Defender for Containers architecture

Architecture components

When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, it collects Kubernetes audit log data natively through Azure infrastructure without requiring additional agents or configuration. To get the full protection offered by Microsoft Defender for Containers, you need these components:

• Defender sensor: A lightweight DaemonSet deployed on AKS nodes that collects runtime telemetry (Kubernetes events, process, and network data) by using eBPF technology. It sends the telemetry securely to Defender for Cloud for runtime threat protection. The sensor registers with a Log Analytics workspace and acts as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an AKS Security profile, natively integrated into AKS Resource Provider (RP).

• Azure Policy for Kubernetes: A pod that extends the open-source Gatekeeper v3 and registers as a web hook to Kubernetes admission control. With this pod, you can apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an AKS add-on and you only need to install it on one node in the cluster. It provides the option to enforce configuration rules. Learn more about Kubernetes workload protection and Azure Policy for Kubernetes.
• ACR integration: Push-triggered and periodic image scanning for Azure Container Registry, providing vulnerability assessment without requiring extra components.
• Agentless discovery: Provides visibility into your Kubernetes clusters without requiring any agents, by using Azure native capabilities to discover and assess cluster configurations.
• Agentless scanning for machines: Periodic disk snapshots of Kubernetes nodes for an out-of-band, deep analysis of the operating system configuration and file system. This feature doesn't need any installed agents or network connectivity, and it doesn't affect machine performance.
• Microsoft XDR integration: Integrates with Microsoft’s extended detection and response platform for unified security operations and incident response.

Defender sensor component details

* You can't configure resource limits. Learn more about Kubernetes resources limits.

How does agentless discovery for Kubernetes in Azure work?

The discovery process uses snapshots taken at intervals:

When you enable the agentless discovery for Kubernetes extension, the following process occurs:

• Create:
  • If you enable the extension from Defender CSPM, Defender for Cloud creates an identity in your environment called CloudPosture/securityOperator/DefenderCSPMSecurityOperator.
  • If you enable the extension from Defender for Containers, Defender for Cloud creates an identity in your environment called CloudPosture/securityOperator/DefenderForContainersSecurityOperator.
• Assign: Defender for Cloud assigns a built-in role called Kubernetes Agentless Operator to that identity on subscription scope. The role contains the following permissions:
  • AKS read (Microsoft.ContainerService/managedClusters/read)
  • AKS Trusted Access with the following permissions:
    • Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
    • Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
    • Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Learn more about AKS Trusted Access.
• Discover: Using the system assigned identity, Defender for Cloud discovers the AKS clusters in your environment by making API calls to the API server of AKS.
• Bind: After discovering an AKS cluster, Defender for Cloud performs an AKS bind operation by creating a ClusterRoleBinding between the created identity and the Kubernetes ClusterRole aks:trustedaccessrole:defender-containers:microsoft-defender-operator. The ClusterRole is visible through the API and gives Defender for Cloud data plane read permission inside the cluster.

Architecture components

When Defender for Cloud protects a cluster hosted in Elastic Kubernetes Service, it collects audit log data without using an agent. To get the full protection offered by Microsoft Defender for Containers, you need these components:

• Kubernetes audit logs: AWS account's CloudWatch enables and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis.
• Azure Arc-enabled Kubernetes: Connects your EKS clusters to Azure and enables Defender for Cloud to deploy security components as Arc extensions.
• Defender sensor: A lightweight DaemonSet deployed on each node that collects runtime telemetry (Kubernetes events, process, and network data) using eBPF technology for runtime threat protection. The sensor registers with a Log Analytics workspace and acts as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension.
• Azure Policy for Kubernetes: A pod that extends the open-source Gatekeeper v3 and registers as a web hook to Kubernetes admission control, making it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension and only needs to be installed on one node in the cluster. It provides the option to enforce configuration rules.
• Amazon ECR integration: Agentless vulnerability assessment for container images stored in Amazon Elastic Container Registry (ECR). Images are scanned automatically when pushed to the registry, providing security findings integrated into Defender for Cloud.

How does agentless discovery for Kubernetes in AWS work?

The discovery process uses snapshots taken at intervals:

When you enable the agentless discovery for Kubernetes extension, the following process occurs:

• Create:
  • Add the Defender for Cloud role MDCContainersAgentlessDiscoveryK8sRole to the aws-auth ConfigMap of the EKS clusters. You can customize the name.
• Assign: Defender for Cloud assigns the MDCContainersAgentlessDiscoveryK8sRole role the following permissions:
  • eks:UpdateClusterConfig
  • eks:DescribeCluster
• Discover: Using the system assigned identity, Defender for Cloud discovers the EKS clusters in your environment by making API calls to the API server of EKS.

Architecture components

When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, it collects audit log data without using an agent. To get full protection from Microsoft Defender for Containers, you need these components:

• Kubernetes audit logs: GCP Cloud Logging enables and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis.
• Azure Arc-enabled Kubernetes: Connects your GKE clusters to Azure and enables Defender for Cloud to deploy security components as Arc extensions.
• Defender sensor: A lightweight DaemonSet deployed on each node that collects runtime telemetry (Kubernetes events, process, and network data) using eBPF technology for runtime threat protection. The sensor registers with a Log Analytics workspace and acts as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension.
• Azure Policy for Kubernetes: A pod that extends the open-source Gatekeeper v3 and registers as a web hook to Kubernetes admission control, making it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension and only needs to be installed on one node in the cluster. It provides the option to enforce configuration rules.
• Google Registry integration: Agentless vulnerability assessment for container images stored in Google Container Registry (GCR) and Google Artifact Registry (GAR). Images are scanned automatically when pushed to the registries, surfacing vulnerabilities natively in Defender for Cloud.

How does agentless discovery for Kubernetes in GCP work?

The discovery process uses snapshots taken at intervals:

When you enable the agentless discovery for Kubernetes extension, the following process occurs:

• Create:
  • The service account mdc-containers-k8s-operator is created. You can customize the name.
• Assign: Defender for Cloud attaches the following roles to the service account mdc-containers-k8s-operator:
  • The custom role MDCGkeClusterWriteRole, which has the container.clusters.update permission
  • The built-in role container.viewer
• Discover: Using the system assigned identity, Defender for Cloud discovers the GKE clusters in your environment by making API calls to the API server of GKE.

Architecture components

To get full protection from Microsoft Defender for Containers, you need these components:

• Azure Arc-enabled Kubernetes: Connects your clusters to Azure and lets Defender for Cloud deploy security components as Arc extensions.
• Defender sensor: A lightweight DaemonSet deployed on each node that collects runtime telemetry (Kubernetes events, process, and network data) by using eBPF technology and Kubernetes audit logs for runtime threat protection. The sensor registers with a Log Analytics workspace and acts as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. You deploy the Defender sensor as an Arc-enabled Kubernetes extension.
• Azure Policy for Kubernetes: A pod that extends the open-source Gatekeeper v3 and registers as a web hook to Kubernetes admission control. With this pod, you can apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. You only need to install it on one node in the cluster. It provides the option to enforce configuration rules. Learn more about Kubernetes workload protection and Azure Policy for Kubernetes.