fix link

Author: David Curwin

articles/defender-for-cloud/kubernetes-workload-protections.md

@@ -21,20 +21,20 @@ Microsoft Defender for Cloud includes a bundle of recommendations that are avail
 
 ## Prerequisites
 
--  Add the [Required FQDN/application rules for Azure policy](../aks/outbound-rules-control-egress.md#azure-policy).
+- Add the [Required FQDN/application rules for Azure policy](../aks/outbound-rules-control-egress.md#azure-policy).
 - (For non AKS clusters) [Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md).
 
 ## Enable Kubernetes data plane hardening
 
 You can enable the Azure policy for Kubernetes by one of two ways:
+
 - Enable for all current and future clusters using plan/connector settings
-    - [Enabling for Azure subscriptions or on-premises](#enabling-for-azure-subscriptions-or-on-premises)
-    - [Enabling for GCP projects](#enabling-for-gcp-projects)
-- [Enable for existing clusters using recommendations (specific clusters or all clusters)](#manually-deploy-the-add-on-to-clusters-using-recommendations-on-specific-clusters). 
+  - [Enabling for Azure subscriptions or on-premises](#enabling-for-azure-subscriptions-or-on-premises)
+  - [Enabling for GCP projects](#enabling-for-gcp-projects)
+- [Enable for existing clusters using recommendations (specific clusters or all clusters)](#manually-deploy-the-add-on-to-clusters-using-recommendations-on-specific-clusters).
 
 ### Enable for all current and future clusters using plan/connector settings
 
-
 > [!NOTE]
 > When you enable this setting, the Azure Policy for Kubernetes pods are installed on the cluster. Doing so allocates a small amount of CPU and memory for the pods to use. This allocation might reach maximum capacity, but it doesn't affect the rest of the CPU and memory on the resource.
 
@@ -47,7 +47,7 @@ When you enable Microsoft Defender for Containers, the "Azure Policy for Kuberne
 
 If you disabled the "Azure Policy for Kubernetes" settings under the containers plan, you can follow the below steps to enable it across all clusters in your subscription:
 
-1. Sign in to the [Azure portal](https://portal.azure.com). 
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
@@ -63,33 +63,32 @@ If you disabled the "Azure Policy for Kubernetes" settings under the containers
 
       :::image type="content" source="media/kubernetes-workload-protections/toggle-on-extensions.png" alt-text="Screenshot showing the toggles used to enable or disable the extensions." lightbox="media/kubernetes-workload-protections/toggle-on-extensions.png":::
 
-####  Enabling for GCP projects
+#### Enabling for GCP projects
 
 When you enable Microsoft Defender for Containers on a GCP connector, the "Azure Policy Extension for Azure Arc" setting is enabled by default for the Google Kubernetes Engine in the relevant project. If you disable the setting on initial configuration you can enable it afterwards manually.
 
-If you disabled the "Azure Policy Extension for Azure Arc" settings under the GCP connector, you can follow the below steps to [enable it on your GCP connector](/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-gke&preserve-view=true#protect-google-kubernetes-engine-gke-clusters).
+If you disabled the "Azure Policy Extension for Azure Arc" settings under the GCP connector, you can follow the below steps to [enable it on your GCP connector](defender-for-containers-enable.md?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-gke&preserve-view=true#protect-google-kubernetes-engine-gke-clusters).
 
 ### Manually deploy the add-on to clusters using recommendations on specific clusters
 
 You can manually configure the Kubernetes data plane hardening add-on, or extension on specific cluster through the Recommendations page using the following recommendations:
 
-- **Azure Recommendations** -  `"Azure Policy add-on for Kubernetes should be installed and enabled on your clusters"`, or `"Azure policy extension for Kubernetes should be installed and enabled on your clusters"`. 
+- **Azure Recommendations** -  `"Azure Policy add-on for Kubernetes should be installed and enabled on your clusters"`, or `"Azure policy extension for Kubernetes should be installed and enabled on your clusters"`.
 - **GCP Recommendation** - `"GKE clusters should have Microsoft Defender's extension for Azure Arc installed"`.
 - **AWS Recommendation** - `"EKS clusters should have Microsoft Defender's extension for Azure Arc installed"`.
 
 Once enabled, the hardening recommendation becomes available (some of the recommendations require another configuration to work).
 
-> [!NOTE] 
+> [!NOTE]
 > For AWS it isn't possible to do onboarding at scale using the connector, but it can be installed on all clusters or specific clusters using the recommendation ["EKS clusters should have Microsoft Defender's extension for Azure Arc installed"](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/38307993-84fb-4636-8ce7-3a64466bb5cc).
 
