Introduction to Azure Defender for Kubernetes

Azure Kubernetes Service (AKS) is Microsoft's managed service for developing, deploying, and managing containerized applications.

Azure Security Center and AKS together form a cloud-native Kubernetes security offering that provides environment hardening, workload protection, and run-time protection, as outlined below.

For threat detection on your Kubernetes clusters, enable Azure Defender for Kubernetes.

Host-level threat detection for your Linux AKS nodes is available if you also enable Azure Defender for servers.

Availability

Aspect: Details
Release state: Generally available (GA)
Pricing: Azure Defender for Kubernetes is billed as shown on the pricing page
Required roles and permissions: Security admin can dismiss alerts. Security reader can view findings.
Clouds: China cloud

What are the benefits of Azure Defender for Kubernetes?

Run-time protection

Through continuous analysis of the AKS sources described below, Security Center provides real-time threat protection for your containerized environments and generates alerts for threats and malicious activity detected at the host level and at the AKS cluster level. You can use this information to quickly remediate security issues and improve the security posture of your containers.

Security Center provides threat protection at two different levels:

  • Host level (provided by Azure Defender for servers) - Using the same Log Analytics agent that Security Center uses on other VMs, Azure Defender monitors your Linux AKS nodes for suspicious activity such as web shells and connections to known malicious IP addresses. The agent also monitors container-specific signals such as privileged container creation, suspicious access to the API server, and Secure Shell (SSH) servers running inside a Docker container.

    Important

    If you choose not to install the agent on your hosts, you will receive only a subset of the threat protection benefits and security alerts. You will still receive alerts based on network analysis and on communication with malicious servers.

  • AKS cluster level (provided by Azure Defender for Kubernetes) - At the cluster level, threat protection is based on analysis of the Kubernetes audit logs. To enable this agentless monitoring, enable Azure Defender for Kubernetes. To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved from AKS; no agent on the nodes is required. Examples of events detected at this level include an exposed Kubernetes dashboard, creation of high-privilege roles, and creation of sensitive mounts.

    Note

    Security Center generates security alerts only for Azure Kubernetes Service actions and deployments that occur after the Kubernetes option is enabled in the subscription settings. Activity from before that point is not retroactively analyzed.
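As an added illustration of the kinds of events the two bullets above describe (this is example code, not Azure Defender's own detection logic, which the page does not publish), the following Python script evaluates constructed Kubernetes audit-log events for the cluster-level signals named above: an exposed Kubernetes dashboard, creation of a high-privilege role or a cluster-admin binding, and sensitive hostPath mounts, plus the privileged-container creation mentioned under the host-level bullet. The list of sensitive host paths, the sample events, and the finding names are assumptions of the example.

```python
"""Simplified detector for the cluster-level events the article lists (exposed
Kubernetes dashboard, high-privilege role creation, sensitive host mounts) and
for privileged container creation, run over Kubernetes audit-log events.
Added illustration, not Azure Defender's own logic. Assumes audit events were
recorded at the Request or RequestResponse level so requestObject is present."""
import json

# Host paths whose hostPath mount is treated as sensitive here (assumption for this example).
SENSITIVE_HOST_PATHS = ("/etc", "/var/run/docker.sock", "/var/lib/kubelet", "/proc", "/root")


def is_sensitive_host_path(path):
    """True for the host root or any path at or under a sensitive prefix."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def pod_spec_of(obj):
    """Pod spec from a Pod or from a workload's pod template; None for other kinds."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    if obj.get("kind") in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def analyze_event(event):
    """Return a list of finding strings for one audit event (a dict)."""
    findings = []
    if event.get("verb") not in ("create", "update", "patch"):
        return findings  # read-only verbs cannot create the risky objects
    obj = event.get("requestObject") or {}
    kind = obj.get("kind", "")
    name = obj.get("metadata", {}).get("name", "?")
    user = event.get("user", {}).get("username", "?")

    # Exposed dashboard: the dashboard Service made reachable from outside the cluster.
    if kind == "Service" and "kubernetes-dashboard" in name:
        svc_type = obj.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            findings.append(f"exposed-dashboard: {user} exposed Service {name} as {svc_type}")

    # High-privilege role: wildcard verbs on wildcard resources, or a binding to cluster-admin.
    if kind in ("ClusterRole", "Role"):
        if any("*" in r.get("verbs", []) and "*" in r.get("resources", []) for r in obj.get("rules", [])):
            findings.append(f"high-privilege-role: {user} created {kind} {name} with wildcard verbs and resources")
    if kind in ("ClusterRoleBinding", "RoleBinding") and obj.get("roleRef", {}).get("name") == "cluster-admin":
        subjects = ",".join(s.get("name", "?") for s in obj.get("subjects", []))
        findings.append(f"cluster-admin-binding: {user} bound cluster-admin to {subjects}")

    # Sensitive mounts and privileged containers, on a Pod or on a workload's pod template.
    spec = pod_spec_of(obj)
    if spec is not None:
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path and is_sensitive_host_path(path):
                findings.append(f"sensitive-mount: {user} created {kind} {name} mounting hostPath {path}")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"privileged-container: {user} created {kind} {name} with privileged container {c.get('name', '?')}")
    return findings


def analyze_audit_log(lines):
    """Run analyze_event over JSON-lines audit events and return all findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


# Constructed sample events (not real AKS output), one JSON object per line.
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "requestObject": {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"}, "spec": {"type": "LoadBalancer"}}},
    {"verb": "create", "user": {"username": "ci-bot"},
     "requestObject": {"kind": "ClusterRole", "metadata": {"name": "do-anything"},
                       "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
    {"verb": "create", "user": {"username": "ci-bot"},
     "requestObject": {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-admin"},
                       "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "requestObject": {"kind": "Pod", "metadata": {"name": "debug"},
                       "spec": {"volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
                                "containers": [{"name": "shell", "image": "alpine", "securityContext": {"privileged": True}}]}}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "requestObject": {"kind": "Deployment", "metadata": {"name": "web"},
                       "spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}}}},
    {"verb": "get", "user": {"username": "dev@example.com"}, "objectRef": {"resource": "secrets", "name": "db"}},
]]

if __name__ == "__main__":
    for finding in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run directly, the script prints five findings from the sample log (the benign Deployment and the read-only `get` produce none). The checks depend on `requestObject`, so events recorded at the Metadata audit level carry no object body and yield no findings; that is the same reason the service above relies on the audit logs retrieved from AKS rather than on an agent for this tier of detection.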

In addition, our global team of security researchers continuously monitors the threat landscape and adds container-specific alerts and vulnerabilities as they are discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

How does Security Center's Kubernetes protection work?

Below is a high-level diagram of the interaction between Azure Security Center, Azure Kubernetes Service, and Azure Policy. The diagram shows the items that Security Center receives and analyzes:

[Diagram: high-level view of the interaction between Azure Security Center, Azure Kubernetes Service, and Azure Policy]

Azure Defender for Kubernetes - FAQ

Can I still get AKS protections without the Log Analytics agent?

As described above, the optional Azure Defender for Kubernetes plan provides protection at the cluster level, while the Log Analytics agent deployed by Azure Defender for servers protects your nodes.

We recommend deploying both for the most complete protection possible.

If you choose not to install the agent on your hosts, you will receive only a subset of the threat protection benefits and security alerts. You will still receive alerts based on network analysis and on communication with malicious servers.

Does AKS allow me to install custom VM extensions on my AKS nodes?

For Azure Defender to monitor your AKS nodes, the nodes must be running the Log Analytics agent.

AKS is a managed service; because the Log Analytics agent is a Microsoft-managed extension, it is supported on AKS clusters.

If my cluster is already running an Azure Monitor for containers agent, do I need the Log Analytics agent too?

For Azure Defender to monitor your AKS nodes, the nodes must be running the Log Analytics agent.

If your clusters are already running the Azure Monitor for containers agent, you can install the Log Analytics agent as well; the two agents work alongside one another without conflict.

Learn more about the Azure Monitor for containers agent.

Next steps

In this article, you learned about Security Center's Kubernetes protection, including Azure Defender for Kubernetes.

For related material, see the following articles: