Defender for Containers is architected differently for each Kubernetes environment it protects, depending on whether the clusters are running in:
Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.
Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure.
An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.
Note
Defender for Containers support for Arc-enabled Kubernetes clusters, including AWS EKS and GCP GKE clusters connected through Azure Arc, is a preview feature.
To protect your Kubernetes containers, Defender for Containers receives and analyzes:
Audit logs and security events from the API server
Cluster configuration information from the control plane
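The two inputs above are what every Defender for Containers deployment described on this page ultimately feeds to the backend. To make concrete what "analyzing API server audit logs" means in practice, the following is an added example (not Defender's own detection logic) that parses a handful of constructed Kubernetes audit events in the audit.k8s.io/v1 Event format and applies a few illustrative rules: interactive exec/attach into a pod by a human user, a ClusterRoleBinding that grants cluster-admin, creation of a privileged or host-namespace pod, and forbidden (403) requests. The events, user names, and rule names are all assumptions made for the example.

```python
import json

# Constructed sample audit events in the audit.k8s.io/v1 Event shape, trimmed to the
# fields used below. Illustrative only; not captured from a real cluster.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints","namespace":"kube-system","name":"kube-dns"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ci-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"ci","namespace":"ci"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"bob@example.com"},"objectRef":{"resource":"pods","namespace":"dev","name":"debug"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"RequestReceived","verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":403}}
'''


def parse_audit_events(text):
    """Parse JSON-lines audit output, keeping only ResponseComplete events so that each
    request is evaluated once (the API server also emits RequestReceived and
    ResponseStarted events for the same auditID)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def _is_system_user(user):
    return user.get("username", "").startswith("system:")


def _succeeded(ev):
    code = ev.get("responseStatus", {}).get("code", 0)
    return 200 <= code < 300 or code == 101  # 101: exec/attach stream was upgraded


def _privileged_pod(spec):
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            return True
    return False


def detect(events):
    """Apply the illustrative rules and return one finding dict per hit, in event order."""
    findings = []
    for ev in events:
        ref = ev.get("objectRef", {})
        user = ev.get("user", {})
        who = user.get("username", "<unknown>")
        target = f"{ref.get('resource')}/{ref.get('subresource') or ''} {ref.get('namespace', '')}/{ref.get('name', '')}"
        if not _succeeded(ev):
            # Denied requests are worth surfacing on their own: repeated 403s from one
            # principal often indicate enumeration of what a stolen credential can do.
            if ev.get("responseStatus", {}).get("code") == 403:
                findings.append({"auditID": ev["auditID"], "rule": "forbidden-request",
                                 "user": who, "detail": f"{ev['verb']} {target}"})
            continue
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") \
                and not _is_system_user(user):
            findings.append({"auditID": ev["auditID"], "rule": "interactive-pod-access",
                             "user": who, "detail": target})
        if ref.get("resource") == "clusterrolebindings" and ev["verb"] in ("create", "update", "patch"):
            role = ev.get("requestObject", {}).get("roleRef", {})
            if role.get("name") == "cluster-admin":
                findings.append({"auditID": ev["auditID"], "rule": "cluster-admin-binding",
                                 "user": who, "detail": f"binding {ref.get('name')} -> cluster-admin"})
        if ref.get("resource") == "pods" and not ref.get("subresource") and ev["verb"] == "create":
            spec = ev.get("requestObject", {}).get("spec", {})
            if _privileged_pod(spec):
                findings.append({"auditID": ev["auditID"], "rule": "privileged-pod-created",
                                 "user": who, "detail": target})
    return findings


def run_sample():
    return detect(parse_audit_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

Two details matter for any real pipeline built on this data: the requestObject field is only present when the cluster's audit policy logs at the Request or RequestResponse level for that resource, so the privileged-pod and cluster-admin rules silently miss events captured at Metadata level; and filtering on ResponseComplete is what prevents one request from being counted two or three times.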
Architecture diagram of Defender for Cloud and AKS clusters
When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and frictionless.
The Defender profile deployed to each node provides the runtime protections and collects signals from nodes using eBPF technology.
The Azure Policy add-on for Kubernetes collects cluster and workload configuration for admission control policies as explained in Protect your Kubernetes workloads.
Architecture diagram of Defender for Cloud and Arc-enabled Kubernetes clusters
For all clusters hosted outside of Azure, Azure Arc-enabled Kubernetes is required to connect the clusters to Azure and provide Azure services such as Defender for Containers.
When a non-Azure cluster is connected to Azure with Arc, the Arc extension collects Kubernetes audit log data from all control plane nodes in the cluster and sends it to the Microsoft Defender for Cloud backend in the cloud for further analysis. The extension is registered with a Log Analytics workspace that serves only as a data pipeline; the audit log data isn't stored in the Log Analytics workspace.
Workload configuration information is collected by the Azure Policy add-on. As explained on the Azure Policy for Kubernetes page, the add-on extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. Kubernetes admission controllers are plugins that enforce how your clusters are used. The add-on registers as a webhook with Kubernetes admission control, which makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
Note
Defender for Containers support for Arc-enabled Kubernetes clusters is a preview feature.
Architecture diagram of Defender for Cloud and EKS clusters
These components are required in order to receive the full protection offered by Microsoft Defender for Containers:
Kubernetes audit logs – Control plane audit logging is enabled in the AWS account's CloudWatch; an agentless collector reads the audit log data from CloudWatch and sends it to the Microsoft Defender for Cloud backend for further analysis.
Azure Arc-enabled Kubernetes - An agent-based solution that connects your EKS clusters to Azure. Azure can then provide services such as Defender and Azure Policy to the cluster as Arc extensions.
The Defender extension – A DaemonSet that collects signals from the hosts using eBPF technology and provides runtime protection. The extension is registered with a Log Analytics workspace that serves only as a data pipeline; the audit log data isn't stored in the Log Analytics workspace.
The Azure Policy extension - The workload's configuration information is collected by the Azure Policy add-on, which extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. The extension registers as a webhook with Kubernetes admission control, which makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. For more information, see Understand Azure Policy for Kubernetes clusters.
Note
Defender for Containers support for AWS EKS clusters is a preview feature.
Architecture diagram of Defender for Cloud and GKE clusters
These components are required in order to receive the full protection offered by Microsoft Defender for Containers:
Kubernetes audit logs – Control plane audit logging is enabled in GCP Cloud Logging; an agentless collector reads the audit log data from Cloud Logging and sends it to the Microsoft Defender for Cloud backend for further analysis.
Azure Arc-enabled Kubernetes - An agent-based solution that connects your GKE clusters to Azure. Azure can then provide services such as Defender and Azure Policy to the cluster as Arc extensions.
The Defender extension – A DaemonSet that collects signals from the hosts using eBPF technology and provides runtime protection. The extension is registered with a Log Analytics workspace that serves only as a data pipeline; the audit log data isn't stored in the Log Analytics workspace.
The Azure Policy extension - The workload's configuration information is collected by the Azure Policy add-on, which extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. The extension registers as a webhook with Kubernetes admission control, which makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. For more information, see Understand Azure Policy for Kubernetes clusters.
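The Azure Policy add-on described here, in the AKS section, the Arc section, and the EKS section above is in each case the same mechanism: a validating admission webhook built on Gatekeeper v3 that the API server consults before it persists a request. Gatekeeper expresses its rules as Rego ConstraintTemplates; the following added example (not Azure Policy's or Gatekeeper's code) shows the webhook contract itself in plain Python, taking an admission.k8s.io/v1 AdmissionReview request and returning the AdmissionReview response that either admits the object or rejects it with a message. The two sample pods, the uids, and the three constraints (no privileged containers, allowPrivilegeEscalation must be false, no hostPath volumes) are assumptions chosen for the example.

```python
import json


def _admission_review(uid, operation, obj):
    """Build a constructed AdmissionReview request as the API server would POST it
    to a validating webhook. Illustrative only; not captured from a real cluster."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": operation,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "namespace": "prod", "object": obj}}


# A pod that should be rejected: privileged container, escalation not disabled, hostPath mount.
PRIVILEGED_POD = _admission_review("11111111-aaaa", "CREATE", {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"containers": [{"name": "sh", "image": "busybox:1.36",
                             "securityContext": {"privileged": True}}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}})

# A pod that satisfies the constraints and should be admitted.
HARDENED_POD = _admission_review("22222222-bbbb", "CREATE", {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "runAsNonRoot": True}}]}})


def _violations(obj):
    """Hypothetical constraints written in plain Python. Gatekeeper would express the
    same checks as Rego in a ConstraintTemplate; the decision shape is identical."""
    spec = obj.get("spec", {})
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"container '{c['name']}' is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
        if sc.get("allowPrivilegeEscalation", True):
            out.append(f"container '{c['name']}' must set allowPrivilegeEscalation: false")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"volume '{vol['name']}' mounts hostPath {vol['hostPath'].get('path')}")
    return out


def review(admission_review):
    """Return the AdmissionReview response for one request. Validation is applied only
    to CREATE/UPDATE of Pods; everything else is admitted unchanged."""
    req = admission_review["request"]
    violations = []
    if req["operation"] in ("CREATE", "UPDATE") and req["kind"]["kind"] == "Pod":
        violations = _violations(req.get("object") or {})
    # The response must echo the request uid so the API server can match it up.
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    for ar in (PRIVILEGED_POD, HARDENED_POD):
        print(json.dumps(review(ar)))
```

In a real deployment this function sits behind a TLS endpoint that a ValidatingWebhookConfiguration points the API server at, and that object's failurePolicy decides whether an unreachable webhook fails open (Ignore) or closed (Fail). Admission control also only gates requests as they arrive; workloads that already exist when a constraint is introduced are not blocked, which is why Gatekeeper additionally audits existing resources and the add-on reports them as non-compliant rather than evicting them.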
Note
Defender for Containers support for GCP GKE clusters is a preview feature.
Next steps
In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see: