Determine Workload Protection Requirements

Implementation Effort: Medium – Requires planning and configuration across Kubernetes environments, including Azure, AWS, GCP, and on-premises clusters.

User Impact: Low – Protection setup is handled by platform and security teams; end users are not directly impacted.

Overview

Determining workload protection requirements in Microsoft Defender for Containers involves identifying the necessary components and configurations to secure containerized workloads across multicloud and hybrid environments. Defender for Containers provides runtime threat detection, vulnerability assessment, and compliance monitoring for Kubernetes clusters, container registries, and images.

Key protection requirements include:

• Enabling Defender for Containers on supported platforms (Azure Kubernetes Service, Arc-enabled Kubernetes, AWS EKS, GCP GKE).
• Deploying the Defender agent to collect telemetry and enforce runtime protections.
• Installing Azure Policy add-ons and Defender extensions for Kubernetes clusters to enforce governance and collect control plane data 1.
• Hardening container environments using built-in recommendations, such as ensuring the Azure Policy extension is installed and enabling the Defender profile 2.
• Reviewing the support matrix to ensure compatibility with your Kubernetes versions and environments 3.

This capability supports the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by ensuring that all container workloads are continuously monitored, protected, and governed through policy-based enforcement.

Reference

• Overview of Microsoft Defender for Containers
• Reference table for container security recommendations
• Containers support matrix in Defender for Cloud