container security
9 Topics

Azure Defender for Containers - Limits, Control daemonsets and deployments, updates, no uninstall?

Hi, I use Azure Defender for Containers on multiple AKS clusters, and so far I'm very unhappy with the service. If it worked as intended then it would be a great feature, but at this moment it's broken. Limits are set too low (60m for the publisher pods). This makes the pods crash and eventually trigger CrashLoopBackOff. On one cluster I have 600+ restarts of these pods a day, triggering a flood of Log Analytics ingests, costing an insane amount of money. Another problem is the livenessProbe: it keeps failing, triggering more ingest to Log Analytics. You can't edit the daemonsets and deployments. Well, it is possible, but after 15 minutes the YAMLs just get overwritten by an undocumented mechanism. Changing limits is useless; trying to troubleshoot at all is useless. The YAMLs contain paths to the image repositories, but when looking up the versions, they seem old. mcr.microsoft.com/azuredefender/stable/security-publisher:0.3.27 is at least 8 versions old. Again, updating the YAMLs pulls the new versions, but after 15 minutes it gets rolled back. Is there an update control that I'm not aware of? There is no documentation. MS seems to push the YAMLs every 15 minutes, so this should be an easy fix. Just please write documentation on how it works. Last but not least, the biggest issue. Because of the above I tried uninstalling the solution for now. It is pretty expensive as it is, and because of the added Log Analytics cost I can't stand behind the product for now. I followed the documentation, removing auto onboarding from Defender, and used the REST API to set azureDefender enabled: false. The command got PUT fine. I wait, and wait. Nothing happens. So I remove all Defender resources from a cluster, and after 15 minutes everything is back.... I have the solution set to off in the Defender portal, auto onboarding is turned off, but I can't remove the solution.... How is this even possible? These things are happening on 3 clusters over two Azure tenants.
I raised a ticket already, but at this moment, I don't think it is something I did. Don't get me wrong, I like Azure and I like Defender, but the container solution seems broken at this moment.

New Blog | Leveraging Defender for Containers to simplify policy management for Kubernetes Clusters
Leveraging Defender for Containers to simplify policy management in your Kubernetes Clusters - Microsoft Community Hub

A key part of Kubernetes security includes making sure the cluster is configured to industry and company best practices. This entails controlling what users can do on the cluster and blocking actions that don't comply with pre-defined best practices. Out of the box, Kubernetes does not provide a mechanism to write and deploy the fine-grained policies required per your security and compliance mandates. As a result, you will probably leverage something like Gatekeeper along with Open Policy Agent (OPA). Defender for Containers protects your Kubernetes clusters by continuously assessing them to get visibility into misconfigurations and help mitigate identified threats. To get insight into the workload configuration on the cluster, Azure Policy for Kubernetes is deployed as part of the Defender for Containers plan. Azure Policy for Kubernetes extends the Gatekeeper v3 admission controller webhook for OPA. Gatekeeper is needed to check if the policy is correct before enforcing it. On Azure Kubernetes Service (AKS), it is deployed as an add-on. For Arc-enabled Kubernetes, which includes on-premises clusters and clusters hosted in Google Cloud or Amazon Web Services, it is deployed as an extension. In this blog, we will go into more detail about how Azure Policy for Kubernetes uses Gatekeeper with OPA in the Defender for Containers plan.

Blog | Defender for Cloud unified Vulnerability Assessment pwd by Defender Vulnerability Management
We are thrilled to announce that Defender for Cloud is unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft's unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities, making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture. Read the full blog here: Defender for Cloud unified Vulnerability Assessment powered by Defender Vulnerability Management - Microsoft Community Hub

New Blog | Agentless Container Posture Management in Multicloud
Container security is an integral part of Microsoft Defender for Cloud, a Cloud Native Application Platform (CNAPP), as it addresses the unique challenges presented by containerized environments, providing a holistic approach to securing applications and infrastructure in the cloud-native landscape. As organizations embrace multicloud, the silos between cloud environments can become barriers to a holistic approach to container security. Defender for Cloud continues to adapt, offering new capabilities that resonate with the fluidity of multicloud architecture. Our latest additions to AWS and GCP seamlessly traverse cloud silos and provide a comprehensive and unified view of container security posture. Read the full blog post here: Agentless Container Posture Management in Multicloud - Microsoft Community Hub

New Blog | Bridging the Gap Between Code and Cloud with Defender for Cloud
While containers have revolutionized modern software development, the complexity of dependencies in containerized environments and the expanded attack surface they present are still significant hurdles for security professionals. The initial step in securing these environments involves identifying vulnerabilities within container images. Yet the most time-consuming task can often be identifying the right development team to address these vulnerabilities, particularly the mission-critical ones. Microsoft Defender for Cloud addresses this critical need with its container mapping feature. This blog post explores how Defender for Cloud streamlines the process of tracing vulnerabilities in container images back to their origins in CI/CD pipelines, specifically within Azure DevOps and GitHub environments. This functionality is key to facilitating effective developer remediation workflows, thereby enhancing the security posture of cloud-native applications. Read the full blog post here: Bridging the Gap Between Code and Cloud with Defender for Cloud - Microsoft Community Hub