articles/defender-for-cloud/kubernetes-workload-protections.md
Lines changed: 14 additions & 10 deletions
@@ -27,9 +27,9 @@ Microsoft Defender for Cloud includes a bundle of recommendations that are avail
27
27
28
28
You can enable the Azure Policy for Kubernetes by one of two ways:
29
29
30
-
- Enable for all current and future clusters using plan/connector settings
30
+
- Enable for all current and future clusters using plan/connector settings:
31
31
-[Enabling for Azure subscriptions or on-premises](#enable-for-azure-subscriptions-or-on-premises)
32
-
-[Enabling for GCP projects](#enable-for-gcp-projects)
32
+
-[Enabling for Google Cloud Platform (GCP) projects](#enable-for-gcp-projects)
33
33
-[Deploy Azure Policy for Kubernetes on existing clusters](#deploy-azure-policy-for-kubernetes-on-existing-clusters)
34
34
35
35
### Enable Azure Policy for Kubernetes for all current and future clusters using plan/connector settings
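Review bot: adding the trailing colon to "Enable for all current and future clusters using plan/connector settings:" signals that the two link items after it are its sub-options, but they are still at the same indentation level as the parent bullet and as "[Deploy Azure Policy for Kubernetes on existing clusters]", so Markdown renders four sibling bullets rather than the "two ways" the introductory sentence promises. Indent "[Enabling for Azure subscriptions or on-premises]" and "[Enabling for Google Cloud Platform (GCP) projects]" by two spaces under the parent bullet. Minor: the link text "Enabling for ..." could match the section headings ("Enable for ...") for consistency, and the unchanged context line "by one of two ways" reads better as "in one of two ways".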
@@ -42,23 +42,23 @@ You can enable the Azure Policy for Kubernetes by one of two ways:
42
42
43
43
#### Enable for Azure subscriptions or on-premises
44
44
45
-
When you enable Microsoft Defender for Containers, the "Azure Policy for Kubernetes" setting is enabled by default for the Azure Kubernetes Service, and for Azure Arc-enabled Kubernetes clusters in the relevant subscription. If you disable the setting on initial configuration, you can enable it afterwards manually.
45
+
When you enable Microsoft Defender for Containers, the "Azure Policy for Kubernetes" setting is enabled by default for the Azure Kubernetes Service and for Azure Arc-enabled Kubernetes clusters in the relevant subscription. If you disable the setting on initial configuration, you can enable it afterwards manually.
46
46
47
-
If you disabled the "Azure Policy for Kubernetes" settings under the containers plan, you can follow the below steps to enable it across all clusters in your subscription:
47
+
If you disabled the "Azure Policy for Kubernetes" settings under the containers plan, you can follow the steps bellow to enable it across all clusters in your subscription:
48
48
49
49
1. Sign in to the [Azure portal](https://portal.azure.com).
50
50
51
-
1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
51
+
1. Navigate to **Microsoft Defender for Cloud** > **Management** > **Environment settings**.
52
52
53
53
1. Select the relevant subscription.
54
54
55
-
1. On the Defender plans page, ensure that Containers is toggled to **On**.
55
+
1. On the Defender plans page, ensure that **Containers** is toggled to **On**.
56
56
57
57
1. Select **Settings**.
58
58
59
59
:::image type="content" source="media/kubernetes-workload-protections/containers-settings.png" alt-text="Screenshot showing the settings button in the Defender plan." lightbox="media/kubernetes-workload-protections/containers-settings.png":::
60
60
61
-
1. In the Settings & Monitoring page, toggle the "Azure Policy for Kubernetes" to **On**.
61
+
1. In the Settings & Monitoring page, toggle the **Azure Policy for Kubernetes** to **On**.
62
62
63
63
:::image type="content" source="media/kubernetes-workload-protections/toggle-on-extensions.png" alt-text="Screenshot showing the toggles used to enable or disable the extensions." lightbox="media/kubernetes-workload-protections/toggle-on-extensions.png":::
64
64
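Review bot: the rewritten sentence introduces a spelling error: "you can follow the steps bellow" should read "the steps below" (the removed line spelled it correctly as "the below steps"). The updated navigation path **Microsoft Defender for Cloud** > **Management** > **Environment settings** and the bolding of **Containers** and **Azure Policy for Kubernetes** match the UI-element convention used on the surrounding lines, so those changes are fine. One leftover: "the "Azure Policy for Kubernetes" settings under the containers plan" refers to a single toggle, so "setting" (singular) would be consistent with the paragraph above it.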
@@ -73,11 +73,15 @@ If you disabled the "Azure Policy Extension for Azure Arc" settings under the GC
73
73
You can manually configure the Azure Policy for Kubernetes on existing Kubernetes clusters through the Recommendations page. Once enabled, the hardening recommendations become available (some of the recommendations require another configuration to work).
74
74
75
75
> [!NOTE]
76
-
> For AWS it isn't possible to do onboarding at scale using the connector, but it can be installed on all existing clusters or on specific clusters using the recommendation Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed**.
76
+
> For AWS, onboarding at scale using the connector isn't supported. However, you can install Azure Policy for Kubernetes on all existing clusters or on specific clusters by using the recommendation `Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed`.
77
+
78
+
**To deploy the Azure Policy for Kubernetes to specified clusters**:
79
+
80
+
1. Sign in to the [Azure portal](https://portal.azure.com).
77
81
78
-
**To deploy the****Azure Policy for Kubernetes****to specified clusters**:
82
+
1. Navigate to**Microsoft Defender for Cloud**> **General** > **Recommendations**.
79
83
80
-
1.From the recommendations page, search for the relevant recommendation:
84
+
1.Search for the relevant recommendation:
81
85
82
86
-**Azure -**`"Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed"`
83
87
-**GCP** - `"GKE clusters should have the Azure Policy extension"`.
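Review bot: two of the added lines will not render as intended: "1.Search for the relevant recommendation:" lacks the space after "1.", so it is not parsed as a list item (the removed "1.From the recommendations page" had the same defect, and this rewrite was the moment to fix it), and "Navigate to**Microsoft Defender for Cloud**> **General** > **Recommendations**." needs spaces around the first bold span, i.e. "Navigate to **Microsoft Defender for Cloud** > **General** > **Recommendations**.". The same missing-space problem exists in the unchanged context line "-**Azure -**`"Azure Kubernetes Service clusters ..."`", which should be "- **Azure** - `"..."`" to match the GCP bullet that follows. In the rewritten note, the recommendation name "Azure Arc-enabled Kubernetes clusters should have the Azure policy extension for Kubernetes extension installed" repeats "extension"; verify it against the title shown in the portal before merging, since readers will search for it verbatim. The note also puts the name in backticks only, while the Azure and GCP bullets use backticks plus double quotes; pick one style for all three.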