In the ever-evolving world of cloud native technologies, keeping your Kubernetes cluster, including Azure Kubernetes Service (AKS), secure is paramount. On August 31, 2023, Microsoft added Agentless Discovery for Kubernetes to Defender for Containers. This exciting addition allows you to enhance your Kubernetes security without the hassle of installing extra agents. In this blog post I am going to explain what this feature is and how to enable it on your subscription using Bicep.
Agentless Discovery in Defender for Containers
Previously, Agentless Discovery was only available in Defender Cloud Security Posture Management (CSPM). Now, it’s seamlessly integrated into Defender for Containers, offering you better visibility into your Kubernetes cluster security landscape. Let’s explore how this can help you:
1. Kubernetes Inventory and Security Exploration: With Agentless Discovery, you can easily explore Kubernetes resources, like pods, services, and container images. This is vital for monitoring and securing your Kubernetes assets.
2. Specific Kubernetes Security Insights: Gain clear insights into potential security risks within your Kubernetes environment. Identify vulnerabilities, like exposures to the internet or remote code execution threats.
3. Efficient Risk-Hunting: Evaluate custom or predefined security scenarios. For example, you can look for internet-exposed pods with vulnerable images to proactively manage issues.
4. Container Registry Vulnerability Assessment: Quickly visualize the vulnerability assessment status across your Kubernetes workloads.
Understanding Agentless vs. Agent-Based Approaches
To make an informed choice between Agentless Discovery and the existing agent-based approach, consider factors like coverage, operational overhead, performance, and use cases. Microsoft provides a comprehensive comparison in their blog post titled “Comprehensive Guide on Agent-Based and Agentless Cloud Security.”
Enabling Agentless Discovery for Kubernetes with Bicep
Let’s make it even simpler – you can enable Agentless Discovery for Kubernetes using Bicep, Microsoft’s Infrastructure as Code (IaC) language:
```bicep
targetScope = 'subscription'

resource pricingTiers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'Containers'
  properties: {
    pricingTier: 'Standard'
  }
}
```
This Bicep code sets your subscription’s pricing tier for ‘Containers’ to ‘Standard,’ aligning it with the necessary settings for using Agentless Discovery for Kubernetes.
You can deploy this using the following command (just change the template file name to match what you have saved, and change the location to match your needs):
```shell
az deployment sub create --name defenderUpdate --template-file '.\add-defender.bicep' --location westeurope
```
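As an added example (not the post's own template), here is the same 'Containers' plan with the Agentless Discovery for Kubernetes extension switched on explicitly instead of relying on plan defaults, plus outputs so the result can be checked from the deployment output. The `extensions` array and the extension name 'AgentlessDiscoveryForKubernetes' are assumed to match the Microsoft.Security/pricings@2023-01-01 API; the parameter name is my own.

```bicep
// Added example, not the post's own code: the 'Containers' plan with the
// Agentless Discovery for Kubernetes extension enabled explicitly. The
// `extensions` array and the extension name are assumed to match the
// Microsoft.Security/pricings@2023-01-01 API.
targetScope = 'subscription'

// Set to false to keep the Standard plan but leave the extension off
// (the weaker setting you want to avoid on clusters you care about).
param enableAgentlessDiscovery bool = true

resource containersPlan 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'Containers'
  properties: {
    pricingTier: 'Standard'
    extensions: [
      {
        name: 'AgentlessDiscoveryForKubernetes'
        isEnabled: enableAgentlessDiscovery ? 'True' : 'False'
      }
    ]
  }
}

// Surface the resulting settings so the deployment output can be
// reviewed without opening the portal.
output containersPricingTier string = containersPlan.properties.pricingTier
output containersExtensions array = containersPlan.properties.extensions
```

Deploy it with the same `az deployment sub create` command as above, then confirm with `az security pricing show --name Containers` that the extension is reported as enabled.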
Take Action
If you’re already a Defender for Containers user and haven’t enabled the “Agentless Discovery for Kubernetes” extension for your Kubernetes clusters, do it now! You can also enable this extension manually in the “Environments and settings” section of Defender for Containers.

By doing this, you’ll access the latest features without extra costs, improving your Kubernetes security posture effortlessly.
Conclusion
Defender for Containers simplifies Kubernetes security with Agentless Discovery, making it easier than ever to protect your Kubernetes workloads. This integration shows Microsoft’s commitment to providing top-notch solutions for securing your containerized environments. Don’t miss out on this opportunity to boost your Kubernetes security – enable Agentless Discovery today!