MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/kubernetes-workload-protections.md‎
Lines changed: 40 additions & 74 deletions b/‎articles/defender-for-cloud/kubernetes-workload-protections.md‎
Lines changed: 40 additions & 74 deletions
diff --git a/‎articles/defender-for-cloud/media/kubernetes-workload-protections/security-policies-select-manage.png‎
-52.6 KB b/‎articles/defender-for-cloud/media/kubernetes-workload-protections/security-policies-select-manage.png‎
-52.6 KB
diff --git a/‎articles/defender-for-cloud/media/kubernetes-workload-protections/take-action-tab.png‎
144 KB b/‎articles/defender-for-cloud/media/kubernetes-workload-protections/take-action-tab.png‎
144 KB
@@ -11,90 +11,60 @@ ms.date: 03/23/2026
 
 Kubernetes data plane hardening helps enforce secure configurations for workloads running in your cluster, such as restricting privileged containers, enforcing resource limits, and limiting network access.
 
-In Microsoft Defender for Cloud, data plane hardening is implemented by using [Azure Policy](defender-for-cloud-glossary.md#azure-policy-for-kubernetes) for Kubernetes to evaluate and enforce these configurations. Azure Policy is deployed as part of Defender for Containers automatically when automatic provisioning is enabled. If Azure Policy for Kubernetes is turned off in the Defender for Containers plan settings, you can deploy it by remediating the relevant recommendation.
+In Microsoft Defender for Cloud, data plane hardening is implemented by using [Azure Policy](defender-for-cloud-glossary.md#azure-policy-for-kubernetes) for Kubernetes to evaluate and enforce these configurations. Azure Policy is deployed as part of Defender for Containers when automatic provisioning is enabled.
 
-After Azure Policy for Kubernetes is deployed, Defender for Cloud generates data plane hardening recommendations based on your cluster configuration. This page shows how to review these recommendations, configure policy parameters, and enforce them on your clusters.
-
-> [!TIP]
-> For a list of the security recommendations that might appear for Kubernetes clusters and nodes, review [container recommendations](recommendations-reference-container.md).
-
-## Prerequisites
-
-- Add the [Required FQDN/application rules for Azure policy](/azure/aks/outbound-rules-control-egress#azure-policy).
-- (For non AKS clusters) [Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster).
-
-## Enable Azure Policy for Kubernetes
-
-> [!NOTE]
-> When you enable this setting, the Azure Policy for Kubernetes pods are installed on the cluster. Doing so allocates a small amount of CPU and memory for the pods to use. This allocation might reach maximum capacity, but it doesn't affect the rest of the CPU and memory on the resource.
-
-### Enable Azure Policy using 
-
-If you disabled the "Azure Policy for Kubernetes" settings under the containers plan, you can follow the steps below to enable it across all clusters in your subscription:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. Go to **Microsoft Defender for Cloud** > **Environment settings**.
-
-1. Select the relevant subscription.
-
-1. On the Defender plans page, ensure that **Containers** is toggled to **On**.
-
-1. Select **Settings**.
-
-   :::image type="content" source="media/kubernetes-workload-protections/containers-settings.png" alt-text="Screenshot showing the settings button in the Defender plan." lightbox="media/kubernetes-workload-protections/containers-settings.png":::
+If Azure Policy for Kubernetes is turned off in the Defender for Containers plan settings, you can deploy it by remediating the relevant recommendation. You can also deploy Azure Policy manually by using [Azure CLI](defender-for-containers-deploy-azure-cli.md) or [Helm](deploy-helm.md) if you didn't use automatic provisioning or if you excluded clusters from automatic provisioning.
 
-1. In the Settings & Monitoring page, toggle the **Azure Policy for Kubernetes** to **On**.
+If Azure Policy for Kubernetes is turned off in the Defender for Containers plan settings, you can deploy it by remediating the relevant recommendation. You can also deploy Azure Policy manually by using [Azure CLI](defender-for-containers-deploy-azure-cli.md) or [Helm](deploy-helm.md) if you disabled automatic provisioning during enablement or excluded specific clusters from automatic provisioning.
 
-     :::image type="content" source="media/kubernetes-workload-protections/toggle-on-extensions.png" alt-text="Screenshot showing the toggles used to enable or disable the extensions." lightbox="media/kubernetes-workload-protections/toggle-on-extensions.png":::
-
-#### Enable for GCP projects
-
-When you enable Microsoft Defender for Containers on a GCP connector, the "Azure Policy Extension for Azure Arc" setting is enabled by default for the Google Kubernetes Engine in the relevant project. If you disable the setting on initial configuration, you can enable it afterwards manually.
+After Azure Policy for Kubernetes is deployed, Defender for Cloud generates data plane hardening recommendations based on your cluster configuration. This page shows how to review these recommendations, configure policy parameters, and enforce them on your clusters.
 
