Merge pull request #262886 from dcurwin/wi-195468-architecture-jan10-2023

v-dirichards · web-flow · commit ff50535afc52 · 2024-01-16T09:38:06.000-06:00
Agentless in architecture page
diff --git a/articles/defender-for-cloud/defender-for-containers-architecture.md b/articles/defender-for-cloud/defender-for-containers-architecture.md
@@ -5,7 +5,7 @@ author: dcurwin
 ms.author: dacurwin
 ms.topic: overview
 ms.custom: ignite-2022
-ms.date: 09/06/2023
+ms.date: 01/10/2024
 ---
 
 # Defender for Containers architecture
@@ -36,7 +36,7 @@ To learn more about implementation details such as supported operating systems,
 
 ## [**Azure (AKS)**](#tab/defender-for-container-arch-aks)
 
-### Architecture diagram of Defender for Cloud and AKS clusters<a name="jit-asc"></a>
+### Architecture diagram of Defender for Cloud and AKS clusters
 
 When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, the collection of audit log data is agentless and collected automatically through Azure infrastructure with no additional cost or configuration considerations. These are the required components in order to receive the full protection offered by Microsoft Defender for Containers:
 
@@ -53,7 +53,31 @@ When Defender for Cloud protects a cluster hosted in Azure Kubernetes Service, t
 | microsoft-defender-collector-misc-* | kube-system | [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bounded to a specific node. | N/A | memory: 64Mi <br> <br>cpu: 60m | No |
 | microsoft-defender-publisher-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | Publish the collected data to Microsoft Defender for Containers backend service where the data will be processed for and analyzed. | N/A | memory: 200Mi <br> <br> cpu: 60m | Https 443 <br> <br> Learn more about the [outbound access prerequisites](../aks/outbound-rules-control-egress.md#microsoft-defender-for-containers) |
 
-\* Resource limits aren't configurable; Learn more about [Kubernetes resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes)
+\* Resource limits aren't configurable; Learn more about [Kubernetes resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes).
+
+### How does agentless discovery for Kubernetes in Azure work?
+
+The discovery process is based on snapshots taken at intervals:
+
+:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
+
+When you enable the agentless discovery for Kubernetes extension, the following process occurs:
+
+- **Create**:
+  - If the extension is enabled from Defender CSPM, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderCSPMSecurityOperator`.
+  - If the extension is enabled from Defender for Containers, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderForContainersSecurityOperator`.
+- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
+
+  - AKS read (Microsoft.ContainerService/managedClusters/read)
+  - AKS Trusted Access with the following permissions:
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
+
+   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
+
+- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
+- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role *Microsoft.Security/pricings/microsoft-defender-operator*. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
 
 ## [**On-premises / IaaS (Arc)**](#tab/defender-for-container-arch-arc)
 
@@ -88,9 +112,25 @@ When Defender for Cloud protects a cluster hosted in Elastic Kubernetes Service,
 
 :::image type="content" source="./media/defender-for-containers/architecture-eks-cluster.png" alt-text="Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Amazon Web Services' EKS clusters, Azure Arc-enabled Kubernetes, and Azure Policy." lightbox="./media/defender-for-containers/architecture-eks-cluster.png":::
 
+### How does agentless discovery for Kubernetes in AWS work?
+
+The discovery process is based on snapshots taken at intervals:
+
+When you enable the agentless discovery for Kubernetes extension, the following process occurs:
+
+- **Create**:
+  - The Defender for Cloud role *MDCContainersAgentlessDiscoveryK8sRole* must be added to the *aws-auth ConfigMap* of the EKS clusters. The name can be customized.
+
+- **Assign**: Defender for Cloud assigns the *MDCContainersAgentlessDiscoveryK8sRole* role the following permissions:
+
+  - `eks:UpdateClusterConfig`
+  - `eks:DescribeCluster`
+
+- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the EKS clusters in your environment using API calls to the API server of EKS.
+
 ## [**GCP (GKE)**](#tab/defender-for-container-gke)
 
