Defender for Containers architecture
Defender for Containers is designed differently for each Kubernetes environment, whether the cluster is running in:
Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.
Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure.
An unmanaged Kubernetes distribution (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.
Defender for Containers support for Arc-enabled Kubernetes clusters, AWS EKS, and GCP GKE is a preview feature.
To protect your Kubernetes containers, Defender for Containers receives and analyzes:
- Audit logs and security events from the API server
- Cluster configuration information from the control plane
- Workload configuration from Azure Policy
- Security signals and events from the node level
To learn more about implementation details such as supported operating systems, feature availability, outbound proxy, see Defender for Containers feature availability.
Architecture for each Kubernetes environment
When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and frictionless.
The Defender profile deployed to each node provides the runtime protections and collects signals from nodes using eBPF technology.
The Azure Policy add-on for Kubernetes collects cluster and workload configuration for admission control policies as explained in Protect your Kubernetes workloads.
Defender profile component details
| Pod Name | Namespace | Kind | Short Description | Capabilities | Resource limits | Egress Required |
|---|---|---|---|---|---|---|
| microsoft-defender-collector-ds-* | kube-system | DaemonSet | A set of containers that focus on collecting inventory and security events from the Kubernetes environment. | SYS_ADMIN, | | |
| microsoft-defender-collector-misc-* | kube-system | Deployment | A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bound to a specific node. | N/A | memory: 64Mi | |
| microsoft-defender-publisher-ds-* | kube-system | DaemonSet | Publishes the collected data to the Microsoft Defender for Containers backend service, where the data is processed and analyzed. | N/A | memory: 200Mi | |
Learn more about the outbound access prerequisites
* Resource limits aren't configurable; learn more about Kubernetes resource limits.
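A practitioner deploying the profile usually wants to confirm that the three components in the table are actually present and healthy in kube-system, and that what is running matches what is documented (owner kind, memory limit, granted capabilities). The following script is an added example, not Microsoft's code: it reads the JSON produced by `kubectl get pods -n kube-system -o json` and checks each documented pod-name pattern against it. The `SAMPLE_PODS` input is constructed to imitate that output (with one deliberate limit mismatch and one Pending pod); the memory limit for the first row is not given on this page, so it is not checked.

```python
"""Check that the Defender profile components documented above are present in
kube-system and match the documented owner kind, memory limit and capabilities.

Added example, not Microsoft's code. Input shape is that of
`kubectl get pods -n kube-system -o json`; SAMPLE_PODS below is constructed.
"""
import fnmatch
import json

# Expected components from the table. Deployment pods are owned by a ReplicaSet,
# which is what the pod's ownerReferences report. A memory value of None means
# the limit is not documented here and is therefore not checked.
EXPECTED = {
    "microsoft-defender-collector-ds-*": {"owner": "DaemonSet", "memory": None, "caps": {"SYS_ADMIN"}},
    "microsoft-defender-collector-misc-*": {"owner": "ReplicaSet", "memory": "64Mi", "caps": set()},
    "microsoft-defender-publisher-ds-*": {"owner": "DaemonSet", "memory": "200Mi", "caps": set()},
}


def _pod(name, owner, mem, caps, phase="Running"):
    """Build one constructed pod record in the shape of kubectl JSON output."""
    return {
        "metadata": {"name": name, "namespace": "kube-system",
                     "ownerReferences": [{"kind": owner}]},
        "status": {"phase": phase},
        "spec": {"containers": [{
            "name": "main",
            "resources": {"limits": {"memory": mem}},
            "securityContext": {"capabilities": {"add": caps}},
        }]},
    }


# Constructed sample, not real cluster output: a healthy collector DaemonSet pod,
# a misc collector pod with a limit that drifted from the documented 64Mi, a
# publisher pod stuck in Pending, and an unrelated coredns pod that is ignored.
SAMPLE_PODS = {"items": [
    _pod("microsoft-defender-collector-ds-abc12", "DaemonSet", "64Mi", ["SYS_ADMIN"]),
    _pod("microsoft-defender-collector-misc-7f9d8-xyz", "ReplicaSet", "128Mi", []),
    _pod("microsoft-defender-publisher-ds-def34", "DaemonSet", "200Mi", [], phase="Pending"),
    _pod("coredns-5d78c9869d-abcde", "ReplicaSet", "170Mi", []),
]}


def summarize_pods(pods_json):
    """Flatten kubectl pod JSON into the few fields the checks need."""
    out = []
    for item in pods_json.get("items", []):
        meta = item["metadata"]
        owners = meta.get("ownerReferences") or [{}]
        caps, mem = set(), None
        for c in item["spec"]["containers"]:
            sc = c.get("securityContext") or {}
            caps |= set((sc.get("capabilities") or {}).get("add") or [])
            mem = mem or (c.get("resources") or {}).get("limits", {}).get("memory")
        out.append({"name": meta["name"], "namespace": meta.get("namespace"),
                    "owner": owners[0].get("kind"), "phase": item["status"].get("phase"),
                    "caps": caps, "memory": mem})
    return out


def check_defender_profile(pods_json):
    """Return {pattern: [finding, ...]}; an empty list means the component matches the table."""
    pods = [p for p in summarize_pods(pods_json) if p["namespace"] == "kube-system"]
    report = {}
    for pattern, want in EXPECTED.items():
        matches = [p for p in pods if fnmatch.fnmatch(p["name"], pattern)]
        findings = []
        if not matches:
            findings.append("no pod matching pattern in kube-system")
        for p in matches:
            if p["phase"] != "Running":
                findings.append(f"{p['name']}: phase {p['phase']}")
            if p["owner"] != want["owner"]:
                findings.append(f"{p['name']}: owned by {p['owner']}, expected {want['owner']}")
            if want["memory"] and p["memory"] != want["memory"]:
                findings.append(f"{p['name']}: memory limit {p['memory']} differs from documented {want['memory']}")
            missing = want["caps"] - p["caps"]
            if missing:
                findings.append(f"{p['name']}: missing documented capabilities {sorted(missing)}")
        report[pattern] = findings
    return report


if __name__ == "__main__":
    import sys
    # Pipe real output in: kubectl get pods -n kube-system -o json | python3 this_script.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for pattern, findings in check_defender_profile(data).items():
        print(pattern, "OK" if not findings else findings)
```

Because resource limits aren't configurable, a limit that differs from the table is worth investigating as a sign of an unexpected image version or a tampered manifest rather than something to tune; a missing pattern or a non-Running phase means the cluster is not actually sending runtime signals, whatever the portal shows.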
In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see: