Configure Defender for Containers on GCP (GKE)

After deploying Defender for Containers on your GKE clusters, adjust its settings so that the security coverage matches what your environment needs. This article also explains how to add or remove components after the initial deployment.

Configuration areas

Jump to the configuration you need:

    • Component management
    • Core settings

Tip

Most organizations start with configuring plan components. If you need to add or remove components after initial deployment, see Add or remove components.

Add or remove components

After initial deployment, you might need to add components that you skipped or remove unnecessary ones.

Check component deployment status

  1. Go to Inventory and filter by GCP resources.

  2. Check each GKE cluster for:

    • Arc connectivity status
    • Defender extension status
    • Policy extension status

Add missing components

Connect GKE clusters to Azure Arc

If you didn't connect clusters to Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Look for recommendations about GKE clusters that need Arc connection.

  3. Follow the recommendation to connect your clusters.

  4. Use the provided scripts to connect each cluster to Azure Arc.

Or use CLI:

# Connect cluster to Arc
az connectedk8s connect \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP \
    --location $REGION

Deploy Defender sensor to existing clusters

After connecting your GKE clusters to Azure Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "GKE clusters should have Microsoft Defender's extension for Azure Arc installed".

  3. Select the recommendation and follow the remediation steps.

Or deploy using CLI:

# Install Defender extension
az k8s-extension create \
    --name microsoft-defender \
    --extension-type microsoft.azuredefender.kubernetes \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

Add Azure Policy extension

To add policy assessment to existing deployments:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "GKE clusters should have the Azure Policy extension installed".

  3. Select the recommendation and follow the remediation steps.

Or use CLI:

# Install Azure Policy extension
az k8s-extension create \
    --name azurepolicy \
    --extension-type Microsoft.PolicyInsights \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP
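The status check described under "Check component deployment status" and the az k8s-extension create commands above can be combined into a single audit script that reports, per Arc-connected cluster, which of the two extensions are absent or unhealthy and optionally installs the absent ones. The script below is an added example, not code from the Microsoft documentation. It assumes the az CLI with the connectedk8s and k8s-extension CLI extensions, a signed-in session with rights on the resource group, and that the Arc resources for your GKE clusters live in one resource group; the extension names and types are the ones used in the commands in this article.

```shell
#!/bin/sh
# Audit Arc-connected GKE clusters for the Defender and Azure Policy extensions
# and optionally install the ones that are absent. Added example, not Microsoft's
# documentation code. Assumes: az CLI with the connectedk8s and k8s-extension
# CLI extensions, and a signed-in session with rights on the resource group.
# Usage: sh audit-gke-extensions.sh <resource-group> [--fix]
set -eu

tab=$(printf '\t')

# Required extensions as "name|type", the names and types used in this article.
REQUIRED_EXTENSIONS="microsoft-defender|microsoft.azuredefender.kubernetes
azurepolicy|Microsoft.PolicyInsights"

# extension_type NAME -> extension type to pass to `az k8s-extension create`
extension_type() {
    printf '%s\n' "$REQUIRED_EXTENSIONS" | awk -v n="$1" 'BEGIN { FS = "|" } $1 == n { print $2 }'
}

# missing_extensions INSTALLED
# INSTALLED holds one "name<TAB>provisioningState" line per installed extension,
# the shape `az k8s-extension list --query "[].[name, provisioningState]" -o tsv`
# returns. Prints "name<TAB>state" for every required extension whose state is
# not Succeeded; state is "absent" when the extension is not installed at all.
missing_extensions() {
    installed=$1
    printf '%s\n' "$REQUIRED_EXTENSIONS" | while IFS='|' read -r name _type; do
        state=$(printf '%s\n' "$installed" | awk -v n="$name" \
                    'BEGIN { FS = "\t"; s = "absent" } $1 == n { s = $2 } END { print s }')
        [ "$state" = "Succeeded" ] || printf '%s\t%s\n' "$name" "$state"
    done
}

# audit_cluster RG CLUSTER [--fix]: report missing extensions; with --fix, create absent ones
audit_cluster() {
    rg=$1; cluster=$2; fix=${3:-}
    # Arc connectivity first: an Offline or Expired cluster cannot receive extensions.
    status=$(az connectedk8s show --resource-group "$rg" --name "$cluster" \
                 --query connectivityStatus -o tsv)
    echo "$cluster: Arc connectivity $status"
    if [ "$status" != "Connected" ]; then
        echo "  fix Arc connectivity before adding extensions"
        return 0
    fi
    installed=$(az k8s-extension list --cluster-type connectedClusters \
                    --cluster-name "$cluster" --resource-group "$rg" \
                    --query "[].[name, provisioningState]" -o tsv)
    missing_extensions "$installed" | while IFS="$tab" read -r name state; do
        if [ "$state" = "absent" ]; then
            echo "  missing extension: $name"
            if [ "$fix" = "--fix" ]; then
                az k8s-extension create --name "$name" \
                    --extension-type "$(extension_type "$name")" \
                    --cluster-type connectedClusters --cluster-name "$cluster" \
                    --resource-group "$rg" --query provisioningState -o tsv
            fi
        else
            # A Failed/Creating extension keeps its name; create would clash with it,
            # so it has to be deleted (az k8s-extension delete) before re-running --fix.
            echo "  extension $name is in state $state; delete it, then re-run with --fix"
        fi
    done
}

# Entry point: runs only when a resource group is given and az is on PATH,
# so the functions above can be sourced and tested without Azure access.
if [ -n "${1:-}" ] && command -v az >/dev/null 2>&1; then
    az connectedk8s list --resource-group "$1" --query "[].name" -o tsv | while read -r cluster; do
        audit_cluster "$1" "$cluster" "${2:-}"
    done
fi
```

Run it without --fix first to get a read-only inventory; the --fix pass only creates extensions that are entirely absent, because an extension stuck in a Failed state has to be removed with az k8s-extension delete before the same name can be created again.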

Remove specific components

To remove components but keep others:

  1. Go to your Arc-enabled Kubernetes cluster in the Azure portal.

  2. Under Settings, select Extensions.

  3. Select the extension to remove (Microsoft Defender or Azure Policy).

  4. Select Uninstall.

Or use CLI:

# Remove Defender sensor only
az k8s-extension delete \
    --name microsoft-defender \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

# Remove Policy extension only
az k8s-extension delete \
    --name azurepolicy \
    --cluster-type connectedClusters \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP

Deploy components selectively

Deploy to specific clusters only

To deploy the sensor only to selected GKE clusters:

  1. Connect specific clusters to Azure Arc (not all clusters).

  2. Go to Recommendations and find "GKE clusters should have Microsoft Defender's extension for Azure Arc installed".

  3. Select only the clusters where you want the sensor.

  4. Follow the remediation steps for the selected clusters.

Configure plan components

You can enable or disable specific Defender for Containers components:

  1. Go to Microsoft Defender for Cloud > Environment settings.

  2. Select your GCP connector.

  3. Select Settings for the Containers plan.

  4. Turn components on or off:

    • Agentless discovery for Kubernetes
    • Agentless container vulnerability assessment
    • Defender DaemonSet
    • Azure Policy for Kubernetes

    Screenshot that shows turning on components.

  5. Select Continue and Save.

Troubleshooting component issues

Fix Arc connectivity issues

For clusters that show as disconnected:

  1. Rerun the Arc connection script.

  2. Verify network connectivity from the cluster to Azure.

  3. Check Arc agent logs: kubectl logs -n azure-arc -l app.kubernetes.io/component=cluster-agent

Fix sensor deployment issues

For clusters missing the Defender sensor:

  1. Verify Arc connection is healthy.

  2. Check for conflicting policies or admission controllers.

  3. Deploy manually if needed: use the remediation steps from the recommendation.

Sensor pods not starting

# Check pod status
kubectl describe pods -n mdc -l app=microsoft-defender

# Common issues:
# - Image pull errors: Check network connectivity
# - Permission denied: Verify RBAC settings
# - Resource constraints: Check node resources
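The three common issues above can be turned into a repeatable first pass. The script below is an added example, not code from the Microsoft documentation: it lists the sensor pods with kubectl, sorts each unhealthy pod into one of those three causes, and checks that every node runs a healthy sensor pod, since the sensor is deployed as a DaemonSet. It assumes kubectl is pointed at the cluster and reuses the namespace mdc and label app=microsoft-defender from the command above; the mapping from container state to advice is this example's own, not Microsoft's.

```shell
#!/bin/sh
# First-pass triage of Defender sensor pods on an Arc-connected GKE cluster.
# Added example, not Microsoft's documentation code. Assumes kubectl targets
# the cluster and the sensor DaemonSet runs in namespace mdc with label
# app=microsoft-defender (the values used in this article).
# Usage: sh triage-defender-pods.sh --run
set -eu

NS=mdc
SELECTOR=app=microsoft-defender

# One line per sensor pod: "<pod>\t<phase>\t<waiting reason of any container, or empty>"
pod_lines() {
    kubectl get pods -n "$NS" -l "$SELECTOR" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.phase}{"\t"}{.status.containerStatuses[*].state.waiting.reason}{"\n"}{end}'
}

# triage LINES: print one advice line per pod that is not Running cleanly,
# using the three causes named in the troubleshooting section.
triage() {
    printf '%s\n' "$1" | awk '
        BEGIN { FS = "\t" }
        $1 == "" { next }                                 # blank line
        $2 == "Running" && $3 == "" { next }              # healthy pod
        $3 ~ /ErrImagePull|ImagePullBackOff/ {
            print $1 ": image pull error; check network connectivity from the nodes to the registry"; next }
        $3 ~ /CrashLoopBackOff/ {
            print $1 ": container keeps crashing; read its logs for permission denied and verify RBAC settings"; next }
        $2 == "Pending" && $3 == "" {
            print $1 ": not scheduled; check node resources (CPU/memory) and taints"; next }
        { print $1 ": phase " $2 ", reason " $3 "; run kubectl describe pod " $1 " -n '"$NS"'" }'
}

# healthy_count LINES: number of pods that are Running with no waiting container
healthy_count() {
    printf '%s\n' "$1" | awk 'BEGIN { FS = "\t" } $2 == "Running" && $3 == "" { n++ } END { print n + 0 }'
}

# coverage HEALTHY NODES: a DaemonSet should place one pod per schedulable node,
# so fewer healthy pods than nodes means some nodes have no sensor. Returns 1 then.
coverage() {
    if [ "$1" -lt "$2" ]; then
        echo "only $1 of $2 nodes run a healthy sensor pod; check tolerations, taints and node resources"
        return 1
    fi
    echo "healthy sensor pod on all $2 nodes"
}

# Entry point: only touches the cluster when asked to and kubectl is available,
# so the functions above can be tested on constructed input.
if [ "${1:-}" = "--run" ] && command -v kubectl >/dev/null 2>&1; then
    lines=$(pod_lines)
    triage "$lines"
    nodes=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
    coverage "$(healthy_count "$lines")" "$nodes" || true
fi
```

The coverage check counts all nodes; if some node pools carry taints the sensor does not tolerate on purpose, treat a shortfall equal to those nodes as expected rather than as a fault.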

Best practices

  1. Regular reviews: Review configuration monthly.
  2. Test changes: Test configuration changes in non-production environments first.
  3. Document settings: Maintain documentation of custom configurations.
  4. Monitor impact: Watch for performance impact after changes.
  5. Back up settings: Export configurations before major changes.
  6. Track exclusions: Document why certain clusters or components are excluded.