Deploy Azure Policy Agent for Kubernetes
Implementation Effort: Medium – Requires enabling Defender for Containers and configuring Azure Policy add-ons across Kubernetes clusters.
User Impact: Low – Policy agent deployment is handled by platform and security teams; end users are not directly affected.
Overview
Deploying the Azure Policy agent for Kubernetes in Microsoft Defender for Containers enables governance and compliance monitoring by enforcing policies at the Kubernetes control plane level. This integration allows organizations to audit and enforce configurations such as pod security, network policies, and image sourcing across Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes clusters.
Key Capabilities
- Policy enforcement: Ensures that workloads comply with organizational standards.
- Audit and deny modes: Supports both monitoring and enforcement.
- Integration with Defender for Containers: Enables visibility into policy violations and misconfigurations.
Deployment Steps
-
Enable Defender for Containers:
- Go to Microsoft Defender for Cloud > Environment settings.
- Select your subscription and enable the Defender for Containers plan 1.
-
Enable Azure Policy for Kubernetes:
- In the Settings & Monitoring section, toggle Azure Policy for Kubernetes to On.
- This will auto-deploy the Azure Policy add-on to supported clusters 1.
-
Manual Deployment (Optional):
- If auto-provisioning is disabled, you can manually deploy the Azure Policy agent using Azure CLI or ARM templates.
- You can also assign a custom Log Analytics workspace through Azure Policy 1.
-
Verify Policy Assignment:
- Navigate to Azure Policy > Assignments.
- Assign built-in or custom Kubernetes policies to your clusters.
This capability supports the "Verify Explicitly" principle of Zero Trust by ensuring that Kubernetes configurations are continuously monitored and enforced through policy-based governance.