Protect your Google Cloud Platform (GCP) containers with Defender for Containers

Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.

Learn more about Overview of Microsoft Defender for Containers.

You can learn more about Defender for Container's pricing on the pricing page.


Enable the Defender for Containers plan on your GCP project

To protect Google Kubernetes Engine (GKE) clusters:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant GCP project.

    Screenshot showing an example GCP connector.

  5. Select the Next: Select plans button.

  6. Ensure that the Containers plan is toggled to On.

    Screenshot that shows the containers plan is toggled to on.

  7. To change optional configurations for the plan, select Settings.

    Screenshot of Defender for Cloud's environment settings page showing the settings for the Containers plan.

    • Kubernetes audit logs to Defender for Cloud: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through GCP Cloud Logging to the Microsoft Defender for Cloud back end for further analysis. Defender for Containers requires control plane audit logs to provide runtime threat protection. To send Kubernetes audit logs to Microsoft Defender, toggle the setting to On.


      If you disable this configuration, then the Threat detection (control plane) feature will be disabled. Learn more about features availability.

    • Auto provision Defender's sensor for Azure Arc and Auto provision Azure Policy extension for Azure Arc: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:

    • Agentless discovery for Kubernetes provides API-based discovery of your Kubernetes clusters. To enable the Agentless discovery for Kubernetes feature, toggle the setting to On.

    • The Agentless Container Vulnerability Assessment provides vulnerability management for images stored in Google Registries (GAR and GCR) and running images on your GKE clusters. To enable the Agentless Container Vulnerability Assessment feature, toggle the setting to On.

  8. Select the Copy button.

    Screenshot showing the location of the copy button.

  9. Select the GCP Cloud Shell button.

  10. Paste the script into the Cloud Shell terminal, and run it.

    The connector will update after the script executes. This process can take up to 6-8 hours up to complete.

  11. Select Next: Review and Generate>.

  12. Select Update.

Deploy the solution to specific clusters

If you disabled any of the default auto provisioning configurations to Off, during the GCP connector onboarding process, or afterwards. You need to manually install Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes to each of your GKE clusters to get the full security value out of Defender for Containers.

There are two dedicated Defender for Cloud recommendations you can use to install the extensions (and Arc if necessary):

  • GKE clusters should have Microsoft Defender's extension for Azure Arc installed
  • GKE clusters should have the Azure Policy extension installed


When installing Arc extensions, you must verify that the GCP project provided is identical to the one in the relevant connector.

To deploy the solution to specific clusters:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Recommendations.

  4. From Defender for Cloud's Recommendations page, search for each one of the recommendations above by name.

    Screenshot showing how to search for the recommendation.

  5. Select an unhealthy GKE cluster.


    You must select the clusters one at a time.

    Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.

  6. Select the name of the unhealthy resource.

  7. Select Fix.

    Screenshot showing the location of the fix button.

  8. Defender for Cloud generates a script in the language of your choice:

    • For Linux, select Bash.
    • For Windows, select PowerShell.
  9. Select Download remediation logic.

  10. Run the generated script on your cluster.

  11. Repeat steps 3 through 10 for the second recommendation.

Next steps