Coverage Matrix

Chkk Curated Release Notesv33.00.169 to latest
Private RegistrySupported
Custom Built ImagesSupported
Safety, Health, and Readiness Checksv33.02.134 to latest
Supported PackagesHelm, Kustomize, Kube
EOL InformationAvailable
Version Incompatibility InformationAvailable
Upgrade TemplatesIn-Place, Blue-Green
PreverificationAvailable

Prisma Cloud Overview

Prisma Cloud (formerly Twistlock) is a cloud-native security platform designed to protect containerized workloads and Kubernetes environments throughout their lifecycle. It deploys a lightweight Defender agent on each node to enforce vulnerability scanning, runtime threat detection, compliance policies, and Kubernetes admission controls via Open Policy Agent (OPA). Prisma Cloud integrates directly into CI/CD pipelines to provide shift-left security, ensuring consistent enforcement of image assurance and runtime defense without altering application code. Platform engineers benefit from centralized security management, real-time detection of anomalies, and automated threat mitigation, streamlining operational security across all clusters.

Chkk Coverage

Curated Release Notes

Chkk continuously tracks and curates Prisma Cloud release notes, highlighting changes specifically relevant to your environment, such as updated vulnerability scanning rules or altered Defender permissions. Platform teams receive tailored notifications about new security defaults, deprecated APIs, and dropped support for Kubernetes versions or container runtimes. By providing targeted summaries, Chkk ensures engineers stay informed of critical operational impacts without having to parse extensive changelogs manually. This reduces the risk of unforeseen upgrade complications or configuration incompatibilities.

Preflight & Postflight Checks

Chkk executes preflight checks before Prisma Cloud upgrades to validate version compatibility, supported Kubernetes environments, and Defender deployment status. These checks identify problematic configurations, outdated API endpoints, or unsupported upgrade paths (beyond Prisma Cloud’s n-2 version policy), allowing remediation prior to the upgrade. Postflight checks verify successful Defender registration, Console health, and policy enforcement consistency across upgraded nodes. This ensures immediate detection and resolution of issues such as failed Defender connections or incomplete Console migrations.

Version Recommendations

Chkk proactively monitors Prisma Cloud’s release timelines, flagging when your current Console or Defender versions approach end-of-life or support expiry. It recommends stable upgrade targets based on known issues, compatibility requirements, and community feedback, balancing stability with the urgency of security updates. By aligning version recommendations with Prisma Cloud’s official support matrix, Chkk enables platform teams to schedule timely, risk-informed upgrades. This approach prevents downtime caused by outdated or unsupported components.

Upgrade Templates

Chkk provides detailed Upgrade Templates covering both in-place and blue-green upgrades, aligning with Prisma Cloud’s best practices. In-place upgrades outline steps for backing up Console data, updating Console images, and coordinating Defender rollout to avoid version mismatches. Blue-green upgrade templates offer guidance for deploying a new Console instance temporarily alongside existing deployments, enabling gradual Defender migration and verification. These structured templates integrate seamlessly with GitOps or CI/CD pipelines, ensuring predictable upgrade processes with clear rollback points.

Preverification

Chkk’s preverification simulates Prisma Cloud upgrades in an isolated environment replicating your current configurations and policies. This digital twin approach uncovers potential upgrade complications, such as schema migration issues, Defender resource constraints, or integration conflicts, before production deployment. Engineers can proactively adjust configurations or resources based on simulation feedback, preventing real-world disruptions. Preverification effectively acts as a rehearsed upgrade, greatly reducing unforeseen operational risks.

Supported Packages

Chkk supports multiple Prisma Cloud deployment methods—including Helm charts, Prisma Cloud Operator, and Terraform—allowing seamless integration with existing workflows. It analyzes current deployment manifests or GitOps repositories, automatically adapting upgrade guidance to your installation mode and customizations, such as private registries or custom-built Defenders. Whether using self-hosted Console deployments or SaaS-managed solutions, Chkk ensures consistent upgrade practices. This flexibility maintains operational continuity and reduces friction during Prisma Cloud version transitions.

Common Operational Considerations

  • Console–Defender Version Alignment: Upgrade Prisma Cloud Console before upgrading Defenders to prevent registration or enforcement failures caused by version mismatches.
  • Defender DaemonSet Coverage: Ensure the Defender DaemonSet configuration covers all nodes, including tainted or newly provisioned node pools, to avoid unmonitored workloads.
  • Admission Controller Policies: Initially run Prisma Cloud’s admission controller in alert mode to validate policy rules, preventing unintended blocking of critical pods after upgrades.
  • Resource Allocation & Overhead: Properly allocate CPU and memory to the Prisma Cloud Console and Defender agents, scaling resources to accommodate cluster density and prevent resource starvation.
  • Network Connectivity & TLS: Confirm secure Defender-to-Console communication after upgrades by verifying proxies, certificates, and network settings to avoid silent Defender disconnections.
  • RBAC and Permissions: Regularly review and adjust Kubernetes RBAC permissions and Pod Security Standards to ensure Prisma Cloud components have required privileges, avoiding enforcement gaps during incidents.

Additional Resources