-
 **To deploy the add-on to specified clusters**:
 
 1. From the recommendations page, search for the relevant recommendation:
     - **Azure** -  `Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed` or `Azure policy extension for Kubernetes should be installed and enabled on your clusters`
     - **AWS** - `EKS clusters should have Microsoft Defender's extension for Azure Arc installed`
     - **GCP** - `GKE clusters should have Microsoft Defender's extension for Azure Arc installed`
-     
+
         :::image type="content" source="./media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation.png" alt-text="Screenshot showing the Azure Kubernetes service clusters recommendation." lightbox="media/kubernetes-workload-protections/azure-kubernetes-service-clusters-recommendation.png":::
 
    > [!TIP]
@@ -106,7 +105,7 @@ Once enabled, the hardening recommendation becomes available (some of the recomm
 Approximately 30 minutes after the add-on installation completes, Defender for Cloud shows the clusters’ health status for the following recommendations, each in the relevant security control as shown:
 
 > [!NOTE]
-> If you're installing the add-on/extension for the first time, these recommendations will appear as new additions in the list of recommendations. 
+> If you're installing the add-on/extension for the first time, these recommendations will appear as new additions in the list of recommendations.
 
 > [!TIP]
 > Some recommendations have parameters that must be customized via Azure Policy to use them effectively. For example, to benefit from the recommendation **Container images should be deployed only from trusted registries**, you'll have to define your trusted registries. If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy.
@@ -130,27 +129,26 @@ Approximately 30 minutes after the add-on installation completes, Defender for C
 | Privileged containers should be avoided                                     | Manage access and permissions            | No                     |
 | Running containers as root user should be avoided                           | Manage access and permissions            | No                     |
 
-
 For recommendations with parameters that need to be customized, you need to set the parameters:
 
 **To set the parameters**:
- 
-1. Sign in to the [Azure portal](https://portal.azure.com). 
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select the relevant subscription.
 
 1. From Defender for Cloud's menu, select **Security policy**.
-    
+
 1. Select the relevant assignment. The default assignment is `ASC default`.
-    
+
 1. Open the **Parameters** tab and modify the values as required.
 
     :::image type="content" source="media/kubernetes-workload-protections/containers-parameter-requires-configuration.png" alt-text="Screenshot showing where to modify the parameters for one of the recommendations in the Kubernetes data plane hardening protection bundle." lightbox="media/kubernetes-workload-protections/containers-parameter-requires-configuration.png":::
 
 1. Select **Review + save**.
-    
+
 1. Select **Save**.
 
 **To enforce any of the recommendations**:
@@ -159,19 +157,19 @@ For recommendations with parameters that need to be customized, you need to set
 
     :::image type="content" source="./media/defender-for-kubernetes-usage/enforce-workload-protection-example.png" alt-text="Screenshot showing the Deny option for Azure Policy parameter." lightbox="media/defender-for-kubernetes-usage/enforce-workload-protection-example.png":::
 
-    The pane to set the scope opens. 
+    The pane to set the scope opens.
 
 1. Set the scope and select **Change to deny**.
 
 **To see which recommendations apply to your clusters**:
 
 1. Open Defender for Cloud's [asset inventory](asset-inventory.md) page and set the resource type filter to **Kubernetes services**.
 
-1. Select a cluster to investigate and review the available recommendations available for it. 
+1. Select a cluster to investigate and review the available recommendations available for it.
 
 When you view a recommendation from the workload protection set, the number of affected pods ("Kubernetes components") is listed alongside the cluster. For a list of the specific pods, select the cluster and then select **Take action**.
 
-:::image type="content" source="./media/defender-for-kubernetes-usage/view-affected-pods-for-recommendation.gif" alt-text="Screenshot showing where to view the affected pods for a Kubernetes recommendation."::: 
+:::image type="content" source="./media/defender-for-kubernetes-usage/view-affected-pods-for-recommendation.gif" alt-text="Screenshot showing where to view the affected pods for a Kubernetes recommendation.":::
 
 **To test the enforcement, use the two Kubernetes deployments below**:
 
@@ -181,7 +179,6 @@ When you view a recommendation from the workload protection set, the number of a
 
 Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload.  
 
-
 ## Healthy deployment example .yaml file
 
 ```yml
@@ -293,9 +290,9 @@ spec:
 
 ## Next steps
 
-In this article, you learned how to configure Kubernetes data plane hardening. 
+In this article, you learned how to configure Kubernetes data plane hardening.
 
-For related material, see the following pages: 
+For related material, see the following pages:
 
 - [Defender for Cloud recommendations for compute](recommendations-reference.md#recs-compute)
 - [Alerts for AKS cluster level](alerts-reference.md#alerts-k8scluster)