: ClusterServiceVersion 4 | metadata: 5 | annotations: 6 | alm-examples: "[]" 7 | capabilities: Seamless Upgrades 8 | categories: Security 9 | containerImage: quay.io/prismacloud/pcc-operator@sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 10 | createdAt: '2021-11-15' 11 | description: Deploy Prisma Cloud Compute for cloud-native security in your clusters 12 | operators.openshift.io/infrastructure-features: '["Disconnected"]' 13 | 
operators.operatorframework.io/builder: operator-sdk-v1.14.0 14 | operators.operatorframework.io/project_layout: ansible.sdk.operatorframework.io/v1 15 | repository: https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator 16 | support: pcc-integrations@paloaltonetworks.com 17 | name: pcc-operator.v0.0.0 18 | namespace: placeholder 19 | spec: 20 | apiservicedefinitions: {} 21 | customresourcedefinitions: 22 | owned: 23 | - description: Install the Prisma Cloud Compute Console and Defenders 24 | displayName: Console and Defenders 25 | kind: ConsoleDefender 26 | name: consoledefenders.pcc.paloaltonetworks.com 27 | specDescriptors: 28 | - description: Namespace in which the Console and Defenders will be deployed. 29 | This should be the same namespace as the operator itself. Default is twistlock. 30 | displayName: Namespace 31 | path: namespace 32 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 33 | displayName: Orchestrator 34 | path: orchestrator 35 | - description: URL of the tool bundle containing twistcli, the tool used to 36 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 37 | tarball or a release tarball URL. 38 | displayName: Tool Bundle URL 39 | path: toolBundleUrl 40 | - description: Version of Prisma Cloud Compute to install. 41 | displayName: Version 42 | path: version 43 | - description: Sensitive data to be used during installation. Be aware that 44 | credentials supplied here are stored in clear text in the custom resource spec, 45 | where anyone able to read the resource can see them. A Kubernetes Secret can be used instead if preferred. 46 | displayName: Credentials 47 | path: credentials 48 | - description: 32-character lowercase access token included in the license bundle. 49 | displayName: Access Token 50 | path: credentials.accessToken 51 | - description: Product license included in the license bundle. 52 | displayName: License 53 | path: credentials.license 54 | - description: Password to be used for the initial local administrator user. 
55 | It is highly recommended that you change the password for this user in the 56 | Prisma Cloud Compute Console after install. 57 | displayName: Password 58 | path: credentials.password 59 | - description: Username to be used for the initial local administrator user. 60 | displayName: Username 61 | path: credentials.username 62 | - description: Console configuration 63 | displayName: Console Installation Options 64 | path: consoleConfig 65 | - description: Secret needed to pull the Console image when using a private 66 | registry. 67 | displayName: Image Pull Secret 68 | path: consoleConfig.imagePullSecret 69 | - description: Console image to deploy. If no value is specified, the image 70 | is pulled from the Prisma Cloud Compute registry. 71 | displayName: Image Name 72 | path: consoleConfig.imageName 73 | - description: Label to use as a nodeSelector for Console. Specify a label and 74 | value (e.g. "kubernetes.io/hostname=node-name"). 75 | displayName: Node Selector Label 76 | path: consoleConfig.nodeLabels 77 | - description: Label to match the PVC to the PV. 78 | displayName: Persistent Volume Label 79 | path: consoleConfig.persistentVolumeLabels 80 | - description: Storage size of the PV (default "100Gi"). 81 | displayName: Persistent Volume Storage 82 | path: consoleConfig.persistentVolumeStorage 83 | - description: Run Console as UID 2674 (requires manual pre-configuration of 84 | ownership and permissions of the PV). 85 | displayName: Run as User 86 | path: consoleConfig.runAsUser 87 | - description: Service type for exposing Console. Supported values are "ClusterIP", 88 | "NodePort", and "LoadBalancer". 89 | displayName: Service Type 90 | path: consoleConfig.serviceType 91 | - description: StorageClass to use when dynamically provisioning a PV for Console. 92 | A PV is dynamically provisioned if twistcli cannot find the PV specified 93 | with the Persistent Volume Label option. If no StorageClass is specified, 94 | the default StorageClass is used. 
95 | displayName: Storage Class 96 | path: consoleConfig.storageClass 97 | - description: Defender configuration 98 | displayName: Defender Installation Options 99 | path: defenderConfig 100 | - description: Whether or not to collect Pod labels. 101 | displayName: Collect Pod Labels 102 | path: defenderConfig.collectPodLabels 103 | - description: Hook into Docker runtime. Enable only if the cluster is using 104 | Docker. 105 | displayName: Docker 106 | path: defenderConfig.docker 107 | - description: Path to docker.sock. Ignore if not using Docker. 108 | displayName: Docker Socket Path 109 | path: defenderConfig.dockerSocketPath 110 | - description: Secret needed to pull the Defender image when using a private 111 | registry. 112 | displayName: Image Pull Secret 113 | path: defenderConfig.imagePullSecret 114 | - description: Defender image to deploy. If no value is specified, the image 115 | is pulled from the Prisma Cloud Compute registry. 116 | displayName: Image Name 117 | path: defenderConfig.imageName 118 | - description: Whether or not to monitor Istio. 119 | displayName: Monitor Istio 120 | path: defenderConfig.monitorIstio 121 | - description: Whether or not to monitor ServiceAccounts. 122 | displayName: Monitor Service Accounts 123 | path: defenderConfig.monitorServiceAccounts 124 | - description: 'Label to use as a nodeSelector for Defenders. Specify a label 125 | and value (e.g. ''kubernetes.io/hostname: "node-name"'').' 126 | displayName: Node Selector Labels 127 | path: defenderConfig.nodeLabels 128 | - description: Run Defender in privileged mode. 129 | displayName: Privileged 130 | path: defenderConfig.privileged 131 | - description: Project to which Defenders will connect. 132 | displayName: Project 133 | path: defenderConfig.project 134 | - description: Proxy address for Defender-to-Console communication. 
135 | displayName: Proxy Address 136 | path: defenderConfig.proxyAddress 137 | - description: Proxy's CA certificate for Console to trust, encoded in base64. 138 | Required when using TLS-intercept proxies. 139 | displayName: Proxy CA 140 | path: defenderConfig.proxyCa 141 | - description: Password for authenticating with the proxy. 142 | displayName: Proxy Password 143 | path: defenderConfig.proxyPassword 144 | - description: Username for authenticating with the proxy. 145 | displayName: Proxy Username 146 | path: defenderConfig.proxyUsername 147 | - description: Use the spc_t SELinux type. 148 | displayName: SELinux 149 | path: defenderConfig.selinuxEnabled 150 | - description: Deploy Defenders with a toleration. 151 | displayName: Toleration 152 | path: defenderConfig.toleration 153 | - description: Taint key that the toleration applies to. 154 | displayName: Toleration Key 155 | path: defenderConfig.tolerationKey 156 | - description: Taint effect to match. 157 | displayName: Toleration Effect 158 | path: defenderConfig.tolerationEffect 159 | version: v1alpha1 160 | - description: Install the Prisma Cloud Compute Console 161 | displayName: Console 162 | kind: Console 163 | name: consoles.pcc.paloaltonetworks.com 164 | specDescriptors: 165 | - description: Namespace in which the Console and Defenders will be deployed. 166 | This should be the same namespace as the operator itself. Default is twistlock. 167 | displayName: Namespace 168 | path: namespace 169 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 170 | displayName: Orchestrator 171 | path: orchestrator 172 | - description: URL of the tool bundle containing twistcli, the tool used to 173 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 174 | tarball or a release tarball URL. 175 | displayName: Tool Bundle URL 176 | path: toolBundleUrl 177 | - description: Version of Prisma Cloud Compute to install. 
178 | displayName: Version 179 | path: version 180 | - description: Sensitive data to be used during installation. Be aware that 181 | these credentials will be visible in the custom resource spec. Secrets can 182 | be used instead if preferred. 183 | displayName: Credentials 184 | path: credentials 185 | - description: 32-character lowercase access token included in the license bundle. 186 | displayName: Access Token 187 | path: credentials.accessToken 188 | - description: Product license included in the license bundle. 189 | displayName: License 190 | path: credentials.license 191 | - description: Password to be used for the initial local administrator user. 192 | It is highly recommended that you change the password for this user in the 193 | Prisma Cloud Compute Console after install. 194 | displayName: Password 195 | path: credentials.password 196 | - description: Username to be used for the initial local administrator user. 197 | displayName: Username 198 | path: credentials.username 199 | - description: Console configuration 200 | displayName: Console Installation Options 201 | path: consoleConfig 202 | - description: Secret needed to pull the Console image when using a private 203 | registry. 204 | displayName: Image Pull Secret 205 | path: consoleConfig.imagePullSecret 206 | - description: Console image to deploy. If no value is specified, the image 207 | is pulled from the Prisma Cloud Compute registry. 208 | displayName: Image Name 209 | path: consoleConfig.imageName 210 | - description: Label to use as a nodeSelector for Console. Specify a label and 211 | value (e.g. "kubernetes.io/hostname=node-name"). 212 | displayName: Node Selector Label 213 | path: consoleConfig.nodeLabels 214 | - description: Label to match the PVC to the PV. 215 | displayName: Persistent Volume Label 216 | path: consoleConfig.persistentVolumeLabels 217 | - description: Storage size of the PV (default "100Gi"). 
218 | displayName: Persistent Volume Storage 219 | path: consoleConfig.persistentVolumeStorage 220 | - description: Run Console as UID 2674 (requires manual pre-configuration of 221 | ownership and permissions of the PV). 222 | displayName: Run as User 223 | path: consoleConfig.runAsUser 224 | - description: Service type for exposing Console. Supported values are "ClusterIP", 225 | "NodePort", and "LoadBalancer". 226 | displayName: Service Type 227 | path: consoleConfig.serviceType 228 | - description: StorageClass to use when dynamically provisioning a PV for Console. 229 | A PV is dynamically provisioned if twistcli cannot find the PV specified 230 | with the Persistent Volume Label option. If no StorageClass is specified, 231 | the default StorageClass is used. 232 | displayName: Storage Class 233 | path: consoleConfig.storageClass 234 | version: v1alpha1 235 | - description: Install Prisma Cloud Compute Defenders 236 | displayName: Defenders 237 | kind: Defender 238 | name: defenders.pcc.paloaltonetworks.com 239 | specDescriptors: 240 | - description: Namespace in which the Console and Defenders will be deployed. 241 | This should be the same namespace as the operator itself. Default is twistlock. 242 | displayName: Namespace 243 | path: namespace 244 | - description: Orchestrator being used. Must be "kubernetes" or "openshift". 245 | displayName: Orchestrator 246 | path: orchestrator 247 | - description: URL of the tool bundle containing twistcli, the tool used to 248 | generate Prisma Cloud Compute YAML files. Can either be an isolated upgrade 249 | tarball or a release tarball URL. 250 | displayName: Tool Bundle URL 251 | path: toolBundleUrl 252 | - description: Version of Prisma Cloud Compute to install. 253 | displayName: Version 254 | path: version 255 | - description: Sensitive data to be used during installation. Be aware that 256 | these credentials will be visible in the custom resource spec. Secrets can 257 | be used instead if preferred. 
258 | displayName: Credentials 259 | path: credentials 260 | - description: Password of a Prisma Cloud Compute user with the ability to install 261 | Defenders. 262 | displayName: Password 263 | path: credentials.password 264 | - description: Username of a Prisma Cloud Compute user with the ability to install 265 | Defenders. 266 | displayName: Username 267 | path: credentials.username 268 | - description: Defender configuration 269 | displayName: Defender Installation Options 270 | path: defenderConfig 271 | - description: Host name used by Defender to verify Console certificate. Must 272 | be one of the SANs listed at Manage > Defenders > Names. 273 | displayName: Cluster Address 274 | path: defenderConfig.clusterAddress 275 | - description: Whether or not to collect Pod labels. 276 | displayName: Collect Pod Labels 277 | path: defenderConfig.collectPodLabels 278 | - description: Hook into Docker runtime. Enable only if the cluster is using 279 | Docker. 280 | displayName: Docker 281 | path: defenderConfig.docker 282 | - description: URL of the Console. 283 | displayName: Console Address 284 | path: defenderConfig.consoleAddress 285 | - description: Path to docker.sock. Ignore if not using Docker. 286 | displayName: Docker Socket Path 287 | path: defenderConfig.dockerSocketPath 288 | - description: Secret needed to pull the Defender image when using a private 289 | registry. 290 | displayName: Image Pull Secret 291 | path: defenderConfig.imagePullSecret 292 | - description: Defender image to deploy. If no value is specified, the image 293 | is pulled from the Prisma Cloud Compute registry. 294 | displayName: Image Name 295 | path: defenderConfig.imageName 296 | - description: Whether or not to monitor Istio. 297 | displayName: Monitor Istio 298 | path: defenderConfig.monitorIstio 299 | - description: Whether or not to monitor ServiceAccounts. 
300 | displayName: Monitor Service Accounts 301 | path: defenderConfig.monitorServiceAccounts 302 | - description: 'Label to use as a nodeSelector for Defenders. Specify a label 303 | and value (e.g. ''kubernetes.io/hostname: "node-name"'').' 304 | displayName: Node Selector Labels 305 | path: defenderConfig.nodeLabels 306 | - description: Run Defender in privileged mode. 307 | displayName: Privileged 308 | path: defenderConfig.privileged 309 | - description: Project to which Defenders will connect. 310 | displayName: Project 311 | path: defenderConfig.project 312 | - description: Proxy address for Defender-to-Console communication. 313 | displayName: Proxy Address 314 | path: defenderConfig.proxyAddress 315 | - description: Proxy's CA certificate for Console to trust, encoded in base64. 316 | Required when using TLS-intercept proxies. 317 | displayName: Proxy CA 318 | path: defenderConfig.proxyCa 319 | - description: Password for authenticating with the proxy. 320 | displayName: Proxy Password 321 | path: defenderConfig.proxyPassword 322 | - description: Username for authenticating with the proxy. 323 | displayName: Proxy Username 324 | path: defenderConfig.proxyUsername 325 | - description: Use the spc_t SELinux type. 326 | displayName: SELinux 327 | path: defenderConfig.selinuxEnabled 328 | - description: Deploy Defenders with a toleration. 329 | displayName: Toleration 330 | path: defenderConfig.toleration 331 | - description: Taint key that the toleration applies to. 332 | displayName: Toleration Key 333 | path: defenderConfig.tolerationKey 334 | - description: Taint effect to match. 
335 | displayName: Toleration Effect 336 | path: defenderConfig.tolerationEffect 337 | version: v1alpha1 338 | description: | 339 | ## Features 340 | - Deploy Console 341 | - Create initial local administrator user 342 | - Add license 343 | - Deploy Defenders 344 | - Support for offline deployments 345 | - Upgrade Console 346 | - Upgrade Defenders 347 | 348 | ## Installation 349 | See the [Prisma Cloud Compute Operator documentation](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator) for installation guides. 350 | 351 | ## Support 352 | This operator is available "as is," and should be seen as community-supported; however, Palo Alto Networks will continue contributing whenever possible. 353 | Palo Alto Networks does not provide technical support or help with using or troubleshooting the operator through normal support channels. 354 | We encourage you to open GitHub [issues](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/issues) and [pull requests](https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/pulls) to track bugs and feature requests. 
355 | 356 | ## Other links 357 | [Prisma Cloud Compute product documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute.html) 358 | 359 | [Prisma Cloud Compute API documentation](https://prisma.pan.dev/api/cloud/cwpp) 360 | displayName: Prisma Cloud Compute Operator 361 | icon: 362 | - base64data: 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 363 | mediatype: image/svg+xml 364 | install: 365 | spec: 366 | deployments: 367 | strategy: '' 368 | installModes: 369 | - supported: true 370 | type: OwnNamespace 371 | - supported: true 372 | type: SingleNamespace 373 | - supported: false 374 | type: MultiNamespace 375 | - supported: false 376 | type: AllNamespaces 377 | keywords: 378 | - palo 379 | - palo alto 380 | - palo alto networks 381 | - paloalto 382 | - twistlock 383 | - compute 384 | - prisma 385 | - prisma cloud 386 | - prisma cloud compute 387 | - security 388 | - image 389 | - images 390 | - container 391 | - containers 392 | - docker 393 | - podman 394 | - vulnerability 395 | - vulnerabilities 396 | - compliance 397 | - runtime 398 | - scan 399 | - scanning 400 | - monitor 401 | - monitoring 402 | - alert 403 | - alerting 404 | links: 405 | - name: Prisma Cloud 406 | url: https://www.paloaltonetworks.com/prisma/cloud 407 | maintainers: 408 | - email: pcc-integrations@paloaltonetworks.com 409 | name: Wyatt Gill 410 | maturity: alpha 411 | provider: 412 | name: Palo Alto Networks 413 | version: 0.0.0 414 | -------------------------------------------------------------------------------- /config/manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # These resources constitute the fully configured set of manifests 2 | # used to generate the 'manifests/' directory in a bundle. 
3 | resources: 4 | - bases/pcc-operator.clusterserviceversion.yaml 5 | - ../deploy 6 | - ../samples 7 | - ../scorecard 8 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | # All RBAC will be applied under this service account in 3 | # the deployment namespace. You may comment out this resource 4 | # if your manager will use a service account that exists at 5 | # runtime. Be sure to update RoleBinding and ClusterRoleBinding 6 | # subjects if changing service account names. 7 | - service_account.yaml 8 | - role.yaml 9 | - role_binding.yaml 10 | - leader_election_role.yaml 11 | - leader_election_role_binding.yaml 12 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - coordination.k8s.io 21 | resources: 22 | - leases 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - create 28 | - update 29 | - patch 30 | - delete 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - events 35 | verbs: 36 | - create 37 | - patch 38 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: manager-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | - namespaces 12 | - persistentvolumeclaims 13 | - secrets 14 | - serviceaccounts 15 | - services 16 | verbs: 17 | - create 18 | - get 19 | - list 20 | - patch 21 | - watch 22 | - apiGroups: 23 | - apps 24 | resources: 25 | - daemonsets 26 | - deployments 27 | verbs: 28 | - create 29 | - get 30 | - list 31 | - patch 32 | - watch 33 | - apiGroups: 34 | - rbac.authorization.k8s.io 35 | resources: 36 | - clusterroles 37 | - clusterrolebindings 38 | - roles 39 | - rolebindings 40 | verbs: 41 | - create 42 | - get 43 | - list 44 | - patch 
45 | - watch 46 | - apiGroups: 47 | - security.openshift.io 48 | resources: 49 | - securitycontextconstraints 50 | verbs: 51 | - create 52 | - get 53 | - list 54 | - patch 55 | - watch 56 | ## NOTE: the rules above grant cluster-wide get/list on secrets and create/patch on RBAC objects and securitycontextconstraints; treat the ServiceAccount bound to this ClusterRole as highly privileged and restrict access to its token accordingly. 57 | ## For label collection support 58 | ## 59 | - apiGroups: 60 | - apps 61 | resources: 62 | - replicasets 63 | verbs: 64 | - get 65 | ## 66 | ## For monitor Istio support 67 | ## 68 | - apiGroups: 69 | - "" 70 | resources: 71 | - endpoints 72 | - pods 73 | - pods/proxy 74 | verbs: 75 | - get 76 | - list 77 | - apiGroups: 78 | - networking.istio.io 79 | resources: 80 | - destinationrules 81 | - gateways 82 | - virtualservices 83 | verbs: 84 | - list 85 | - apiGroups: 86 | - security.istio.io 87 | resources: 88 | - authorizationpolicies 89 | - peerauthentications 90 | verbs: 91 | - list 92 | ## 93 | ## Rules for pcc.paloaltonetworks.com/v1alpha1, Kind: Console, Kind: ConsoleDefender, Kind: Defender 94 | ## 95 | - apiGroups: 96 | - pcc.paloaltonetworks.com 97 | resources: 98 | - consoles 99 | - consoles/status 100 | - consoles/finalizers 101 | - consoledefenders 102 | - consoledefenders/status 103 | - consoledefenders/finalizers 104 | - defenders 105 | - defenders/status 106 | - defenders/finalizers 107 | verbs: 108 | - create 109 | - delete 110 | - get 111 | - list 112 | - patch 113 | - update 114 | - watch 115 | 116 | #+kubebuilder:scaffold:rules 117 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/service_account.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | -------------------------------------------------------------------------------- /config/samples/kustomization.yaml: -------------------------------------------------------------------------------- 1 | ## Append samples you want in your CSV to this file as resources ## 2 | resources: 3 | - pcc_v1alpha1_console.yaml 4 | - pcc_v1alpha1_defender.yaml 5 | - pcc_v1alpha1_consoledefender.yaml 6 | #+kubebuilder:scaffold:manifestskustomizesamples 7 | -------------------------------------------------------------------------------- /config/samples/pcc_v1alpha1_console.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 2 | kind: Console 3 | metadata: 4 | name: pcc-console 5 | namespace: twistlock 6 | spec: 7 | namespace: twistlock 8 | version: "21_08_520" 9 | consoleConfig: 10 | serviceType: ClusterIP 11 | -------------------------------------------------------------------------------- /config/samples/pcc_v1alpha1_consoledefender.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 2 | kind: ConsoleDefender 3 | metadata: 4 | name: pcc-consoledefender 5 | namespace: twistlock 6 | spec: 7 | namespace: twistlock 8 | version: "21_08_520" 9 | consoleConfig: 10 | serviceType: ClusterIP 11 | defenderConfig: 12 | docker: false 13 | -------------------------------------------------------------------------------- /config/samples/pcc_v1alpha1_defender.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 2 | kind: Defender 3 | metadata: 4 | name: pcc-defender 5 | namespace: twistlock 6 | spec: 7 | namespace: twistlock 8 | version: "21_08_520" 9 | 
defenderConfig: 10 | clusterAddress: twistlock-console.example.com 11 | consoleAddress: https://twistlock-console.example.com:8083 12 | docker: false 13 | -------------------------------------------------------------------------------- /config/scorecard/bases/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: [] 8 | -------------------------------------------------------------------------------- /config/scorecard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - bases/config.yaml 3 | patchesJson6902: 4 | - path: patches/basic.config.yaml 5 | target: 6 | group: scorecard.operatorframework.io 7 | version: v1alpha3 8 | kind: Configuration 9 | name: config 10 | - path: patches/olm.config.yaml 11 | target: 12 | group: scorecard.operatorframework.io 13 | version: v1alpha3 14 | kind: Configuration 15 | name: config 16 | #+kubebuilder:scaffold:patchesJson6902 17 | -------------------------------------------------------------------------------- /config/scorecard/patches/basic.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - basic-check-spec 7 | image: quay.io/operator-framework/scorecard-test:v1.8.0 8 | labels: 9 | suite: basic 10 | test: basic-check-spec-test 11 | -------------------------------------------------------------------------------- /config/scorecard/patches/olm.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - olm-bundle-validation 7 | image: quay.io/operator-framework/scorecard-test:v1.8.0 8 | labels: 9 | suite: olm 10 
| test: olm-bundle-validation-test 11 | - op: add 12 | path: /stages/0/tests/- 13 | value: 14 | entrypoint: 15 | - scorecard-test 16 | - olm-crds-have-validation 17 | image: quay.io/operator-framework/scorecard-test:v1.8.0 18 | labels: 19 | suite: olm 20 | test: olm-crds-have-validation-test 21 | - op: add 22 | path: /stages/0/tests/- 23 | value: 24 | entrypoint: 25 | - scorecard-test 26 | - olm-crds-have-resources 27 | image: quay.io/operator-framework/scorecard-test:v1.8.0 28 | labels: 29 | suite: olm 30 | test: olm-crds-have-resources-test 31 | - op: add 32 | path: /stages/0/tests/- 33 | value: 34 | entrypoint: 35 | - scorecard-test 36 | - olm-spec-descriptors 37 | image: quay.io/operator-framework/scorecard-test:v1.8.0 38 | labels: 39 | suite: olm 40 | test: olm-spec-descriptors-test 41 | - op: add 42 | path: /stages/0/tests/- 43 | value: 44 | entrypoint: 45 | - scorecard-test 46 | - olm-status-descriptors 47 | image: quay.io/operator-framework/scorecard-test:v1.8.0 48 | labels: 49 | suite: olm 50 | test: olm-status-descriptors-test 51 | -------------------------------------------------------------------------------- /config/testing/debug_logs_patch.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | - name: manager 12 | env: 13 | - name: ANSIBLE_DEBUG_LOGS 14 | value: "TRUE" 15 | -------------------------------------------------------------------------------- /config/testing/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: osdk-test 3 | 4 | namePrefix: osdk- 5 | 6 | # Labels to add to all resources and selectors. 
7 | #commonLabels: 8 | # someName: someValue 9 | 10 | patchesStrategicMerge: 11 | - manager_image.yaml 12 | - debug_logs_patch.yaml 13 | 14 | apiVersion: kustomize.config.k8s.io/v1beta1 15 | kind: Kustomization 16 | resources: 17 | - ../crd 18 | - ../rbac 19 | - ../manager 20 | images: 21 | - name: testing 22 | newName: testing-operator 23 | -------------------------------------------------------------------------------- /config/testing/manager_image.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | - name: manager 12 | image: testing 13 | -------------------------------------------------------------------------------- /config/testing/pull_policy/Always.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | - name: manager 12 | imagePullPolicy: Always 13 | -------------------------------------------------------------------------------- /config/testing/pull_policy/IfNotPresent.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | - name: manager 12 | imagePullPolicy: IfNotPresent 13 | -------------------------------------------------------------------------------- /config/testing/pull_policy/Never.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | spec: 10 | containers: 11 | 
- name: manager 12 | imagePullPolicy: Never 13 | -------------------------------------------------------------------------------- /docs/Kubernetes/console.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: Console 4 | metadata: 5 | name: pcc-console 6 | namespace: twistlock 7 | spec: 8 | namespace: twistlock 9 | orchestrator: kubernetes 10 | version: '21_08_520' 11 | consoleConfig: 12 | serviceType: ClusterIP 13 | -------------------------------------------------------------------------------- /docs/Kubernetes/consoledefender.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: ConsoleDefender 4 | metadata: 5 | name: pcc-consoledefender 6 | namespace: twistlock 7 | spec: 8 | namespace: twistlock 9 | orchestrator: kubernetes 10 | version: '21_08_520' 11 | consoleConfig: 12 | serviceType: ClusterIP 13 | defenderConfig: 14 | docker: false 15 | -------------------------------------------------------------------------------- /docs/Kubernetes/defender.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: Defender 4 | metadata: 5 | name: pcc-defender 6 | namespace: twistlock 7 | spec: 8 | namespace: twistlock 9 | orchestrator: kubernetes 10 | version: '21_08_520' 11 | defenderConfig: 12 | clusterAddress: twistlock-console 13 | consoleAddress: https://twistlock-console:8083 14 | docker: false 15 | -------------------------------------------------------------------------------- /docs/Kubernetes/kubernetes.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Deployment 2 | 3 | This documentation demonstrates the automated [installation](#installation-process) and [upgrade](#upgrade-process) processes for the Prisma Cloud 
Compute Console and Defenders within a Kubernetes cluster that is able to communicate with the [Kubernetes Community Operators](https://github.com/k8s-operatorhub/community-operators/tree/main/operators) and the [Prisma Cloud Compute container registry](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/twistlock_container_images.html). 4 | 5 | ## Installation Process 6 | 1. Create the namespace for this deployment (e.g. `twistlock`). 7 | ```bash 8 | kubectl create ns twistlock 9 | ``` 10 | 11 | 2. The Console is licensed and the initial administrator account is created during deployment. The account credentials and license can be supplied either directly in the custom resource's `credentials` section or as a Kubernetes Secret. To deploy using a Kubernetes Secret: 12 | - Copy the following yaml into a file called [pcc-credentials.yaml](pcc-credentials.yaml) 13 | 14 | ```yaml 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: pcc-credentials 19 | namespace: twistlock 20 | data: 21 | accessToken: 22 | license: 23 | password: 24 | username: 25 | ``` 26 | 27 | - Base64-encode your `accessToken`, `license`, `password`, and `username` values and update the `pcc-credentials.yaml` file (base64 is an encoding, not encryption; the Secret's contents are readable by anyone who can read the Secret). For example: 28 | ```bash 29 | $ echo -n "admin" | base64 30 | YWRtaW4= 31 | ``` 32 | 33 | - Create the secret within the cluster. 34 | ```bash 35 | kubectl apply -f pcc-credentials.yaml 36 | ``` 37 | 38 | 3. Install the [Operator Lifecycle Manager](https://github.com/operator-framework/operator-lifecycle-manager/releases) (the example below installs v0.19.1; check the releases page for the current version and substitute it in both commands) 39 | ```bash 40 | curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.19.1/install.sh -o install.sh 41 | chmod +x install.sh 42 | ./install.sh v0.19.1 43 | ``` 44 | 45 | 4. Install the Prisma Cloud Compute Operator in the `twistlock` namespace. 
46 | - Copy the following yaml into a file called [operator.yaml](operator.yaml) 47 | ```yaml 48 | --- 49 | apiVersion: operators.coreos.com/v1 50 | kind: OperatorGroup 51 | metadata: 52 | name: pcc-operator 53 | namespace: twistlock 54 | spec: 55 | targetNamespaces: 56 | - twistlock 57 | --- 58 | apiVersion: operators.coreos.com/v1alpha1 59 | kind: Subscription 60 | metadata: 61 | name: pcc-operator 62 | namespace: twistlock 63 | spec: 64 | channel: stable 65 | name: pcc-operator 66 | source: operatorhubio-catalog 67 | sourceNamespace: olm 68 | ``` 69 | - Deploy the Operator 70 | ```bash 71 | kubectl apply -f ./operator.yaml 72 | ``` 73 | 74 | 5. Install Console and Defenders. 75 | - Copy the following yaml into a file called [consoledefender.yaml](consoledefender.yaml) 76 | ```yaml 77 | --- 78 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 79 | kind: ConsoleDefender 80 | metadata: 81 | name: pcc-consoledefender 82 | namespace: twistlock 83 | spec: 84 | namespace: twistlock 85 | orchestrator: kubernetes 86 | version: '21_08_520' 87 | consoleConfig: 88 | serviceType: ClusterIP 89 | defenderConfig: 90 | docker: false 91 | ``` 92 | **NOTES:** 93 | - If installing Defenders only, be sure to verify the version of your Console and use the same version for Defender deployment. 94 | - For docker-based clusters set `docker: true`. 95 | - The default `serviceType` is `NodePort`. 96 | 97 | - Set `version` to the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520) 98 | 99 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 100 | - **Access Token**: 32-character access token included in the license bundle 101 | - **License**: Product license included in the license bundle 102 | - **Password**: Password to be used for the initial local administrator user. It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install. 
103 | - **Username**: Username to be used for the initial local administrator user. 104 | 105 | - Deploy the Console and Defender 106 | ```bash 107 | kubectl apply -f ./consoledefender.yaml 108 | ``` 109 | 110 | - Confirm that the Console and Defender pods have been deployed. 111 | ```bash 112 | kubectl get pods -n twistlock 113 | ``` 114 | 115 | 116 | 6. Expose the twistlock-console service’s management-port-https port (default 8083/TCP) using a Kubernetes LoadBalancer or your organization’s approved cluster ingress technology. 117 | 118 | 7. Log in with the username and password specified in the `Credentials` section. If you did not use Kubernetes Secrets, reset this account's password in **Manage > Authentication > Users**, since the initial password remains visible in the custom resource spec. 119 | 120 | ## Upgrade Process 121 | The upgrade process retains the existing deployment's configuration and settings. Consult the release notes first to determine whether any additional procedures are required. 122 | 123 | ### Console Upgrade 124 | - Upgrade the Console. 125 | - Copy the following yaml into a file called [console.yaml](console.yaml) 126 | ```yaml 127 | --- 128 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 129 | kind: Console 130 | metadata: 131 | name: pcc-console 132 | namespace: twistlock 133 | spec: 134 | namespace: twistlock 135 | orchestrator: kubernetes 136 | version: '21_08_520' 137 | consoleConfig: 138 | serviceType: ClusterIP 139 | ``` 140 | **NOTES:** 141 | - The default `serviceType` is `NodePort`. 142 | 143 | - Set **version** to the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520). 144 | 145 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 146 | 147 | - Deploy the Console 148 | ```bash 149 | kubectl apply -f ./console.yaml 150 | ``` 151 | 152 | ### Defender Upgrade 153 | - Upgrade the Defenders. 
154 | - Copy the following yaml into a file called [defender.yaml](defender.yaml) 155 | ```yaml 156 | --- 157 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 158 | kind: Defender 159 | metadata: 160 | name: pcc-defender 161 | namespace: twistlock 162 | spec: 163 | namespace: twistlock 164 | orchestrator: kubernetes 165 | version: '21_08_520' 166 | defenderConfig: 167 | clusterAddress: twistlock-console 168 | consoleAddress: https://twistlock-console:8083 169 | docker: false 170 | ``` 171 | **NOTES:** 172 | - For docker-based clusters set `docker: true`. 173 | 174 | - Set **version** to the version to be deployed (e.g. 21_08_520). 175 | 176 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 177 | - **Password**: password to an account that has defender-manager or higher role 178 | - **Username**: username to an account that has defender-manager or higher role 179 | 180 | - Deploy the Defenders 181 | ```bash 182 | kubectl apply -f ./defender.yaml 183 | ``` 184 | -------------------------------------------------------------------------------- /docs/Kubernetes/offline_kubernetes.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Offline Deployment 2 | 3 | This documentation demonstrates the automated [installation](#installation-process) and [upgrade](#upgrade-process) processes for the Prisma Cloud Compute Console and Defenders within a Kubernetes cluster that is unable to communicate with the Internet. 4 | 5 | ## Collect PCC-Operator Components 6 | 1. Pull the required images. 
7 | - the [operator image](https://quay.io/repository/prismacloud/pcc-operator) 8 | ```bash 9 | docker pull quay.io/prismacloud/pcc-operator:v0.2.0 10 | ``` 11 | 12 | - the [Console and Defender images](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/twistlock_container_images.html) for the version you are installing 13 | ```bash 14 | docker pull registry.twistlock.com/twistlock/console:console_21_08_520 15 | docker pull registry.twistlock.com/twistlock/defender:defender_21_08_520 16 | ``` 17 | 18 | 2. Save the images as tarballs. 19 | ```bash 20 | docker save quay.io/prismacloud/pcc-operator:v0.2.0 | gzip > pcc-operator.tar.gz 21 | docker save registry.twistlock.com/twistlock/console:console_21_08_520 | gzip > console.tar.gz 22 | docker save registry.twistlock.com/twistlock/defender:defender_21_08_520 | gzip > defender.tar.gz 23 | ``` 24 | 25 | 3. Pull the PaloAltoNetworks/prisma-cloud-compute-operator GitHub repo. 26 | ```bash 27 | wget https://github.com/PaloAltoNetworks/prisma-cloud-compute-operator/archive/refs/heads/main.zip 28 | ``` 29 | 30 | 4. Download the offline update tool bundle [matching the version to be deployed](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-compute-edition-public-sector/isolated_upgrades/releases.html) (e.g. v21_08_520). 31 | ```bash 32 | wget https://cdn.twistlock.com/isolated_upgrades/v21_08_520/v21_08_520_isolated_update.tar.gz 33 | ``` 34 | 35 | 5. Move the image tarballs, the GitHub repo zip file and offline update tool bundle to a host that has docker installed and has access to the disconnected cluster. 36 | 37 | 6. Docker load, tag and push the images to a registry that is accessible (e.g. 10.105.219.150) from your isolated Kubernetes cluster. 
38 | ```bash 39 | docker load < pcc-operator.tar.gz 40 | docker tag 3eee0ee3aef5 10.105.219.150/pcc-operator:v0.2.0 41 | docker push 10.105.219.150/pcc-operator:v0.2.0 42 | 43 | docker load < console.tar.gz 44 | docker tag 58c779558b27 10.105.219.150/console:console_21_08_520 45 | docker push 10.105.219.150/console:console_21_08_520 46 | 47 | docker load < defender.tar.gz 48 | docker tag aaf13f247f08 10.105.219.150/defender:defender_21_08_520 49 | docker push 10.105.219.150/defender:defender_21_08_520 50 | ``` 51 | 52 | 7. Host the offline update tool bundle v21_08_520_isolated_update.tar.gz file at an http/https URL that your isolated cluster can reach and pull this file from (https from a host you control is preferable, since the bundle contains the `twistcli` tool that generates the deployment YAML). For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz 53 | 54 | 8. Unzip the PaloAltoNetworks/prisma-cloud-compute-operator GitHub repo. 55 | ```bash 56 | unzip main.zip 57 | ``` 58 | 59 | ## Installation Process 60 | 1. Create the namespace for this deployment (e.g. `twistlock`). 61 | ```bash 62 | kubectl create ns twistlock 63 | ``` 64 | 65 | 2. The Console is licensed and the initial administrator account is created during deployment. The account credentials and license can be supplied as arguments or as a Kubernetes Secret. To deploy using a Kubernetes Secret: 66 | - Copy the following yaml into a file called [pcc-credentials.yaml](pcc-credentials.yaml). 67 | 68 | ```yaml 69 | apiVersion: v1 70 | kind: Secret 71 | metadata: 72 | name: pcc-credentials 73 | namespace: twistlock 74 | data: 75 | accessToken: 76 | license: 77 | password: 78 | username: 79 | ``` 80 | 81 | - Base64 encode your `accessToken`, `license`, `password`, and `username` values and update the `pcc-credentials.yaml` file. For example: 82 | ```bash 83 | $ echo -n "admin" | base64 84 | YWRtaW4= 85 | ``` 86 | 87 | - Create the secret within the cluster. 88 | ```bash 89 | kubectl apply -f pcc-credentials.yaml 90 | ``` 91 | 92 | 3. 
Modify the unzipped GitHub repo's `config/manager/kustomization.yaml` so that the operator image is pulled from your registry (this replaces the `digest` pin with a `newTag`; if you want the image to stay pinned, keep a `digest` entry holding the digest of the image you pushed instead), from: 93 | ```yaml 94 | apiVersion: kustomize.config.k8s.io/v1beta1 95 | kind: Kustomization 96 | 97 | resources: 98 | - manager.yaml 99 | 100 | images: 101 | - digest: sha256:e5c9c4947755399481aa81d8ffc37543f3fcc81de8052a711cf836c83e6efa7b 102 | name: controller 103 | newName: quay.io/prismacloud/pcc-operator 104 | ``` 105 | to: 106 | ```yaml 107 | apiVersion: kustomize.config.k8s.io/v1beta1 108 | kind: Kustomization 109 | 110 | resources: 111 | - manager.yaml 112 | 113 | images: 114 | - name: controller 115 | newName: 10.105.219.150/pcc-operator 116 | newTag: v0.2.0 117 | ``` 118 | 119 | 4. Change directory to the GitHub repo's config/deploy and deploy the pcc-operator. 120 | ```bash 121 | kubectl apply -k . 122 | ``` 123 | 124 | 5. Install Console and Defenders. 125 | - Copy the following yaml into a file called [consoledefender.yaml](consoledefender.yaml). 126 | ```yaml 127 | --- 128 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 129 | kind: ConsoleDefender 130 | metadata: 131 | name: pcc-consoledefender 132 | namespace: twistlock 133 | spec: 134 | namespace: twistlock 135 | orchestrator: kubernetes 136 | version: '21_08_520' 137 | toolBundleUrl: http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz 138 | consoleConfig: 139 | serviceType: ClusterIP 140 | imageName: 10.105.219.150/console:console_21_08_520 141 | defenderConfig: 142 | docker: true 143 | imageName: 10.105.219.150/defender:defender_21_08_520 144 | ``` 145 | **NOTES:** 146 | - For docker-based clusters set `docker: true`. 147 | - The default `serviceType` is `NodePort`. 148 | 149 | - Set `version` to the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520). 150 | 151 | - Set `toolBundleUrl` to the offline update tool bundle v21_08_520_isolated_update.tar.gz URL. 
For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz 152 | 153 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 154 | - **Access Token**: 32-character access token included in the license bundle 155 | - **License**: Product license included in the license bundle 156 | - **Password**: Password to be used for the initial local administrator user. It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install. 157 | - **Username**: Username to be used for the initial local administrator user. 158 | 159 | - Deploy the Console and Defender. 160 | ```bash 161 | kubectl apply -f ./consoledefender.yaml 162 | ``` 163 | 164 | - Confirm that the Console and Defender pods have been deployed. 165 | ```bash 166 | kubectl get pods -n twistlock 167 | ``` 168 | 169 | 170 | 6. Establish communications to the twistlock-console service’s management-port-https port (default 8083/TCP) using a Kubernetes LoadBalancer or your organization’s approved cluster ingress technology. 171 | 172 | 7. Login with the username and password specified in the `Credentials` section. If you did not use Kubernetes Secrets reset this account's password in **Manage > Authentication > Users**. 173 | 174 | ## Upgrade Process 175 | The upgrade process will retain the existing deployment's configuration and settings. Please consult the [release notes](https://docs.prismacloudcompute.com/docs/releases/release-information/latest.html) first to determine if any additional procedures are required. 176 | 177 | ### Console Upgrade 178 | - Upgrade the Console. 179 | - Copy the following yaml into a file called [console.yaml](console.yaml). 
180 | ```yaml 181 | --- 182 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 183 | kind: Console 184 | metadata: 185 | name: pcc-console 186 | namespace: twistlock 187 | spec: 188 | namespace: twistlock 189 | orchestrator: kubernetes 190 | version: '21_08_520' 191 | toolBundleUrl: http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz 192 | consoleConfig: 193 | serviceType: ClusterIP 194 | imageName: 10.105.219.150/console:console_21_08_520 195 | ``` 196 | **NOTES:** 197 | - The default `serviceType` is `NodePort`. 198 | 199 | - Set **version** to the Prisma Cloud Compute release version to be deployed (e.g. 21_08_520). 200 | 201 | - Set `toolBundleUrl` to the offline update tool bundle v21_08_520_isolated_update.tar.gz URL. For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz. 202 | 203 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 204 | 205 | - Deploy the Console. 206 | ```bash 207 | kubectl apply -f ./console.yaml 208 | ``` 209 | 210 | ### Defender Upgrade 211 | - Upgrade the Defenders. 212 | - Copy the following yaml into a file called [defender.yaml](defender.yaml). 213 | ```yaml 214 | --- 215 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 216 | kind: Defender 217 | metadata: 218 | name: pcc-defender 219 | namespace: twistlock 220 | spec: 221 | namespace: twistlock 222 | orchestrator: kubernetes 223 | version: '21_08_520' 224 | defenderConfig: 225 | clusterAddress: twistlock-console 226 | consoleAddress: https://twistlock-console:8083 227 | imageName: 10.105.219.150/defender:defender_21_08_520 228 | docker: true 229 | ``` 230 | **NOTES:** 231 | - Ensure the Defender version matches the version of your Console. 232 | - For docker-based clusters set `docker: true`. 233 | 234 | - Set **version** to the version to be deployed (e.g. 21_08_520). 
235 | 236 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 237 | - **Password**: password to an account that has defender-manager or higher role 238 | - **Username**: username to an account that has defender-manager or higher role 239 | 240 | - Deploy the Defenders. 241 | ```bash 242 | kubectl apply -f ./defender.yaml 243 | ``` 244 | -------------------------------------------------------------------------------- /docs/Kubernetes/operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: pcc-operator 6 | namespace: twistlock 7 | spec: 8 | targetNamespaces: 9 | - twistlock 10 | --- 11 | apiVersion: operators.coreos.com/v1alpha1 12 | kind: Subscription 13 | metadata: 14 | name: pcc-operator 15 | namespace: twistlock 16 | spec: 17 | channel: stable 18 | name: pcc-operator 19 | source: operatorhubio-catalog 20 | sourceNamespace: olm 21 | -------------------------------------------------------------------------------- /docs/Kubernetes/pcc-credentials.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: pcc-credentials 6 | namespace: twistlock 7 | data: 8 | accessToken: 9 | license: 10 | password: 11 | username: -------------------------------------------------------------------------------- /docs/Kubernetes/resource_spec.md: -------------------------------------------------------------------------------- 1 | # Resource specification 2 | 3 | ## Notes 4 | - If `toolBundleUrl` is not specified, the tool bundle URL is built using `version`. 5 | - If `consoleConfig.imageName` is not specified, the image name is built using `version` and `credentials.accessToken`. 
6 | 7 | ## ConsoleDefender 8 | - **apiVersion**: pcc.paloaltonetworks.com/v1alpha1 9 | - **kind**: ConsoleDefender 10 | - **metadata** ([ObjectMeta](https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta)) 11 | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 12 | - **spec** ([ConsoleDefenderSpec](#ConsoleDefenderSpec)) 13 | 14 | ## ConsoleDefenderSpec 15 | - **namespace** (string), required 16 | Namespace in which the Console and Defenders will be deployed. 17 | This should be the same namespace as the operator itself. 18 | Default is twistlock. 19 | - **orchestrator** (string), required 20 | Orchestrator being used. Must be kubernetes or openshift. 21 | - **toolBundleUrl** (string), recommended 22 | URL of the tool bundle containing twistcli, the tool used to generate Prisma Cloud Compute YAML files. 23 | Can either be an [isolated upgrade](https://docs.twistlock.com/docs/government/isolated_upgrades/isolated_upgrades.html) tarball or a release tarball URL. 24 | - **version** (string), required 25 | Version of Prisma Cloud Compute to install. 26 | - **credentials** (PrismaCloudComputeCredentials) 27 | Sensitive data to be used during installation. 28 | Be aware that these credentials will be visible in the custom resource spec. 29 | Only use this section if you cannot use secrets for whatever reason. 30 | - **credentials.accessToken** (string), required 31 | 32-character lowercase access token included in the license bundle. 32 | - **credentials.license** (string), required 33 | Product license included in the license bundle. 34 | - **credentials.password** (string), required 35 | Password to be used for the initial local administrator user. 36 | It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install. 37 | Default is change_me_after_install. 
38 | - **credentials.username** (string), required 39 | Username to be used for the initial local administrator user. 40 | Default is admin. 41 | - **consoleConfig** (PrismaCloudComputeConsoleConfig) 42 | Options for installing Console. 43 | They are ultimately passed to `twistcli` for YAML generation. 44 | - **consoleConfig.imagePullSecret** (string) 45 | Secret needed to pull the Console image when using a private registry. 46 | - **consoleConfig.imageName** (string) 47 | Console image to deploy. 48 | If no value is specified, the image is pulled from the Prisma Cloud Compute registry. 49 | - **consoleConfig.nodeLabels** (string) 50 | Label to use as a nodeSelector for Console. 51 | Specify a label and value (e.g. "kubernetes.io/hostname=node-name"). 52 | - **consoleConfig.persistentVolumeLabels** (string) 53 | Label to match the PVC to the PV. 54 | - **consoleConfig.persistentVolumeStorage** (string) 55 | Storage size of the PV. 56 | Default is 100Gi. 57 | - **consoleConfig.runAsUser** (string) 58 | Run Console as UID 2674 (requires manual pre-configuration of ownership and permissions of the PV). 59 | Must be true or false. 60 | - **consoleConfig.serviceType** (string) 61 | Service type for exposing Console. Supported values are ClusterIP, NodePort, and LoadBalancer. 62 | Default is ClusterIP. 63 | - **consoleConfig.storageClass** (string) 64 | StorageClass to use when dynamically provisioning a PV for Console. 65 | A PV is dynamically provisioned if twistcli cannot find the PV specified with the Persistent Volume Label option. 66 | If no StorageClass is specified, the default StorageClass is used. 67 | - **defenderConfig** (PrismaCloudComputeDefenderConfig) 68 | Options for installing Defender. 69 | They are ultimately passed to `twistcli` for YAML generation. 70 | - **defenderConfig.cluster** (string) 71 | A cluster name to identify the kubernetes cluster. 
72 | If no value specified, defender will try to automatically get the cluster name from the cloud provider. 73 | - **defenderConfig.clusterAddress** (string) 74 | Host name used by Defender to verify Console certificate. 75 | Must be one of the SANs listed at Manage > Defenders > Names. 76 | - **defenderConfig.collectPodLabels** (string) 77 | Must be true or false. 78 | - **defenderConfig.consoleAddress** (string) 79 | URL of the Console. 80 | - **defenderConfig.docker** (string) 81 | Hook into Docker runtime. 82 | Enable only if the cluster is using Docker. 83 | - **defenderConfig.dockerSocketPath** (string) 84 | Path to docker.sock. 85 | Ignore if not using Docker. 86 | - **defenderConfig.imagePullSecret** (string) 87 | Secret needed to pull the Defender image when using a private registry. 88 | - **defenderConfig.imageName** (string) 89 | Defender image to deploy. 90 | If no value is specified, the image is pulled from the Prisma Cloud Compute registry. 91 | - **defenderConfig.monitorIstio** (string) 92 | Must be true or false. 93 | - **defenderConfig.monitorServiceAccounts** (string) 94 | Must be true or false. 95 | - **defenderConfig.nodeLabels** (string) 96 | Label to use as a nodeSelector for Defenders. Specify a label and value (e.g. 'kubernetes.io/hostname: "node-name"'). 97 | - **defenderConfig.privileged** (string) 98 | Run Defender in privileged mode. 99 | Must be true or false. 100 | - **defenderConfig.project** (string) 101 | Project to which Defenders will connect. 102 | - **defenderConfig.proxyAddress** (string) 103 | Proxy address for Defender-to-Console communication. 104 | - **defenderConfig.proxyCa** (string) 105 | Proxy's CA certificate for Console to trust, encoded in base64. 106 | Required when using TLS-intercept proxies. 107 | - **defenderConfig.proxyPassword** (string) 108 | Password for authenticating with the proxy. 109 | - **defenderConfig.proxyUsername** (string) 110 | Username for authenticating with the proxy. 
111 | - **defenderConfig.selinuxEnabled** (string) 112 | Use the spc_t SELinux type. 113 | Must be true or false. 114 | - **defenderConfig.toleration** (string) 115 | Deploy Defenders with a toleration. 116 | Must be true or false. 117 | - **defenderConfig.tolerationKey** (string) 118 | Taint key that the toleration applies to. 119 | Default is node-role.kubernetes.io/master. 120 | - **defenderConfig.tolerationEffect** (string) 121 | Taint effect to match. 122 | Default is NoSchedule. 123 | -------------------------------------------------------------------------------- /docs/OpenShift/catalogsource.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: CatalogSource 4 | metadata: 5 | name: pcc-operator-catalog 6 | namespace: openshift-marketplace 7 | spec: 8 | sourceType: grpc 9 | image: image-registry.openshift-image-registry.svc.cluster.local:5000/openshift-marketplace/pcc-operator-catalog:v0.2.0 10 | displayName: Prisma Cloud Compute Operator Catalog 11 | publisher: Palo Alto Networks 12 | updateStrategy: 13 | registryPoll: 14 | interval: 10m0s 15 | -------------------------------------------------------------------------------- /docs/OpenShift/console.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: Console 4 | metadata: 5 | name: pcc-console 6 | namespace: twistlock 7 | spec: 8 | namespace: twistlock 9 | orchestrator: openshift 10 | version: '21_08_520' 11 | consoleConfig: 12 | serviceType: ClusterIP 13 | -------------------------------------------------------------------------------- /docs/OpenShift/consoledefender.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: ConsoleDefender 4 | metadata: 5 | name: pcc-consoledefender 6 | namespace: twistlock 7 | spec: 
8 | namespace: twistlock 9 | orchestrator: openshift 10 | version: '21_08_520' 11 | consoleConfig: 12 | serviceType: ClusterIP 13 | defenderConfig: 14 | docker: false 15 | -------------------------------------------------------------------------------- /docs/OpenShift/defender.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: pcc.paloaltonetworks.com/v1alpha1 3 | kind: Defender 4 | metadata: 5 | name: pcc-defender 6 | namespace: twistlock 7 | spec: 8 | namespace: twistlock 9 | orchestrator: openshift 10 | version: '21_08_520' 11 | defenderConfig: 12 | clusterAddress: twistlock-console 13 | consoleAddress: https://twistlock-console:8083 14 | docker: false 15 | -------------------------------------------------------------------------------- /docs/OpenShift/offline_openshift.md: -------------------------------------------------------------------------------- 1 | This documentation demonstrates the automated [installation](#installation-process) and [upgrade](#upgrade-process) processes for the Prisma Cloud Compute Console and Defenders within an isolated OpenShift Container Platform using the [Operators for isolated environments guidance](https://cloud.redhat.com/blog/is-your-operator-air-gap-friendly). 2 | 3 | In this example we utilize the OCP built-in image registry for the storage of the Console, Defender and Operator images. 4 | For access to the built-in registry from outside the cluster, we set the `defaultRoute` parameter of the `configs.imageregistry.operator.openshift.io` resource to `true`. 5 | This procedure can be found [here](https://docs.openshift.com/container-platform/4.7/registry/securing-exposing-registry.html). 6 | We then tag and push the images with the external registry repository path (e.g. default-route-openshift-image-registry.apps.example.com/twistlock). 7 | If you do not intend to use the external route for the built-in registry, adjust the instructions accordingly. 
8 | 9 | ## Installation Process 10 | On a host that has docker or podman installed and has connectivity to the Internet: 11 | 1. Pull the required images. 12 | - the [operator image](https://quay.io/repository/prismacloud/pcc-operator) 13 | ```bash 14 | docker pull quay.io/prismacloud/pcc-operator:v0.2.0 15 | ``` 16 | - the [operator catalog image](https://quay.io/repository/prismacloud/pcc-operator-catalog) 17 | ```bash 18 | docker pull quay.io/prismacloud/pcc-operator-catalog:v0.2.0 19 | ``` 20 | 21 | - the [Console and Defender images](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/twistlock_container_images.html) for the version you are installing 22 | ```bash 23 | docker pull registry.twistlock.com/twistlock/console:console_22_01_840 24 | docker pull registry.twistlock.com/twistlock/defender:defender_22_01_840 25 | ``` 26 | 27 | 2. Save the images as tarballs. 28 | ```bash 29 | docker save quay.io/prismacloud/pcc-operator:v0.2.0 | gzip > pcc-operator.tar.gz 30 | docker save quay.io/prismacloud/pcc-operator-catalog:v0.2.0 | gzip > pcc-operator-catalog.tar.gz 31 | docker save registry.twistlock.com/twistlock/console:console_22_01_840 | gzip > console.tar.gz 32 | docker save registry.twistlock.com/twistlock/defender:defender_22_01_840 | gzip > defender.tar.gz 33 | ``` 34 | 35 | 3. Download the offline update tool bundle [matching the version to be deployed](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-compute-edition-public-sector/isolated_upgrades/releases.html) (e.g. v21_08_520). 36 | ```bash 37 | wget https://cdn.twistlock.com/isolated_upgrades/v21_08_520/v21_08_520_isolated_update.tar.gz 38 | ``` 39 | 40 | 4. Move the image tarballs and offline update tool bundle to a host that has docker or podman installed and has access to the disconnected cluster. 41 | 42 | 5. Create the Project (namespace) for this deployment (e.g. `twistlock`). 43 | ```bash 44 | oc create ns twistlock 45 | ``` 46 | 47 | 6. 
Load the images. 48 | ```bash 49 | docker load -i pcc-operator.tar.gz 50 | docker load -i pcc-operator-catalog.tar.gz 51 | docker load -i console.tar.gz 52 | docker load -i defender.tar.gz 53 | ``` 54 | 55 | 7. Tag the images for your disconnected registry. 56 | ```bash 57 | docker tag quay.io/prismacloud/pcc-operator:v0.2.0 default-route-openshift-image-registry.apps.example.com/twistlock/pcc-operator:v0.2.0 58 | docker tag quay.io/prismacloud/pcc-operator-catalog:v0.2.0 default-route-openshift-image-registry.apps.example.com/openshift-marketplace/pcc-operator-catalog:v0.2.0 59 | docker tag registry.twistlock.com/twistlock/console:console_22_01_840 default-route-openshift-image-registry.apps.example.com/twistlock/console:console_22_01_840 60 | docker tag registry.twistlock.com/twistlock/defender:defender_22_01_840 default-route-openshift-image-registry.apps.example.com/twistlock/defender:defender_22_01_840 61 | ``` 62 | 8. Push the images to your disconnected registry. 63 | ``` 64 | docker push default-route-openshift-image-registry.apps.example.com/twistlock/pcc-operator:v0.2.0 65 | docker push default-route-openshift-image-registry.apps.example.com/openshift-marketplace/pcc-operator-catalog:v0.2.0 66 | docker push default-route-openshift-image-registry.apps.example.com/twistlock/console:console_22_01_840 67 | docker push default-route-openshift-image-registry.apps.example.com/twistlock/defender:defender_22_01_840 68 | ``` 69 | 70 | 9. Host the offline update tool bundle v21_08_520_isolated_update.tar.gz file in an http/https location where your isolated OpenShift cluster can reach and pull this file. For example, http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz 71 | 72 | 73 | 10. Create the `CatalogSource` object that populates OperatorHub in OpenShift. 74 | 75 | Notice that the `image` specifies the OpenShift cluster's internal image-registry's service name and port (`image-registry.openshift-image-registry.svc.cluster.local:5000`). 
76 | 77 | - Copy the following yaml into a file called [catalogsource.yaml](catalogsource.yaml) 78 | ```yaml 79 | apiVersion: operators.coreos.com/v1alpha1 80 | kind: CatalogSource 81 | metadata: 82 | name: pcc-operator-catalog 83 | namespace: openshift-marketplace 84 | spec: 85 | displayName: Prisma Cloud Compute Operator Catalog 86 | image: image-registry.openshift-image-registry.svc.cluster.local:5000/openshift-marketplace/pcc-operator-catalog:v0.2.0 87 | publisher: Palo Alto Networks 88 | sourceType: grpc 89 | updateStrategy: 90 | registryPoll: 91 | interval: 10m0s 92 | ``` 93 | - Apply the CatalogSource yaml to the cluster 94 | ```bash 95 | oc apply -f catalogsource.yaml 96 | ``` 97 | 11. The Console is licensed and the intial administrator account is created during deployment. The account credentials and license can be supplied as arguments or as a Kubernetes Secret. To deploy using a Kubernetes Secret: 98 | - Copy the following yaml into a file called `pcc-credentials.yaml` 99 | 100 | ```yaml 101 | apiVersion: v1 102 | kind: Secret 103 | metadata: 104 | name: pcc-credentials 105 | namespace: twistlock 106 | data: 107 | accessToken: 108 | license: 109 | password: 110 | username: 111 | ``` 112 | - Quick note: The `password:` comes before the `username:`. 113 | 114 | - Base64 encode your `accessToken`, `license`, `password`, and `username` values and update the `pcc-credentials.yaml` file. For example: 115 | ```bash 116 | $ echo -n "admin" | base64 117 | YWRtaW4= 118 | ``` 119 | 120 | - Create the secret within the cluster. 121 | ```bash 122 | oc apply -f pcc-credentials.yaml 123 | ``` 124 | 125 | 12. In the OCP web console, navigate to **Operators > OperatorHub** and search for `Prisma Cloud Compute Operator`. 126 | You can apply the `Infrastructure features: disconnected` filter to refine the search. 127 | 128 | 13. Install the Prisma Cloud Compute Operator in the `twistlock` namespace. 129 | 130 | 14. 
Update the `pcc-operator` image defined in the Operator's ClusterServiceVersion.yaml `deployments.spec.template.spec.containers` element. 131 | - Go to **Installed Operators > Prisma Cloud Compute Operator > YAML** 132 | - Change (if the digest reported by `docker push` differs from the one shown below, use the reported digest) 133 | ```yaml 134 | image: quay.io/prismacloud/pcc-operator@sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 135 | ``` 136 | to 137 | ```yaml 138 | image: image-registry.openshift-image-registry.svc.cluster.local:5000/twistlock/pcc-operator@sha256:b8fcfbd6c51286c874e00db1bd35523386cec406fa4050ef44c0a887730cf9b8 139 | ``` 140 | - Click `Save` 141 | 142 | 15. Install Console and Defenders. 143 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 144 | - Click **Create instance** in the `Console and Defender` provided API 145 | - In the `Tool Bundle URL` field specify the path (e.g. http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz) to the offline update tool bundle matching the version to be deployed. Host this tar.gz file in an http/https location where your isolated cluster can reach and pull this file. The Prisma Cloud Compute release bundle can be used as well. 146 | - Set `Version` to the version to be deployed (e.g. 22_01_840) 147 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 148 | - **Access Token**: 32-character access token included in the license bundle 149 | - **License**: Product license included in the license bundle 150 | - **Password**: Password to be used for the initial local administrator user. It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install. 151 | - **Username**: Username to be used for the initial local administrator user. 
152 | - In the `Console Installation Options` section: 153 | - **Image Name**: `image-registry.openshift-image-registry.svc.cluster.local:5000/twistlock/console:console_22_01_840` 154 | - In the `Defender Installation Options` section: 155 | - **Image Name**: `image-registry.openshift-image-registry.svc.cluster.local:5000/twistlock/defender:defender_22_01_840` 156 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 157 | - Click `Create` 158 | - Confirm that the Console and Defender containers are running in **Workloads > Pods** 159 | 160 | 16. Create an OpenShift external route to the Console 161 | - Go to **Networking > Routes** 162 | - Click `Create Route` 163 | - Provide a `name` for the route (e.g. twistlock-console) 164 | - Leave `hostname` empty; OpenShift will generate the FQDN based upon the route name (e.g. https://twistlock-console.apps.example.com) 165 | - Drop down `Service` menu and select `twistlock-console` 166 | - Drop down `Target port` menu and select `8083 -> 8083 (TCP)` 167 | - Click the `Secure route` radio button 168 | - Set `TLS Termination` = `Passthrough` 169 | - Drop down `Insecure Traffic` menu and select `Redirect` 170 | - Click `Create` 171 | - Browse to the newly created external route (e.g. https://twistlock-console.apps.example.com) 172 | 173 | 17. Login with the username and password used in the secret or specified in the `Credentials` section. 174 | If you did not use Kubernetes Secrets, reset this account's password in **Manage > Authentication > Users**. 175 | 176 | ## Upgrade Process 177 | The upgrade process will retain the existing deployment's configuration and settings. Upload the new Prisma Cloud Compute Console and Defender images as described in the [installation process](#installation-process) to the isolated cluster. Please consult the release notes first to determine if any additional procedures are required. 
178 | 179 | ### Console Upgrade 180 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 181 | - Click **Create instance** in the `Console` provided API 182 | - In the `Orchestrator` field enter `openshift` 183 | - In the `Tool Bundle URL` field specify the path (e.g. http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz) to the offline update tool bundle matching the version to be deployed. Host this tar.gz file in an http/https location where your isolated cluster can reach and pull this file. The Prisma Cloud Compute release bundle can be used as well. 184 | - Set `Version` to the version to be deployed (e.g. 22_01_840) 185 | - If you are not using Kubernetes Secrets set the following in the `Credentials` section: 186 | - **Access Token**: `license access token` 187 | - **License**: `license key` 188 | - **Password**: `admin account password` 189 | - **Username**: `admin account username` 190 | - In the `Console Installation Options` section: 191 | - **Image Name**: `image-registry.openshift-image-registry.svc.cluster.local:5000/twistlock/console:console_22_01_840` 192 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 193 | - Click `Create` 194 | 195 | ### Defender Upgrade 196 | Once the upgraded Console has been deployed upgrade the Defenders. 197 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 198 | - Click **Create instance** in the `Defender` provided API 199 | - In the `Tool Bundle URL` field specify the path (e.g. http://192.168.49.2:30001/v21_08_520_isolated_update.tar.gz) to the offline update tool bundle matching the version to be deployed. Host this tar.gz file in an http/https location where your isolated cluster can reach and pull this file. The Prisma Cloud Compute release bundle can be used as well. 200 | - Set `Version` to the version to be deployed (e.g. 
22_01_840) 201 | - In the `Credentials` section: 202 | - **Password**: password of an account that has the defender-manager or higher role 203 | - **Username**: username of an account that has the defender-manager or higher role (prefer a dedicated, least-privilege account over the initial administrator) 204 | - In the `Defender Installation Options` section: 205 | - **Cluster Address**: `twistlock-console`, the name of the Console's Service; Defender uses it to verify the Console certificate, so it must be one of the SANs listed at Manage > Defenders > Names 206 | - **Console Address**: `https://twistlock-console:8083`, the Console's service API endpoint 207 | - **Image Name**: `image-registry.openshift-image-registry.svc.cluster.local:5000/twistlock/defender:defender_22_01_840` 208 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 209 | - Click `Create` 210 | -------------------------------------------------------------------------------- /docs/OpenShift/openshift.md: -------------------------------------------------------------------------------- 1 | # OpenShift Deployment 2 | 3 | This documentation demonstrates the automated [installation](#installation-process) and [upgrade](#upgrade-process) processes for the Prisma Cloud Compute Console and Defenders within an OpenShift Container Platform that is able to communicate with the [Red Hat Community Operators](https://github.com/redhat-openshift-ecosystem/community-operators-prod/tree/main/operators) and the [Prisma Cloud Compute container registry](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/twistlock_container_images.html). 4 | 5 | ## Installation Process 6 | 1. Create the Project (namespace) for this deployment (e.g. `twistlock`). 7 | ```bash 8 | oc create ns twistlock 9 | ``` 10 | 11 | 2. The Console is licensed and the initial administrator account is created during deployment. The account credentials and license can be supplied as arguments or as a Kubernetes Secret.
To deploy using a Kubernetes Secret: 12 | - Copy the following yaml into a file called [pcc-credentials.yaml](pcc-credentials.yaml) 13 | 14 | ```yaml 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: pcc-credentials 19 | namespace: twistlock 20 | data: 21 | accessToken: 22 | license: 23 | password: 24 | username: 25 | ``` 26 | 27 | - Base64 encode your `accessToken`, `license`, `password`, and `username` values and update the `pcc-credentials.yaml` file. For example: 28 | ```bash 29 | $ echo -n "admin" | base64 30 | YWRtaW4= 31 | ``` 32 | Base64 is an encoding, not encryption: anyone allowed to read Secrets in the `twistlock` namespace can recover these values, so restrict that RBAC permission accordingly. Typing a password into `echo` also leaves it in your shell history; encoding from a file avoids that, and on Linux add `-w0` so long values such as the license are not line-wrapped. 33 | - Create the secret within the cluster. 34 | ```bash 35 | oc apply -f pcc-credentials.yaml 36 | ``` 37 | 38 | 3. In the OCP web console, navigate to **Operators > OperatorHub** and search for `Prisma Cloud Compute Operator`. Select the community Operator. 39 | 40 | 4. Install the Prisma Cloud Compute Operator in the `twistlock` namespace. 41 | 42 | 5. Install Console and Defenders. 43 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 44 | - Click **Create instance** in the `Console and Defender` provided API 45 | - In the `Tool Bundle URL` field specify the URL of the update tool bundle matching the version to be deployed. The Prisma Cloud Compute release bundle can be used as well. The operator downloads this bundle and executes the `twistcli` binary it contains, so serve it over HTTPS from a source you trust; if the field is left empty, the isolated-upgrade bundle for `Version` is fetched from the Prisma Cloud CDN. 46 | - Set `Version` to the version to be deployed (e.g. 21_08_520). 47 | If installing Defenders only, be sure to verify the version of your Console and use the same version for Defender deployment. 48 | - If you are not using Kubernetes Secrets set the following in the [Credentials](resource_spec.md) section: 49 | 50 | - **Access Token**: 32-character access token included in the license bundle 51 | - **License**: Product license included in the license bundle 52 | - **Password**: Password to be used for the initial local administrator user. It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install.
53 | - **Username**: Username to be used for the initial local administrator user. 54 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 55 | - Click `Create` 56 | - Confirm that the Console and Defender containers are running in **Workloads > Pods** 57 | 58 | 6. Create OpenShift external route to the Console 59 | - Go to **Networking > Routes** 60 | - Click `Create Route` 61 | - Provide a `name` for the route (e.g. twistlock-console) 62 | - Leave `hostname` empty, OpenShift will generate the FQDN based upon the route name (e.g. https://twistlock-console.apps.example.com) 63 | - Drop down `Service` menu and select `twistlock-console` 64 | - Drop down `Target port` menu and select `8083 -> 8083 (TCP)` 65 | - Click the `Secure route` radio button 66 | - Set `TLS Termination` = `Passthrough` (the TLS session terminates at the Console itself, so the router never holds the Console's private key and clients see the Console's own certificate) 67 | - Drop down `Insecure Traffic` menu and select `Redirect` (plain-HTTP requests are redirected to HTTPS instead of being served) 68 | - Click `Create` 69 | - Browse to the newly created external route (e.g. https://twistlock-console.apps.example.com) 70 | 71 | 7. Login with the username and password specified in the `Credentials` section. If you did not use a Kubernetes Secret, the password is stored in plain text in the custom resource spec, so reset this account's password immediately in **Manage > Authentication > Users**. 72 | 73 | ## Upgrade Process 74 | The upgrade process will retain the existing deployment's configuration and settings. Please consult the release notes first to determine if any additional procedures are required. 75 | 76 | ### Console Upgrade 77 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 78 | - Click **Create instance** in the `Console` provided API 79 | - In the `Orchestrator` field enter `openshift` 80 | - In the `Tool Bundle URL` field specify the URL of the update tool bundle matching the version to be deployed. The Prisma Cloud Compute release bundle can be used as well. 81 | - Set `Version` to the version to be deployed (e.g.
21_08_520) 82 | - If you are not using Kubernetes Secrets set the following in the `Credentials` section: 83 | - **Access Token**: `license access token` 84 | - **License**: `license key` 85 | - **Password**: `admin account password` 86 | - **Username**: `admin account username` 87 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 88 | - Click `Create` 89 | 90 | ### Defender Upgrade 91 | Once the upgraded Console has been deployed upgrade the Defenders. 92 | - Within the `twistlock` Project go to **Installed Operators > Prisma Cloud Compute Operator > Details** 93 | - Click **Create instance** in the `Defender` provided API 94 | - In the `Tool Bundle URL` field specify the path to the update tool bundle matching the version to be deployed. The Prisma Cloud Compute release bundle can be used as well. 95 | - Set `Version` to the version to be deployed (e.g. 21_08_520) 96 | - In the `Credentials` section: 97 | - **Password**: password to an account that has defender-manager or higher role 98 | - **Username**: username to an account that has defender-manager or higher role 99 | - In the `Defender Installation Options` section: 100 | - **Cluster Address**: `twistlock-console` name of the Console's service 101 | - **Console Address**: `https://twistlock-console:8083` Console's service API endpoint 102 | - Refer to the [field necessity table](resource_spec.md) for additional field details. 
103 | - Click `Create` 104 | -------------------------------------------------------------------------------- /docs/OpenShift/pcc-credentials.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: pcc-credentials 6 | namespace: twistlock 7 | data: 8 | accessToken: 9 | license: 10 | password: 11 | username: -------------------------------------------------------------------------------- /docs/OpenShift/resource_spec.md: -------------------------------------------------------------------------------- 1 | # Resource specification 2 | 3 | ## Notes 4 | - If `toolBundleUrl` is not specified, the tool bundle URL is built using `version`: the isolated-upgrade tarball for that version is fetched from the Prisma Cloud CDN over HTTPS. Whichever URL is used, the operator extracts the bundle and executes the `twistcli` it contains without an integrity check of its own, so only point `toolBundleUrl` at a source you trust. 5 | - If `consoleConfig.imageName` is not specified, the image name is built using `version` and `credentials.accessToken`: the token becomes part of the registry path (`registry-auth.twistlock.com/tw_<accessToken>/twistlock/console:console_<version>`) and is therefore readable by anyone who can view the rendered Console Deployment or its Pods. 6 | 7 | ## ConsoleDefender 8 | - **apiVersion**: pcc.paloaltonetworks.com/v1alpha1 9 | - **kind**: ConsoleDefender 10 | - **metadata** ([ObjectMeta](https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta)) 11 | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 12 | - **spec** ([ConsoleDefenderSpec](#ConsoleDefenderSpec)) 13 | 14 | ## ConsoleDefenderSpec 15 | - **namespace** (string), required 16 | Namespace in which the Console and Defenders will be deployed. 17 | This should be the same namespace as the operator itself. 18 | Default is twistlock. 19 | - **orchestrator** (string), required 20 | Orchestrator being used. Must be kubernetes or openshift. 21 | - **toolBundleUrl** (string), recommended 22 | URL of the tool bundle containing twistcli, the tool used to generate Prisma Cloud Compute YAML files. 23 | Can either be an [isolated upgrade](https://docs.twistlock.com/docs/government/isolated_upgrades/isolated_upgrades.html) tarball or a release tarball URL.
24 | - **version** (string), required 25 | Version of Prisma Cloud Compute to install. 26 | - **credentials** (PrismaCloudComputeCredentials) 27 | Sensitive data to be used during installation. 28 | Be aware that these credentials will be visible in the custom resource spec. 29 | Only use this section if you cannot use secrets for whatever reason. 30 | - **credentials.accessToken** (string), required 31 | 32-character lowercase access token included in the license bundle. 32 | - **credentials.license** (string), required 33 | Product license included in the license bundle. 34 | - **credentials.password** (string), required 35 | Password to be used for the initial local administrator user. 36 | It is highly recommended that you change the password for this user in the Prisma Cloud Compute Console after install. 37 | Default is change_me_after_install. 38 | - **credentials.username** (string), required 39 | Username to be used for the initial local administrator user. 40 | Default is admin. 41 | - **consoleConfig** (PrismaCloudComputeConsoleConfig) 42 | Options for installing Console. 43 | They are ultimately passed to `twistcli` for YAML generation. 44 | - **consoleConfig.imagePullSecret** (string) 45 | Secret needed to pull the Console image when using a private registry. 46 | - **consoleConfig.imageName** (string) 47 | Console image to deploy. 48 | If no value is specified, the image is pulled from the Prisma Cloud Compute registry. 49 | - **consoleConfig.nodeLabels** (string) 50 | Label to use as a nodeSelector for Console. 51 | Specify a label and value (e.g. "kubernetes.io/hostname=node-name"). 52 | - **consoleConfig.persistentVolumeLabels** (string) 53 | Label to match the PVC to the PV. 54 | - **consoleConfig.persistentVolumeStorage** (string) 55 | Storage size of the PV. 56 | Default is 100Gi. 57 | - **consoleConfig.runAsUser** (string) 58 | Run Console as UID 2674 (requires manual pre-configuration of ownership and permissions of the PV). 
59 | Must be true or false. 60 | - **consoleConfig.serviceType** (string) 61 | Service type for exposing Console. Supported values are ClusterIP, NodePort, and LoadBalancer. 62 | Default is ClusterIP. 63 | - **consoleConfig.storageClass** (string) 64 | StorageClass to use when dynamically provisioning a PV for Console. 65 | A PV is dynamically provisioned if twistcli cannot find the PV specified with the Persistent Volume Label option. 66 | If no StorageClass is specified, the default StorageClass is used. 67 | - **defenderConfig** (PrismaCloudComputeDefenderConfig) 68 | Options for installing Defender. 69 | They are ultimately passed to `twistcli` for YAML generation. 70 | - **defenderConfig.cluster** (string) 71 | A cluster name to identify the openshift cluster. 72 | If no value specified, defender will try to automatically get the cluster name from the cloud provider. 73 | - **defenderConfig.clusterAddress** (string) 74 | Host name used by Defender to verify Console certificate. 75 | Must be one of the SANs listed at Manage > Defenders > Names. 76 | - **defenderConfig.collectPodLabels** (string) 77 | Must be true or false. 78 | - **defenderConfig.consoleAddress** (string) 79 | URL of the Console. 80 | - **defenderConfig.docker** (string) 81 | Hook into Docker runtime. 82 | Enable only if the cluster is using Docker. 83 | - **defenderConfig.dockerSocketPath** (string) 84 | Path to docker.sock. 85 | Ignore if not using Docker. 86 | - **defenderConfig.imagePullSecret** (string) 87 | Secret needed to pull the Defender image when using a private registry. 88 | - **defenderConfig.imageName** (string) 89 | Defender image to deploy. 90 | If no value is specified, the image is pulled from the Prisma Cloud Compute registry. 91 | - **defenderConfig.monitorIstio** (string) 92 | Must be true or false. 93 | - **defenderConfig.monitorServiceAccounts** (string) 94 | Must be true or false. 
95 | - **defenderConfig.nodeLabels** (string) 96 | Label to use as a nodeSelector for Defenders. Specify a label and value (e.g. 'kubernetes.io/hostname: "node-name"'). 97 | - **defenderConfig.privileged** (string) 98 | Run Defender in privileged mode. 99 | Must be true or false. 100 | - **defenderConfig.project** (string) 101 | Project to which Defenders will connect. 102 | - **defenderConfig.proxyAddress** (string) 103 | Proxy address for Defender-to-Console communication. 104 | - **defenderConfig.proxyCa** (string) 105 | Proxy's CA certificate for Console to trust, encoded in base64. 106 | Required when using TLS-intercept proxies. 107 | - **defenderConfig.proxyPassword** (string) 108 | Password for authenticating with the proxy. 109 | - **defenderConfig.proxyUsername** (string) 110 | Username for authenticating with the proxy. 111 | - **defenderConfig.selinuxEnabled** (string) 112 | Use the spc_t SELinux type. 113 | Must be true or false. 114 | - **defenderConfig.toleration** (string) 115 | Deploy Defenders with a toleration. 116 | Must be true or false. 117 | - **defenderConfig.tolerationKey** (string) 118 | Taint key that the toleration applies to. 119 | Default is node-role.kubernetes.io/master. 120 | - **defenderConfig.tolerationEffect** (string) 121 | Taint effect to match. 122 | Default is NoSchedule. 
123 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Prisma Cloud Compute Operator 2 | 3 | Example Operator deployments within Kubernetes and OpenShift clusters: 4 | - [Kubernetes cluster with Internet access](./Kubernetes/kubernetes.md) 5 | - [Kubernetes cluster within an isolated environment](./Kubernetes/offline_kubernetes.md) 6 | - [Openshift cluster with Internet access](./OpenShift/openshift.md) 7 | - [Openshift cluster within an isolated environment](./OpenShift/offline_openshift.md) -------------------------------------------------------------------------------- /licenses/twistlock-license.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PaloAltoNetworks/prisma-cloud-compute-operator/8e5142022fe7c1cda9b08d88120dccaa34a7b24c/licenses/twistlock-license.pdf -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: localhost 4 | connection: local 5 | gather_facts: no 6 | collections: 7 | - community.kubernetes 8 | 9 | tasks: 10 | - name: Create Namespace 11 | k8s: 12 | api_version: v1 13 | kind: Namespace 14 | name: '{{ namespace }}' 15 | 16 | - import_tasks: kustomize.yml 17 | vars: 18 | state: present 19 | -------------------------------------------------------------------------------- /molecule/default/create.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | tasks: [] 7 | -------------------------------------------------------------------------------- /molecule/default/destroy.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | - name: Destroy 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | collections: 7 | - community.kubernetes 8 | 9 | tasks: 10 | - import_tasks: kustomize.yml 11 | vars: 12 | state: absent 13 | 14 | - name: Destroy Namespace 15 | k8s: 16 | api_version: v1 17 | kind: Namespace 18 | name: '{{ namespace }}' 19 | state: absent 20 | 21 | - name: Unset pull policy 22 | command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml' 23 | args: 24 | chdir: '{{ config_dir }}/testing' 25 | -------------------------------------------------------------------------------- /molecule/default/kustomize.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Build kustomize testing overlay 3 | # load_restrictor must be set to none so we can load patch files from the default overlay 4 | command: '{{ kustomize }} build --load_restrictor none .' 5 | args: 6 | chdir: '{{ config_dir }}/testing' 7 | register: resources 8 | changed_when: false 9 | 10 | - name: Set resources to {{ state }} 11 | k8s: 12 | definition: '{{ item }}' 13 | state: '{{ state }}' 14 | wait: yes 15 | loop: '{{ resources.stdout | from_yaml_all | list }}' 16 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | driver: 5 | name: delegated 6 | lint: | 7 | set -e 8 | yamllint -d "{extends: relaxed, rules: {line-length: {max: 120}}}" . 
9 | platforms: 10 | - name: cluster 11 | groups: 12 | - k8s 13 | provisioner: 14 | name: ansible 15 | lint: | 16 | set -e 17 | ansible-lint 18 | inventory: 19 | group_vars: 20 | all: 21 | namespace: ${TEST_OPERATOR_NAMESPACE:-osdk-test} 22 | host_vars: 23 | localhost: 24 | ansible_python_interpreter: '{{ ansible_playbook_python }}' 25 | config_dir: ${MOLECULE_PROJECT_DIRECTORY}/config 26 | samples_dir: ${MOLECULE_PROJECT_DIRECTORY}/config/samples 27 | operator_image: ${OPERATOR_IMAGE:-""} 28 | operator_pull_policy: ${OPERATOR_PULL_POLICY:-"Always"} 29 | kustomize: ${KUSTOMIZE_PATH:-kustomize} 30 | env: 31 | K8S_AUTH_KUBECONFIG: ${KUBECONFIG:-"~/.kube/config"} 32 | verifier: 33 | name: ansible 34 | lint: | 35 | set -e 36 | ansible-lint 37 | -------------------------------------------------------------------------------- /molecule/default/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | 7 | tasks: 8 | - name: Ensure operator image is set 9 | fail: 10 | msg: | 11 | You must specify the OPERATOR_IMAGE environment variable in order to run the 12 | 'default' scenario 13 | when: not operator_image 14 | 15 | - name: Set testing image 16 | command: '{{ kustomize }} edit set image testing={{ operator_image }}' 17 | args: 18 | chdir: '{{ config_dir }}/testing' 19 | 20 | - name: Set pull policy 21 | command: '{{ kustomize }} edit add patch pull_policy/{{ operator_pull_policy }}.yaml' 22 | args: 23 | chdir: '{{ config_dir }}/testing' 24 | 25 | - name: Set testing namespace 26 | command: '{{ kustomize }} edit set namespace {{ namespace }}' 27 | args: 28 | chdir: '{{ config_dir }}/testing' 29 | -------------------------------------------------------------------------------- /molecule/default/tasks/console_test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create the 
pcc.paloaltonetworks.com/v1alpha1.Console 3 | k8s: 4 | state: present 5 | namespace: '{{ namespace }}' 6 | definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}" 7 | wait: yes 8 | wait_timeout: 300 9 | wait_condition: 10 | type: Running 11 | reason: Successful 12 | status: "True" 13 | vars: 14 | cr_file: 'pcc_v1alpha1_console.yaml' 15 | 16 | - name: Add assertions here 17 | assert: 18 | that: false 19 | fail_msg: FIXME Add real assertions for your operator 20 | -------------------------------------------------------------------------------- /molecule/default/tasks/consoledefender_test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create the pcc.paloaltonetworks.com/v1alpha1.ConsoleDefender 3 | k8s: 4 | state: present 5 | namespace: '{{ namespace }}' 6 | definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}" 7 | wait: yes 8 | wait_timeout: 300 9 | wait_condition: 10 | type: Running 11 | reason: Successful 12 | status: "True" 13 | vars: 14 | cr_file: 'pcc_v1alpha1_consoledefender.yaml' 15 | 16 | - name: Add assertions here 17 | assert: 18 | that: false 19 | fail_msg: FIXME Add real assertions for your operator 20 | -------------------------------------------------------------------------------- /molecule/default/tasks/defender_test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create the pcc.paloaltonetworks.com/v1alpha1.Defender 3 | k8s: 4 | state: present 5 | namespace: '{{ namespace }}' 6 | definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}" 7 | wait: yes 8 | wait_timeout: 300 9 | wait_condition: 10 | type: Running 11 | reason: Successful 12 | status: "True" 13 | vars: 14 | cr_file: 'pcc_v1alpha1_defender.yaml' 15 | 16 | - name: Add assertions here 17 | assert: 18 | that: false 19 | fail_msg: FIXME Add real assertions for your operator 20 | 
-------------------------------------------------------------------------------- /molecule/default/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Verify 3 | hosts: localhost 4 | connection: local 5 | gather_facts: no 6 | collections: 7 | - community.kubernetes 8 | 9 | vars: 10 | ctrl_label: control-plane=controller-manager 11 | 12 | tasks: 13 | - block: 14 | - name: Import all test files from tasks/ 15 | include_tasks: '{{ item }}' 16 | with_fileglob: 17 | - tasks/*_test.yml 18 | rescue: 19 | - name: Retrieve relevant resources 20 | k8s_info: 21 | api_version: '{{ item.api_version }}' 22 | kind: '{{ item.kind }}' 23 | namespace: '{{ namespace }}' 24 | loop: 25 | - api_version: v1 26 | kind: Pod 27 | - api_version: apps/v1 28 | kind: Deployment 29 | - api_version: v1 30 | kind: Secret 31 | - api_version: v1 32 | kind: ConfigMap 33 | register: debug_resources 34 | 35 | - name: Retrieve Pod logs 36 | k8s_log: 37 | name: '{{ item.metadata.name }}' 38 | namespace: '{{ namespace }}' 39 | container: manager 40 | loop: "{{ q('k8s', api_version='v1', kind='Pod', namespace=namespace, label_selector=ctrl_label) }}" 41 | register: debug_logs 42 | 43 | - name: Output gathered resources 44 | debug: 45 | var: debug_resources 46 | 47 | - name: Output gathered logs 48 | debug: 49 | var: item.log_lines 50 | loop: '{{ debug_logs.results }}' 51 | 52 | - name: Re-emit failure 53 | vars: 54 | failed_task: 55 | result: '{{ ansible_failed_result }}' 56 | fail: 57 | msg: '{{ failed_task }}' 58 | -------------------------------------------------------------------------------- /molecule/kind/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: localhost 4 | connection: local 5 | gather_facts: no 6 | 7 | tasks: 8 | - name: Build operator image 9 | docker_image: 10 | build: 11 | path: '{{ project_dir }}' 12 | pull: no 13 | name: '{{ operator_image 
}}' 14 | tag: latest 15 | push: no 16 | source: build 17 | force_source: yes 18 | 19 | - name: Load image into kind cluster 20 | command: kind load docker-image --name osdk-test '{{ operator_image }}' 21 | register: result 22 | changed_when: '"not yet present" in result.stdout' 23 | 24 | - import_playbook: ../default/converge.yml 25 | -------------------------------------------------------------------------------- /molecule/kind/create.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | tasks: 7 | - name: Create test kind cluster 8 | command: kind create cluster --name osdk-test --kubeconfig {{ kubeconfig }} 9 | -------------------------------------------------------------------------------- /molecule/kind/destroy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Destroy 3 | hosts: localhost 4 | connection: local 5 | gather_facts: false 6 | collections: 7 | - community.kubernetes 8 | 9 | tasks: 10 | - name: Destroy test kind cluster 11 | command: kind delete cluster --name osdk-test --kubeconfig {{ kubeconfig }} 12 | 13 | - name: Unset pull policy 14 | command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml' 15 | args: 16 | chdir: '{{ config_dir }}/testing' 17 | -------------------------------------------------------------------------------- /molecule/kind/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | driver: 5 | name: delegated 6 | lint: | 7 | set -e 8 | yamllint -d "{extends: relaxed, rules: {line-length: {max: 120}}}" . 
9 | platforms: 10 | - name: cluster 11 | groups: 12 | - k8s 13 | provisioner: 14 | name: ansible 15 | playbooks: 16 | prepare: ../default/prepare.yml 17 | verify: ../default/verify.yml 18 | lint: | 19 | set -e 20 | ansible-lint 21 | inventory: 22 | group_vars: 23 | all: 24 | namespace: ${TEST_OPERATOR_NAMESPACE:-osdk-test} 25 | host_vars: 26 | localhost: 27 | ansible_python_interpreter: '{{ ansible_playbook_python }}' 28 | config_dir: ${MOLECULE_PROJECT_DIRECTORY}/config 29 | samples_dir: ${MOLECULE_PROJECT_DIRECTORY}/config/samples 30 | project_dir: ${MOLECULE_PROJECT_DIRECTORY} 31 | operator_image: testing-operator 32 | operator_pull_policy: "Never" 33 | kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" 34 | kustomize: ${KUSTOMIZE_PATH:-kustomize} 35 | env: 36 | K8S_AUTH_KUBECONFIG: ${MOLECULE_EPHEMERAL_DIRECTORY}/kubeconfig 37 | KUBECONFIG: ${MOLECULE_EPHEMERAL_DIRECTORY}/kubeconfig 38 | verifier: 39 | name: ansible 40 | lint: | 41 | set -e 42 | ansible-lint 43 | -------------------------------------------------------------------------------- /openshift-extras.txt: -------------------------------------------------------------------------------- 1 | # Bundle annotations since they get overwritten every `make bundle`. 2 | # Copy the three annotations and comments below into the bundle/metadata/annotations.yaml file. 3 | 4 | # Annotations for OpenShift. 5 | # https://redhat-connect.gitbook.io/certified-operator-guide/ocp-deployment/operator-metadata/bundle-directory 6 | com.redhat.delivery.backport: true 7 | com.redhat.delivery.operator.bundle: true 8 | com.redhat.openshift.versions: v4.5-v4.7 9 | 10 | 11 | # Bundle Dockerfile LABELs also get overwritten. 12 | # Copy the three LABELs and comments below into the bundle.Dockerfile file. 13 | 14 | # Labels for OpenShift. 
15 | # https://redhat-connect.gitbook.io/certified-operator-guide/ocp-deployment/operator-metadata/bundle-directory 16 | LABEL com.redhat.delivery.backport=true 17 | LABEL com.redhat.delivery.operator.bundle=true 18 | LABEL com.redhat.openshift.versions=v4.5-v4.7 19 | -------------------------------------------------------------------------------- /requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | collections: 3 | - name: kubernetes.core 4 | - name: operator_sdk.util 5 | -------------------------------------------------------------------------------- /roles/console/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- # Console role: fetch the twistcli bundle, render the Console manifest with it, apply the manifest, then bootstrap the first admin user and install the license through the Console API 2 | - name: Create Twistlock tools directory 3 | file: 4 | path: "{{ work_dir }}/tools" 5 | state: directory 6 | mode: 0700 # owner-only: the downloaded bundle and the twistcli binary are extracted here 7 | register: tools_dir 8 | 9 | - name: Extract twistcli-linux.zip to tools directory 10 | unarchive: 11 | src: "{{ toolBundleUrl if toolBundleUrl is defined else 'https://storage.googleapis.com/twistlock-cdn/isolated_upgrades/v' + version + '/v' + version + '_isolated_update.tar.gz' }}" 12 | dest: "{{ tools_dir.path }}" 13 | remote_src: true # NOTE(review): the archive comes from the CR-supplied toolBundleUrl (or the CDN URL above) and the twistcli inside it is executed by the next task; nothing here verifies a checksum or signature, so the URL must point at a trusted source 14 | 15 | - name: Create Console YAML file # when consoleConfig.imageName is unset the image path embeds access_token (registry-auth.twistlock.com/tw_<token>/...), so the token ends up in the rendered Deployment spec 16 | command: > 17 | linux/twistcli console export {{ orchestrator }} 18 | {{ ('--image-pull-secrets ' + consoleConfig.imagePullSecret) if consoleConfig.imagePullSecret is defined else '' }} 19 | --image-name {{ consoleConfig.imageName if consoleConfig.imageName is defined else 'registry-auth.twistlock.com/tw_' + access_token + '/twistlock/console:console_' + version }} 20 | {{ ('--namespace ' + namespace) if namespace is defined else '' }} 21 | {{ ('--node-labels ' + consoleConfig.nodeLabels) if consoleConfig.nodeLabels is defined else '' }} 22 | {{ ('--persistent-volume-labels ' + consoleConfig.persistentVolumeLabels) if consoleConfig.persistentVolumeLabels is defined else '' }} 23 | {{ ('--persistent-volume-storage ' + 
consoleConfig.persistentVolumeStorage) if consoleConfig.persistentVolumeStorage is defined else '' }} 24 | {{ '--run-as-user' if consoleConfig.runAsUser else '' }} 25 | {{ ('--service-type ' + consoleConfig.serviceType) if consoleConfig.serviceType is defined else '' }} 26 | {{ ('--storage-class ' + consoleConfig.storageClass) if consoleConfig.storageClass is defined else '' }} 27 | --output {{ work_dir }} 28 | args: 29 | chdir: "{{ tools_dir.path }}" 30 | 31 | - name: Create Console from YAML file # applies the manifest twistcli wrote to work_dir 32 | k8s: 33 | src: "{{ work_dir }}/twistlock_console.yaml" 34 | 35 | - name: Wait for Console to start up # polls the in-cluster Service for up to 60 x 5 s = 5 min 36 | uri: 37 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/_ping 38 | validate_certs: false # NOTE(review): TLS verification is disabled for the in-cluster Console endpoint (presumably because Console boots with a self-signed certificate); the admin credentials and license sent by the two tasks below travel over the same unverified connection — confirm whether the Console certificate can be trusted instead 39 | method: GET 40 | register: result 41 | until: result.status == 200 42 | retries: 60 43 | delay: 5 44 | 45 | - name: Create first admin user 46 | uri: 47 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/signup 48 | validate_certs: false # unverified TLS, see the _ping task above 49 | method: POST 50 | body_format: json 51 | body: { 52 | "username": "{{ username }}", 53 | "password": "{{ password }}" 54 | } 55 | status_code: [200, 400] # 400 is tolerated so a re-run of the role does not fail — presumably what signup returns once an admin already exists; verify against the Console API 56 | 57 | - name: Add license to Console 58 | uri: 59 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/settings/license 60 | validate_certs: false # unverified TLS, see the _ping task above 61 | url_username: "{{ username }}" 62 | url_password: "{{ password }}" 63 | force_basic_auth: true # send the Basic credentials pre-emptively instead of waiting for a 401 challenge 64 | method: POST 65 | body_format: json 66 | body: { 67 | "key": "{{ license }}" 68 | } 69 | -------------------------------------------------------------------------------- /roles/console/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | access_token: "{{ lookup('env', 'PCC_ACCESS_TOKEN') or credentials.accessToken }}" 3 | license: "{{ lookup('env', 'PCC_LICENSE') or credentials.license }}" 4 | password: "{{ lookup('env', 'PCC_PASSWORD') or credentials.password }}" 5 | username: "{{ lookup('env', 'PCC_USERNAME') or credentials.username }}" 6 | 
7 | work_dir: /opt/ansible/twistlock 8 | -------------------------------------------------------------------------------- /roles/consoledefender/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create Twistlock tools directory 3 | file: 4 | path: "{{ work_dir }}/tools" 5 | state: directory 6 | mode: 0700 7 | register: tools_dir 8 | 9 | - name: Extract twistcli-linux.zip to tools directory 10 | unarchive: 11 | src: "{{ toolBundleUrl if toolBundleUrl is defined else 'https://storage.googleapis.com/twistlock-cdn/isolated_upgrades/v' + version + '/v' + version + '_isolated_update.tar.gz' }}" 12 | dest: "{{ tools_dir.path }}" 13 | remote_src: true 14 | 15 | - name: Create Console YAML file 16 | command: > 17 | linux/twistcli console export {{ orchestrator }} 18 | {{ ('--image-pull-secrets ' + consoleConfig.imagePullSecret) if consoleConfig.imagePullSecret is defined else '' }} 19 | --image-name {{ consoleConfig.imageName if consoleConfig.imageName is defined else 'registry-auth.twistlock.com/tw_' + access_token + '/twistlock/console:console_' + version }} 20 | {{ ('--namespace ' + namespace) if namespace is defined else '' }} 21 | {{ ('--node-labels ' + consoleConfig.nodeLabels) if consoleConfig.nodeLabels is defined else '' }} 22 | {{ ('--persistent-volume-labels ' + consoleConfig.persistentVolumeLabels) if consoleConfig.persistentVolumeLabels is defined else '' }} 23 | {{ ('--persistent-volume-storage ' + consoleConfig.persistentVolumeStorage) if consoleConfig.persistentVolumeStorage is defined else '' }} 24 | {{ '--run-as-user' if consoleConfig.runAsUser else '' }} 25 | {{ ('--service-type ' + consoleConfig.serviceType) if consoleConfig.serviceType is defined else '' }} 26 | {{ ('--storage-class ' + consoleConfig.storageClass) if consoleConfig.storageClass is defined else '' }} 27 | --output {{ work_dir }} 28 | args: 29 | chdir: "{{ tools_dir.path }}" 30 | 31 | - name: Create Console from YAML file 
32 | k8s: 33 | src: "{{ work_dir }}/twistlock_console.yaml" 34 | 35 | - name: Wait for Console to start up 36 | uri: 37 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/_ping 38 | validate_certs: false 39 | method: GET 40 | register: result 41 | until: result.status == 200 42 | retries: 60 43 | delay: 5 44 | 45 | - name: Create first admin user 46 | uri: 47 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/signup 48 | validate_certs: false 49 | method: POST 50 | body_format: json 51 | body: { 52 | "username": "{{ username }}", 53 | "password": "{{ password }}" 54 | } 55 | status_code: [200, 400] 56 | 57 | - name: Add license to Console 58 | uri: 59 | url: https://twistlock-console.{{ namespace }}:8083/api/v1/settings/license 60 | validate_certs: false 61 | url_username: "{{ username }}" 62 | url_password: "{{ password }}" 63 | force_basic_auth: true 64 | method: POST 65 | body_format: json 66 | body: { 67 | "key": "{{ license }}" 68 | } 69 | 70 | - name: Create Defender YAML file 71 | command: > 72 | linux/twistcli defender export {{ orchestrator }} 73 | --user {{ username }} 74 | --address https://twistlock-console.{{ namespace }}:8083 75 | --cluster-address twistlock-console 76 | {{ ('--cluster ' + defenderConfig.cluster) if defenderConfig.cluster is defined else '' }} 77 | {{ '--collect-pod-labels' if defenderConfig.collectPodLabels else '' }} 78 | {{ '--cri' if not defenderConfig.docker else '' }} 79 | {{ ('--docker-socket-path ' + defenderConfig.dockerSocketPath) if defenderConfig.dockerSocketPath is defined else '' }} 80 | {{ ('--image-pull-secrets ' + defenderConfig.imagePullSecret) if defenderConfig.imagePullSecret is defined else '' }} 81 | {{ ('--image-name ' + defenderConfig.imageName) if defenderConfig.imageName is defined else '' }} 82 | {{ '--monitor-istio' if defenderConfig.monitorIstio else '' }} 83 | {{ '--monitor-service-accounts' if defenderConfig.monitorServiceAccounts else '' }} 84 | {{ ('--namespace ' + namespace) if 
namespace is defined else '' }} 85 | {{ ("--nodeSelector '" + defenderConfig.nodeLabels + "'") if defenderConfig.nodeLabels is defined else '' }} 86 | {{ '--privileged' if defenderConfig.privileged else '' }} 87 | {{ ('--project ' + defenderConfig.project) if defenderConfig.project is defined else '' }} 88 | {{ ('--proxy-address ' + defenderConfig.proxyAddress) if defenderConfig.proxyAddress is defined else '' }} 89 | {{ ('--proxy-ca ' + defenderConfig.proxyCa) if defenderConfig.proxyCa is defined else '' }} 90 | {{ ('--proxy-password ' + defenderConfig.proxyPassword) if defenderConfig.proxyPassword is defined else '' }} 91 | {{ ('--proxy-user ' + defenderConfig.proxyUsername) if defenderConfig.proxyUsername is defined else '' }} 92 | {{ '--selinux-enabled' if defenderConfig.selinuxEnabled else '' }} 93 | --output {{ work_dir }}/twistlock_defender.yaml 94 | args: 95 | chdir: "{{ tools_dir.path }}" 96 | stdin: "{{ password }}" 97 | 98 | - name: Add toleration to YAML file 99 | lineinfile: 100 | path: "{{ work_dir }}/twistlock_defender.yaml" 101 | insertbefore: ^\s+containers:$ 102 | line: |2- 103 | tolerations: 104 | - key: {{ defenderConfig.tolerationKey }} 105 | operator: "Exists" 106 | effect: {{ defenderConfig.tolerationEffect }} 107 | when: defenderConfig.toleration | bool 108 | 109 | 110 | - name: Create Defender from YAML file 111 | k8s: 112 | src: "{{ work_dir }}/twistlock_defender.yaml" 113 | -------------------------------------------------------------------------------- /roles/consoledefender/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | access_token: "{{ lookup('env', 'PCC_ACCESS_TOKEN') or credentials.accessToken }}" 3 | license: "{{ lookup('env', 'PCC_LICENSE') or credentials.license }}" 4 | password: "{{ lookup('env', 'PCC_PASSWORD') or credentials.password }}" 5 | username: "{{ lookup('env', 'PCC_USERNAME') or credentials.username }}" 6 | 7 | work_dir: /opt/ansible/twistlock 8 | 
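-------------------------------------------------------------------------------- /roles/defender/tasks/main.yml: --------------------------------------------------------------------------------
---
# Private scratch directory for the downloaded twistcli binary.
- name: Create Twistlock tools directory
  file:
    path: "{{ work_dir }}/tools"
    state: directory
    mode: "0700"
  register: tools_dir

# Fetches and unpacks the twistcli bundle. `toolBundleUrl` (from the CR)
# overrides the default CDN location, so whoever can set that field chooses
# the binary executed below, and no integrity check is performed on the
# download (unarchive has no checksum option).
# TODO(review): verify a digest before extracting (e.g. get_url with
# `checksum:` followed by a local unarchive) once a trusted digest source exists.
- name: Download and extract the twistcli tool bundle
  unarchive:
    src: "{{ toolBundleUrl if toolBundleUrl is defined else 'https://storage.googleapis.com/twistlock-cdn/isolated_upgrades/v' + version + '/v' + version + '_isolated_update.tar.gz' }}"
    dest: "{{ tools_dir.path }}"
    remote_src: true

# Renders the Defender DaemonSet manifest against an existing Console whose
# address comes from the CR. CR values are shell-quoted because the command
# module shlex-splits this folded string; an unquoted value with whitespace
# would become extra arguments. The admin password goes to twistcli on stdin,
# but `--proxy-password` is an argv flag and is visible to anything able to
# read the operator pod's process list while twistcli runs -- scope that
# proxy credential accordingly. The task result is masked so neither secret
# lands in the operator log (twistcli's stderr is hidden on failure too).
- name: Create Defender YAML file
  command: >
    linux/twistcli defender export {{ orchestrator }}
    --user {{ username | quote }}
    --address {{ defenderConfig.consoleAddress | quote }}
    --cluster-address {{ defenderConfig.clusterAddress | quote }}
    {{ ('--cluster ' + (defenderConfig.cluster | quote)) if defenderConfig.cluster is defined else '' }}
    {{ '--collect-pod-labels' if defenderConfig.collectPodLabels else '' }}
    {{ '--cri' if not defenderConfig.docker else '' }}
    {{ ('--docker-socket-path ' + (defenderConfig.dockerSocketPath | quote)) if defenderConfig.dockerSocketPath is defined else '' }}
    {{ ('--image-pull-secrets ' + (defenderConfig.imagePullSecret | quote)) if defenderConfig.imagePullSecret is defined else '' }}
    {{ ('--image-name ' + (defenderConfig.imageName | quote)) if defenderConfig.imageName is defined else '' }}
    {{ '--monitor-istio' if defenderConfig.monitorIstio else '' }}
    {{ '--monitor-service-accounts' if defenderConfig.monitorServiceAccounts else '' }}
    {{ ('--namespace ' + (namespace | quote)) if namespace is defined else '' }}
    {{ ('--nodeSelector ' + (defenderConfig.nodeLabels | quote)) if defenderConfig.nodeLabels is defined else '' }}
    {{ '--privileged' if defenderConfig.privileged else '' }}
    {{ ('--project ' + (defenderConfig.project | quote)) if defenderConfig.project is defined else '' }}
    {{ ('--proxy-address ' + (defenderConfig.proxyAddress | quote)) if defenderConfig.proxyAddress is defined else '' }}
    {{ ('--proxy-ca ' + (defenderConfig.proxyCa | quote)) if defenderConfig.proxyCa is defined else '' }}
    {{ ('--proxy-password ' + (defenderConfig.proxyPassword | quote)) if defenderConfig.proxyPassword is defined else '' }}
    {{ ('--proxy-user ' + (defenderConfig.proxyUsername | quote)) if defenderConfig.proxyUsername is defined else '' }}
    {{ '--selinux-enabled' if defenderConfig.selinuxEnabled else '' }}
    --output {{ work_dir }}/twistlock_defender.yaml
  args:
    chdir: "{{ tools_dir.path }}"
    stdin: "{{ password }}"
  no_log: true

# Splices a toleration into the DaemonSet pod spec ahead of its `containers:`
# key (lineinfile inserts before the last regex match). With operator
# "Exists" every value of the taint key is tolerated.
# NOTE(review): the inserted text must be indented exactly like `containers:`
# in twistcli's output; 6 spaces (spec.template.spec in 2-space YAML) is
# assumed here and preserved by the `|2-` indicator. Verify against a freshly
# exported manifest whenever the twistcli version is bumped.
- name: Add toleration to YAML file
  lineinfile:
    path: "{{ work_dir }}/twistlock_defender.yaml"
    insertbefore: ^\s+containers:$
    line: |2-
            tolerations:
            - key: {{ defenderConfig.tolerationKey }}
              operator: "Exists"
              effect: {{ defenderConfig.tolerationEffect }}
  when: defenderConfig.toleration | bool

- name: Create Defender from YAML file
  k8s:
    src: "{{ work_dir }}/twistlock_defender.yaml"
-------------------------------------------------------------------------------- /roles/defender/vars/main.yml: --------------------------------------------------------------------------------
---
# Environment (PCC_*) wins over the CR's `credentials` block, so the Console
# login can be mounted into the operator from a Secret instead of the CR.
# The standalone Defender role needs neither the access token nor the license.
password: "{{ lookup('env', 'PCC_PASSWORD') or credentials.password }}"
username: "{{ lookup('env', 'PCC_USERNAME') or credentials.username }}"

# Scratch directory for the twistcli bundle and the generated manifest.
work_dir: /opt/ansible/twistlock
-------------------------------------------------------------------------------- /scripts/update_annotations.rb: --------------------------------------------------------------------------------
#!/usr/bin/env ruby
# Bandage solution to update the annotations YAML until I find something better
#
# Rewrites bundle/metadata/annotations.yaml in place with the Red Hat delivery
# annotations. The input is a repo-controlled file, so YAML.load_file on it is
# acceptable here; do not point this at untrusted input.
require 'yaml'

ANNOTATIONS_FILE = 'bundle/metadata/annotations.yaml'

annotations_file_yaml = YAML.load_file(ANNOTATIONS_FILE)
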
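annotations_file_yaml['annotations']['com.redhat.delivery.backport'] = true
annotations_file_yaml['annotations']['com.redhat.delivery.operator.bundle'] = true
annotations_file_yaml['annotations']['com.redhat.openshift.versions'] = 'v4.6'

# Round-trips through YAML.dump, so comments and key order in the original
# file are not preserved.
File.open(ANNOTATIONS_FILE, 'w') { |f| YAML.dump(annotations_file_yaml, f) }
-------------------------------------------------------------------------------- /scripts/update_csv.rb: --------------------------------------------------------------------------------
#!/usr/bin/env ruby
# Bandage solution to update the CSV YAML until I find something better
#
# Usage: update_csv.rb <container-image-ref>
#
# Stamps the operator image reference and today's date into the base
# ClusterServiceVersion. The input is a repo-controlled file, so YAML.load_file
# on it is acceptable here; do not point this at untrusted input.
require 'time'
require 'yaml'

MANIFEST_FILE = 'config/manifests/bases/pcc-operator.clusterserviceversion.yaml'

# Without this guard a missing argument is written as a null `containerImage`
# into the CSV with no error from this script.
container_image = ARGV[0]
abort("usage: #{$PROGRAM_NAME} <container-image-ref>") if container_image.nil? || container_image.empty?

manifest_file_yaml = YAML.load_file(MANIFEST_FILE)

manifest_file_yaml['metadata']['annotations']['containerImage'] = container_image
manifest_file_yaml['metadata']['annotations']['createdAt'] = Time.now.strftime('%Y-%m-%d')

# Round-trips through YAML.dump, so comments and key order in the original
# file are not preserved.
File.open(MANIFEST_FILE, 'w') { |f| YAML.dump(manifest_file_yaml, f) }
-------------------------------------------------------------------------------- /watches.yaml: --------------------------------------------------------------------------------
---
# Maps each CRD kind to the Ansible role that reconciles it.
# snakeCaseParameters is off, so CR spec fields reach the roles with their
# camelCase names (consoleConfig, defenderConfig, toolBundleUrl, ...).
# watchDependentResources is off, so changes to the objects the roles create
# presumably do not trigger a reconcile on their own -- only CR events do.
# manageStatus is off: the roles do not write a status block on the CR.
- version: v1alpha1
  group: pcc.paloaltonetworks.com
  kind: Console
  role: console
  manageStatus: false
  snakeCaseParameters: false
  watchDependentResources: false

- version: v1alpha1
  group: pcc.paloaltonetworks.com
  kind: Defender
  role: defender
  manageStatus: false
  snakeCaseParameters: false
  watchDependentResources: false

- version: v1alpha1
  group: pcc.paloaltonetworks.com
  kind: ConsoleDefender
  role: consoledefender
  manageStatus: false
  snakeCaseParameters: false
  watchDependentResources: false

#+kubebuilder:scaffold:watch
--------------------------------------------------------------------------------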