Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Caution
This article references CentOS, a Linux distribution that is End Of Service as of June 30, 2024. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article summarizes support information for Container capabilities in Microsoft Defender for Cloud.
Note
- Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- Only the versions of AKS supported by the cloud vendor are officially supported by Defender for Cloud.
The following are the features provided by Defender for Containers, for the supported cloud environments and container registries.
Vulnerability assessment (VA) features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Container registry VA | Vulnerability assessments for images in container registries | ACR | GA | GA | Requires Registry access 1 | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Runtime container VA | Vulnerability assessments of running container images | Agnostic to container registry source | Preview (Container with ACR images are GA) |
GA | Requires Agentless scanning for machines and either K8S API access or Defender sensor 1 | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
1National clouds are automatically enabled and cannot be disabled.
Registries and images support for vulnerability assessment
| Aspect | Details |
|---|---|
| Registries and images | Supported * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images is currently unsupported * Public repositories * Manifest lists |
| Operating systems | Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Azure Linux 1-2 * Windows server 2016, 2019, 2022 |
| Language specific packages |
Supported * Python * Node.js * PHP * Ruby * Rust * .NET * Java * Go |
Runtime protection features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Control plane detection | Detection of suspicious activity for Kubernetes based on Kubernetes audit trail | AKS | GA | GA | Enabled with plan | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Workload detection | Monitors containerized workloads for threats and gives alerts to suspicious activities | AKS | GA | - | Requires Defender sensor | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
| Binary drift detection | Detects binary of runtime container from container image | AKS | GA | GA | Requires Defender sensor | Defender for Containers | Commercial clouds |
| Advanced hunting in XDR | View cluster incidents and alerts in Microsoft XDR | AKS | Preview - currently supports audit logs & process events | Preview - currently supports audit logs & process events | Requires Defender sensor | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
| Response actions in XDR | Provides automated and manual remediation in Microsoft XDR | AKS | Preview | Preview | Requires Defender sensor and K8S access API | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
| Malware detection | Detection of malware | AKS nodes | Preview | Preview | Requires Agentless scanning for machines | Defender for Containers or Defender for Servers Plan 2 | Commercial clouds |
Kubernetes distributions and configurations for runtime threat protection in Azure
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported * Azure Kubernetes Service (AKS) with Kubernetes RBAC Supported via Arc enabled Kubernetes 1 2 * Kubernetes * AKS Engine |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Note
For additional requirements for Kubernetes workload protection, see existing limitations.
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported via Arc enabled Kubernetes 1 2 * Red Hat OpenShift (version 4.6 or newer) |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Note
For additional requirements for Kubernetes workload protection, see existing limitations.
Security posture management features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Agentless discovery for Kubernetes 1 | Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments. | AKS | GA | GA | Requires K8S API access | Defender for Containers OR Defender CSPM | Azure commercial clouds |
| Control plane hardening 1 | Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues. | ACR, AKS | GA | GA | Enabled with plan | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Workload hardening 1 | Protect workloads of your Kubernetes containers with best practice recommendations. | AKS | GA | - | Requires Azure Policy | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| CIS Azure Kubernetes Service | CIS Azure Kubernetes Service Benchmark | AKS | GA | - | Assigned as a security standard | Defender for Containers OR Defender CSPM | Commercial clouds |
1 This feature can be enabled for an individual cluster when enabling Defender for Containers at the cluster resource level.
Supported host operating systems
Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported only with Linux Kernel 5.4 and above, on the following host operating systems:
- Amazon Linux 2
- CentOS 8 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.)
- Debian 10
- Debian 11
- Google Container-Optimized OS
- Azure Linux 1.0
- Azure Linux 2.0
- Red Hat Enterprise Linux 8
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 20.04
- Ubuntu 22.04
Ensure your Kubernetes node is running on one of these verified operating systems. Clusters with unsupported host operating systems don't get the benefits of features relying on Defender sensor.
Defender sensor limitations
The Defender sensor in AKS V1.28 and below isn't supported on Arm64 nodes.