Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Defender for Containers provides advanced threat protection and security capabilities for your containerized environments across multiple platforms. This guide helps you choose the right deployment path for your Kubernetes environment.
Supported environments
Defender for Containers supports the following Kubernetes environments:
- Azure (AKS) - Azure Kubernetes Service
- Arc-enabled Kubernetes (Preview) - On-premises and IaaS Kubernetes clusters
Choose your deployment path
Select the deployment guide that matches your Kubernetes environment:
Azure (AKS)
For Azure Kubernetes Service clusters, Defender for Containers provides:
- Native integration with Azure services
- Automatic deployment across all clusters in a subscription
- No cross-cloud connector required
- Vulnerability assessment (VA) features, including registry scanning for Azure Container Registry
- Security posture management features, including containers software supply chain protection
- Runtime protection features, including detection investigation and response, integrated into Microsoft XDR
- Containers software supply chain protection features
Arc-enabled Kubernetes (Preview)
For on-premises and IaaS Kubernetes clusters connected through Azure Arc, Defender for Containers provides:
- Hybrid cloud security management
- Centralized security through Azure
- Works with CNCF-certified Kubernetes distributions
- Containers software supply chain protection features, including gated deployment of container images
Prerequisites
Before deploying Defender for Containers, make sure you have:
- An active Azure subscription
- Owner or Contributor role on the subscription
- Kubernetes cluster version 1.19 or later
- Network connectivity to Azure services
- For sensor-based capabilities: Sufficient cluster resources for Defender components
Note
Agentless capabilities don't require cluster resources or sensor deployment. For a detailed list of supported features, along with their availability and characteristics, see the support matrix for Defender for Containers. The support matrix indicates whether each feature is agentless or sensor-based under the Enablement method column.
Enablement and deployment options
Defender for Containers involves two main steps:
Enabling the plan - You can enable the plan through:
- Azure portal
- Programmatically (Azure CLI, REST API, PowerShell)
Deploying the sensor
- AKS built-in addon - You can deploy through:
- Azure portal
- Programmatically (Azure CLI, REST API, IaC templates)
- Helm chart deployment
- AKS built-in addon - You can deploy through:
Next steps
Choose your environment to get started:
- Deploy on Azure (AKS) - For native Azure deployments
- Deploy on Arc-enabled Kubernetes - For hybrid and on-premises
For a comparison of features across environments, see Support matrix for Defender for Containers.