Uredi

Dijelite putem

Containers support matrix in Defender for Cloud

  • Članak

Caution

This article references CentOS, a Linux distribution that is End Of Service as of June 30, 2024. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.

This article summarizes support information for Container capabilities in Microsoft Defender for Cloud.

Note

  • Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
  • Only the versions of AKS, EKS and GKE supported by the cloud vendor are officially supported by Defender for Cloud.

The following are the features provided by Defender for Containers, for the supported cloud environments and container registries.

Vulnerability assessment (VA) features

Feature Description Supported resources Linux release state Windows release state Enablement method Plans Clouds availability
Container registry VA VA for images in container registries ACR, ECR, GAR, GCR, Docker Hub, JFrog Artifactory GA GA Requires Registry access 1 or Connector creation for Docker Hub/Jfrog Defender for Containers or Defender CSPM Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Runtime container VA - Registry scan based VA of containers running images from supported registries ACR, ECR, GAR, GCR, Docker Hub, JFrog Artifactory GA GA Requires Registry access 1 or Connector creation for Docker Hub/Jfrog and either K8S API access or Defender sensor 1 Defender for Containers or Defender CSPM Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Runtime container VA Registry agnostic VA of container running images All Preview - Requires Agentless scanning for machines and either K8S API access or Defender sensor 1 Defender for Containers or Defender CSPM Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet

1National clouds are automatically enabled and cannot be disabled.

Registries and images support for vulnerability assessment

Aspect Details
Registries and images Supported
* Container images in Docker V2 format
* Images with Open Container Initiative (OCI) image format specification
Unsupported
* Super-minimalist images such as Docker scratch images is currently unsupported
* Public repositories
* Manifest lists
Operating systems Supported
* Alpine Linux 3.12-3.21
* Red Hat Enterprise Linux 6-9
* CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.)
* Oracle Linux 6-9
* Amazon Linux 1, 2
* openSUSE Leap, openSUSE Tumbleweed
* SUSE Enterprise Linux 11-15
* Debian GNU/Linux 7-12
* Google Distroless (based on Debian GNU/Linux 7-12)
* Ubuntu 12.04-22.04
* Fedora 31-37
* Azure Linux 1-2
* Windows server 2016, 2019, 2022
Language specific packages

Supported
* Python
* Node.js
* PHP
* Ruby
* Rust
* .NET
* Java
* Go

Runtime protection features

Feature Description Supported resources Linux release state Windows release state Enablement method Plans Clouds availability
Control plane detection Detection of suspicious activity for Kubernetes based on Kubernetes audit trail AKS GA GA Enabled with plan Defender for Containers or Defender CSPM Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet
Workload detection Monitors containerized workloads for threats and gives alerts to suspicious activities AKS GA - Requires Defender sensor Defender for Containers Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet
Binary drift detection Detects binary of runtime container from container image AKS GA - Requires Defender sensor Defender for Containers Commercial clouds
Advanced hunting in XDR View cluster incidents and alerts in Microsoft XDR AKS Preview - currently supports audit logs & process events Preview - currently supports audit logs Requires Defender sensor Defender for Containers Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet
Response actions in XDR Provides automated and manual remediation in Microsoft XDR AKS Preview - Requires Defender sensor and K8S access API Defender for Containers Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet
Malware detection Detection of malware AKS nodes GA GA Requires Agentless scanning for machines Defender for Containers or Defender for Servers Plan 2 Commercial clouds

Kubernetes distributions and configurations for runtime threat protection in Azure

Aspect Details
Kubernetes distributions and configurations Supported
* Azure Kubernetes Service (AKS) with Kubernetes RBAC

Supported via Arc enabled Kubernetes 1 2
* Azure Kubernetes Service hybrid
* Kubernetes
* AKS Engine
* Azure Red Hat OpenShift

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.

2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Security posture management features

Feature Description Supported resources Linux release state Windows release state Enablement method Plans Clouds availability
Agentless discovery for Kubernetes 1 Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments. AKS GA GA Requires K8S API access Defender for Containers OR Defender CSPM Azure commercial clouds
Comprehensive inventory capabilities Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets. ACR, AKS GA GA Requires K8S API access Defender for Containers OR Defender CSPM Azure commercial clouds
Attack path analysis A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment. ACR, AKS GA GA Requires K8S API access Defender CSPM Azure commercial clouds
Enhanced risk-hunting Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer. ACR, AKS GA GA Requires K8S API access Defender for Containers OR Defender CSPM Azure commercial clouds
Control plane hardening 1 Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues. ACR, AKS GA GA Enabled with plan Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Workload hardening 1 Protect workloads of your Kubernetes containers with best practice recommendations. AKS GA - Requires Azure Policy Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
CIS Azure Kubernetes Service CIS Azure Kubernetes Service Benchmark AKS GA - Assigned as a security standard Defender for Containers OR Defender CSPM Commercial clouds

1 This feature can be enabled for an individual cluster when enabling Defender for Containers at the cluster resource level.

Containers software supply chain protection features

Feature Description Supported resources Linux release state Windows release state Enablement method Plans Clouds availability
Gated deployment Gated deployment of container images to your Kubernetes environment AKS 1.32 or higher Preview Preview Enabled with plan Defender for Containers or Defender CSPM Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet

Network restrictions

Aspect Details
Outbound proxy support Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
Clusters with IP restrictions If your Kubernetes cluster in AWS has control plane IP restrictions enabled (see Amazon EKS cluster endpoint access control - Amazon EKS ), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud.

Supported host operating systems

Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported only with Linux Kernel 5.4 and above, on the following host operating systems:

  • Amazon Linux 2
  • CentOS 8 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.)
  • Debian 10
  • Debian 11
  • Google Container-Optimized OS
  • Azure Linux 1.0
  • Azure Linux 2.0
  • Red Hat Enterprise Linux 8
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04

Ensure your Kubernetes node is running on one of these verified operating systems. Clusters with unsupported host operating systems don't get the benefits of features relying on Defender sensor.

Defender sensor limitations

The Defender sensor in AKS V1.28 and below isn't supported on Arm64 nodes.

Next steps