Overview of Defender for Cloud protection of Kubernetes nodes

In addition to protecting the Kubernetes cluster control plane and workloads, Defender for Cloud also extends security and compliance over the Kubernetes nodes in the customer's Azure Kubernetes Service (AKS).

Protection for Kubernetes nodes

Kubernetes nodes are virtual machines (VMs) that the cloud provider’s Kubernetes service creates to run the cluster control plane and workloads.

A cluster node pool, also called a node group, is a managed set of identical VM types and VM versions.

The Kubernetes service lets you configure a cluster, including the node pools.

Node pool configuration includes the node count and the VM type and VM version.

You set the node pool configuration based on application requirements. You manage each node pool as a single set. You configure and update all nodes together.

When Defender for Cloud recommendations indicate it, the customer upgrades the node pool VM version to improve node security.

Support for protecting Kubernetes nodes is listed per cloud environment in the Defender for Cloud containers support matrix, under the Vulnerability assessments and Runtime threat protection sections.

Shared responsibility of Kubernetes nodes

The responsibility for maintaining the Kubernetes nodes is shared between the Kubernetes service and the customer.

  • The Kubernetes service maintains and patches the OS and the software of its supported node VM images by providing upgraded versions.
  • The customer is responsible for initially configuring the Kubernetes node pools based on the requirements of the applications running in the cluster. The customer is also responsible for upgrading the node pool VM version as required to improve security, and support the applications running in the cluster.

Kubernetes node protections

The following protections are provided for Kubernetes nodes:

  • Vulnerability assessment - Kubernetes node software is scanned for known vulnerabilities. Recommendations are generated for the customer to review and remediate.

  • Malware detection - Kubernetes nodes are scanned for malware. A security alert is generated for the customer to review and remediate.

Kubernetes node protections are provided by taking snapshots of node pool disks and scanning the snapshots, so no agent runs on the node. See the Agentless scanning architecture description for details.

Enable agentless scanning for machines

Protection for Kubernetes nodes is enabled by toggling on Agentless scanning for machines in the Defender for Containers, Defender Cloud Security Posture Management, or Defender for Servers P2 plan.

To enable agentless scanning for machines in the Defender for Containers plan in the Azure portal:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Management > Environment settings.

  3. (Optional) Select Expand all.

    Screenshot of Environment settings page with the Expand All button indicated.

  4. Select the relevant subscription.

  5. Locate the Containers plan row and select Settings.

    Screenshot of selecting the settings option of Defender for Containers plan.

  6. Toggle Agentless scanning for machines to On.

    Screenshot of turning on the agentless scanning for machines toggle.

  7. Select Save.
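Because the toggle can live in any of the three plans named above, a compliance check should look at all of them rather than only Defender for Containers. The following is an added example, not Microsoft's code: it reads the plan list in the shape returned by the Microsoft.Security/pricings API (as exposed by `az security pricing list`) over a constructed sample, and assumes the extension name `AgentlessVmScanning`, the plan names `Containers`, `CloudPosture` and `VirtualMachines`, and the `subPlan` field for the Servers P2 distinction.

```python
"""Report which Defender for Cloud plans have agentless scanning for machines on."""
import json

# Plans whose toggle enables Kubernetes node protection (names assumed to match
# the pricings API; the page names them Containers, Defender CSPM, Servers P2).
NODE_PROTECTION_PLANS = {"Containers", "CloudPosture", "VirtualMachines"}
AGENTLESS_EXTENSION = "AgentlessVmScanning"  # assumed extension name

# Constructed sample: Containers on Standard with the toggle off, Defender CSPM
# with it on, Defender for Servers still on the Free tier.
SAMPLE_PRICINGS = {
    "value": [
        {"name": "Containers", "properties": {"pricingTier": "Standard",
            "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "False"}]}},
        {"name": "CloudPosture", "properties": {"pricingTier": "Standard",
            "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "True"}]}},
        {"name": "VirtualMachines", "properties": {"pricingTier": "Free",
            "extensions": []}},
    ]
}


def agentless_status(pricings):
    """Return {plan: bool} for each node-protection plan in the response.

    A plan counts as enabled only when it is on the Standard tier (P2 for
    Servers) and its agentless extension entry reports isEnabled "True".
    Accepts the raw JSON text or the already-decoded dict.
    """
    data = json.loads(pricings) if isinstance(pricings, str) else pricings
    status = {}
    for plan in data.get("value", []):
        name = plan.get("name")
        if name not in NODE_PROTECTION_PLANS:
            continue
        props = plan.get("properties", {})
        tier_ok = props.get("pricingTier") == "Standard"
        if name == "VirtualMachines":  # Servers P1 does not carry the toggle
            tier_ok = tier_ok and props.get("subPlan") == "P2"
        ext_on = any(
            e.get("name") == AGENTLESS_EXTENSION
            and str(e.get("isEnabled")).lower() == "true"
            for e in props.get("extensions", [])
        )
        status[name] = tier_ok and ext_on
    return status


def nodes_protected(pricings):
    """True when at least one qualifying plan has agentless scanning on."""
    return any(agentless_status(pricings).values())


if __name__ == "__main__":
    print(agentless_status(SAMPLE_PRICINGS))
    print("Kubernetes nodes protected:", nodes_protected(SAMPLE_PRICINGS))
```

Feed it the output of `az security pricing list` for a subscription to see which plan, if any, currently carries the toggle.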