AKS (Azure Kubernetes Service) is Microsoft's managed Kubernetes service for deploying and running containerized applications. To onboard an AKS cluster to Microsoft Defender for Cloud, the following are the key steps, with the relevant Microsoft documentation for each:

  1. Network requirements: By default, AKS clusters have unrestricted outbound (egress) internet access, so the Defender components can reach the Azure endpoints they report to. If egress is restricted, for example by routing cluster traffic through a firewall, the required outbound rules and FQDNs must be allowed explicitly or the Defender profile will not be able to send its data. To understand the outbound network rules and FQDNs for AKS clusters, refer to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#required-outbound-network-rules-and-fqdns-for-aks-clusters).
  2. Enable the Defender plan: Enable the Defender for Containers plan on the subscription that hosts the cluster. For the steps, refer to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#enable-the-plan).
  3. Deploy the Defender profile: You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. A default Log Analytics workspace is assigned automatically once the Defender profile is deployed. It is also possible to assign a custom workspace in place of the default one through Azure Policy, which is useful for collecting the logs of all clusters in one central workspace. For the detailed and current steps, follow the Microsoft documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile).
  4. View scan results: After vulnerability scanning is enabled and configured, Microsoft Defender for Cloud automatically scans the registry images according to the specified settings. You can view the scan results in the Azure portal: navigate to the container registry and select Vulnerabilities in the Security section to see the scan results and any identified vulnerabilities.
  5. Take remediation actions: If any vulnerabilities are detected, review the details provided by Microsoft Defender for Cloud and take the necessary remediation actions. This may involve rebuilding and redeploying the vulnerable images on a patched base image, updating the affected packages, or implementing other security measures.
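The following script strings steps 1 to 3 together with the Azure CLI and adds the checks a practitioner would want before and after the change. It is an added example and not part of the Microsoft documentation referenced above: the resource names, the Log Analytics workspace ID, the shape check on that ID and the DRY_RUN switch are this example's own assumptions, while the `az security pricing`, `az aks update --enable-defender` and `--defender-config` commands are the documented way to enable the plan and deploy the profile.

```shell
#!/bin/sh
# Added example (not Microsoft's documentation): onboard an AKS cluster to
# Defender for Containers with the Azure CLI and verify the result.
# Resource names and the workspace ID below are hypothetical placeholders.
set -eu

# Check that a Log Analytics workspace ARM resource ID has the expected shape,
# so a typo does not silently leave the cluster on the default workspace.
valid_workspace_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$'
}

# Emit the JSON consumed by `az aks update --defender-config`.
defender_config_json() {
  valid_workspace_id "$1" || { echo "invalid workspace resource ID: $1" >&2; return 1; }
  printf '{"logAnalyticsWorkspaceResourceId": "%s"}\n' "$1"
}

# Run a command, or only print it when DRY_RUN=1, so the change set can be
# reviewed before anything in the subscription is touched.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# onboard_aks <resource-group> <cluster-name> [workspace-resource-id]
onboard_aks() {
  rg="$1"; cluster="$2"; workspace_id="${3:-}"

  # Step 1: if egress is restricted (outboundType is userDefinedRouting), the
  # FQDNs from the AKS outbound-rules document must be allowed in the firewall
  # first, otherwise the profile deploys but never reports.
  run az aks show -g "$rg" -n "$cluster" --query networkProfile.outboundType -o tsv

  # Step 2: enable the Defender for Containers plan for the subscription.
  run az security pricing create --name Containers --tier standard

  # Step 3: deploy the Defender profile on the cluster, optionally pointing it
  # at a custom workspace instead of the default one.
  if [ -n "$workspace_id" ]; then
    cfg=$(mktemp)
    defender_config_json "$workspace_id" > "$cfg"
    run az aks update -g "$rg" -n "$cluster" --enable-defender --defender-config "$cfg"
    rm -f "$cfg"
  else
    run az aks update -g "$rg" -n "$cluster" --enable-defender
  fi

  # Verify: the security profile shows Defender enabled (and the workspace in
  # use), and the microsoft-defender-* pods are running in kube-system.
  run az aks show -g "$rg" -n "$cluster" --query securityProfile.defender -o json
  run kubectl get pods -n kube-system
}

# Usage (placeholder names):
#   DRY_RUN=1 ./onboard-aks.sh rg-prod aks-prod \
#     /subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-central
if [ "$#" -ge 2 ]; then
  onboard_aks "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then without it. If the `securityProfile.defender` output reports a different workspace than the one you passed, check whether an Azure Policy assignment (step 3) is overriding the cluster-level setting.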

Similar to the preceding example, you can follow the CSPM tool's documentation, in this case Microsoft's, for onboarding Kubernetes clusters hosted in other environments. Refer to the following document to understand the onboarding process for on-premises/IaaS (Azure Arc-enabled), Amazon EKS, and GKE clusters: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-extension.

Now that you understand the process of onboarding containers to a CSPM tool, using Microsoft Defender for Cloud as the example, let us look at the challenges and issues that may arise while onboarding Kubernetes clusters to the CSPM tool.

copyright © 2024 skygravity.org