Overview of Microsoft Defender for Containers

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

On this page, you'll learn how you can use Defender for Containers to improve, monitor, and maintain the security of your clusters, containers, and their applications.

Microsoft Defender for Containers plan availability

Release state: General availability (GA). Certain features are in preview; for a full list, see the availability section.

Feature availability: Refer to the availability section for additional information on feature release state and availability.

Pricing: Microsoft Defender for Containers is billed as shown on the pricing page.

Required roles and permissions:
  • To auto provision the required components, see the permissions for each of the components.
  • Security admin can dismiss alerts.
  • Security reader can view vulnerability assessment findings.
  • See also Azure Container Registry roles and permissions.

Clouds:
  Azure:
  • Commercial clouds
  • National clouds (Azure Government, Azure China 21Vianet) (except for preview features)
  Non-Azure:
  • Connected AWS accounts (Preview)
  • Connected GCP projects (Preview)
  • On-prem/IaaS supported via Arc-enabled Kubernetes (Preview)

For more details, see the availability section.

What are the benefits of Microsoft Defender for Containers?

Defender for Containers helps with the core aspects of container security:

  • Environment hardening - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-prem / IaaS, or Amazon EKS. By continuously assessing clusters, Defender for Containers provides visibility into misconfigurations and guidelines to help mitigate identified threats. Learn more in Hardening.

  • Vulnerability assessment - Vulnerability assessment and management tools for images stored in ACR registries and running in Azure Kubernetes Service. Learn more in Vulnerability assessment.

  • Run-time threat protection for nodes and clusters - Threat protection for clusters and Linux nodes generates security alerts for suspicious activities. Learn more in Run-time protection for Kubernetes nodes, clusters, and hosts.

Hardening

Continuous monitoring of your Kubernetes clusters - wherever they're hosted

Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations. Use Defender for Cloud's recommendations page to view recommendations and remediate issues. For details of the relevant Defender for Cloud recommendations that might appear for this feature, see the compute section of the recommendations reference table.

For Kubernetes clusters on EKS, you'll need to connect your AWS account to Microsoft Defender for Cloud via the environment settings page as described in Connect your AWS accounts to Microsoft Defender for Cloud. Then ensure you've enabled the CSPM plan.

When reviewing the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page, you can use the resource filter:

Screenshot showing you where the resource filter is located.

Kubernetes data plane hardening

For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto deploy this component as explained in enable auto provisioning of agents and extensions.

With the add-on on your AKS cluster, every request to the Kubernetes API server is checked against the predefined set of best practices before being persisted to the cluster. You can then configure the add-on to enforce those best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.
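The following is an added example, not the add-on's own code or policy definitions: a local pre-deployment check that applies the same kind of rule the admission controller enforces, so a manifest can be tested before it reaches the API server. It goes slightly beyond the page's single example (privileged containers) by also rejecting host namespace sharing and an unset allowPrivilegeEscalation; the rule set and the sample manifests are assumptions constructed for illustration, in the shape `kubectl get pod -o json` emits.

```python
"""Local admission-style check for Pod manifests (added illustrative code,
not the Azure Policy add-on). Rules and sample manifests are assumptions."""

from typing import Iterable, List


def _containers(pod: dict) -> Iterable[dict]:
    """Yield every regular and init container in the Pod manifest."""
    spec = pod.get("spec", {})
    yield from spec.get("containers", [])
    yield from spec.get("initContainers", [])


def violations(pod: dict) -> List[str]:
    """Return every rule the manifest breaks; an empty list means it would be admitted."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    found = []
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        cname = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            found.append(f"{name}/{cname}: privileged containers are not allowed")
        # Unset leaves escalation possible, so require an explicit false
        # (the same requirement the 'restricted' Pod Security Standard makes).
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}/{cname}: allowPrivilegeEscalation must be false")
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append(f"{name}: sharing host namespaces is not allowed")
    return found


def admit(pod: dict) -> bool:
    """True when the manifest passes every rule, i.e. the request would be allowed."""
    return not violations(pod)


# Constructed sample manifests (not taken from any real cluster).
PRIVILEGED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}
        ],
    },
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "nginx",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                },
            }
        ]
    },
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        print("ADMIT" if admit(pod) else "DENY", pod["metadata"]["name"])
        for v in violations(pod):
            print("  -", v)
```

Running the script denies `debug-shell` with three findings and admits `web`; in a cluster the add-on makes the equivalent decision at the API server, so the check above is useful as a CI gate before manifests are ever submitted.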

Learn more in Kubernetes data plane hardening.

Vulnerability assessment

Scanning images in ACR registries

Defender for Containers includes an integrated vulnerability scanner for scanning images in Azure Container Registry registries. The vulnerability scanner runs on an image:

  • When you push the image to your registry
  • Weekly on any image that was pulled within the last 30 days
  • When you import the image to your Azure Container Registry
  • Continuously in specific situations

Learn more in Vulnerability assessment.

Sample Microsoft Defender for Cloud recommendation about vulnerabilities discovered in Azure Container Registry (ACR) hosted images.

View vulnerabilities for running images

The recommendation Running container images should have vulnerability findings resolved shows vulnerabilities for running images by combining the scan results from ACR registries with information on running images from the Defender security profile/extension. Images deployed from a non-ACR registry appear under the Not applicable tab.

Screenshot showing where the recommendation is viewable

Run-time protection for Kubernetes nodes and clusters

Defender for Cloud provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Threat protection at the cluster level is provided by the Defender profile and analysis of the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.
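As an added example (not Defender for Containers' own analytics), the detector below runs over Kubernetes API server audit log entries (audit.k8s.io/v1, one JSON object per line) and flags two of the cluster-level events named above: creation of a binding to a high-privileged role, and creation of a pod with a sensitive host mount. The rule names, the list of sensitive host paths and the sample audit events are constructed assumptions; the audit event field names (stage, verb, objectRef, requestObject, responseStatus) are the standard ones.

```python
"""Audit-log detector for two cluster-level events (added illustrative code).
Rule names, sensitive-path list and sample events are assumptions."""

import json
import posixpath
from typing import Dict, List, Optional

HIGH_PRIV_CLUSTER_ROLES = {"cluster-admin"}
# Host paths whose exposure to a pod is treated as sensitive (assumed list).
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def _created_ok(event: dict) -> bool:
    """Only count creates the API server actually persisted.

    Each request is logged at RequestReceived and again at ResponseComplete;
    acting on ResponseComplete avoids double counting and exposes the status
    code. requestObject is present only when the audit policy level is
    Request or RequestResponse.
    """
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return False
    code = event.get("responseStatus", {}).get("code", 0)
    return 200 <= code < 300


def _sensitive_path(path: str) -> bool:
    p = posixpath.normpath(path)
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def check_high_priv_binding(event: dict) -> Optional[str]:
    """Flag ClusterRoleBinding/RoleBinding creations that grant a high-privileged ClusterRole."""
    ref = event.get("objectRef", {})
    if ref.get("resource") not in ("clusterrolebindings", "rolebindings"):
        return None
    role = event.get("requestObject", {}).get("roleRef", {})
    if role.get("kind") == "ClusterRole" and role.get("name") in HIGH_PRIV_CLUSTER_ROLES:
        return f"{ref['resource']}/{ref.get('name')} binds {role['name']}"
    return None


def check_sensitive_mount(event: dict) -> Optional[str]:
    """Flag pod creations whose hostPath volumes expose a sensitive host path."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods":
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    paths = [v.get("hostPath", {}).get("path", "") for v in spec.get("volumes", []) if "hostPath" in v]
    bad = [p for p in paths if _sensitive_path(p)]
    return f"pod {ref.get('namespace')}/{ref.get('name')} mounts host path(s) {bad}" if bad else None


RULES = {"high-privileged-role-binding": check_high_priv_binding,
         "sensitive-host-mount": check_sensitive_mount}


def detect(audit_jsonl: str) -> List[Dict[str, str]]:
    """Run every rule over each persisted create event; one finding per hit."""
    findings = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not _created_ok(event):
            continue
        for rule, check in RULES.items():
            detail = check(event)
            if detail:
                findings.append({"rule": rule, "user": event.get("user", {}).get("username", "?"), "detail": detail})
    return findings


# Constructed sample audit events (not from a real cluster).
_BINDING = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
            "user": {"username": "dev@example.com"},
            "objectRef": {"resource": "clusterrolebindings", "name": "everyone-admin",
                          "apiGroup": "rbac.authorization.k8s.io"},
            "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                              "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}}
_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "ops@example.com"}, "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
    dict(_BINDING, stage="RequestReceived"),                       # first record of the request: ignored
    dict(_BINDING, stage="ResponseComplete", responseStatus={"code": 201}),  # persisted: flagged once
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "node-debug"},
     "requestObject": {"spec": {"containers": [{"name": "sh", "image": "busybox",
                                                "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
                                "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "rolebindings", "namespace": "team-a", "name": "readers"},
     "requestObject": {"roleRef": {"kind": "Role", "name": "pod-reader"}},
     "responseStatus": {"code": 201}},                             # narrow role: not flagged
]
AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

if __name__ == "__main__":
    for f in detect(AUDIT_LOG):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

On the constructed log this yields exactly two findings, both attributed to dev@example.com: the cluster-admin binding (counted once despite appearing at two audit stages) and the pod mounting the node's root filesystem; the list request and the narrow Role binding produce nothing.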

In addition, our threat detection goes beyond the Kubernetes management layer. Defender for Containers includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. Our global team of security researchers constantly monitors the threat landscape and adds container-specific alerts and vulnerabilities as they're discovered. Together, this solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the MITRE ATT&CK® matrix for Containers, a framework that was developed by the Center for Threat-Informed Defense in close partnership with Microsoft and others.

The full list of available alerts can be found in the Reference table of alerts.

Screenshot of Defender for Cloud's alerts page showing alerts for multi-cloud Kubernetes resources.

Architecture overview

The architecture of the various elements involved in the full range of protections provided by Defender for Containers varies depending on where your Kubernetes clusters are hosted.

Defender for Containers protects your clusters whether they're running in:

  • Azure Kubernetes Service (AKS) (Preview) - Microsoft's managed service for developing, deploying, and managing containerized applications.

  • Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account (Preview) - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

  • Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project (Preview) - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure.

  • An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.

For high-level diagrams of each scenario, see the relevant tabs below.

In the diagrams you'll see that the items received and analyzed by Defender for Cloud include:

  • Audit logs and security events from the API server
  • Cluster configuration information from the control plane
  • Workload configuration from Azure Policy
  • Security signals and events from the node level

Architecture diagram of Defender for Cloud and AKS clusters

When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and frictionless.

The Defender profile (preview) deployed to each node provides the runtime protections and collects signals from nodes using eBPF technology.

The Azure Policy add-on for Kubernetes collects cluster and workload configuration for admission control policies as explained in Protect your Kubernetes workloads.

Note

Defender for Containers' Defender profile is a preview feature.

High-level architecture of the interaction between Microsoft Defender for Containers, Azure Kubernetes Service, and Azure Policy.

Defender profile component details

Pod name: azuredefender-collector-ds-*
Namespace: kube-system
Kind: DaemonSet
Short description: A set of containers that focus on collecting inventory and security events from the Kubernetes environment.
Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE
Resource limits*: memory: 64Mi, cpu: 60m
Egress required: No

Pod name: azuredefender-collector-misc-*
Namespace: kube-system
Kind: Deployment
Short description: A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bound to a specific node.
Capabilities: N/A
Resource limits*: memory: 64Mi, cpu: 60m
Egress required: No

Pod name: azuredefender-publisher-ds-*
Namespace: kube-system
Kind: DaemonSet
Short description: Publishes the collected data to Microsoft Defender for Containers' backend service, where the data is processed and analyzed.
Capabilities: N/A
Resource limits*: memory: 200Mi, cpu: 60m
Egress required: HTTPS 443

Learn more about the outbound access prerequisites

* resource limits aren't configurable

FAQ - Defender for Containers

What are the options to enable the new plan at scale?

We’ve rolled out a new policy in Azure Policy, Configure Microsoft Defender for Containers to be enabled, to make it easier to enable the new plan at scale.

Does Microsoft Defender for Containers support AKS clusters with virtual machines scale set (VMSS)?

Yes.

Does Microsoft Defender for Containers support AKS without scale set (default)?

No. Only Azure Kubernetes Service (AKS) clusters that use virtual machine scale sets for the nodes are supported.

Do I need to install the Log Analytics VM extension on my AKS nodes for security protection?

No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. The Log Analytics VM extension is not needed and may result in additional charges.

Next steps

In this overview, you learned about the core elements of container security in Microsoft Defender for Cloud. To enable the plan, see: