Introduction to Azure Defender for Kubernetes

Azure Kubernetes Service (AKS) is Microsoft's managed service for developing, deploying, and managing containerized applications.

Azure Security Center and AKS form a cloud-native Kubernetes security offering with environment hardening, workload protection, and run-time protection, as outlined in Container security in Security Center.

For threat detection for your Kubernetes clusters, enable Azure Defender for Kubernetes.

Host-level threat detection for your Linux AKS nodes is available if you enable Azure Defender for servers and its Log Analytics agent. However, if your AKS cluster is deployed on a virtual machine scale set, the Log Analytics agent is not currently supported.

Availability

Aspect                          Details
Release state:                  General Availability (GA)
Pricing:                        Azure Defender for Kubernetes is billed as shown on Security Center pricing
Required roles and permissions: Security admin can dismiss alerts. Security reader can view findings.
Clouds:                         China cloud

What are the benefits of Azure Defender for Kubernetes?

Azure Defender for Kubernetes provides cluster-level threat protection by monitoring your AKS-managed services through the logs retrieved by Azure Kubernetes Service (AKS).

Examples of security events that Azure Defender for Kubernetes monitors include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts. For a full list of the AKS cluster-level alerts, see the reference table of alerts.
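To make two of the alert categories above concrete (high-privileged role creation and sensitive mounts), the following Python audit walks a set of Kubernetes API objects and flags ClusterRoleBindings that grant cluster-admin and Pods that mount sensitive host paths. This is an added example for illustration; it is not Microsoft's code and does not reproduce Azure Defender's actual detection logic. The sample objects, the list of sensitive host paths and the set of high-privilege role names are all constructed assumptions.

```python
"""Illustrative audit of Kubernetes objects for two event types that
Azure Defender for Kubernetes alerts on: high-privileged role bindings
and sensitive host-path mounts. Example code, not Defender's logic."""

# Assumption: an illustrative list of host paths treated as sensitive.
# Mounting any of these (or anything beneath them) lets a container read
# or tamper with node state, which is why such mounts are worth alerting on.
SENSITIVE_HOST_PATHS = (
    "/",
    "/etc",
    "/proc",
    "/root",
    "/var/lib/kubelet",
    "/var/run/docker.sock",
)

# Assumption: ClusterRoles considered high-privileged for this check.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def _is_sensitive_path(path):
    """True if `path` is, or sits under, one of the sensitive host paths."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(
        norm == p or norm.startswith(p + "/")
        for p in SENSITIVE_HOST_PATHS
        if p != "/"
    )


def find_sensitive_mounts(pod):
    """Return (volume name, host path) pairs for sensitive hostPath volumes."""
    findings = []
    for vol in pod.get("spec", {}).get("volumes", []):
        host = vol.get("hostPath")
        if host and _is_sensitive_path(host.get("path", "")):
            findings.append((vol["name"], host["path"]))
    return findings


def find_high_privilege_bindings(binding):
    """Return (subject kind, subject name) pairs bound to a high-privilege ClusterRole."""
    role = binding.get("roleRef", {})
    if role.get("kind") != "ClusterRole" or role.get("name") not in HIGH_PRIVILEGE_ROLES:
        return []
    return [(s.get("kind"), s.get("name")) for s in binding.get("subjects", [])]


def audit(objects):
    """Run both checks over a list of Kubernetes objects (dicts as returned by the API)."""
    alerts = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if kind == "Pod":
            for vol, path in find_sensitive_mounts(obj):
                alerts.append(f"Pod {name}: sensitive hostPath mount '{vol}' -> {path}")
        elif kind == "ClusterRoleBinding":
            for skind, sname in find_high_privilege_bindings(obj):
                alerts.append(
                    f"ClusterRoleBinding {name}: {skind} {sname} granted {obj['roleRef']['name']}"
                )
    return alerts


# Constructed sample objects: one risky Pod, one benign Pod, one risky binding, one benign binding.
SAMPLE_OBJECTS = [
    {
        "kind": "Pod",
        "metadata": {"name": "debug-shell"},
        "spec": {"volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]},
    },
    {
        "kind": "Pod",
        "metadata": {"name": "web"},
        "spec": {"volumes": [{"name": "scratch", "emptyDir": {}},
                             {"name": "cache", "hostPath": {"path": "/tmp/cache"}}]},
    },
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "default-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    },
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "readers"},
        "roleRef": {"kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "Group", "name": "auditors"}],
    },
]

if __name__ == "__main__":
    for line in audit(SAMPLE_OBJECTS):
        print(line)
```

In a real cluster you would feed `audit` the JSON output of the Kubernetes API (for example, Pods and ClusterRoleBindings listed via kubectl with `-o json`) rather than the constructed sample; the checks are deliberately simple so that the shape of the events Defender reports is easy to see.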

Tip

You can simulate container alerts by following the instructions in this blog post.

Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

Note

Security Center generates security alerts for Azure Kubernetes Service actions and deployments occurring after you've enabled Azure Defender for Kubernetes.

Azure Defender for Kubernetes - FAQ

Can I still get AKS protections without the Log Analytics agent?

The Azure Defender for Kubernetes plan provides protections at the cluster level. If you also deploy the Log Analytics agent of Azure Defender for servers, you'll get the threat protection for your nodes that's provided with that plan. Learn more in Introduction to Azure Defender for servers.

We recommend deploying both, for the most complete protection possible.

If you choose not to install the agent on your hosts, you'll only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.

Does AKS allow me to install custom VM extensions on my AKS nodes?

For Azure Defender to monitor your AKS nodes, they must be running the Log Analytics agent.

AKS is a managed service, and since the Log Analytics agent is a Microsoft-managed extension, it is also supported on AKS clusters.

If my cluster is already running an Azure Monitor for containers agent, do I need the Log Analytics agent too?

For Azure Defender to monitor your AKS nodes, they must be running the Log Analytics agent.

If your clusters are already running the Azure Monitor for containers agent, you can install the Log Analytics agent too, and the two agents can work alongside one another without any problems.

Learn more about the Azure Monitor for containers agent.

Next steps

In this article, you learned about Security Center's Kubernetes protection, including Azure Defender for Kubernetes.

For related material, see the following articles: