Enable Defender for Containers on GCP (GKE) via portal

This article shows you how to enable Microsoft Defender for Containers on your Google Kubernetes Engine (GKE) clusters through the Azure portal. You can choose to enable all security features at once for comprehensive protection, or selectively deploy specific components based on your requirements.

When to use this guide

Use this guide if you want to:

  • Set up Defender for Containers on GCP for the first time
  • Enable all security features for comprehensive protection
  • Selectively deploy specific components
  • Fix or add missing components to an existing deployment
  • Deploy using a controlled, selective approach
  • Exclude certain clusters from protection

Prerequisites

Network requirements

Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.

Note

The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.

Azure domain                     Azure Government domain   Azure operated by 21Vianet domain   Port
*.cloud.defender.microsoft.com   N/A                       N/A                                 443

You also need to validate the Azure Arc-enabled Kubernetes network requirements.

GCP-specific requirements:

  • GCP project with appropriate permissions
  • GKE clusters (version 1.19+)
  • Container images in Google Container Registry or Artifact Registry
  • Service account with required IAM roles
  • Cloud Shell or gcloud CLI configured

Deploy all components

Follow these steps to enable comprehensive protection for all your GKE clusters.

Connect GKE clusters to Azure Arc

After creating the connector:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Look for the recommendation "GKE clusters should be connected to Azure Arc".

  3. Select the recommendation to see affected clusters.

  4. Follow the remediation steps to connect each cluster:

    # Connect GKE cluster to Arc
    az connectedk8s connect \
        --name <cluster-name> \
        --resource-group <resource-group> \
        --location <location>
    

Deploy the Defender sensor

Important

Deploying the Defender sensor using Helm: Unlike other options that are autoprovisioned and updated automatically, Helm lets you flexibly deploy the Defender sensor. This approach is especially useful in DevOps and infrastructure-as-code scenarios. With Helm, you can integrate deployment into CI/CD pipelines and control all sensor updates. You can also choose to receive preview and GA versions. For instructions on installing the Defender sensor using Helm, see Install Defender for Containers sensor using Helm.

After connecting your GKE clusters to Azure Arc:

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "Arc-enabled Kubernetes clusters should have Defender extension installed".

    Screenshot that shows you where to find the arc-enabled Kubernetes clusters should have Defender extension installed recommendation.

  3. Select only the clusters where you want the sensor.

  4. Select Fix to deploy the sensor.

    Screenshot that shows where to find the fix button in the Azure portal.

Configure container registry scanning

For Google Container Registry (GCR) and Artifact Registry:

  1. Go to your GCP connector settings.

  2. Select Configure next to the Containers plan.

  3. Verify Agentless container vulnerability assessment is enabled.

  4. Images are automatically scanned when you push them to the registry.

Enable audit logging

Enable GKE audit logging for runtime protection:

# Enable audit logs for existing cluster
gcloud container clusters update <cluster-name> \
    --zone <zone> \
    --enable-cloud-logging \
    --logging=SYSTEM,WORKLOAD,API_SERVER

Enable vulnerability scanning only

To enable only registry scanning without runtime protection:

  1. In connector configuration, enable only Agentless container vulnerability assessment.

  2. Disable other components.

  3. Save the configuration.

Configure by cluster type

Standard GKE clusters

No special configuration is required. Follow the default deployment steps.

GKE Autopilot

For Autopilot clusters:

  1. The Defender sensor automatically adjusts resource requests.

  2. No manual configuration is needed for resource limits.

Private GKE clusters

For private clusters:

  1. Ensure the cluster can reach Azure endpoints.

  2. Configure firewall rules if needed:

    gcloud compute firewall-rules create allow-azure-defender \
        --allow tcp:443 \
        --source-ranges <cluster-cidr> \
        --target-tags <node-tags>
    

Configure exclusions

To exclude specific GKE clusters from automatic provisioning:

  1. Go to your GKE cluster in GCP Console.

  2. Add labels to the cluster:

    • For Defender sensor: ms_defender_container_exclude_agents = true
    • For agentless deployment: ms_defender_container_exclude_agentless = true

Note

For Arc-connected clusters, you can also use Azure tags:

  • ms_defender_container_exclude_sensors = true
  • ms_defender_container_exclude_azurepolicy = true

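To check the GKE version prerequisite, the API server audit logging setting, and the exclusion labels described above before you deploy, here is an added Python example (not part of this article or of the Defender for Containers product). It reads a constructed sample in the shape of `gcloud container clusters list --format=json`; the field names it reads and the mapping of the gcloud flag value `API_SERVER` to the API enum `APISERVER` are assumptions made for this example.

```python
import json

# Constructed sample in the shape of `gcloud container clusters list --format=json`,
# trimmed to the fields this check reads. These are not real clusters.
SAMPLE_CLUSTERS_JSON = """[
  {"name": "prod-gke", "currentMasterVersion": "1.27.3-gke.100",
   "resourceLabels": {"env": "prod"},
   "loggingConfig": {"componentConfig": {"enableComponents":
     ["SYSTEM_COMPONENTS", "WORKLOADS", "APISERVER"]}}},
  {"name": "legacy-gke", "currentMasterVersion": "1.18.20-gke.4100",
   "resourceLabels": {},
   "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}}},
  {"name": "sandbox-gke", "currentMasterVersion": "1.28.1-gke.200",
   "resourceLabels": {"ms_defender_container_exclude_agents": "true"},
   "loggingConfig": {"componentConfig": {"enableComponents":
     ["SYSTEM_COMPONENTS", "WORKLOADS", "APISERVER"]}}}
]"""

MIN_VERSION = (1, 19)  # GKE version prerequisite stated in this article
# Assumed: the API enum behind the gcloud flag value API_SERVER is "APISERVER".
AUDIT_COMPONENT = "APISERVER"
SENSOR_EXCLUDE_LABEL = "ms_defender_container_exclude_agents"
AGENTLESS_EXCLUDE_LABEL = "ms_defender_container_exclude_agentless"

def parse_gke_version(version):
    """'1.27.3-gke.100' -> (1, 27, 3); the -gke.N build suffix is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def check_cluster(cluster):
    """Return the planned component state and prerequisite findings for one cluster."""
    findings = []
    if parse_gke_version(cluster["currentMasterVersion"]) < MIN_VERSION:
        findings.append("version below 1.19")
    components = (cluster.get("loggingConfig", {})
                  .get("componentConfig", {}).get("enableComponents", []))
    if AUDIT_COMPONENT not in components:
        findings.append("API server audit logging not enabled")
    labels = cluster.get("resourceLabels", {})
    return {
        "name": cluster["name"],
        "sensor": "excluded" if labels.get(SENSOR_EXCLUDE_LABEL) == "true" else "deploy",
        "agentless": "excluded" if labels.get(AGENTLESS_EXCLUDE_LABEL) == "true" else "deploy",
        "findings": findings,
    }

def check_clusters(clusters_json):
    """Run check_cluster over a gcloud JSON listing; results are keyed by cluster name."""
    return {c["name"]: check_cluster(c) for c in json.loads(clusters_json)}
```

Pipe the real `gcloud container clusters list --format=json` output into `check_clusters` to get the same report for your own project; clusters with findings need remediation before the sensor recommendation will apply cleanly.
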
Next step