Defender for Containers architecture

Defender for Containers is designed differently for each Kubernetes environment whether they're running in:

  • Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.

  • Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

  • Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure.

  • An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.


Defender for Containers support for Arc-enabled Kubernetes clusters (AWS EKS and GCP GKE) is a preview feature.

To protect your Kubernetes containers, Defender for Containers receives and analyzes:

  • Audit logs and security events from the API server
  • Cluster configuration information from the control plane
  • Workload configuration from Azure Policy
  • Security signals and events from the node level

To learn more about implementation details such as supported operating systems, feature availability, outbound proxy, see Defender for Containers feature availability.

Architecture for each Kubernetes environment

Architecture diagram of Defender for Cloud and AKS clusters

When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and frictionless.

The Defender profile deployed to each node provides the runtime protections and collects signals from nodes using eBPF technology.

The Azure Policy add-on for Kubernetes collects cluster and workload configuration for admission control policies as explained in Protect your Kubernetes workloads.

Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Azure Kubernetes Service, and Azure Policy.

Defender profile component details

Pod Name Namespace Kind Short Description Capabilities Resource limits Egress Required
microsoft-defender-collector-ds-* kube-system DaemonSet A set of containers that focus on collecting inventory and security events from the Kubernetes environment. SYS_ADMIN, 
memory: 296Mi

cpu: 360m
microsoft-defender-collector-misc-* kube-system Deployment A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bounded to a specific node. N/A memory: 64Mi

cpu: 60m
microsoft-defender-publisher-ds-* kube-system DaemonSet Publish the collected data to Microsoft Defender for Containers backend service where the data will be processed for and analyzed. N/A memory: 200Mi  

cpu: 60m
Https 443

Learn more about the outbound access prerequisites

* Resource limits aren't configurable; Learn more about Kubernetes resources limits

Next steps

In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see: