OpenShift Container Platform 4 & Palo Alto Networks Prisma Cloud (formerly known as Twistlock)

Solution Verified - Updated -


  • OpenShift Container Platform 4.x

  • Twistlock was acquired by Palo Alto Network in 2019 and became part of the Prisma Cloud product afterwards


  • Before when TwistLock was installed on OpenShift Container Platform 4, it modified the crio.conf file and prevented the operator from upgrading.


This issue has been reported to Palo Alto Networks.

Take a backup of the MachineConfig before any upgrade :

$ oc get machineconfig <01-worker-xxx> -o yaml > 01-worker-mc-xxx.yaml

Prior to Upgrade :

1. Uninstall Twistlock defender pods

2. Restore Container runtime config

$ oc apply -f 01-worker-mc-xxx.yaml

3. Check MCO is not reporting degraded state

Trigger an OpenShift upgrade if required. 

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.