UNCLASSIFIED - NO CUI


Defenders deployed, not showing up in console

When deploying Prisma Cloud as part of Big Bang, the defender daemonset is deployed successfully in my k3s cluster but I don't see the defenders show up in the twistlock console. Here is how I have the defenders configured

twistlock:
  enabled: true
  values:
  ...
    defender:
      enabled: true
      dockerSocket: /run/k3s/containerd/containerd.sock
      cri: true
      privileged: false
      selinux: true
    init:
      enabled: true
    monitoring:
      enabled: true

The pods are running fine


Running logs on them returns basically nothing

WARN 2025-04-14T16:48:34.156 dump.go:34  Falling back to default log level WARNING

WARN 2025-04-14T16:48:34.156 dump.go:34  Falling back to default log level WARNING

However, if I grab the defender.log file from /var/lib/twistlock/log/ inside the defender pod, I see a bunch of permission denied errors... Here's an excerpt, I'll also attach the entire file

ERRO 2025-02-16T22:05:09.044 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/bash: open /proc/1948620/task/1948620/syscall: permission denied
ERRO 2025-02-16T22:05:09.044 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/bash: open /proc/1948620/task/1948620/syscall: permission denied
ERRO 2025-02-16T22:05:21.527 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/1948922/task/1948922/syscall: permission denied
ERRO 2025-02-16T22:05:21.527 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/1948922/task/1948922/syscall: permission denied
ERRO 2025-02-16T22:05:21.529 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/1948923/task/1948923/syscall: permission denied
ERRO 2025-02-16T22:05:21.529 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/1948923/task/1948923/syscall: permission denied
ERRO 2025-02-16T22:05:21.531 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dirname: open /proc/1948924/task/1948924/syscall: permission denied
ERRO 2025-02-16T22:05:21.531 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dirname: open /proc/1948924/task/1948924/syscall: permission denied
ERRO 2025-02-16T22:05:21.534 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/locale: open /proc/1948926/task/1948926/syscall: permission denied
ERRO 2025-02-16T22:05:21.534 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/grep: open /proc/1948927/task/1948927/syscall: permission denied

Seems like maybe it's a Kyverno issue, but I'm not seeing any PolicyViolation events being triggered in Kyverno after the defenders are deployed.

defender.log

Edited by Todd Skinner
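An added triage helper for the defender.log format quoted above (this is example code, not part of the original post or of the Prisma Cloud / Big Bang code): it parses the lines, counts levels, and groups the denied /proc/<pid>/task/<tid>/syscall reads by the binary the watched process opened. The sample lines, timestamps and PIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the defender.log excerpt in the post
# (timestamps and PIDs are made up for the example).
SAMPLE_LOG = """\
WARN 2025-04-14T16:48:34.156 dump.go:34  Falling back to default log level WARNING
ERRO 2025-04-14T16:48:40.001 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/bash: open /proc/100/task/100/syscall: permission denied
ERRO 2025-04-14T16:48:41.002 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/101/task/101/syscall: permission denied
ERRO 2025-04-14T16:48:41.002 controller_filesystem.go:833 Failed to read thread syscall of process opening /usr/bin/dash: open /proc/101/task/101/syscall: permission denied
WARN 2025-04-14T16:48:45.300 dump.go:34  Falling back to default log level WARNING
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]{4}) (?P<ts>\S+) (?P<src>\S+:\d+)\s+(?P<msg>.*)$")
DENIED_RE = re.compile(
    r"opening (?P<path>\S+): open /proc/(?P<pid>\d+)/task/(?P<tid>\d+)/syscall: permission denied$"
)


def parse_line(line):
    """Split one defender.log line into level, timestamp, source file:line and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a defender.log: counts per level, plus which /proc/<pid>/task/<tid>/syscall
    reads were denied, grouped by the binary the watched process opened."""
    levels = Counter()
    denied_by_path = Counter()
    denied_pids = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        levels[rec["level"]] += 1
        d = DENIED_RE.search(rec["msg"])
        if d:
            denied_by_path[d["path"]] += 1
            denied_pids.add(int(d["pid"]))
    return {
        "levels": dict(levels),
        "denied_by_path": dict(denied_by_path),
        "denied_pids": sorted(denied_pids),
        # Reading /proc/<pid>/syscall is gated by a ptrace access-mode check (see proc(5)),
        # so a run of these denials points at the defender's privilege/capability settings.
        "procfs_syscall_denied": bool(denied_pids),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a copied-out defender.log (for example `kubectl cp` the file from the pod, then `triage(open(path).read())`) to see at a glance how many host processes the defender could not inspect.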