-If you disabled the "Azure Policy Extension for Azure Arc" settings under the GCP connector, you can follow the below steps to [enable it on your GCP connector](defender-for-containers-enable.md?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-gke&preserve-view=true#enable-the-plan).
+## Prerequisites
 
-### Deploy Azure Policy for Kubernetes on existing clusters  
+To begin, make sure that:
 
-You can manually configure the Azure Policy for Kubernetes on existing Kubernetes clusters through the Recommendations page. Once enabled, the hardening recommendations become available (some of the recommendations require another configuration to work).
+- [Defender for Containers is enabled on your subscription](defender-for-containers-enable-portal.md).
+- You have added the [required FQDN/application rules for Azure policy](/azure/aks/outbound-rules-control-egress#azure-policy).
+- (For non AKS clusters) Your Kubernetes cluster is [connected to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster).
 
-> [!NOTE]
-> For AWS, onboarding at scale using the connector isn't supported. However, you can install Azure Policy for Kubernetes on all existing clusters or on specific clusters by using the recommendation `Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed`.
+## Deploy Azure Policy for Kubernetes by remediating recommendations
 
-**To deploy the Azure Policy for Kubernetes to specified clusters**:
+If Azure Policy for Kubernetes isn't deployed or was turned off in the Defender for Containers plan settings, you can install it by remediating the relevant recommendation in Defender for Cloud.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 
-1. Go to **Microsoft Defender for Cloud** > **General** > **Recommendations**.
+1. Go to **Microsoft Defender for Cloud** > **Recommendations**.
 
 1. Search for the relevant recommendation:
 
-   - **Azure -** `"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed"`
-   - **GCP** - `"GKE clusters should have the Azure Policy extension"`.
-   - **AWS and On-premises** - `"Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed"`.
+   - **Azure:** Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed
+   - **GCP:** GKE clusters should have the Azure Policy extension installed
+   - **AWS/Arc-enabled Kubernetes:** Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed
 
    :::image type="content" source="./media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation.png" alt-text="Screenshot showing the Azure Kubernetes service clusters recommendation." lightbox="media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation.png":::
 
-1. Select a found recommendation.
+1. Select a recommendation.
 
-1. Select **Fix**.
+1. In the **Take action** tab, select **Fix**.
 
    :::image type="content" source="media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation-fix.png" alt-text="Screenshot of a recommendation with the Fix button highlighted." lightbox="media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation-fix.png":::
 
-1. Repeat for each additional recommendation.
+1. Select **Fix** to remediate the selected resources.
 
-## View and configure the bundle of recommendations
+1. Repeat for each recommendation.
 
-After Azure Policy for Kubernetes is deployed, Defender for Cloud evaluates your cluster configuration and generates data plane hardening recommendations. This can take up to 30 minutes.
+## Review data plane hardening recommendations
 
-> Microsoft components, such as the Defender sensor, are deployed in the `kube-system` namespace by default and aren't marked as noncompliant. Third-party components installed in other namespaces might be flagged. To exclude specific namespaces, configure policy exclusions.
+After you deploy Azure Policy for Kubernetes Defender for Cloud evaluates your cluster configuration and generates data plane hardening recommendations. This process can take up to 30 minutes.
+
+> Microsoft components, such as the Defender sensor, are deployed in the `kube-system` namespace by default and aren't marked as noncompliant. Third-party components installed in other namespaces might be flagged. To exclude specific namespaces, configure Azure policy exclusions.
 
 The following table lists common data plane hardening recommendations:
 
 | Recommendation name | Security control | Configuration required |
 |---------------------|------------------|------------------------|
 | Container CPU and memory limits should be enforced | Protect applications against DDoS attack | **Yes** |
-| Container images should be deployed only from trusted registries | Remediate vulnerabilities | **Yes** |
+| Container images should be deployed from trusted registries only | Remediate vulnerabilities | **Yes** |
 | Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | **Yes** |
 | Containers should only use allowed AppArmor profiles | Remediate security configurations | **Yes** |
 | Services should listen on allowed ports only | Restrict unauthorized network access | **Yes** |
@@ -112,7 +82,7 @@ The following table lists common data plane hardening recommendations:
 
 ### Configure policy parameters
 
-Some recommendations require parameter configuration to be effective. For example, the recommendation **Container images should be deployed only from trusted registries** requires you to define a list of trusted registries.
+Some recommendations require parameter configuration to be effective. For example, the recommendation **Container images should be deployed from trusted registries only** requires you to define a list of trusted registries.
 
