Merge pull request #199048 from bmansheim/deploy-defender-profile-cli

BCS2022 · web-flow · commit 50d76fd0bab1 · 2022-05-25T08:21:17.000-07:00
Add CLI instructions for adding defender enabled containers
diff --git a/articles/defender-for-cloud/defender-for-containers-enable.md b/articles/defender-for-cloud/defender-for-containers-enable.md
@@ -25,7 +25,7 @@ Learn about this plan in [Overview of Microsoft Defender for Containers](defende
 ::: zone pivot="defender-for-container-arc,defender-for-container-eks,defender-for-container-gke"
 > [!NOTE]
 > Defender for Containers' support for Arc-enabled Kubernetes clusters, AWS EKS, and GCP GKE. This is a preview feature.
-> 
+>
 > [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
 ::: zone-end
 
@@ -70,7 +70,7 @@ A full list of supported alerts is available in the [reference table of all Defe
 1. In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:
 
     :::image type="content" source="media/defender-for-kubernetes-azure-arc/sample-kubernetes-security-alert.png" alt-text="Sample alert from Microsoft Defender for Kubernetes." lightbox="media/defender-for-kubernetes-azure-arc/sample-kubernetes-security-alert.png":::
- 
+
 ::: zone pivot="defender-for-container-arc,defender-for-container-eks,defender-for-container-gke"
 [!INCLUDE [Remove the extension](./includes/defender-for-containers-remove-extension.md)]
 ::: zone-end
@@ -89,4 +89,4 @@ A full list of supported alerts is available in the [reference table of all Defe
 
 ## Next steps
 
-[Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-container-registries-usage.md).
+[Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-container-registries-usage.md).
diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md
@@ -1,6 +1,6 @@
 ---
-author: ElazarK
-ms.author: elkrieger
+author: bmansheim
+ms.author: benmansheim
 ms.service: defender-for-cloud
 ms.topic: include
 ms.date: 05/12/2022
@@ -19,7 +19,7 @@ ms.date: 05/12/2022
     >
     > :::image type="content" source="../media/release-notes/defender-plans-deprecated-indicator.png" alt-text="Defender for container registries and Defender for Kubernetes plans showing 'Deprecated' and upgrade information.":::
 
-1. By default, when enabling the plan through the Azure portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan, including the assignment of a default workspace. 
+1. By default, when enabling the plan through the Azure portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to auto provision (automatically install) required components to provide the protections offered by plan, including the assignment of a default workspace.
 
     Optionally, you can modify this configuration from the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier) or from the [Auto provisioning page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/dataCollection) on the **Microsoft Defender for Containers components (preview)** row:
 
@@ -39,7 +39,7 @@ ms.date: 05/12/2022
     > [!Note]
     >Microsoft Defender for Containers is configured to defend all of your clouds automatically. When you install all of the required prerequisites and enable all of the auto provisioning capabilities.
     >
-    > If you choose to disable all of the auto provision configuration options, no agents, or components will be deployed to your clusters. Protection will be limited to the Agentless features only. Learn which features are Agentless in the [availability section](../supported-machines-endpoint-solutions-clouds-containers.md) for Defender for Containers. 
+    > If you choose to disable all of the auto provision configuration options, no agents, or components will be deployed to your clusters. Protection will be limited to the Agentless features only. Learn which features are Agentless in the [availability section](../supported-machines-endpoint-solutions-clouds-containers.md) for Defender for Containers.
 
 ## Deploy the Defender profile
 
@@ -53,7 +53,7 @@ The Defender security profile is a preview feature. [!INCLUDE [Legalese](../../.
 
 ### Use the fix button from the Defender for Cloud recommendation
 
-A streamlined, frictionless, process lets you use the Azure portal pages to enable the Defender for Cloud plan and setup auto provisioning of all the necessary components for defending your Kubernetes clusters at scale. 
+A streamlined, frictionless, process lets you use the Azure portal pages to enable the Defender for Cloud plan and setup auto provisioning of all the necessary components for defending your Kubernetes clusters at scale.
 
 A dedicated Defender for Cloud recommendation provides:
 
@@ -73,7 +73,6 @@ A dedicated Defender for Cloud recommendation provides:
 
 1. Select **Fix *[x]* resources**.
 
-
 ### [**REST API**](#tab/aks-deploy-rest)
 
 ### Use the REST API to deploy the Defender profile
@@ -85,19 +84,18 @@ PUT https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroup
 ```
 
 Request URI: `https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}`
- 
+
 Request query parameters:
- 
+
 | Name           | Description                        | Mandatory |
 |----------------|------------------------------------|-----------|
 | SubscriptionId | Cluster's subscription ID          | Yes       |
 | ResourceGroup  | Cluster's resource group           | Yes       |
 | ClusterName    | Cluster's name                     | Yes       |
 | ApiVersion     | API version, must be >= 2021-07-01 | Yes       |
 
- 
 Request Body:
- 
+
 ```rest
 {
   "location": "{{Location}}",
@@ -111,7 +109,7 @@ Request Body:
     }
 }
 ```
- 
+
 Request body parameters:
 
 | Name                                                                     | Description                                                                              | Mandatory |
@@ -120,7 +118,53 @@ Request body parameters:
 | properties.securityProfile.azureDefender.enabled                         | Determines whether to enable or disable Microsoft Defender for Containers on the cluster | Yes       |
 | properties.securityProfile.azureDefender.logAnalyticsWorkspaceResourceId | Log Analytics workspace Azure resource ID                                                | Yes       |
 
+### [**Azure CLI**](#tab/k8s-deploy-cli)
+
+### Use Azure CLI to deploy the Defender extension
+
+1. Log in to Azure:
+
+    ```azurecli
+    az login
+    az account set --subscription <your-subscription-id>
+    ```
+
+    > [!IMPORTANT]
+    > Ensure that you use the same subscription ID for ``<your-subscription-id>`` as the one associated with your AKS cluster.
+
+1. Enable the feature flag in the CLI:
+
+    ```azurecli
+    az feature register --namespace Microsoft.ContainerService --name AKS-AzureDefender
+    ```
 
+1. Enable the Defender profile on your containers:
+
+    - Run the following command to create a new cluster with the Defender profile enabled:
+
+        ```azurecli
+        az aks create --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
+        ```
+
+    - Run the following command to enable the Defender profile on an existing cluster:
+
+        ```azurecli
+        az aks update --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
+        ```
+
+    A description of all the supported configuration settings on the Defender extension type is given below:
+
+    | Property | Description |
+    |----------|-------------|
+    | logAnalyticsWorkspaceResourceID | **Optional**. Full resource ID of your own Log Analytics workspace.<br>When not provided, the default workspace of the region will be used.<br><br>To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format:<br>```az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json```<br><br>The Log Analytics workspace resource ID has the following syntax:<br>/subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}. <br>Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md) |
+
+    You can include these settings in a JSON file and specify the JSON file in the `az aks create` and `az aks update` commands with this parameter: `--defender-config<path-to-JSON-file>`. The format of the JSON file must be:
+
+    ```json
+    {"logAnalyticsWorkspaceResourceID": "<workspace-id>"}
+    ```
+
+Learn more about AKS CLI commands in [az aks](/cli/azure/aks).
 
 ### [**Resource Manager**](#tab/aks-deploy-arm)
 
@@ -149,4 +193,4 @@ To install the 'SecurityProfile' on an existing cluster with Resource Manager:
