Enable Defender for Containers on GCP (GKE) via portal

This article shows you how to enable Microsoft Defender for Containers on your Google Kubernetes Engine (GKE) clusters through the Azure portal. You can choose to enable all security features at once for comprehensive protection, or selectively deploy specific components based on your requirements.

When to use this guide

Use this guide if you want to:

  • Set up Defender for Containers on GCP for the first time
  • Enable all security features for comprehensive protection
  • Selectively deploy specific components
  • Fix or add missing components to an existing deployment
  • Deploy using a controlled, selective approach
  • Exclude certain clusters from protection

Prerequisites

Network requirements

Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.

Note

The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.

Azure domain                     Azure Government domain   Azure operated by 21Vianet domain   Port
*.cloud.defender.microsoft.com   N/A                       N/A                                 443

You also need to validate the Azure Arc-enabled Kubernetes network requirements.

GCP-specific requirements:

  • GCP project with appropriate permissions
  • GKE clusters (version 1.19+)
  • Container images in Google Container Registry or Artifact Registry
  • Service account with required IAM roles
  • Cloud Shell or gcloud CLI configured

Create GCP connector

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud.

  3. Select Environment settings from the left menu.

  4. Select Add environment > Google Cloud Platform.

    Screenshot showing how to connect a GCP project to Microsoft Defender for Cloud.

    Screenshot showing adding GCP environment.

  5. Select the relevant GCP connector if you have multiple:

    Screenshot that shows an example GCP connector.

Configure connector details

  1. In the Account details section, enter:

    • Connector name: A descriptive name for your GCP project
    • GCP project ID: Your GCP project identifier
    • Resource group: Select or create a resource group

    Screenshot showing GCP account details configuration.

  2. Select Next: Select plans.

Enable Defender for Containers features

  1. In Select plans, toggle Containers to On.

    Screenshot of enabling Defender for Containers for a GCP connector.

  2. Select Configure to access the plan settings.

    Screenshot of settings for the Containers plan in the Defender for Cloud environment settings.

  3. Choose your deployment approach:

    • Enable all components (recommended): Enable all features for comprehensive protection
    • Enable specific components: Select only the components you need

    Available components:

    • Agentless discovery for Kubernetes - Discovers all GKE clusters
    • Agentless container vulnerability assessment - Scans registry images
    • Defender sensor (deployed as a DaemonSet) - Runtime threat detection
    • Azure Policy for Kubernetes - Security recommendations
  4. Select Continue and Next: Configure access.

Set up GCP permissions

  1. Download the setup script from the portal.

  2. Open Google Cloud Shell or your local terminal with gcloud configured.

  3. Run the setup script to create the required service account and permissions:

    # The portal provides a script similar to this
    bash defender-for-containers-setup.sh \
        --project-id <project-id> \
        --workload-identity-pool <pool-name>
    
  4. The script creates:

    • Service account with necessary IAM roles
    • Workload identity federation
    • API enablement
  5. Copy the service account email from the script output.

    Screenshot that shows the location of the copy button.

  6. Return to Azure portal and paste the service account email.

    Screenshot showing GCP access configuration.

  7. Select Next: Review and create.

Deploy all components

Follow these steps to enable comprehensive protection for all your GKE clusters.

Connect GKE clusters to Azure Arc

After creating the connector:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Look for the recommendation "GKE clusters should be connected to Azure Arc".

  3. Select the recommendation to see affected clusters.

  4. Follow the remediation steps to connect each cluster:

    # Point kubectl at the GKE cluster first: az connectedk8s connect onboards
    # whichever cluster the current kubeconfig context selects
    gcloud container clusters get-credentials <cluster-name> --location <gcp-location>

    # Connect the GKE cluster to Arc (<location> is the Azure region that holds
    # the connectedClusters resource, not the GCP location)
    az connectedk8s connect \
        --name <cluster-name> \
        --resource-group <resource-group> \
        --location <location>
    

Deploy the Defender sensor

Important

Deploying the Defender sensor using Helm: Unlike other options that are autoprovisioned and updated automatically, Helm lets you flexibly deploy the Defender sensor. This approach is especially useful in DevOps and infrastructure-as-code scenarios. With Helm, you can integrate deployment into CI/CD pipelines and control all sensor updates. You can also choose to receive preview and GA versions. For instructions on installing the Defender sensor using Helm, see Install Defender for Containers sensor using Helm.

After connecting your GKE clusters to Azure Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "Arc-enabled Kubernetes clusters should have Defender extension installed".

    Screenshot that shows searching for a recommendation.

    Screenshot showing sensor enablement for Arc-connected GKE clusters.

  3. Select your GKE clusters.

  4. Select Fix to deploy the sensor.

    Screenshot that shows the location of the Fix button.

Note

You can also deploy the Defender sensor by using Helm for more control. For more information, see Install Defender for Containers sensor using Helm.
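Once Fix has run, confirm that the sensor is actually scheduled and Ready on every node rather than trusting the recommendation to turn green. The script below is an added example for this article, not Microsoft's code: it compares `kubectl get nodes` with the sensor pods and reports nodes that have no sensor pod at all and nodes whose pod exists but is not Ready (a crash-looping pod still reports phase Running, so the check looks at container readiness). The `mdc` namespace and the `app=microsoft-defender-collector` label selector are assumptions; confirm them on your cluster with `kubectl get ds -n mdc --show-labels`. The sample node and pod objects are constructed so the coverage check runs offline.

```python
"""Check that the Defender sensor DaemonSet covers every node of an Arc-connected GKE cluster.

Added example, not Microsoft's code. Namespace and label selector are assumptions;
confirm with `kubectl get ds -n mdc --show-labels`.
"""
import json
import subprocess
from typing import Dict, List

SENSOR_NAMESPACE = "mdc"                               # assumption, see docstring
SENSOR_SELECTOR = "app=microsoft-defender-collector"   # assumption, see docstring


def kubectl_json(*args: str) -> dict:
    """Run kubectl with -o json and parse the result."""
    out = subprocess.run(
        ["kubectl", *args, "-o", "json"], check=True, capture_output=True, text=True
    ).stdout
    return json.loads(out)


def pod_is_ready(pod: dict) -> bool:
    """A pod counts as ready only when it is Running and every container is Ready."""
    status = pod.get("status", {})
    containers = status.get("containerStatuses", [])
    return status.get("phase") == "Running" and bool(containers) and all(
        c.get("ready", False) for c in containers
    )


def sensor_coverage(nodes: dict, pods: dict) -> Dict[str, List[str]]:
    """Classify each node as covered, unhealthy (pod present but not Ready) or missing."""
    pods_by_node: Dict[str, dict] = {}
    for pod in pods.get("items", []):
        node = pod.get("spec", {}).get("nodeName")
        if node:                       # unscheduled pods have no nodeName yet
            pods_by_node[node] = pod
    report: Dict[str, List[str]] = {"covered": [], "unhealthy": [], "missing": []}
    for node in nodes.get("items", []):
        name = node["metadata"]["name"]
        pod = pods_by_node.get(name)
        if pod is None:
            report["missing"].append(name)
        elif pod_is_ready(pod):
            report["covered"].append(name)
        else:
            report["unhealthy"].append(name)
    return report


# Constructed sample shaped like `kubectl get nodes/pods -o json`; not real cluster output.
SAMPLE_NODES = {"items": [{"metadata": {"name": f"gke-pool-{i}"}} for i in range(3)]}
SAMPLE_PODS = {
    "items": [
        {   # healthy sensor pod
            "metadata": {"name": "microsoft-defender-collector-ds-aaaa"},
            "spec": {"nodeName": "gke-pool-0"},
            "status": {"phase": "Running", "containerStatuses": [{"ready": True}]},
        },
        {   # crash-looping sensor pod: phase is still Running, container is not Ready
            "metadata": {"name": "microsoft-defender-collector-ds-bbbb"},
            "spec": {"nodeName": "gke-pool-1"},
            "status": {"phase": "Running", "containerStatuses": [{"ready": False}]},
        },
        # gke-pool-2 has no sensor pod (for example a taint the DaemonSet does not tolerate)
    ]
}


def main() -> None:
    nodes = kubectl_json("get", "nodes")
    pods = kubectl_json("get", "pods", "-n", SENSOR_NAMESPACE, "-l", SENSOR_SELECTOR)
    report = sensor_coverage(nodes, pods)
    for key, names in report.items():
        print(f"{key:9}: {', '.join(names) or '-'}")
    if report["unhealthy"] or report["missing"]:
        raise SystemExit(1)          # non-zero so a pipeline step fails on partial coverage


if __name__ == "__main__":
    main()
```

Run it after every Fix or Helm upgrade; a node that shows up under missing usually means a taint or node selector the DaemonSet does not tolerate, while unhealthy points at the sensor pod's own logs.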

Configure container registry scanning

For Google Container Registry (GCR) and Artifact Registry:

  1. Go to your GCP connector settings.

  2. Select Configure next to the Containers plan.

  3. Verify Agentless container vulnerability assessment is enabled.

  4. Images are automatically scanned when you push them to the registry.

Enable audit logging

Enable GKE audit logging for runtime protection:

# Enable API server audit logs on an existing cluster. The --logging flag
# supersedes the legacy --enable-cloud-logging switch; use --region instead of
# --zone for a regional cluster.
gcloud container clusters update <cluster-name> \
    --zone <zone> \
    --logging=SYSTEM,WORKLOAD,API_SERVER

Deploy specific components (optional)

If you need selective deployment or to fix issues with existing deployments:

Deploy Defender sensor to specific clusters

To deploy the sensor to only selected GKE clusters:

  1. Connect only specific clusters to Azure Arc (not all clusters).

  2. Go to Recommendations and find "Arc-enabled Kubernetes clusters should have Defender extension installed".

  3. Select only the clusters where you want the sensor.

  4. Follow the remediation steps for the selected clusters.

Enable vulnerability scanning only

To enable only registry scanning without runtime protection:

  1. In connector configuration, enable only Agentless container vulnerability assessment.

  2. Disable other components.

  3. Save the configuration.

Configure by cluster type

Standard GKE clusters

No special configuration is required. Follow the default deployment steps.

GKE Autopilot

For Autopilot clusters:

  1. The Defender sensor automatically adjusts resource requests.

  2. No manual configuration is needed for resource limits.

Private GKE clusters

For private clusters:

  1. Ensure the cluster can reach the Azure endpoints listed under Network requirements. Nodes in a private cluster have no external IP addresses, so they need Cloud NAT (or an egress proxy) before they can reach *.cloud.defender.microsoft.com on TCP 443.

  2. Configure firewall rules if needed. A VPC allows all egress by default, so an explicit rule is only required when a deny-egress rule is in place. The rule must be an egress rule targeting the nodes; an ingress rule on port 443 does not help the sensor connect out:

    # Egress allow for the node pool; priority must be a lower number (higher
    # precedence) than the deny-egress rule it overrides. 0.0.0.0/0 is used
    # because the Defender endpoint resolves to changing Microsoft IP ranges.
    gcloud compute firewall-rules create allow-defender-egress \
        --direction EGRESS \
        --allow tcp:443 \
        --destination-ranges 0.0.0.0/0 \
        --target-tags <node-tags> \
        --priority 900
    

Configure exclusions

To exclude specific GKE clusters from automatic provisioning:

  1. Go to your GKE cluster in GCP Console.

  2. Add labels to the cluster:

    • For Defender sensor: ms_defender_container_exclude_agents = true
    • For agentless deployment: ms_defender_container_exclude_agentless = true

Note

For Arc-connected clusters, you can also use Azure tags:

  • ms_defender_container_exclude_sensors = true
  • ms_defender_container_exclude_azurepolicy = true
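The prerequisites (cluster version), the audit logging step, the private cluster section and the exclusion labels above are all per-cluster properties, so they can be checked in one pass before you touch the portal. The script below is an added example, not Microsoft's or Google's code: it reads the JSON that `gcloud container clusters list --format=json` prints and flags clusters below 1.19, clusters without API server audit logs, private-node clusters that need Cloud NAT or a proxy for outbound 443, and clusters carrying an ms_defender_container_exclude_* label (which it then skips for the sensor-related checks, since nothing will be deployed there). The GKE field names it reads (currentMasterVersion, resourceLabels, loggingConfig.componentConfig.enableComponents, privateClusterConfig.enablePrivateNodes) are my reading of the GKE API and should be verified against your own output; the three sample clusters are constructed so the audit runs offline.

```python
"""Pre-flight audit of GKE clusters for Defender for Containers.

Added example, not Microsoft's or Google's code. GKE JSON field names are assumptions
based on the GKE API; verify against `gcloud container clusters list --format=json`.
"""
import json
import subprocess
from typing import Dict, List, Tuple

MIN_VERSION = (1, 19)                                   # prerequisite stated in the article
EXCLUDE_SENSOR_LABEL = "ms_defender_container_exclude_agents"
EXCLUDE_AGENTLESS_LABEL = "ms_defender_container_exclude_agentless"
DEFENDER_ENDPOINT = "*.cloud.defender.microsoft.com:443"


def parse_gke_version(version: str) -> Tuple[int, int]:
    """'1.29.3-gke.1282000' -> (1, 29); the -gke build suffix is ignored."""
    major, minor = version.split("-", 1)[0].split(".")[:2]
    return int(major), int(minor)


def label_true(labels: Dict[str, str], key: str) -> bool:
    """GKE resource labels are strings; treat 'true' in any case as set."""
    return str(labels.get(key, "")).strip().lower() == "true"


def audit_cluster(cluster: dict) -> dict:
    """Return findings plus the actions needed before this cluster is protected."""
    labels = cluster.get("resourceLabels") or {}
    logging_cfg = cluster.get("loggingConfig") or {}
    components = (logging_cfg.get("componentConfig") or {}).get("enableComponents") or []
    private_nodes = bool((cluster.get("privateClusterConfig") or {}).get("enablePrivateNodes"))
    version_ok = parse_gke_version(cluster.get("currentMasterVersion", "0.0")) >= MIN_VERSION
    result = {
        "name": cluster["name"],
        "sensor_excluded": label_true(labels, EXCLUDE_SENSOR_LABEL),
        "agentless_excluded": label_true(labels, EXCLUDE_AGENTLESS_LABEL),
        "version_ok": version_ok,
        "api_server_audit": "APISERVER" in components,   # what --logging=...,API_SERVER sets
        "private_nodes": private_nodes,
        "actions": [],
    }
    if not version_ok:
        result["actions"].append("upgrade: control plane below %d.%d" % MIN_VERSION)
    if not result["sensor_excluded"]:   # sensor-related checks only matter if the sensor will be deployed
        if not result["api_server_audit"]:
            result["actions"].append(
                "run: gcloud container clusters update ... --logging=SYSTEM,WORKLOAD,API_SERVER")
        if private_nodes:
            result["actions"].append(
                "private nodes: confirm Cloud NAT or proxy egress to " + DEFENDER_ENDPOINT)
    return result


def audit_clusters(clusters: List[dict]) -> List[dict]:
    return [audit_cluster(c) for c in clusters]


# Constructed sample in the shape of `gcloud container clusters list --format=json`; not real output.
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "currentMasterVersion": "1.29.3-gke.1282000",
     "resourceLabels": {"env": "prod"},
     "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS", "WORKLOADS", "APISERVER"]}},
     "privateClusterConfig": {"enablePrivateNodes": True}},
    {"name": "dev-b", "currentMasterVersion": "1.28.9-gke.1000",
     "resourceLabels": {EXCLUDE_SENSOR_LABEL: "true"},              # sensor opted out via label
     "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}}},
    {"name": "legacy-c", "currentMasterVersion": "1.18.20-gke.900",  # below the minimum version
     "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS", "WORKLOADS"]}}},
]


def main() -> None:
    raw = subprocess.run(
        ["gcloud", "container", "clusters", "list", "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    for r in audit_clusters(json.loads(raw)):
        flags = [k for k in ("sensor_excluded", "agentless_excluded", "private_nodes") if r[k]]
        print(f"{r['name']}: version_ok={r['version_ok']} audit={r['api_server_audit']} {' '.join(flags)}")
        for action in r["actions"]:
            print(f"    - {action}")


if __name__ == "__main__":
    main()
```

Keep the output with the exclusion records you maintain (best practice 6 below): a cluster that is excluded by label and also fails the audit checks is exactly the one that gets forgotten when the exclusion is later removed.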

Best practices

  1. Start with non-production: Test on dev/test clusters first for selective deployment.
  2. Enable all components: Get comprehensive protection when possible.
  3. Use Workload Identity: Let the connector authenticate through the workload identity federation the setup script configures rather than through exported service account keys, and use GKE Workload Identity for your own workloads so that no pod carries long-lived credentials.
  4. Regular monitoring: Check dashboard weekly for findings.
  5. Image signing: Implement Binary Authorization for production.
  6. Document exclusions: Track why certain clusters are excluded in selective deployments.
  7. Deploy incrementally: When using selective deployment, add one component at a time.
  8. Monitor each step: Verify each component before proceeding to the next.

Clean up resources

To disable Defender for Containers, follow these steps:

  1. Go to Environment settings.

  2. Select your GCP connector.

  3. Choose one of the following options:

    • Set Containers to Off to disable the plan.
    • Delete the entire connector to remove all configurations.
  4. Clean up GCP resources:

    # 1. Uninstall the Defender extension, then disconnect the cluster from Arc
    #    (find the exact extension name with: az k8s-extension list ...)
    az k8s-extension delete --cluster-type connectedClusters \
        --cluster-name <cluster-name> --resource-group <rg> --name <extension-name>
    az connectedk8s delete --name <cluster-name> --resource-group <rg>

    # 2. Delete the service account the setup script created in GCP
    gcloud iam service-accounts delete <service-account-email> --project <project-id>
    

Next steps