File: articles/defender-for-cloud/gated-deployment-infrastructure-as-code.md
Lines changed: 4 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@ ms.topic: how-to
10
10
11
11
# Gated deployment for Infrastructure as Code
12
12
13
-
Microsoft Defender for Cloud's gated deployment agent is a Kubernetes admission controller that enforces container image security policies at deployment time. Gated deployment acts a gatekeeper for container images for known security issues at deployment time and decides whether they’re allowed to run.
13
+
Microsoft Defender for Cloud's gated deployment agent is a Kubernetes admission controller that enforces container image security policies at deployment time. Gated deployment acts as a gatekeeper for container images for known security problems at deployment time and decides whether they're allowed to run.
14
14
15
15
The gated deployment agent requires read access to all of your Azure Container Registries (ACRs) associated with the cluster. These registries store the container images alongside the vulnerability assessment artifacts generated by Defender for Containers. To enable this access, configure a Managed Service Identity (MSI) with the required ACR read permissions and assign it to the agent.
16
16
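Review bot: the reworded sentence at new line 13 still stacks two "for" phrases ("a gatekeeper for container images for known security problems") and repeats "at deployment time", which the sentence before it already states; consider "Gated deployment acts as a gatekeeper: it checks container images for known security problems before they run and decides whether they're allowed to." The "acts a gatekeeper" typo fix and the "issues" to "problems" change are fine as they stand.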
@@ -22,11 +22,11 @@ The gated deployment agent requires read access to all of your Azure Container R
22
22
23
23
## Deploy the gated agent
24
24
25
-
1.[Create a Managed Service Identity (MSI) that the gated deployment agent uses.](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal).
25
+
1.[Create a Managed Service Identity (MSI) that the gated deployment agent uses](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal).
26
26
27
-
1.[Assign the AcrPull role (or equivalent read role)](/azure/container-registry/container-registry-rbac-built-in-roles-overview?tabs=registries-configured-with-rbac-registry-abac-repository-permissions) to the MSI on all ACRs used by the cluster.
27
+
1.[Assign the AcrPull role (or equivalent read role)](/azure/container-registry/container-registry-rbac-built-in-roles-overview?tabs=registries-configured-with-rbac-registry-abac-repository-permissions) to the MSI on all ACRs the cluster uses.
28
28
29
-
1.[Add a Federated Identity Credential (FIC) to the MSI](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) that allows the gated deployment agent to authenticate using AKS Workload Identity, with the following FIC parameters:
29
+
1.[Add a Federated Identity Credential (FIC) to the MSI](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) that allows the gated deployment agent to authenticate by using AKS Workload Identity, with the following FIC parameters:
30
30
31
31
-**Issuer**: The AKS OIDC issuer URL
32
32
-**Subject**: The service account used by the gated deployment agent `system:serviceaccount:kube-system:defender-admission-controller-serviceaccount`.
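Review bot: the Subject bullet at line 32 still reads "The service account used by the gated deployment agent", while the same hunk moves steps 2 and 3 to active voice ("the cluster uses", "by using"); for consistency, and to separate the description from the value, suggest "**Subject**: The service account that the gated deployment agent uses: `system:serviceaccount:kube-system:defender-admission-controller-serviceaccount`". Separately, as rendered here the steps at lines 25, 27 and 29 read `1.[Create`, `1.[Assign` and `1.[Add` with no space after the list marker; Markdown only renders an ordered list from `1. [Create ...`, so check that the source file has the space.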