Merge pull request #250176 from ElazarK/WI1545548-agentless-kubernetes

WI154548 agentless discovery

Author: v-ccolin

articles/defender-for-cloud/defender-for-containers-architecture.md

@@ -5,8 +5,9 @@ author: dcurwin
 ms.author: dacurwin
 ms.topic: overview
 ms.custom: ignite-2022
-ms.date: 08/27/2023
+ms.date: 09/06/2023
 ---
+
 # Defender for Containers architecture
 
 Defender for Containers is designed differently for each Kubernetes environment whether they're running in:
@@ -106,6 +107,30 @@ When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, t
 
 ---
 
+## How does agentless discovery for Kubernetes work?
+
+The discovery process is based on snapshots taken at intervals:
+
+:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
+
+When you enable the agentless discovery for Kubernetes extension, the following process occurs:
+
+- **Create**:
+  - If the extension is enabled from Defender CSPM, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderCSPMSecurityOperator`.
+  - If the extension is enabled from Defender for Containers, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderForContainersSecurityOperator`.
+- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
+
+  - AKS read (Microsoft.ContainerService/managedClusters/read)
+  - AKS Trusted Access with the following permissions:
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
+
+   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
+
+- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
+- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
+
 ## Next steps
 
 In this overview, you learned about the architecture of container security in Microsoft Defender for Cloud. To enable the plan, see:

articles/defender-for-cloud/defender-for-containers-introduction.md

@@ -5,7 +5,7 @@ ms.topic: overview
 author: dcurwin
 ms.author: dacurwin
 ms.custom: ignite-2022
-ms.date: 08/27/2023
+ms.date: 09/06/2023
 ---
 
 # Overview of Microsoft Defender for Containers
@@ -106,30 +106,6 @@ Defender for containers uses [cloud security graph](concept-attack-path.md#what-
 
 :::image type="content" source="media/defender-for-containers/risk-hunting.png" alt-text="Screenshot of risk hunting query." lightbox="media/defender-for-containers/risk-hunting.png":::
 
-### How does agentless discovery for Kubernetes work?
-
-The discovery process is based on snapshots taken at intervals:
-
-:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
-
-When you enable the agentless discovery for Kubernetes extension, the following process occurs:
-
-- **Create**:
-  - If the extension is enabled from Defender CSPM, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderCSPMSecurityOperator`.
-  - If the extension is enabled from Defender for Containers, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderForContainersSecurityOperator`.
-- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
-
-  - AKS read (Microsoft.ContainerService/managedClusters/read)
-  - AKS Trusted Access with the following permissions:
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
-
-   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
-
-- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
-- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
-
 ## Learn more
 
 Learn more about Defender for Containers in the following blogs:

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

@@ -3,7 +3,7 @@ title: Vulnerability assessment for Azure powered by Qualys
 description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
 author: dcurwin
 ms.author: dacurwin
-ms.date: 08/27/2023
+ms.date: 09/06/2023
 ms.topic: how-to
 ms.custom: ignite-2022, build-2023
 ---
@@ -152,9 +152,9 @@ To create a rule:
 
 Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved-(powered by Qualys)](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false) recommendation.
 
-To provide the findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the [agentless container registry vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure). Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.
+To provide the findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the [agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure). Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.
 
-While Defender agent provides pod inventory every hour, the agentless container registry vulnerability assessment provides an update every six hours. If both extensions are enabled, the newest information is used.
+While Defender agent provides pod inventory every hour, the [agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) provides an update every six hours. If both extensions are enabled, the newest information is used.
 
 :::image type="content" source="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png" alt-text="Screenshot of recommendations showing your running containers with the vulnerabilities associated with the images used by each container." lightbox="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png":::
 

articles/defender-for-cloud/media/defender-for-containers-enable-plan-gke/container-components-on.png

@@ -4,7 +4,7 @@ description: Review support requirements for the Defender for Containers plan in
 ms.topic: limits-and-quotas
 author: dcurwin
 ms.author: dacurwin
-ms.date: 08/20/2023
+ms.date: 09/06/2023
 ms.custom: references_regions, ignite-2022
 ---
 
@@ -19,7 +19,7 @@ This article summarizes support information for the [Defender for Containers pla
 
 | Feature | Supported Resources | Linux release state | Windows release state   | Agentless/Agent-based | Pricing Tier | Azure clouds availability |
 |--|--|--|--|--|--|--|
-| [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) | ACR, AKS | GA | GA | Agentless | Defender for Containers | Azure commercial clouds |
+| [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) | ACR, AKS | GA | GA | Agentless | Defender for Containers or Defender CSPM | Azure commercial clouds |
 | Compliance-Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Microsoft Azure operated by 21Vianet  |
 | [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) - registry scan [OS packages](#registries-and-images-support-for-azure---powered-by-qualys) | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |
 | [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) -registry scan [language packages](#registries-and-images-support-for-azure---powered-by-qualys) | ACR, Private ACR | Preview | - | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

articles/defender-for-cloud/support-matrix-defender-for-containers.md

@@ -4,14 +4,14 @@ description: Learn how to view and remediate runtime threat findings
 ms.service: defender-for-cloud
 ms.custom: build-2023
 ms.topic: how-to
-ms.date: 07/11/2023
+ms.date: 09/06/2023
 ---
 
 # View and remediate vulnerabilities for images running on your AKS clusters
 
 Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462ce) recommendation.
 
-To provide findings for the recommendation, Defender CSPM uses [agentless container registry vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps.
+To provide findings for the recommendation, Defender for Cloud uses [agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps.
 
 Defender for Cloud presents the findings and related information as recommendations, including related information such as remediation steps and relevant CVEs. You can view the identified vulnerabilities for one or more subscriptions, or for a specific resource.