diff --git a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/container/container.adoc b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/container/container.adoc index 4e5a9dc650..40e9c8c500 100644 --- a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/container/container.adoc +++ b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/container/container.adoc @@ -68,6 +68,19 @@ image::install-defender-deploy-page.png[width=800] .. Under *Deployment method*, select *Single Defender*. .. In *Defender type*, select *Container Defender - Linux* or *Container Defender - Windows*. ++ +When you select *Container Defender - Linux*, *Container Runtime Type* field appears. + +.. In *Container Runtime Type*, select *Podman* or *Docker*. ++ +When you select Podman, the installation script includes the `--install-podman` argument. +If your infrastructure uses a custom Podman runtime socket path, you can specify it using the `--podman-socket` argument. ++ +For example, to use Podman with a custom runtime socket path, the final command would look like this: + ++ +`curl -sSL --header "#########" -X POST /api/v1/scripts/defender.sh | sudo bash -s -- -c "stage-consoles-cwp.cloud.twistlock.com" -v --install-podman --podman-socket ""` + ifdef::compute_edition[] .. Select the way Defender connects to Console. + diff --git a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/defender-types.adoc b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/defender-types.adoc index d84f5a88c9..371cb98484 100644 --- a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/defender-types.adoc +++ b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/defender-types.adoc 
@@ -37,7 +37,7 @@ To avoid manually deploying Defenders on each container, VM, or host, you can us xref:./container/container.adoc[Deploy a container Defender] on any host that runs a container workload. Container Defender protects both your containers and the underlying host. -Docker must be installed on the host because this Defender type runs as a container. +Docker or Podman (for Linux Container Defender) must be installed on the host because this Defender type runs as a container. Container Defender offers the richest set of capabilities. The deployment is also the simplest. diff --git a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/host/windows-host.adoc b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/host/windows-host.adoc index 8d4b69d8a5..bd97b31786 100644 --- a/docs/en/compute-edition/33/admin-guide/install/deploy-defender/host/windows-host.adoc +++ b/docs/en/compute-edition/33/admin-guide/install/deploy-defender/host/windows-host.adoc @@ -5,7 +5,7 @@ A single instance of Prisma Cloud Console can simultaneously protect both Window Prisma Cloud’s Intelligence Stream includes vulnerability data from Microsoft, so as new CVEs are reported, Prisma Cloud can detect them in your Windows images. The architecture for Defender on Windows is different than Defender on Linux. -The Defender runs as a Docker container on Linux, and as a Windows service on Windows. +The Defender runs as a Docker or a Podman container on Linux, and as a Windows service on Windows. On Linux, it is implemented as runtime protection in the userspace, and on Windows it is implemented using Windows drivers. This is because there is no concept of capabilities in Windows Docker containers like there is on Linux. Defender on Windows runs as service so it can acquire the permissions it needs to secure the containers on your host. 
diff --git a/docs/en/compute-edition/33/admin-guide/technology-overviews/defender-architecture.adoc b/docs/en/compute-edition/33/admin-guide/technology-overviews/defender-architecture.adoc index afb7a99e14..11e10f684f 100644 --- a/docs/en/compute-edition/33/admin-guide/technology-overviews/defender-architecture.adoc +++ b/docs/en/compute-edition/33/admin-guide/technology-overviews/defender-architecture.adoc @@ -94,7 +94,7 @@ Defender is responsible for enforcing vulnerability and compliance blocking rule When a blocking rule is created, Defender moves the original runC binary to a new path and inserts a Prisma Cloud runC shim binary in its place. When a command to create a container is issued, it propagates down the layers of the container orchestration stack, eventually terminating at runC. -Regardless of your environment (Docker, Kubernetes, or OpenShift, etc) and underlying CRI provider, runC does the actual work of instantiating a container. +Regardless of your environment (Docker, Podman, Kubernetes, or OpenShift) and underlying CRI provider, runC does the actual work of instantiating a container. image::defender_runc.png[width=350] diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/container/container.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/container/container.adoc index dba365438a..ef657679bd 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/container/container.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/container/container.adoc 
@@ -42,7 +42,20 @@ image::runtime-security/install-defender-deploy-page.png[] . Under *Deployment method*, select *Single Defender*. -. Select your desired *Defender type* +. Select your desired *Defender type*. ++ +When you select *Container Defender - Linux* option as the Defender type, *Container Runtime Type* field appears. + +. In *Container Runtime Type*, select *Podman* or *Docker*. ++ +When you select Podman, the installation script includes the `--install-podman` argument. +If your infrastructure uses a custom Podman runtime socket path, you can specify it using the `--podman-socket` argument. + ++ +For example, to use Podman with a custom runtime socket path, the final command would look like this: + ++ +`curl -sSL --header "#########" -X POST /api/v1/scripts/defender.sh | sudo bash -s -- -c "stage-consoles-cwp.cloud.twistlock.com" -v --install-podman --podman-socket ""` . Under *The name that Defender will use to connect to this Console* select the correct item from the list of IP addresses and hostnames pre-populated in the drop-down list. After adding a SAN, your IP address or hostname will be available in the drop-down list. diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-architecture.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-architecture.adoc index 748c3dead6..80083f3e49 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-architecture.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-architecture.adoc 
@@ -84,7 +84,7 @@ Defender is responsible for enforcing vulnerability and compliance blocking rule When a blocking rule is created, Defender moves the original runC binary to a new path and inserts a Prisma Cloud runC shim binary in its place. When a command to create a container is issued, it propagates down the layers of the container orchestration stack, eventually terminating at runC. -Regardless of your environment (Docker, Kubernetes, or OpenShift, etc) and underlying CRI provider, runC does the actual work of instantiating a container. +Regardless of your environment (Docker, Podman, Kubernetes, or OpenShift) and underlying CRI provider, runC does the actual work of instantiating a container. image::runtime-security/defender-runc.png[] diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-types.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-types.adoc index 6215ee5b26..08e4d06973 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-types.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/defender-types.adoc @@ -28,7 +28,7 @@ To avoid manually deploying Defenders on each container, VM, or host, you can us xref:./container/container.adoc[Deploy a container Defender] on any host that runs a container workload. Container Defender protects both your containers and the underlying host. -Docker must be installed on the host because this Defender type runs as a container. +Docker or Podman (for Linux Container Defender) must be installed on the host because this Defender type runs as a container. Container Defender offers the richest set of capabilities. The deployment is also the simplest. 
diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/host/windows-host.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/host/windows-host.adoc index 35589db939..f8b9394032 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/host/windows-host.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/deploy-defender/host/windows-host.adoc @@ -6,7 +6,7 @@ A single instance of Prisma Cloud Console can simultaneously protect both Window Prisma Cloud’s Intelligence Stream includes vulnerability data from Microsoft, so as new CVEs are reported, Prisma Cloud can detect them in your Windows images. The architecture for Defender on Windows is different than Defender on Linux. -The Defender runs as a Docker container on Linux, and as a Windows service on Windows. +The Defender runs as a Docker or a Podman container on Linux, and as a Windows service on Windows. On Linux, it is implemented as runtime protection in the userspace, and on Windows it is implemented using Windows drivers. This is because there is no concept of capabilities in Windows Docker containers like there is on Linux. Defender on Windows runs as service so it can acquire the permissions it needs to secure the containers on your host.
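Review bot: in the `docs/en/compute-edition/33/.../container/container.adoc` hunk (`@@ -68,6 +68,19 @@`), the example command ends in `--podman-socket ""`, so the sentence that promises to show a custom runtime socket path shows an empty one; use a clearly marked placeholder such as `--podman-socket "<PATH_TO_PODMAN_SOCKET>"` so a reader knows a path belongs there. The same command uses `--header "#########"` and a bare `/api/v1/scripts/defender.sh` with no Console URL, and points `-c` at `stage-consoles-cwp.cloud.twistlock.com`, which reads like an internal staging Console rather than a customer value; replace all three with labelled placeholders (an authorization-header placeholder, a Console URL placeholder, and a Console address placeholder) so nobody copies a staging hostname into a production install. Minor: "*Container Runtime Type* field appears" needs "the", and the list continuation `+` in front of the command sits after a blank line while the other continuations in this hunk sit directly under their paragraph; keep them consistent.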
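Review bot: in the `docs/en/compute-edition/33/.../defender-types.adoc` hunk (`@@ -37,7 +37,7 @@`), the parenthetical in "Docker or Podman (for Linux Container Defender) must be installed" can be read as qualifying both runtimes; since the container.adoc hunk only offers the runtime choice for Container Defender - Linux, say so directly, for example "Docker (or, for Container Defender - Linux, Podman) must be installed on the host", so it is clear that the Windows variant still requires Docker.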
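Review bot: in the `docs/en/compute-edition/33/.../host/windows-host.adoc` hunk (`@@ -5,7 +5,7 @@`), "as a Docker or a Podman container on Linux" reads awkwardly; "as a Docker or Podman container on Linux" is enough. The unchanged context line "Defender on Windows runs as service" is also missing "a"; worth fixing while the paragraph is being touched.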
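Review bot: in the `docs/en/compute-edition/33/.../technology-overviews/defender-architecture.adoc` hunk (`@@ -94,7 +94,7 @@`), adding Podman to the list while keeping "runC does the actual work of instantiating a container" overstates the case: Podman installations commonly ship with crun as the default OCI runtime, and the runC shim described in the two context lines above would then not be on the container-creation path, so blocking rules would not be enforced. Either state that shim-based blocking requires runC to be Podman's configured runtime, or document how Defender handles a crun-based Podman host. Also, removing "etc" turns an open-ended list into a closed one; keep "etc." unless the list is meant to be exhaustive.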
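Review bot: in the `docs/en/enterprise-edition/.../deploy-defender/container/container.adoc` hunk (`@@ -42,7 +42,20 @@`), the same defects as in the compute-edition container.adoc hunk apply: `--podman-socket ""` contradicts the sentence about a custom socket path and should carry a labelled placeholder path; `--header "#########"`, the host-less `/api/v1/scripts/defender.sh`, and the `stage-consoles-cwp.cloud.twistlock.com` address should be replaced with labelled placeholders rather than a staging Console name. In addition, "When you select *Container Defender - Linux* option as the Defender type, *Container Runtime Type* field appears" needs "the" before both "*Container Defender - Linux* option" and "*Container Runtime Type* field", and the `+` continuation before the command again follows a blank line while the others do not.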
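Review bot: in the `docs/en/enterprise-edition/.../deploy-defender/defender-architecture.adoc` hunk (`@@ -84,7 +84,7 @@`), the same concern as in the compute-edition architecture hunk applies: listing Podman under "runC does the actual work of instantiating a container" ignores that Podman is frequently configured with crun, in which case the runC shim from the preceding context lines is bypassed and blocking rules are not applied. State the runC requirement for Podman hosts or document crun handling, and keep "etc." if the environment list is not meant to be exhaustive.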
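Review bot: in the `docs/en/enterprise-edition/.../deploy-defender/defender-types.adoc` hunk (`@@ -28,7 +28,7 @@`), "Docker or Podman (for Linux Container Defender) must be installed" has the same ambiguity as the compute-edition defender-types hunk; reword so the Podman option is tied explicitly to Container Defender - Linux and Docker remains the requirement for the Windows variant.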
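Review bot: in the `docs/en/enterprise-edition/.../deploy-defender/host/windows-host.adoc` hunk (`@@ -6,7 +6,7 @@`), "as a Docker or a Podman container on Linux" should read "as a Docker or Podman container on Linux", and the unchanged "runs as service" in the following context line is missing "a".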