This article explains how to deploy Defender for Containers components on your Google Kubernetes Engine (GKE) clusters by using command-line tools and automation methods.
Tip
For a guided portal experience, see Enable all components via portal.
Prerequisites
Network requirements
Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.
Note
The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.
| Azure domain | Azure Government domain | Azure operated by 21Vianet domain | Port |
|---|---|---|---|
| *.cloud.defender.microsoft.com | N/A | N/A | 443 |
You also need to validate the Azure Arc-enabled Kubernetes network requirements.
Required tools:
- Azure CLI (version 2.40.0 or later)
- gcloud CLI configured with appropriate credentials
- kubectl configured for your GKE clusters
Enable Defender for Containers
To enable the Defender for Containers plan on your subscription, see Enable Microsoft Defender for Cloud. You can enable the plan through the Azure portal, REST API, or Azure Policy.
Connect your GCP project
Before deploying the Defender sensor, connect your GCP project to Microsoft Defender for Cloud. For instructions, see Connect your GCP project.
The connection wizard in the Azure portal guides you through:
- Creating the necessary GCP service accounts
- Configuring workload identity federation
- Setting up the required IAM permissions
- Downloading and running the setup scripts
Connect GKE clusters to Azure Arc
Connect your GKE clusters to Azure Arc to deploy the Defender sensor. For instructions, see Connect an existing Kubernetes cluster to Azure Arc.
Deploy the Defender sensor
After connecting your GCP project and GKE clusters to Azure Arc, deploy the Defender sensor extension:
```azurecli
az k8s-extension create \
  --name microsoft.azuredefender.kubernetes \
  --extension-type microsoft.azuredefender.kubernetes \
  --cluster-type connectedClusters \
  --cluster-name <cluster-name> \
  --resource-group <resource-group> \
  --configuration-settings \
  logAnalyticsWorkspaceResourceID="/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
```
Deploy the Azure Policy extension
Deploy the Azure Policy extension to enable policy enforcement on your GKE clusters:
```azurecli
az k8s-extension create \
  --name azure-policy \
  --extension-type Microsoft.PolicyInsights \
  --cluster-type connectedClusters \
  --cluster-name <cluster-name> \
  --resource-group <resource-group>
```
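The two extension deployments above, wrapped in a script that validates the workspace resource ID before it is passed to the extension and confirms each extension reports provisioningState Succeeded afterwards. This is an added example, not code from the original article or from the Defender for Cloud product; it assumes the Azure CLI and kubectl are installed and signed in, and that the Defender sensor runs in the mdc namespace.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or the product's own scripts.
# Assumes: az CLI (2.40.0+) and kubectl are installed and signed in; the
# Defender sensor namespace is "mdc" (assumption; adjust if yours differs).
set -eu

# Compose the Log Analytics workspace resource ID from its three parts.
build_workspace_id() {  # <subscription-id> <workspace-rg> <workspace-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Check the ID's shape before deploying: a typo here otherwise surfaces only
# as a failed or stuck provisioningState after a long wait.
validate_workspace_id() {
  printf '%s' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/resourceGroups/[^/]+/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$'
}

# Create one cluster extension on an Arc-connected cluster and verify it
# reached provisioningState=Succeeded (create blocks until provisioning ends).
deploy_extension() {  # <name> <type> <cluster> <rg> [extra az args...]
  local name=$1 type=$2 cluster=$3 rg=$4 state
  shift 4
  az k8s-extension create --name "$name" --extension-type "$type" \
    --cluster-type connectedClusters --cluster-name "$cluster" \
    --resource-group "$rg" "$@" >/dev/null
  state=$(az k8s-extension show --name "$name" --cluster-type connectedClusters \
    --cluster-name "$cluster" --resource-group "$rg" \
    --query provisioningState -o tsv)
  [ "$state" = "Succeeded" ] || { echo "$name: provisioningState=$state" >&2; return 1; }
}

main() {  # <cluster> <cluster-rg> <subscription-id> <workspace-rg> <workspace-name>
  local ws_id
  ws_id=$(build_workspace_id "$3" "$4" "$5")
  validate_workspace_id "$ws_id" || { echo "malformed workspace ID: $ws_id" >&2; return 1; }
  deploy_extension microsoft.azuredefender.kubernetes microsoft.azuredefender.kubernetes \
    "$1" "$2" --configuration-settings "logAnalyticsWorkspaceResourceID=$ws_id"
  deploy_extension azure-policy Microsoft.PolicyInsights "$1" "$2"
  # The sensor runs as a DaemonSet: DESIRED should equal the node count and
  # READY should match DESIRED once every node has pulled the image.
  kubectl -n mdc get daemonset
}

# Run only when all five arguments are supplied, so the functions can also be sourced.
if [ "$#" -eq 5 ]; then main "$@"; fi
```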