-
Notifications
You must be signed in to change notification settings - Fork 63
/
Copy pathfaq-defender-for-containers.yml
213 lines (169 loc) · 14.3 KB
/
faq-defender-for-containers.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
### YamlMime:FAQ
metadata:
title: Common questions about protecting containers
description: Get answers to common questions about protecting containers
ms.topic: faq
ms.service: defender-for-cloud
author: dcurwin
ms.author: dacurwin
ms.date: 12/12/2023
title: Common questions about protecting containers
summary: Get answers to common questions about protecting containers
sections:
- name: Ignored
questions:
- question: |
What are the options to enable the new plan at scale?
answer: |
You can use the Azure Policy `Configure Microsoft Defender for Containers to be enabled`, to enable Defender for Containers at scale. You can also see all of the options that are available to [enable Microsoft Defender for Containers](defender-for-containers-enable.md).
- question: |
Does Microsoft Defender for Containers support AKS clusters with virtual machines scale sets?
answer: |
Yes.
- question: |
Does Microsoft Defender for Containers support AKS without scale set (default)?
answer: |
No. Only Azure Kubernetes Service (AKS) clusters that use Virtual Machine Scale Sets for the nodes is supported.
- question: |
Do I need to install the Log Analytics VM extension on my AKS nodes for security protection?
answer: |
No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. The Log Analytics VM extension isn't needed and might result in extra charges.
- question: |
How can I use my existing Log Analytics workspace?
answer: |
You can use your existing Log Analytics workspace by following the steps in the [Assign a custom workspace](defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) workspace section of this article.
- question: |
Can I delete the default workspaces created by Defender for Cloud?
answer: |
We don't recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. Defender for Containers will be unable to collect data, and some security recommendations and alerts, will become unavailable if you delete the default workspace.
- question: |
I deleted my default workspace, how can I get it back?
answer: |
To recover your default workspace, you need to remove the [Defender sensor](defender-for-cloud-glossary.md#defender-sensor), and reinstall the sensor. Reinstalling the Defender sensor creates a new default workspace.
- question: |
Where is the default Log Analytics workspace located?
answer: |
Depending on your region, the default Log Analytics workspace might be located in various locations. To check your region see [Where is the default Log Analytics workspace created?](faq-data-collection-agents.yml)
- question: |
My organization requires me to tag my resources, and the required sensor didn't get installed, what went wrong?
answer: |
The [Defender sensor](defender-for-cloud-glossary.md#defender-sensor) uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the sensor to use.
However, if your organization has a policy that requires a specific tag on your resources, it might cause the sensor installation to fail during the resource group or the default workspace creation stage. If it fails, you can either:
- [Assign a custom workspace](defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#assign-a-custom-workspace) and add any tag your organization requires.
or
- If your company requires you to tag your resource, you should navigate to that policy and exclude the following resources:
1. The resource group `DefaultResourceGroup-<RegionShortCode>`
1. The Workspace `DefaultWorkspace-<sub-id>-<RegionShortCode>`
RegionShortCode is a 2-4 letters string.
- question: |
How does Defender for Containers scan an image?
answer: |
Defender for Containers pulls the image from the registry and runs it in an isolated sandbox with Microsoft Defender Vulnerability Management for multicloud environments. The scanner extracts a list of known vulnerabilities.
Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.
- question: |
How can I identify pull events performed by the scanner?
answer: |
To identify pull events performed by the scanner, do the following steps:
1. Search for pull events with the UserAgent of *MDCContainersSecurity/1.0*.
1. Extract the identity associated with this event.
1. Use the extracted identity to identify pull events from the scanner.
- question: |
What is the difference between Not Applicable Resources and Unverified Resources?
answer: |
- **Not applicable resources** are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that couldn't be assessed.
- **Unverified resources** are resources scheduled to be assessed, but not assessed yet.
- question: |
Why is Defender for Cloud alerting me to vulnerabilities about an image that isn't in my registry?
answer: |
Some images might reuse tags from an image that was already scanned. For example, you might reassign the tag “Latest” every time you add an image to a digest. In such cases, the 'old' image does still exist in the registry and might still be pulled by its digest. If the image has security findings and is pulled, it will expose security vulnerabilities.
- question: |
Does Defender for Containers scan images in Microsoft Container Registry?
answer: |
Currently, Defender for Containers can scan images in Azure Container Registry (ACR), AWS Elastic Container Registry (ECR), Google Container Registry (GCR), Google Archive Registry (GAR) and supported external registries only.
Microsoft Artifact Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) built-in container image registry aren't supported.
- question: |
How does Defender for Containers scan a running container?
answer: |
Defender for Cloud performs agentless scanning of VMs. Snapshots of VM disks are taken every 24 hours to perform out-of-band analysis, without affecting performance.
Data plane containers residing in VM disk snapshots, agnostic of the container image registry from which it was pulled, are assessed for vulnerabilities using Microsoft Defender Vulnerability Management (MDVM). MDVM generates security recommendations for any vulnerable container images.
