
Enable gated deployment for AKS by using the managed cluster API

This article shows you how to configure gated deployment for Azure Kubernetes Service (AKS) by using the managed cluster API. You can also install the Defender for Containers sensor by using Helm.

Gated deployment uses an admission controller to evaluate container images before they're admitted into a Kubernetes cluster. For AKS, the gated deployment agent needs read access to the Azure Container Registries (ACRs) used by the cluster so it can access vulnerability findings artifacts generated by Defender for Containers.

Before you configure gated deployment by using the managed cluster API, enable the required Defender for Containers components for the AKS cluster and ACRs.

To provide the required ACR access, create a user-assigned managed identity, assign it read permissions on the relevant ACRs, configure federated identity credentials, and reference the managed identity in the managed cluster API.

Prerequisites

Before you begin, make sure that:

  • You have a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.

  • Defender for Cloud is enabled on your Azure subscription.

  • Defender for Containers is enabled for the Azure subscription or subscriptions that contain your AKS cluster and Azure Container Registries (ACRs), with the following components enabled:

    • Defender sensor with Security Gating
    • Registry access with Security findings

    Note

    Security gating is installed only once per cluster. The first time you turn on the Security Gating toggle, the component is installed; later enable operations detect the existing installation and make no changes. An attempt to install it again through the API fails because the component already exists.

    Screenshot: the Security Gating toggle turned on.

  • Your AKS cluster has the OIDC issuer and workload identity enabled. Both are required for the federated identity credential that you create later in this article.

  • You have permission to create and assign a user-assigned managed identity.

  • You have permission to assign the AcrPull role, or an equivalent read role, on all ACRs used by the cluster.

Configure the managed identity

  1. Create a user-assigned managed identity (referred to below as the MSI) that the gated deployment agent uses.

  2. Assign the AcrPull role (or an equivalent read role) to the MSI on all ACRs the cluster uses.

  3. Add a Federated Identity Credential (FIC) to the MSI that allows the gated deployment agent to authenticate by using AKS Workload Identity, with the following FIC parameters:

    • Issuer: The AKS OIDC issuer URL
    • Subject: The service account used by the gated deployment agent: system:serviceaccount:kube-system:defender-admission-controller-serviceaccount. The subject must match this string exactly; otherwise the token exchange fails and the agent can't authenticate.
    • Audience: api://AzureADTokenExchange
  4. In the securityGating section of the managed cluster API configuration, set the MSI's objectId in the identities parameter.

    Screenshot of the managed cluster API configuration showing the identities parameter in the security gating section.

    This ensures the gated deployment agent can use the MSI at runtime.
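
The following script is an added example that walks through the four steps above with the Azure CLI; it is not Microsoft's own code. The subscription, resource group, cluster, identity name, ACR resource IDs, and API_VERSION are placeholders you must replace, and the JSON property names inside the securityGating block are an assumption based on the description above (check them against the managed cluster API reference for the api-version you use). With DRY_RUN=1 (the default) the script only prints the commands it would run, so you can review the plan before applying it.

```shell
#!/usr/bin/env bash
# Added example, not Microsoft's own script: the four steps of this article as Azure CLI calls.
# Assumptions (placeholders to replace): SUB, RG, CLUSTER, MSI_NAME, ACR_IDS, API_VERSION, and
# the property names in the securityGating JSON. DRY_RUN=1 (default) only prints the commands.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-my-rg}"
CLUSTER="${CLUSTER:-my-aks}"
MSI_NAME="${MSI_NAME:-defender-gating-msi}"
# Full resource IDs of every ACR the cluster pulls from (they may live in other resource groups).
ACR_IDS="${ACR_IDS:-/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.ContainerRegistry/registries/myacr}"
API_VERSION="${API_VERSION:-2025-05-02-preview}"   # assumption: use the api-version from the API reference
DRY_RUN="${DRY_RUN:-1}"

# Values fixed by the article: the agent's service account and the workload identity audience.
FIC_SUBJECT="system:serviceaccount:kube-system:defender-admission-controller-serviceaccount"
FIC_AUDIENCE="api://AzureADTokenExchange"
CLUSTER_URL="https://management.azure.com/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.ContainerService/managedClusters/$CLUSTER?api-version=$API_VERSION"

# Print the command in dry-run mode; otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Read one field of the identity (principalId, clientId, id); returns a placeholder in dry-run mode.
msi_field() {
  if [ "$DRY_RUN" = "1" ]; then printf '<%s>\n' "$1"
  else az identity show --resource-group "$RG" --name "$MSI_NAME" --query "$1" --output tsv; fi
}

# Step 1: the user-assigned managed identity the gated deployment agent runs as.
create_msi() { run az identity create --resource-group "$RG" --name "$MSI_NAME" --output none; }

# Step 2: AcrPull on each ACR. Assigning by object ID with an explicit principal type avoids
# the directory lookup that can fail right after an identity is created.
assign_acrpull() {
  local principal_id="$1" acr_id
  for acr_id in $ACR_IDS; do
    run az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role AcrPull --scope "$acr_id"
  done
}

# Step 3: federated identity credential binding the agent's service account to the identity.
# Issuer is the cluster's OIDC issuer URL; the subject must match the service account exactly.
create_fic() {
  local issuer="$1"
  run az identity federated-credential create --name defender-gating-fic \
    --identity-name "$MSI_NAME" --resource-group "$RG" \
    --issuer "$issuer" --subject "$FIC_SUBJECT" --audiences "$FIC_AUDIENCE"
}

# Step 4: the securityGating fragment for the managed cluster API. The property names are an
# assumption based on the article's description (objectId under identities); verify them.
security_gating_json() {
  local object_id="$1" client_id="$2" resource_id="$3"
  printf '{"enabled":true,"identities":[{"identity":{"objectId":"%s","clientId":"%s","resourceId":"%s"}}]}' \
    "$object_id" "$client_id" "$resource_id"
}

# Merge the fragment into the cluster resource and PUT it back (PATCH on managedClusters only updates tags).
apply_security_gating() {
  local gating="$1" body
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az rest --method put --url %s --body <cluster JSON with properties.securityProfile.defender.securityGating=%s>\n' "$CLUSTER_URL" "$gating"
    return
  fi
  body=$(az rest --method get --url "$CLUSTER_URL" |
    jq --argjson g "$gating" '.properties.securityProfile.defender.securityGating = $g')
  az rest --method put --url "$CLUSTER_URL" --body "$body"
}

# Post-check: every ACR must show an AcrPull assignment for the identity's object ID.
check_acrpull() {
  local principal_id="$1" acr_id
  for acr_id in $ACR_IDS; do
    run az role assignment list --assignee "$principal_id" --scope "$acr_id" --role AcrPull \
      --query '[].id' --output tsv
  done
}

main() {
  # The OIDC issuer and workload identity are prerequisites for the federated credential.
  run az aks update --resource-group "$RG" --name "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
  create_msi
  local principal_id client_id resource_id issuer
  principal_id=$(msi_field principalId); client_id=$(msi_field clientId); resource_id=$(msi_field id)
  assign_acrpull "$principal_id"
  if [ "$DRY_RUN" = "1" ]; then issuer="<oidcIssuerProfile.issuerUrl>"
  else issuer=$(az aks show --resource-group "$RG" --name "$CLUSTER" --query oidcIssuerProfile.issuerUrl --output tsv); fi
  create_fic "$issuer"
  apply_security_gating "$(security_gating_json "$principal_id" "$client_id" "$resource_id")"
  check_acrpull "$principal_id"
}
[ "${NO_MAIN:-0}" = "1" ] || main
```

Run it once with the default DRY_RUN=1 to review the plan, then with DRY_RUN=0 and real values (SUB, RG, CLUSTER, ACR_IDS, API_VERSION) to apply it. The final check_acrpull step lists the AcrPull assignment on each registry; an empty result for any registry means the agent will not be able to read the vulnerability findings artifacts for images from that ACR.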

Next step