 If required parameters aren't configured, resources are shown as unhealthy.
 
@@ -128,11 +98,7 @@ To configure policy parameters:
 
    :::image type="content" source="media/kubernetes-workload-protections/security-policies-page.png" alt-text="Screenshot of the Security policies page." lightbox="media/kubernetes-workload-protections/security-policies-page.png":::
 
-1. On the **Standards** tab, search for the relevant security standard.
-
-1. Select the security standard's 3-dot menu and select **Manage**.
-   
-   :::image type="content" source="media/kubernetes-workload-protections/security-policies-select-manage.png" alt-text="Screenshot of selecting Manage from the recommendation's 3-dot menu." lightbox="media/kubernetes-workload-protections/security-policies-select-manage.png":::
+1. On the **Standards** tab, select the relevant security standard.
 
 1. Select the relevant policy assignment's 3-dot menu and select **Manage effect and parameters**.
 
@@ -156,8 +122,6 @@ To enforce a recommendation:
 
 1. Search for and select the relevant data plane hardening recommendation.
 
-1. Open the recommendation details page.
-
 1. On the **Take action** tab, select **Deny**.
 
    :::image type="content" source="./media/kubernetes-workload-protections/enforce-workload-protection-example.png" alt-text="Screenshot showing the Deny option for Azure Policy parameter." lightbox="media/kubernetes-workload-protections/enforce-workload-protection-example.png":::
@@ -174,30 +138,32 @@ To view data plane hardening recommendations for a specific cluster:
 
 1. Go to **Defender for Cloud** > **Inventory**.
 
-1. Set the resource type filter to **Kubernetes services** and select **Apply**.
+1. Set the resource type filter to **Kubernetes service** and select **Apply**.
 
     :::image type="content" source="media/kubernetes-workload-protections/resource-type-kubernetes-service.png" alt-text="Screenshot of using the resource type filter to select kubernetes service." lightbox="media/kubernetes-workload-protections/resource-type-kubernetes-service.png":::
 
-1. Select a cluster to investigate.
+1. Select a cluster.
 
-1. Review the available recommendations for it. When you view a recommendation from the workload protection set, the number of affected pods ("Kubernetes components") is listed alongside the cluster.
+1. Review the available recommendations. Data plane hardening recommendations show the number of affected Kubernetes components.
 
-1. Optional: For a list of the specific pods, select the recommendation.
+1. Select a recommendation to view affected resources.
 
    :::image type="content" source="media/kubernetes-workload-protections/resource-health-recommendation.png" alt-text="Screenshot of selecting a recommendation from the Resource health page." lightbox="media/kubernetes-workload-protections/resource-health-recommendation.png":::
-1.  and then select **Take action**.
 
-:::image type="content" source="./media/defender-for-kubernetes-usage/view-affected-pods-for-recommendation.gif" alt-text="Screenshot showing where to view the affected pods for a Kubernetes recommendation.":::
+1. Select the **Take action** tab to review remediation options.
+
+    :::image type="content" source="media/kubernetes-workload-protections/take-action-tab.png" alt-text="Use the Take action tab to view remediation steps for a recommendation." lightbox="media/kubernetes-workload-protections/take-action-tab.png":::
 
-**To test the enforcement, use the two Kubernetes deployments below**:
+## Test policy enforcement
 
-- One is for a healthy deployment, compliant with the bundle of workload protection recommendations.
+You can validate data plane hardening policies by deploying test workloads.
 
-- The other is for an unhealthy deployment, noncompliant with *any* of the recommendations.
+- A compliant deployment that meets data plane hardening requirements  
+- A noncompliant deployment that violates multiple policies  
 
-Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload.  
+Deploy the following example YAML files to verify that compliant workloads are deployed successfully and noncompliant workloads are flagged or blocked, depending on policy enforcement settings.
 
-## Healthy deployment example .yaml file
+### Compliant deployment example
 
 ```yml
 apiVersion: apps/v1
@@ -247,7 +213,7 @@ spec:
     targetPort: 80
 ```
 
-## Unhealthy deployment example .yaml file
+### Noncompliant deployment example
 
 ```yml
 apiVersion: apps/v1