-### Architecture diagram of Defender for Cloud and GKE clusters<a name="jit-asc"></a>
+### Architecture diagram of Defender for Cloud and GKE clusters
 
 When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, the collection of audit log data is agentless. These are the required components in order to receive the full protection offered by Microsoft Defender for Containers:
 
@@ -107,30 +147,6 @@ When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, t
 
 ---
 
-## How does agentless discovery for Kubernetes work?
-
-The discovery process is based on snapshots taken at intervals:
-
-:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
-
-When you enable the agentless discovery for Kubernetes extension, the following process occurs:
-
-- **Create**:
-  - If the extension is enabled from Defender CSPM, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderCSPMSecurityOperator`.
-  - If the extension is enabled from Defender for Containers, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderForContainersSecurityOperator`.
-- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
-
-  - AKS read (Microsoft.ContainerService/managedClusters/read)
-  - AKS Trusted Access with the following permissions:
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
-
-   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
-
-- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
-- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
-
 ## Next steps
 
 In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see:
diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md
@@ -33,7 +33,7 @@ To protect your EKS clusters, enable the Containers plan on the relevant account
         > [!NOTE]
         > If you disable this configuration, then the `Threat detection (control plane)` feature will be disabled. Learn more about [features availability](../supported-machines-endpoint-solutions-clouds-containers.md).
 
-    - [Agentless discovery for Kubernetes](../defender-for-containers-architecture.md#how-does-agentless-discovery-for-kubernetes-work) provides API-based discovery of your Kubernetes clusters. To enable the **Agentless discovery for Kubernetes** feature, toggle the setting to **On**.
+    - [Agentless discovery for Kubernetes](../defender-for-containers-architecture.md#how-does-agentless-discovery-for-kubernetes-in-aws-work) provides API-based discovery of your Kubernetes clusters. To enable the **Agentless discovery for Kubernetes** feature, toggle the setting to **On**.
     - The [Agentless Container Vulnerability Assessment](../agentless-vulnerability-assessment-aws.md) provides vulnerability management for images stored in ECR and running images on your EKS clusters. To enable the **Agentless Container Vulnerability Assessment** feature, toggle the setting to **On**.
 
 1. Continue through the remaining pages of the connector wizard.
diff --git a/articles/defender-for-cloud/tutorial-enable-container-aws.md b/articles/defender-for-cloud/tutorial-enable-container-aws.md
@@ -2,7 +2,7 @@
 title: Protect your Amazon Web Service (AWS) accounts containers with Defender for Containers
 description: Learn how to enable the Defender for Containers plan on your Amazon Web Service (AWS) accounts for Microsoft Defender for Cloud.
 ms.topic: install-set-up-deploy
-ms.date: 06/29/2023
+ms.date: 01/10/2024
 ---
 
 # Protect your Amazon Web Service (AWS) containers with Defender for Containers
@@ -54,7 +54,7 @@ To protect your EKS clusters, you need to enable the Containers plan on the rele
         > [!NOTE]
         > If you disable this configuration, then the `Threat detection (control plane)` feature will be disabled. Learn more about [features availability](supported-machines-endpoint-solutions-clouds-containers.md).
 
-    - [Agentless discovery for Kubernetes](defender-for-containers-architecture.md#how-does-agentless-discovery-for-kubernetes-work) provides API-based discovery of your Kubernetes clusters. To enable the **Agentless discovery for Kubernetes** feature, toggle the setting to **On**.
+    - [Agentless discovery for Kubernetes](defender-for-containers-architecture.md#how-does-agentless-discovery-for-kubernetes-in-aws-work) provides API-based discovery of your Kubernetes clusters. To enable the **Agentless discovery for Kubernetes** feature, toggle the setting to **On**.
     - The [Agentless Container Vulnerability Assessment](agentless-vulnerability-assessment-aws.md) provides vulnerability management for images stored in ECR and running images on your EKS clusters. To enable the **Agentless Container Vulnerability Assessment** feature, toggle the setting to **On**.
 
 1. Select **Next: Review and generate**.
