Coverage Matrix

Generate IaC Pull Requests: Available (Request Preview in Free Tier)
Curated Release Notes: to latest
Guided & Automated Safety Checks: to latest
Rapid Upgrade Assessments: Available
Upgrade Templates & Plans: In-Place, Blue-Green
Upgrade Advisories: Available
Preverification: Available
End-Of-Life (EOL) Information: Available
Version Incompatibility Information: Available
Operational Risk Detection: Available
Supported Packages: Helm, Kustomize, Kube
Private Registries: Covered
Custom Built Images: Covered

Prisma Cloud Overview

Prisma Cloud (formerly Twistlock) is a Cloud Native security platform designed to protect containerized workloads throughout their lifecycle. It deploys a lightweight Defender agent on each node to enforce vulnerability scanning, runtime threat detection, compliance policies, and admission controls via Open Policy Agent (OPA). Prisma Cloud integrates directly into CI/CD pipelines to provide shift-left security, ensuring consistent enforcement of image assurance and runtime defense without altering application code. Platform engineers benefit from centralized security management, real-time detection of anomalies, and automated threat mitigation, streamlining operational security across all clusters.

Chkk Coverage

Curated Release Notes

Chkk continuously tracks and curates Prisma Cloud release notes, highlighting changes specifically relevant to your environment, such as updated vulnerability scanning rules or altered Defender permissions. Platform teams receive tailored notifications about new security defaults, deprecated APIs, and dropped support for specific versions or container runtimes. By providing targeted summaries, Chkk ensures engineers stay informed of critical operational impacts without having to parse extensive changelogs manually. This reduces the risk of unforeseen upgrade complications or configuration incompatibilities.

Preflight & Postflight Checks

Chkk executes preflight checks before Prisma Cloud upgrades to validate version compatibility, supported environments, and Defender deployment status. These checks identify problematic configurations, outdated API endpoints, or unsupported upgrade paths (beyond Prisma Cloud’s n-2 version policy), allowing remediation prior to the upgrade. Postflight checks verify successful Defender registration, Console health, and policy enforcement consistency across upgraded nodes. This ensures immediate detection and resolution of issues such as failed Defender connections or incomplete Console migrations.

Version Recommendations

Chkk proactively monitors Prisma Cloud’s release timelines, flagging when your current Console or Defender versions approach end-of-life or support expiry. It recommends stable upgrade targets based on known issues, compatibility requirements, and community feedback, balancing stability with the urgency of security updates. By aligning version recommendations with Prisma Cloud’s official support matrix, Chkk enables platform teams to schedule timely, risk-informed upgrades. This approach prevents downtime caused by outdated or unsupported components.

Upgrade Templates

Chkk provides detailed Upgrade Templates covering both in-place and blue-green upgrades, aligning with Prisma Cloud’s best practices. In-place upgrades outline steps for backing up Console data, updating Console images, and coordinating Defender rollout to avoid version mismatches. Blue-green upgrade templates offer guidance for deploying a new Console instance temporarily alongside existing deployments, enabling gradual Defender migration and verification. These structured templates integrate seamlessly with GitOps or CI/CD pipelines, ensuring predictable upgrade processes with clear rollback points.

Preverification

Chkk’s preverification simulates Prisma Cloud upgrades in an isolated environment replicating your current configurations and policies. This digital twin approach uncovers potential upgrade complications, such as schema migration issues, Defender resource constraints, or integration conflicts, before production deployment. Engineers can proactively adjust configurations or resources based on simulation feedback, preventing real-world disruptions. Preverification effectively acts as a rehearsed upgrade, greatly reducing unforeseen operational risks.

Supported Packages

Chkk supports multiple Prisma Cloud deployment methods—including Helm charts, Prisma Cloud Operator, and Terraform—allowing seamless integration with existing workflows. It analyzes current deployment manifests or GitOps repositories, automatically adapting upgrade guidance to your installation mode and customizations, such as private registries or custom-built Defenders. Whether using self-hosted Console deployments or SaaS-managed solutions, Chkk ensures consistent upgrade practices. This flexibility maintains operational continuity and reduces friction during Prisma Cloud version transitions.

Common Operational Considerations

  • Console–Defender Version Alignment: Upgrade Prisma Cloud Console before upgrading Defenders to prevent registration or enforcement failures caused by version mismatches.
  • Defender DaemonSet Coverage: Ensure the Defender DaemonSet configuration covers all nodes, including tainted or newly provisioned node pools, to avoid unmonitored workloads.
  • Admission Controller Policies: Initially run Prisma Cloud’s admission controller in alert mode to validate policy rules, preventing unintended blocking of critical pods after upgrades.
  • Resource Allocation & Overhead: Properly allocate CPU and memory to the Prisma Cloud Console and Defender agents, scaling resources to accommodate cluster density and prevent resource starvation.
  • Network Connectivity & TLS: Confirm secure Defender-to-Console communication after upgrades by verifying proxies, certificates, and network settings to avoid silent Defender disconnections.
  • RBAC and Permissions: Regularly review and adjust RBAC permissions and Pod Security Standards to ensure Prisma Cloud components have required privileges, avoiding enforcement gaps during incidents.
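
The Defender DaemonSet coverage item above can be checked against exported cluster data. The following is an added example, not Chkk or Prisma Cloud code: it applies the Kubernetes taint/toleration matching rule to constructed node and toleration data (node names, taint keys and the function names are assumptions) and does not evaluate nodeSelector or affinity.

```python
HARD_EFFECTS = {"NoSchedule", "NoExecute"}  # PreferNoSchedule is only a preference


def tolerates(toleration, taint):
    """Kubernetes matching rule for one toleration against one taint."""
    # An empty effect on the toleration matches every effect.
    if toleration.get("effect") and toleration["effect"] != taint.get("effect"):
        return False
    operator = toleration.get("operator", "Equal")
    key = toleration.get("key", "")
    if operator == "Exists":
        # An empty key with Exists tolerates every taint.
        return key == "" or key == taint["key"]
    return key == taint["key"] and toleration.get("value", "") == taint.get("value", "")


def uncovered_nodes(nodes, tolerations):
    """Return {node_name: [untolerated taints]} for nodes the pods cannot land on."""
    gaps = {}
    for node in nodes:
        blocking = [
            t for t in node.get("spec", {}).get("taints", [])
            if t.get("effect") in HARD_EFFECTS
            and not any(tolerates(tol, t) for tol in tolerations)
        ]
        if blocking:
            gaps[node["metadata"]["name"]] = [
                f'{t["key"]}={t.get("value", "")}:{t["effect"]}' for t in blocking
            ]
    return gaps


# Constructed input shaped like the items of `kubectl get nodes -o json`.
SAMPLE_NODES = [
    {"metadata": {"name": "general-1"}, "spec": {}},
    {"metadata": {"name": "cp-1"}, "spec": {"taints": [
        {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "gpu-1"}, "spec": {"taints": [
        {"key": "dedicated", "value": "gpu", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "spot-1"}, "spec": {"taints": [
        {"key": "spot", "value": "true", "effect": "PreferNoSchedule"}]}},
]
# Constructed tolerations as they would appear in the DaemonSet pod template.
SAMPLE_TOLERATIONS = [{"key": "node-role.kubernetes.io/control-plane",
                       "operator": "Exists", "effect": "NoSchedule"}]

if __name__ == "__main__":
    for name, taints in uncovered_nodes(SAMPLE_NODES, SAMPLE_TOLERATIONS).items():
        print(f"{name}: not tolerated -> {', '.join(taints)}")
```

With the sample data only the GPU node is reported, because its dedicated taint has no matching toleration; a single toleration with operator Exists and no key would close the gap for every node pool.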

Additional Resources