- question: |
Can I get the scan results via REST API?
answer: |
Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud-composite/sub-assessments/list?view=rest-defenderforcloud-composite-latest&tabs=HTTP&preserve-view=true). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.
- question: |
How do I check which media type my containers are using?
answer: |
To check an image type, you need to use a tool that can check the raw image manifest such as [skopeo](https://github.com/containers/skopeo), and inspect the raw image format.
- For the Docker v2 format, the manifest media type would be **application/vnd.docker.distribution.manifest.v1+json** or **application/vnd.docker.distribution.manifest.v2+json**, as documented [here](https://docs.docker.com/registry/spec/manifest-v2-2/).
- For the OCI image format, the manifest media type would be **application/vnd.oci.image.manifest.v1+json**, and config media type **application/vnd.oci.image.config.v1+json**, as documented [here](https://specs.opencontainers.org/image-spec/media-types/).
- question: |
What are the extensions for agentless container posture management?
answer: |
There are two extensions that provide agentless CSPM functionality:
- **Agentless Container vulnerability assessments**: Provides agentless containers vulnerability assessments. Learn more about [Agentless Container vulnerability assessment](agentless-vulnerability-assessment-azure.md).
- **Agentless discovery for Kubernetes**: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.
- question: |
How can I onboard multiple subscriptions at once?
answer: |
To onboard multiple subscriptions at once, you can use [this script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/Agentless%20Container%20Posture).
- question: |
Why don't I see results from my clusters?
answer: |
If you don't see results from your clusters, check the following questions:
- Do you have stopped clusters?
- Are your resource groups, subscriptions, or clusters locked?
If the answer to either of these questions is yes, see the answers in the following questions.
- question: |
What can I do if I have stopped clusters?
answer: |
We don't support or charge stopped clusters. To get the value of agentless capabilities on a stopped cluster, you can rerun the cluster.
- question: |
What do I do if I have locked resource groups, subscriptions, or clusters?
answer: |
We suggest that you unlock the locked resource group/subscription/cluster, make the relevant requests manually, and then relock the resource group/subscription/cluster by doing the following:
1. Enable the feature flag manually via CLI by using [Trusted Access](/azure/aks/trusted-access-feature).
``` CLI
“az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview”
```
1. Perform the bind operation in the CLI:
``` CLI
az account set -s <SubscriptionId>
az extension add --name aks-preview
az aks trustedaccess rolebinding create --resource-group <cluster resource group> --cluster-name <cluster name> --name defender-cloudposture --source-resource-id /subscriptions/<SubscriptionId>/providers/Microsoft.Security/pricings/CloudPosture/securityOperators/DefenderCSPMSecurityOperator --roles "Microsoft.Security/pricings/microsoft-defender-operator"
```
For locked clusters, you can also do one of the following steps:
- Remove the lock.
- Perform the bind operation manually by making an API request.
Learn more about [locked resources](/azure/azure-resource-manager/management/lock-resources?tabs=json).
- question: |
Are you using an updated version of AKS?
answer: |
Learn more about [supported Kubernetes versions in Azure Kubernetes Service (AKS)](/azure/aks/supported-kubernetes-versions?tabs=azure-cli).
- question: |
What's the refresh interval for Agentless discovery of Kubernetes?
answer: |
It can take up to **24 hours** for changes to reflect in the security graph, attack paths, and the security explorer.
- question: |
How do I upgrade from the retired Trivy vulnerability assessment to the AWS vulnerability assessment powered by Microsoft Defender Vulnerability Management?
answer: |
The following steps will remove the single registry recommendation powered by Trivy and add the [new registry and runtime recommendations that are powered by MDVM](agentless-vulnerability-assessment-azure.md).
1. Open the relevant AWS connector.
1. Open the **Settings** page for Defender for Containers.
1. Enable **Agentless Container Vulnerability Assessment**.
1. Complete the steps of the connector wizard, including deployment of the new onboarding script in AWS.
1. Manually delete the resources created during onboarding:
- S3 bucket with the prefix defender-for-containers-va
- ECS cluster with the name defender-for-containers-va
- VPC:
- Tag `name` with the value `defender-for-containers-va`
- IP subnet CIDR 10.0.0.0/16
- Associated with **default security group** with the tag `name` and the value `defender-for-containers-va` that has one rule of all incoming traffic.
- **Subnet** with the tag `name` and the value `defender-for-containers-va` in the `defender-for-containers-va` VPC with the CIDR 10.0.1.0/24 IP subnet used by the ECS cluster `defender-for-containers-va`
- **Internet Gateway** with the tag `name` and the value `defender-for-containers-va`
- **Route table** - Route table with the tag `name` and value `defender-for-containers-va`, and with these routes:
- Destination: `0.0.0.0/0`; Target: Internet Gateway with the tag `name` and the value `defender-for-containers-va`
- Destination: `10.0.0.0/16`; Target: `local`
To get vulnerability assessments for running images, either enable [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or deploy the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) on your Kubernetes clusters.
additionalContent: |
## Next steps
[Learn about Defender for Containers](defender-for-containers-introduction.md)