         },
     }
 }
-```
+```
diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md
@@ -12,7 +12,7 @@ ms.date: 05/12/2022
 
 1. From Defender for Cloud's menu, open the [Environment settings page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/EnvironmentSettings) and select the relevant subscription.
 
-1. In the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier), enable **Defender for Containers**
+1. In the [Defender plans page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/pricingTier), enable **Defender for Containers**.
 
     > [!TIP]
     > If the subscription already has Defender for Kubernetes and/or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be **Defender for Containers**.
@@ -28,7 +28,7 @@ ms.date: 05/12/2022
     > [!NOTE]
     > If you choose to **disable the plan** at any time after enabling it through the portal as shown above, you'll need to manually remove Defender for Containers components deployed on your clusters.
 
-    You can [assign a custom workspace](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-arc#assign-a-custom-workspace) through Azure Policy.
+    You can [assign a custom workspace](../defender-for-containers-enable.md?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-arc#assign-a-custom-workspace) through Azure Policy.
 
 1. If you disable the auto provisioning of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:
 
@@ -39,6 +39,7 @@ ms.date: 05/12/2022
 ## Prerequisites
 
 Before deploying the extension, ensure you:
+
 - [Connect the Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md)
 - Complete the [pre-requisites listed under the generic cluster extensions documentation](../../azure-arc/kubernetes/extensions.md#prerequisites).
 
@@ -72,7 +73,6 @@ A dedicated Defender for Cloud recommendation provides:
 
     :::image type="content" source="../media/defender-for-kubernetes-azure-arc/security-center-deploy-extension.gif" alt-text="Deploy Defender extension for Azure Arc with Defender for Cloud's 'fix' option.":::
 
-
 ### [**Azure CLI**](#tab/k8s-deploy-cli)
 
 ### Use Azure CLI to deploy the Defender extension
@@ -119,12 +119,13 @@ You can use the **azure-defender-extension-arm-template.json** Resource Manager
 
 ### [**REST API**](#tab/k8s-deploy-api)
 
-### Use REST API to deploy the Defender extension 
+### Use REST API to deploy the Defender extension
 
 To use the REST API to deploy the Defender extension, you'll need a Log Analytics workspace on your subscription. Learn more in [Log Analytics workspaces](../../azure-monitor/logs/log-analytics-workspace-overview.md).
 
 > [!TIP]
 > The simplest way to use the API to deploy the Defender extension is with the supplied **Postman Collection JSON** example from Defender for Cloud's [installation examples](https://aka.ms/kubernetes-extension-installation-examples).
+
 - To modify the Postman Collection JSON, or to manually deploy the extension with the REST API, run the following PUT command:
 
     ```rest
@@ -139,12 +140,11 @@ To use the REST API to deploy the Defender extension, you'll need a Log Analytic
     |Resource Group   | Path | True     | String | Name of the resource group containing your Azure Arc-enabled Kubernetes resource |
     | Cluster Name    | Path | True     | String | Name of your Azure Arc-enabled Kubernetes resource                               |
 
-
-
     For **Authentication**, your header must have a Bearer token (as with other Azure APIs). To get a bearer token, run the following command:
 
     `az account get-access-token --subscription <your-subscription-id>`
     Use the following structure for the body of your message:
+
     ```json
     { 
     "properties": { 
@@ -162,10 +162,10 @@ To use the REST API to deploy the Defender extension, you'll need a Log Analytic
 
