Merge pull request #2522 from ElazarK/wi554039-Secure-Kubernetes-Deployments

WI554039 secure kubernetes deployments

Author: AnnaMHuff

articles/defender-for-cloud/TOC.yml

@@ -823,10 +823,16 @@
               - name: Overview
                 href: runtime-gated-overview.md
               - name: Enable gated deployment
+                displayName: gated deployment, enable
                 href: enablement-guide-runtime-gated.md
+              - name: Gated deployment for Infrastructure as Code
+                displayName: gated deployment, infrastructure as code, IaC
+                href: gated-deployment-infrastructure-as-code.md
               - name: Troubleshooting
+                displayName: troubleshooting, gated deployment
                 href: troubleshooting-runtime-gated.md
               - name: Frequently asked questions
+                displayName: faq, frequently asked questions, gated deployment
                 href: faq-runtime-gated.md
       - name: Protect clusters with AKS Security Dashboard
         displayName: k8s, containers

articles/defender-for-cloud/gated-deployment-infrastructure-as-code.md

@@ -0,0 +1,53 @@
+---
+title: Gated deployment for Infrastructure as Code
+description: Learn how to deploy gated deployment infrastructure as code for managed cluster API.
+#customer intent: As a Kubernetes administrator, I want to deploy gated deployment infrastructure as code so that I can automate the setup and ensure consistent configuration across environments.
+author: Elazark
+ms.author: elkrieger
+ms.date: 02/16/2026
+ms.topic: how-to
+---
+
+# Gated deployment for Infrastructure as Code
+
+Microsoft Defender for Cloud's gated deployment agent is a Kubernetes admission controller that enforces container image security policies at deployment time. Gated deployment acts as a gatekeeper for container images for known security problems at deployment time and decides whether they're allowed to run.
+
+The gated deployment agent requires read access to all of your Azure Container Registries (ACRs) associated with the cluster. These registries store the container images alongside the vulnerability assessment artifacts generated by Defender for Containers. To enable this access, configure a Managed Service Identity (MSI) with the required ACR read permissions and assign it to the agent.
+
+## Prerequisites
+
+- An Azure subscription with Microsoft Defender for Cloud enabled.
+- You must [enable gated deployment in Defender for Containers](enablement-guide-runtime-gated.md) with the defender sensor and registry access extensions turned on.
+- You must enable on your Azure Kubernetes Service (AKS) cluster: 
+    - [An OpenID Connect (OIDC) issuer](/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-the-oidc-issuer). 
+    - [An Azure Workload Identity](/azure/aks/workload-identity-deploy-cluster?tabs=new-cluster).
+
+> [!NOTE]
+> Security gating only needs to be installed once. The first time you enable the security gating toggle, it installs security gating.
+> After that, security gating is already installed. When the installation runs again, the system detects this and does nothing.
+> If you try to install it again through the API, it fails because security gating already exists.
+>
+> :::image type="content" source="media/gated-deployment-infrastructure-as-code/security-gating-on.png" alt-text="Screenshot that shows security gating is turned to on." lightbox="media/gated-deployment-infrastructure-as-code/security-gating-on.png":::
+
+## Deploy the gated agent
+
+1. [Create a Managed Service Identity (MSI) that the gated deployment agent uses](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal).
+
+1. [Assign the AcrPull role (or equivalent read role)](/azure/container-registry/container-registry-rbac-built-in-roles-overview?tabs=registries-configured-with-rbac-registry-abac-repository-permissions) to the MSI on all ACRs the cluster uses.
+
+1. [Add a Federated Identity Credential (FIC) to the MSI](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) that allows the gated deployment agent to authenticate by using AKS Workload Identity, with the following FIC parameters:
+
+    - **Issuer**: The AKS OIDC issuer URL
+    - **Subject**: The service account used by the gated deployment agent `system:serviceaccount:kube-system:defender-admission-controller-serviceaccount`.
+    - **Audience**: api://AzureADTokenExchange
+
+1. Under the [securityGating section of the managed cluster API configuration](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-arm-template#resource-format-1), set the [MSI’s objectId in the identities parameter](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-arm-template#managedclustersecurityprofiledefendersecuritygating-1) under the security gating section of the managed cluster API configuration. 
+
+    :::image type="content" source="media/gated-deployment-infrastructure-as-code/identities.png" alt-text="Screenshot that shows the section of the securityGating section of the managed cluster API configuration, where the code is located." lightbox="media/gated-deployment-infrastructure-as-code/identities.png":::
+
+    This ensures the gated deployment agent can use the MSI at runtime.
+
+## Next step
+
+> [!div class="nextstep"]
+> [Troubleshoot gated deployment in Kubernetes](troubleshooting-runtime-gated.md)

articles/defender-for-cloud/media/gated-deployment-infrastructure-as-code/identities.png

@@ -4,15 +4,15 @@ description: Enforce container image security in Kubernetes with gated deploymen
 #customer intent: As a Kubernetes administrator, I want to enforce security policies for container images so that I can prevent the deployment of vulnerable workloads.
 author: Elazark
 ms.author: elkrieger
-ms.date: 10/29/2025
+ms.date: 02/16/2026
 ms.topic: overview
 ---
 
 # Gated deployment for Kubernetes container images
 
-Microsoft Defender for Containers supports **gated deployment**, which enforces container image security policies at deployment time in Kubernetes environments, including Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). Enforcement uses vulnerability scan results from supported container registries, including Azure Container Registry (ACR), Amazon Elastic Container Registry (ECR), and Google Artifact Registry.
+Microsoft Defender for Containers supports **gated deployment**, which enforces container image security policies at deployment time in Kubernetes environments. Supported environments include Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). Enforcement uses vulnerability scan results from supported container registries, including Azure Container Registry (ACR), Amazon Elastic Container Registry (ECR), and Google Artifact Registry.
 
-Gated deployment integrates with the Kubernetes admission controller to ensure that only container images that meet your organization's security requirements run in your Kubernetes environment. It evaluates container images against defined security rules before they're admitted into the cluster, enabling security teams to block vulnerable workloads and maintain compliance.
+Gated deployment integrates with the Kubernetes admission controller to ensure that only container images that meet your organization's security requirements run in your Kubernetes environment. It evaluates container images against defined security rules before they're admitted into the cluster. By using gated deployment, security teams can block vulnerable workloads and maintain compliance.
 
 ## Benefits
 
@@ -30,7 +30,7 @@ Many customers already use Microsoft Defender for Containers vulnerability scann
 | Audit | Lets deployment continue and generates admission events for vulnerable images that violate security rules |
 | Deny | Blocks deployment of images that violate security rules |
 
-Start in Audit mode to assess impact, then move to Deny mode to enforce rules.
+Start in audit mode to assess impact, then move to deny mode to enforce rules.
 
 ## How it works
 
@@ -41,7 +41,7 @@ Start in Audit mode to assess impact, then move to Deny mode to enforce rules.
 
 ## Key features
 
-- Use the default Audit rule that automatically flags image deployments with High or Critical vulnerabilities on eligible clusters
+- Use the default audit rule that automatically flags image deployments with high or critical vulnerabilities on eligible clusters.
 - Set time-bound, scoped exemptions.
 - Target rules granularly by cluster, namespace, pod, or image.
 - Monitor admission events via Defender for Cloud.