Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Defender for Cloud helps protect supported Azure Kubernetes Service (AKS) nodes by providing vulnerability assessment and malware detection for the virtual machines (VMs) that run your cluster workloads.
These protections help you identify vulnerabilities and detect malware on the nodes that support your cluster.
Protections for Kubernetes nodes
Defender for Cloud provides the following protections for supported Kubernetes nodes:
Vulnerability assessment identifies known vulnerabilities on node software and surfaces recommendations to help you remediate them.
Malware detection scans nodes for malware and generates security alerts when malware is detected.
For support details, view the support matrix for Defender for Containers.
How Kubernetes node protection works
Kubernetes node protection uses agentless, snapshot-based scanning of node pool disks.
This capability relies on Agentless scanning for machines. When that feature is enabled in a supported plan, Defender for Cloud can scan supported Kubernetes nodes and surface findings in recommendations and alerts.
For more information about the underlying architecture, see Agentless scanning architecture.
Shared responsibility
Responsibility for Kubernetes nodes is shared between the managed Kubernetes service and your organization.
- The managed Kubernetes service provides supported node VM images and updated versions.
- You configure node pools based on your workload requirements.
- You are responsible for upgrading node pool VM versions to adopt newer images and improve your security posture.