Prisma Cloud Container Security with GKE Autopilot

Prisma Cloud now supports Autopilot, a new mode of operation in GKE designed to reduce the operational cost of managing clusters.

One of the more innovative and prominent features of cloud workload technology today are managed services with automation that can optimize your operational costs and make operational maintenance easier in cloud environments for higher workload availability. Part of our mission at Prisma Cloud is to ensure our customers can secure their clusters. So, we are excited to announce, in partnership with Google Cloud, a new capability to monitor and protect Google Kubernetes Engine (GKE) Autopilot clusters with Prisma Cloud.

The Prisma Cloud integration with GKE supports installs of the Prisma Cloud Compute DaemonSet Defender on GKE Autopilot clusters. It is easy to deploy and delivers automatic detection and protection of cluster instances across the full lifecycle with vulnerability management, compliance enforcement, access control, web application and API security, and also runtime defense.

“Securing the continuously evolving infrastructure and solutions that GKE provides, is one of Prisma Cloud’s main objectives,” said John Morello, VP of Product at Palo Alto Networks. “Thanks to our partnership with Google, we can now ensure that our mutual customers can comprehensively protect their cloud workloads running on GKE Autopilot.”

 

What is GKE Autopilot?

With the GKE Autopilot mode of operation, your cluster's underlying infrastructure can be managed for you—including nodes and node pools—so that it produces an optimized cluster with a hands-off experience.

 

 

With GKE Autopilot, you no longer have to monitor the health of your nodes or calculate the amount of node compute capacity that your workloads require. Instead, you can stay within GKE without having to interact with Compute Engine, as the nodes are already fully managed and optimized, and are provisioned based on your Pod’s resource requests.

 

 

 

Protecting GKE Autopilot clusters with Prisma Cloud

A picture containing application Description automatically generated

Prisma Cloud Defenders enforce the policies you want for your environment. To install our DaemonSet Defender for Autopilot, simply generate a Kubernetes CRI Defender using the Prisma Cloud Console or the CLI tool (twistcli) and then install the Defender on your Autopilot cluster. For installation instructions see  GKE Autopilot installation guidelines.

 

Figure 1. Prisma Cloud DaemonSet Defenders deployed to protect Autopilot clusters
Figure 1. Prisma Cloud DaemonSet Defenders deployed to protect Autopilot clusters

Figure 1. Prisma Cloud DaemonSet Defenders deployed to protect Autopilot clusters

 

Our Prisma Cloud DaemonSet Defender will automatically detect your cluster nodes and any running containers. After the Defender installation, Prisma Cloud Radar will display a comprehensive visualization of your GKE Autopilot clusters and nodes so you can conceptualize architecture and connectivity, identify risks, and investigate incidents that require response. Prisma Cloud lets you click on any individual pod to drill down into vulnerability reports, compliance reports, and runtime anomalies.

Figure 2. Use Prisma Cloud Radar to monitor, visualize, and navigate through all your Prisma Cloud security data on your cloud environment
Figure 2. Use Prisma Cloud Radar to monitor, visualize, and navigate through all your Prisma Cloud security data on your cloud environment

Figure 2. Use Prisma Cloud Radar to monitor, visualize, and navigate through all your Prisma Cloud security data on your cloud environment

 

The DaemonSet Defender will natively protect your GKE Autopilot cluster. Alongside many security capabilities it provides, you can find the following:

 

You can adjust each capability according to your use case and security guidelines by defining a set of Prisma Cloud policy rules. The rules can also be scoped by the cluster or specific workloads by using the Prisma Cloud collection mechanism. Collections are used to filter security reports and dashboards and can control access to data on a need-to-know basis.

 

Figure 3. Filtered Autopilot collection of image vulnerability scan results 
Figure 3. Filtered Autopilot collection of image vulnerability scan results

Figure 3. Filtered Autopilot collection of image vulnerability scan results 

 

Start using Prisma Cloud with GKE Autopilot

Palo Alto Networks and Google Cloud are committed partners working together to continuously deliver integrated and seamless cloud technologies that perform for customers and accelerate their business.

 

Start using Prisma Cloud to enhance your protection on Google Cloud by visiting Prisma Cloud in the Google Cloud Marketplace. Learn more about Prisma Cloud integrations for Google Cloud by visiting our Google Cloud environment page.