
Enable Defender profile#

Security · Azure Kubernetes Service · Rule · 2023_03 · Important

Enable the Defender profile on Azure Kubernetes Service (AKS) clusters.

Description#

To collect signals and provide the data plane protections of Microsoft Defender for Containers, additional DaemonSets and Deployments need to be deployed to the AKS cluster.

These components are installed when the Defender profile is enabled on the cluster.

The Defender profile runs on each node, where it provides runtime protection and collects security signals from the node.

Recommendation#

Consider enabling the Defender profile on Azure Kubernetes Service (AKS) clusters.

Examples#

Configure with Azure template#

To enable the Defender profile on Azure Kubernetes Service clusters:

  • Set `properties.securityProfile.defender.securityMonitoring.enabled` to `true`.
  • Set `properties.securityProfile.defender.logAnalyticsWorkspaceResourceId` to the resource ID of the Log Analytics workspace that receives the security data.

For example:

```json title="Azure Template snippet"
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2023-01-02-preview",
  "name": "[parameters('clusterName')]",
  "location": "[parameters('location')]",
  "properties": {
    "securityProfile": {
      "defender": {
        "logAnalyticsWorkspaceResourceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
        "securityMonitoring": {
          "enabled": true
        }
      }
    }
  }
}
```

Configure with Bicep#

To enable the Defender profile on Azure Kubernetes Service clusters:

  • Set `properties.securityProfile.defender.securityMonitoring.enabled` to `true`.
  • Set `properties.securityProfile.defender.logAnalyticsWorkspaceResourceId` to the resource ID of the Log Analytics workspace that receives the security data.

For example:

```bicep title="Azure Bicep snippet"
// Parameters referenced by the resource below.
param clusterName string
param location string = resourceGroup().location
param logAnalyticsWorkspaceResourceId string

resource cluster 'Microsoft.ContainerService/managedClusters@2023-01-02-preview' = {
  location: location
  name: clusterName
  properties: {
    securityProfile: {
      defender: {
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
        securityMonitoring: {
          enabled: true
        }
      }
    }
  }
}
```
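The two snippets above set the same property, so a practitioner auditing an estate needs one check for it. The following is an added example (not PSRule for Azure code) that inspects AKS cluster definitions, either ARM template resources like the snippet above or the JSON that `az aks show -o json` / `az aks list -o json` returns (where the `properties` members are flattened to the top level), and reports clusters whose `securityProfile.defender.securityMonitoring.enabled` is not literally `true`. The sample clusters are constructed for the example, and the secondary check that a `logAnalyticsWorkspaceResourceId` accompanies an enabled profile is this example's own assumption, not a requirement stated by the rule.

```python
"""Audit AKS cluster definitions for the Defender profile (added example)."""
import json
from typing import Any, Dict, List


def _properties(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """ARM template resources nest settings under "properties";
    az CLI output flattens them to the top level. Handle both."""
    props = cluster.get("properties")
    return props if isinstance(props, dict) else cluster


def check_defender_profile(cluster: Dict[str, Any]) -> List[str]:
    """Return findings for one cluster; an empty list means the rule passes.

    Only a literal boolean true counts. An ARM expression such as
    "[parameters('enableDefender')]" is not evaluated here and is reported,
    so review those by hand rather than trusting a template string."""
    name = cluster.get("name", "<unnamed>")
    props = _properties(cluster)
    defender = (props.get("securityProfile") or {}).get("defender") or {}
    monitoring = defender.get("securityMonitoring") or {}
    findings: List[str] = []

    enabled = monitoring.get("enabled")
    if enabled is not True:
        findings.append(
            f"{name}: securityProfile.defender.securityMonitoring.enabled "
            f"is {enabled!r}, expected true"
        )
    # Assumption of this example: the profile ships data to a Log Analytics
    # workspace, so an enabled profile without a workspace ID is flagged.
    if enabled is True and not defender.get("logAnalyticsWorkspaceResourceId"):
        findings.append(
            f"{name}: Defender profile enabled but "
            "logAnalyticsWorkspaceResourceId is not set"
        )
    return findings


def audit(clusters: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each failing cluster name to its findings; passing clusters are omitted."""
    report: Dict[str, List[str]] = {}
    for cluster in clusters:
        findings = check_defender_profile(cluster)
        if findings:
            report[cluster.get("name", "<unnamed>")] = findings
    return report


# Constructed sample input: one ARM template resource that passes, one
# az-CLI-shaped cluster with the profile disabled, one with no profile at all,
# and one whose flag is an unevaluated template expression.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = json.loads("""
[
  {
    "type": "Microsoft.ContainerService/managedClusters",
    "name": "aks-prod-01",
    "properties": {
      "securityProfile": {
        "defender": {
          "logAnalyticsWorkspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec",
          "securityMonitoring": { "enabled": true }
        }
      }
    }
  },
  {
    "name": "aks-dev-01",
    "securityProfile": { "defender": { "securityMonitoring": { "enabled": false } } }
  },
  {
    "name": "aks-legacy-01",
    "securityProfile": null
  },
  {
    "name": "aks-templated-01",
    "properties": {
      "securityProfile": {
        "defender": { "securityMonitoring": { "enabled": "[parameters('enableDefender')]" } }
      }
    }
  }
]
""")


if __name__ == "__main__":
    for cluster_name, cluster_findings in audit(SAMPLE_CLUSTERS).items():
        for finding in cluster_findings:
            print(finding)
```

To run it against live clusters, feed the output of `az aks list -o json` to `audit()` instead of `SAMPLE_CLUSTERS`; for a single cluster, `az aks show -g <resourceGroup> -n <clusterName> --query securityProfile.defender` shows the same property directly.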

Notes#

The Defender profile requires outbound network access so that it can connect to Microsoft Defender for Cloud and send security data and events. On clusters with restricted egress, allow this traffic before enabling the profile, otherwise the components are deployed but no signals reach Defender for Cloud.