     Description of the properties is given below:
 
-    | Property | Description | 
+    | Property | Description |
     | -------- | ----------- |
     | logAnalytics.workspaceId | Workspace ID of the Log Analytics resource |
-    | logAnalytics.key         | Key of the Log Analytics resource | 
+    | logAnalytics.key         | Key of the Log Analytics resource |
     | auditLogPath             | **Optional**. The full path to the audit log files. The default value is ``/var/log/kube-apiserver/audit.log`` |
 
 ---
@@ -186,7 +186,6 @@ To verify that your cluster has the Defender extension installed on it, follow t
 
 1. Check that the cluster on which you deployed the extension is listed as **Healthy**.
 
-
 ### [**Azure portal - Azure Arc**](#tab/k8s-verify-arc)
 
 ### Use the Azure Arc pages to verify the status of your extension
@@ -201,7 +200,6 @@ To verify that your cluster has the Defender extension installed on it, follow t
 
     :::image type="content" source="../media/defender-for-kubernetes-azure-arc/extension-details-page.png" alt-text="Full details of an Azure Arc extension on a Kubernetes cluster.":::
 
-
 ### [**Azure CLI**](#tab/k8s-verify-cli)
 
 ### Use Azure CLI to verify that the extension is deployed
@@ -216,9 +214,9 @@ To verify that your cluster has the Defender extension installed on it, follow t
 
     > [!NOTE]
     > It might show "installState": "Pending" for the first few minutes.
-    
+
 1. If the state shows **Installed**, run the following command on your machine with the `kubeconfig` file pointed to your cluster to check that a pod called "azuredefender-XXXXX" is in 'Running' state:
-    
+
     ```console
     kubectl get pods -n azuredefender
     ```
@@ -247,5 +245,3 @@ To confirm a successful deployment, or to validate the status of your extension
     ```
 
 ---
-
-
diff --git a/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md b/articles/defender-for-cloud/includes/defender-for-containers-remove-profile.md
@@ -9,16 +9,38 @@ ms.author: elkrieger
 
 To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:
 
-- **Enabling** auto provisioning, potentially impacts *existing* and *future* machines. 
+- **Enabling** auto provisioning, potentially impacts *existing* and *future* machines.
 - **Disabling** auto provisioning for an extension, only affects the *future* machines - nothing is uninstalled by disabling auto provisioning.
 
 Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in [Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud](../enable-data-collection.md).
 
 You can remove the profile using the REST API or a Resource Manager template as explained in the tabs below.
 
+### [**Azure CLI**](#tab/k8s-remove-cli)
+
+### Use Azure CLI to remove the Defender profile
+
+1. Remove the Microsoft Defender for  with the following commands:
+
+    ```azurecli
+    az login
+    az account set --subscription <subscription-id>
+    az aks update --disable-defender
+    ```
+
+    Removing the profile may take a few minutes.
+
+1. To verify that the profile was successfully removed, run the following command:
+
+    ```console
+    kubectl get pods -n azuredefender
+    ```
+
+    When the profile is removed, you should see that no pods are returned in the `get pods` command. It might take a few minutes for the pods to be deleted.
+
 ### [**REST API**](#tab/aks-removeprofile-api)
 
-### Use REST API to remove the Defender profile from AKS 
+### Use REST API to remove the Defender profile from AKS
 
 To remove the profile using the REST API, run the following PUT command:
 
@@ -33,9 +55,8 @@ https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{R
 | ClusterName    | Cluster's name                     | Yes       |
 | ApiVersion     | API version, must be >= 2021-07-01 | Yes       |
 
-
 Request body:
- 
+
 ```rest
 {
   "location": "{{Location}}",
@@ -48,16 +69,14 @@ Request body:
     }
 }
 ```
- 
+
 Request body parameters:
 
 | Name                                                                     | Description                                                                              | Mandatory |
 |--------------------------------------------------------------------------|------------------------------------------------------------------------------------------|-----------|
 | location                                                                 | Cluster's location                                                                       | Yes       |
 | properties.securityProfile.azureDefender.enabled                         | Determines whether to enable or disable Microsoft Defender for Containers on the cluster | Yes       |
 
-
-
 ### [**Resource Manager**](#tab/aks-removeprofile-resource-manager)
 
 ### Use Azure Resource Manager to remove the Defender profile from AKS
@@ -69,7 +88,7 @@ To use Azure Resource Manager to remove the Defender profile, you'll need a Log
 
 The relevant template and parameters to remove the Defender profile from AKS are:
 
-```
+```json
 { 
     "type": "Microsoft.ContainerService/managedClusters", 
     "apiVersion": "2021-07-01", 
diff --git a/articles/defender-for-cloud/release-notes.md b/articles/defender-for-cloud/release-notes.md
