articles/defender-for-cloud/concept-agentless-containers.md
7 additions & 7 deletions
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Agentless container posture for Microsoft Defender for Cloud
3
-
description: Learn how agentless container posture offers discovery, visibility, and vulnerability assessment for Containers without installing an agent on your machines.
3
+
description: Learn how agentless container posture offers discovery, visibility, and vulnerability assessment for containers without installing an agent on your machines.
4
4
ms.service: defender-for-cloud
5
5
ms.topic: conceptual
6
6
ms.date: 07/03/2023
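Review bot: The only content change in this hunk is the lower-casing of "Containers" to "containers" in the `description:` front matter, yet `ms.date: 07/03/2023` on line 6 is left as is; if this repository bumps `ms.date` on every published edit, update it in the same change, otherwise the hunk is fine as a casing-only correction.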
@@ -17,14 +17,14 @@ Learn more about [CSPM](concept-cloud-security-posture-management.md).
17
17
18
18
For support and prerequisites for agentless containers posture, see [Support and prerequisites for agentless containers posture](support-agentless-containers-posture.md).
19
19
20
-
Agentless container Posture provides the following capabilities:
20
+
Agentless container posture provides the following capabilities:
21
21
22
22
-[Agentless discovery and visibility](#agentless-discovery-and-visibility-within-kubernetes-components) within Kubernetes components.
23
23
-[Container registry vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) provides vulnerability assessment for all container images, with near real-time scan of new images and daily refresh of results for maximum visibility to current and emerging vulnerabilities, enriched with exploitability insights, and added to Defender CSPM security graph for contextual risk assessment and calculation of attack paths.
24
24
- Using Kubernetes [attack path analysis](concept-attack-path.md) to visualize risks and threats to Kubernetes environments.
25
25
- Using [cloud security explorer](how-to-manage-cloud-security-explorer.md) for risk hunting by querying various risk scenarios, including viewing security insights, such as internet exposure, and other predefined security scenarios. For more information, search for `Kubernetes` in the [list of Insights](attack-path-reference.md#insights).
26
26
27
-
All of these capabilities are available as part of the [Defender Cloud Security Posture Management](concept-cloud-security-posture-management.md) plan.
27
+
All of these capabilities are available as part of the [Defender CSPM](concept-cloud-security-posture-management.md) plan.
28
28
29
29
## Agentless discovery and visibility within Kubernetes components
30
30
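Review bot: Two of the unchanged bullets in this hunk, `-[Agentless discovery and visibility]...` and `-[Container registry vulnerability assessment]...`, have no space after the hyphen, while the next two items read `- Using ...`; since the hunk already touches this list, add the missing space so all four items render as one list. Replacing "Defender Cloud Security Posture Management" with "Defender CSPM" is consistent with the `[CSPM]` link in the hunk header context and with "Defender CSPM security graph" in the container-registry bullet, so the abbreviation is fine here.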
@@ -38,9 +38,9 @@ The discovery process is based on snapshots taken at intervals:
38
38
39
39
When you enable the agentless discovery for Kubernetes extension, the following process occurs:
40
40
41
-
-**Create**: MDC (Microsoft Defender for Cloud) creates an identity in customer environments called CloudPosture/securityOperator/DefenderCSPMSecurityOperator.
41
+
-**Create**: Defender for Cloud creates an identity in customer environments called CloudPosture/securityOperator/DefenderCSPMSecurityOperator.
42
42
43
-
-**Assign**: MDC assigns 1 built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope.
43
+
-**Assign**: Defender for Cloud assigns 1 built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope.
44
44
45
45
The role contains the following permissions:
46
46
- AKS read (Microsoft.ContainerService/managedClusters/read)
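Review bot: "assigns 1 built-in role" in the **Assign** bullet should read "assigns one built-in role" (body text spells out numbers below 10 in the Microsoft style guide); since the line is already being rewritten, fix that too. Dropping the "MDC (Microsoft Defender for Cloud)" expansion is fine now that the full product name is used throughout. The identity name CloudPosture/securityOperator/DefenderCSPMSecurityOperator and the subscription-scope role assignment are exactly what a reader auditing role assignments will search for, so consider putting the identity name in code formatting so it is recognisable as a literal rather than prose.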
@@ -53,11 +53,11 @@ When you enable the agentless discovery for Kubernetes extension, the following
53
53
54
54
-**Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
55
55
56
-
-**Bind**: Upon discovery of an AKS cluster, MDC performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives MDC data plane read permission inside the cluster.
56
+
-**Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
57
57
58
58
### What's the refresh interval?
59
59
60
-
Agentless information in Defender CSPM is updated through a snapshot mechanism. It can take up to **24 hours** to see results in Cloud Security Explorer and Attack Path.
60
+
Agentless information in Defender CSPM is updated through a snapshot mechanism. It can take up to **24 hours** to see results in attack paths and the cloud security explorer.
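Review bot: The Kubernetes role name in the **Bind** bullet is wrapped in curly quotes (“Microsoft.Security/pricings/microsoft-defender-operator”); because this is a literal identifier a reader may compare against a cluster's role bindings, put it in code formatting instead of quotation marks, as is done for `Kubernetes` in the cloud security explorer bullet earlier in the file. The rest of the hunk only replaces "MDC" with "Defender for Cloud" and reorders the refresh-interval sentence to "attack paths and the cloud security explorer", which matches the lowercase feature names used in the capabilities list, so no further change is needed there.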