This article references CentOS, a Linux distribution that is End Of Service as of June 30, 2024. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article summarizes support information for Container capabilities in Microsoft Defender for Cloud.
Note
Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Only the versions of AKS, EKS and GKE supported by the cloud vendor are officially supported by Defender for Cloud.
The following are the features provided by Defender for Containers, for the supported cloud environments and container registries.
Vulnerability assessments for images in container registries
ACR
GA
GA
Requires Registry access (National clouds are automatically enabled and cannot be toggled)
Defender for Containers or Defender CSPM
Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet
Runtime container
Vulnerability assessments of running container images
Agnostic to container registry source
Preview (Container with ACR images are GA)
-
Requires Agentless scanning for machines and either K8S API access or Defender sensor (National clouds are automatically enabled and cannot be disabled)
Defender for Containers or Defender CSPM
Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet
Registries and images support for vulnerability assessment in Azure
Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9. (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows Server 2016, 2019, 2022
Vulnerability assessments for images in container registries
ECR
GA
GA
Requires Registry access
Defender for Containers or Defender CSPM
AWS
Runtime container
Vulnerability assessments of running container images
Supported container registries
Preview
-
Requires Agentless scanning for machines and either K8S API access or Defender sensor
Defender for Containers or Defender CSPM
AWS
Registries and images support for vulnerability assessment in AWS
Aspect
Details
Registries and images
Supported * ECR registries * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images is currently unsupported * Public repositories * Manifest lists
Operating systems
Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows server 2016, 2019, 2022
Vulnerability assessments for images in container registries
GAR, GCR
GA
GA
Enable Registry access toggle
Defender for Containers or Defender CSPM
AWS
Runtime container
Vulnerability assessments of running container images
Supported container registries
Preview
-
Requires Agentless scanning for machines and either K8S API access or Defender sensor
Defender for Containers or Defender CSPM
GCP
Registries and images support for vulnerability assessment in GCP
Aspect
Details
Registries and images
Supported * Google Registries (GAR, GCR) * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images is currently unsupported * Public repositories * Manifest lists
Operating systems
Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows server 2016, 2019, 2022
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.
Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments.
AKS
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
Azure commercial clouds
Comprehensive inventory capabilities
Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
ACR, AKS
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
Azure commercial clouds
Attack path analysis
A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment.
ACR, AKS
GA
GA
Activated with plan
Defender CSPM (requires Agentless discovery for Kubernetes to be enabled)
Azure commercial clouds
Enhanced risk-hunting
Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer.
Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
ACR, AKS
GA
GA
Requires K8S API access
Free
Commercial clouds
National clouds: Azure Government, Azure operated by 21Vianet
Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments.
EKS
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
Azure commercial clouds
Comprehensive inventory capabilities
Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
ECR, EKS
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
AWS
Attack path analysis
A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment.
ECR, EKS
GA
GA
Requires K8S API access
Defender CSPM (requires Agentless discovery for Kubernetes to be enabled)
AWS
Enhanced risk-hunting
Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer.
Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments.
GKE
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
GCP
Comprehensive inventory capabilities
Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
GCR, GAR, GKE
GA
GA
Requires K8S API access
Defender for Containers OR Defender CSPM
GCP
Attack path analysis
A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment.
GCR, GAR, GKE
GA
GA
Requires K8S API access
Defender CSPM
GCP
Enhanced risk-hunting
Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer.
Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments.
Arc enabled Kubernetes cluster
-
-
Requires K8S API access
Defender for Containers OR Defender CSPM
Arc enabled Kubernetes cluster
Comprehensive inventory capabilities
Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
Arc enabled Kubernetes cluster
-
-
Requires K8S API access
Defender for Containers OR Defender CSPM
Arc enabled Kubernetes cluster
Attack path analysis
A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment.
Arc enabled Kubernetes cluster
GA
GA
Requires K8S API access
Defender CSPM
Arc enabled Kubernetes cluster
Enhanced risk-hunting
Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer.
Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
Protect workloads of your Kubernetes containers with best practice recommendations.
Arc enabled Kubernetes cluster
GA
-
Requires Auto provision Azure Policy extension for Azure Arc
Defender for Containers
Arc enabled Kubernetes cluster
CIS Azure Kubernetes Service
CIS Azure Kubernetes Service Benchmark
Arc enabled VMs
Preview
-
Assigned as a security standard
Defender for Containers OR Defender CSPM
Arc enabled Kubernetes cluster
Feature
Description
Supported resources
Linux release state
Windows release state
Enablement method
Plans
Clouds availability
Comprehensive inventory capabilities
Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
Docker Hub , JFrog Artifactory
Preview
Preview
Requires K8S API access
Defender for Containers OR Defender CSPM
-
Attack path analysis
A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment.
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
Clusters with IP restrictions
If your Kubernetes cluster in AWS has control plane IP restrictions enabled (see Amazon EKS cluster endpoint access control - Amazon EKS ), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud.
Aspect
Details
Outbound proxy support
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
Clusters with IP restrictions
If your Kubernetes cluster in GCP has control plane IP restrictions enabled (see GKE - Add authorized networks for control plane access ), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud.
Aspect
Details
Outbound proxy support
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
Supported host operating systems
Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported only with Linux Kernel 5.4 and above, on the following host operating systems:
Amazon Linux 2
CentOS 8 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.)
Debian 10
Debian 11
Google Container-Optimized OS
Mariner 1.0
Mariner 2.0
Red Hat Enterprise Linux 8
Ubuntu 16.04
Ubuntu 18.04
Ubuntu 20.04
Ubuntu 22.04
Ensure your Kubernetes node is running on one of these verified operating systems. Clusters with unsupported host operating systems don't get the benefits of features relying on Defender sensor.
Defender sensor limitations
The Defender sensor in AKS V1.28 and below isn't supported on Arm64 nodes.