Commit d23bdfe

Merge pull request #261983 from dcurwin/wi-193073-gcp-agentless-dec27-2023
GCP Agentless Containers
2 parents 62ca167 + 739131a commit d23bdfe

14 files changed

+186
-43
lines changed

articles/defender-for-cloud/TOC.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -614,6 +614,8 @@
614614
href: agentless-vulnerability-assessment-azure.md
615615
- name: Vulnerability assessments for AWS
616616
href: agentless-vulnerability-assessment-aws.md
617+
- name: Vulnerability assessments for GCP
618+
href: agentless-vulnerability-assessment-gcp.md
617619
- name: Enable vulnerability assessments
618620
href: enable-vulnerability-assessment.md
619621
- name: View and remediate vulnerabilities for registry images
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
---
2+
title: Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management
3+
description: Learn about vulnerability assessments for GCP with Microsoft Defender Vulnerability Management.
4+
author: dcurwin
5+
ms.author: dacurwin
6+
ms.date: 12/12/2023
7+
ms.topic: how-to
8+
---
9+
10+
# Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management
11+
12+
Vulnerability assessment for GCP, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents.
13+
14+
In every account where enablement of this capability is completed, all images stored in Google Registries (GAR and GCR) that meet the following criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in Google Registries (GAR and GCR), images that are currently running in GKE that were pulled from Google Registries (GAR and GCR) or any other Defender for Cloud supported registry (ACR or ECR). Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every 24 hours.
15+
16+
Container vulnerability assessment powered by Microsoft Defender Vulnerability Management has the following capabilities:
17+
18+
- **Scanning OS packages** - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux and Windows operating systems. See the [full list of the supported OS and their versions](support-matrix-defender-for-containers.md#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management).
19+
20+
- **Language specific packages****Linux only** - support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the [complete list of supported languages](support-matrix-defender-for-containers.md#registries-and-images-support-for-gcp---vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management).
21+
22+
- **Exploitability information** - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
23+
24+
- **Reporting** - Container Vulnerability Assessment for GCP powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
25+
26+
| Recommendation | Description | Assessment Key|
27+
|--|--|--|
28+
| [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
29+
| [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 |
30+
31+
- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md).
32+
33+
- **Query scan results via REST API** - Learn how to query scan results via [REST API](subassessment-rest-api.md).
34+
35+
## Scan triggers
36+
37+
The triggers for an image scan are:
38+
39+
- **One-time triggering**:
40+
- Each image pushed to a container registry is triggered to be scanned. In most cases, the scan is completed within a few hours, but in rare cases it might take up to 24 hours.
41+
- Each image pulled from a registry is triggered to be scanned within 24 hours.
42+
43+
- **Continuous rescan triggering** – continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
44+
- **Re-scan** is performed once a day for:
45+
- Images pushed in the last 90 days.
46+
- Images pulled in the last 30 days.
47+
- Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) or the [Defender agent](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability)).
48+
49+
## How does image scanning work?
50+
51+
A detailed description of the scan process is described as follows:
52+
53+
- When you enable the [container vulnerability assessment for GCP powered by Microsoft Defender Vulnerability Management](enable-vulnerability-assessment.md), you authorize Defender for Cloud to scan container images in your Elastic Container registries.
54+
- Defender for Cloud automatically discovers all containers registries, repositories and images (created before or after enabling this capability).
55+
- Once a day, and for new images pushed to a registry:
56+
57+
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​
58+
- Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) and [inventory collected via the Defender agent running on GKE nodes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability)
59+
- Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145).
60+
- For customers using either [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) or [inventory collected via the Defender agent running on GKE nodes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender agent](/azure/defender-for-cloud/defender-for-containers-enable#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
61+
62+
> [!NOTE]
63+
> For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.
64+
65+
## If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?
66+
67+
It takes 30 hours after an image is deleted from Google Registries (GAR and GCR) before the reports are removed.
68+
69+
## Next steps
70+
71+
- Learn more about the Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).
72+
- Check out [common questions](faq-defender-for-containers.yml) about Defender for Containers.
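Review bot: the first bullet under "How does image scanning work?" says enabling the capability authorizes Defender for Cloud to scan images "in your Elastic Container registries", which is the AWS registry name carried over from the ECR article; on this GCP page it should read "in your Google Registries (GAR and GCR)", as the introduction and the deletion section do. Three smaller points in the same file: the Assessment Key column of the Reporting table does not agree with the keys embedded in the recommendation links (the registry row links to assessmentKey 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 but lists c27441ae-775c-45be-8ffa-655de37362ce, and the running-images row links to e538731a-80c8-4317-a119-13075e002516 but lists 5cc3a2c1-8397-456f-8792-fe9d0d4c9145), so the two sets should be reconciled against the portal before this ships, since readers use these keys to filter Resource Graph and REST API results; the bullet `- **Language specific packages****Linux only** - ...` is missing a separator between the two bold spans, e.g. `- **Language specific packages** (Linux only) - ...`; and the "Using the inventory, vulnerability reports are generated ..." bullet ends without a period.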

articles/defender-for-cloud/concept-agentless-containers.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ ms.custom: template-concept
99

1010
# Agentless container posture in Defender CSPM
1111

12-
The Defender for Cloud Security Posture Management (CSPM) plan in Defender for Cloud provides container posture capabilities for Azure AKS and AWS EKS. For requirements and support, see the [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md).
12+
The Defender for Cloud Security Posture Management (CSPM) plan in Defender for Cloud provides container posture capabilities for Azure, AWS, and GCP. For requirements and support, see the [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md).
1313

1414
Agentless container posture provides easy and seamless visibility into your Kubernetes assets and security posture, with contextual risk analysis that empowers security teams to prioritize remediation based on actual risk behind security issues, and proactively hunt for posture issues.
1515

articles/defender-for-cloud/concept-cloud-security-posture-management.md

Lines changed: 2 additions & 2 deletions
@@ -43,8 +43,8 @@ The following table summarizes each plan and their cloud availability.
4343
| [Cloud security explorer](how-to-manage-cloud-security-explorer.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
4444
| [Attack path analysis](how-to-manage-attack-path.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
4545
| [Agentless scanning for machines](concept-agentless-data-collection.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
46-
| [Agentless container security posture](concept-agentless-containers.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
47-
| [Container registries vulnerability assessment](concept-agentless-containers.md), including registry scanning | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS |
46+
| [Agentless container security posture](concept-agentless-containers.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
47+
| [Container registries vulnerability assessment](concept-agentless-containers.md), including registry scanning | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
4848
| [Data aware security posture](concept-data-security-posture.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
4949
| EASM insights in network exposure | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
5050
| [Permissions management (Preview)](enable-permissions-management.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP |
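Review bot: both changed rows still link to concept-agentless-containers.md; since this PR adds agentless-vulnerability-assessment-gcp.md next to the existing Azure and AWS vulnerability assessment articles, the "Container registries vulnerability assessment" row would serve readers better if it pointed at the vulnerability assessment articles (or the overview section that lists all three), so that someone checking GCP availability reaches the GCP-specific scan triggers and assessment keys rather than the posture overview.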

articles/defender-for-cloud/defender-for-containers-architecture.md

Lines changed: 16 additions & 0 deletions
@@ -145,6 +145,22 @@ When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, t
145145
146146
:::image type="content" source="./media/defender-for-containers/architecture-gke.png" alt-text="Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Google GKE clusters, Azure Arc-enabled Kubernetes, and Azure Policy." lightbox="./media/defender-for-containers/architecture-gke.png":::
147147

148+
### How does agentless discovery for Kubernetes in GCP work?
149+
150+
The discovery process is based on snapshots taken at intervals:
151+
152+
When you enable the agentless discovery for Kubernetes extension, the following process occurs:
153+
154+
- **Create**:
155+
- The service account *mdc-containers-k8s-operator* is created. The name can be customized.
156+
157+
- **Assign**: Defender for Cloud attaches the following roles to the service account *mdc-containers-k8s-operator*:
158+
159+
- The custom role `MDCGkeClusterWriteRole`, which has the `container.clusters.update` permission
160+
- The built-in role `container.viewer`
161+
162+
- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the GKE clusters in your environment using API calls to the API server of GKE.
163+
148164
---
149165

150166
## Next steps
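Review bot: the Discover step says discovery runs "Using the system assigned identity", but the Create and Assign steps above it describe a GCP service account *mdc-containers-k8s-operator*; "system assigned identity" is Azure terminology and looks carried over from the AKS section, so it should read "Using the service account *mdc-containers-k8s-operator*". Two documentation points: the custom role `MDCGkeClusterWriteRole` grants `container.clusters.update`, a write permission on clusters, and the text should state what discovery needs it for, because a reader evaluating least privilege for that service account otherwise has nothing to go on; and the two lead-in sentences "The discovery process is based on snapshots taken at intervals:" and "When you enable the agentless discovery for Kubernetes extension, the following process occurs:" both end in a colon with nothing between them, so merge them or end the first with a period. Minor: the predefined role is `roles/container.viewer`, and "API calls to the API server of GKE" should say whether this means the GKE management API or the cluster's Kubernetes API server, since the permissions differ.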

articles/defender-for-cloud/defender-for-containers-introduction.md

Lines changed: 6 additions & 6 deletions
@@ -1,11 +1,11 @@
11
---
2-
title: Container security
2+
title: Overview of Container security in Microsoft Defender for Containers
33
description: Learn about Microsoft Defender for Containers
44
ms.topic: overview
55
author: dcurwin
66
ms.author: dacurwin
77
ms.custom: ignite-2022
8-
ms.date: 12/12/2023
8+
ms.date: 01/09/2024
99
---
1010

1111
# Overview of Container security in Microsoft Defender for Containers
@@ -16,7 +16,7 @@ Defender for Containers assists you with four core domains of container security
1616

1717
- [**Security posture management**](#security-posture-management) - performs continuous monitoring of cloud APIs, Kubernetes APIs, and Kubernetes workloads to discover cloud resources, provide comprehensive inventory capabilities, detect misconfigurations and provide guidelines to mitigate them, provide contextual risk assessment, and empowers users to perform enhanced risk hunting capabilities through the Defender for Cloud security explorer.
1818

19-
- [**Vulnerability assessment**](#vulnerability-assessment) - provides agentless vulnerability assessment for Azure and AWS with remediation guidelines, zero configuration, daily rescans, coverage for OS and language packages, and exploitability insights.
19+
- [**Vulnerability assessment**](#vulnerability-assessment) - provides agentless vulnerability assessment for Azure, AWS, and GCP with remediation guidelines, zero configuration, daily rescans, coverage for OS and language packages, and exploitability insights.
2020

2121
- [**Run-time threat protection**](#run-time-protection-for-kubernetes-nodes-and-clusters) - a rich threat detection suite for Kubernetes clusters, nodes, and workloads, powered by Microsoft leading threat intelligence, provides mapping to MITRE ATT&CK framework for easy understanding of risk and relevant context, automated response, and SIEM/XDR integration.
2222

@@ -65,7 +65,7 @@ You can learn more about [Kubernetes data plane hardening](kubernetes-workload-p
6565

6666
## Vulnerability assessment
6767

68-
Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to provide agentless vulnerability assessment for your container images, including registry and runtime recommendations, remediation guidance, quick scans of new images, real-world exploit insights, exploitability insights, and more.
68+
Defender for Containers scans the container images in Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), and Google Container Registry (GCR) to provide agentless vulnerability assessment for your container images, including registry and runtime recommendations, remediation guidance, quick scans of new images, real-world exploit insights, exploitability insights, and more.
6969

7070
Vulnerability information powered by Microsoft Defender Vulnerability Management is added to the [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph) for contextual risk, calculation of attack paths, and hunting capabilities.
7171

@@ -77,8 +77,8 @@ There are two solutions for vulnerability assessment in Azure, one powered by Mi
7777
Learn more about:
7878

7979
- [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md)
80-
- [Vulnerability assessment for Azure powered by Qualys](defender-for-containers-vulnerability-assessment-azure.md)
81-
- [Vulnerability assessment for Amazon AWS Elastic Container Registry (ECR)](defender-for-containers-vulnerability-assessment-elastic.md)
80+
- [Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md)
81+
- [Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-gcp.md)
8282

8383
## Run-time protection for Kubernetes nodes and clusters
8484
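Review bot: the context line above this list still says "There are two solutions for vulnerability assessment in Azure, one powered by Mi..." while the hunk removes "- [Vulnerability assessment for Azure powered by Qualys](defender-for-containers-vulnerability-assessment-azure.md)" from the "Learn more about" list, so the sentence now promises a second Azure solution that the list no longer links; either keep the Qualys entry in the list or update the sentence to match the three Microsoft Defender Vulnerability Management links that replace it.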

articles/defender-for-cloud/how-to-enable-agentless-containers.md

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ ms.date: 12/13/2023
1111
Onboarding agentless container posture in Defender CSPM allows you to gain all its [capabilities](concept-agentless-containers.md#capabilities).
1212

1313
> [!NOTE]
14-
> Agentless container posture is available for Azure and AWS clouds.
14+
> Agentless container posture is available for Azure, AWS, and GCP clouds.
1515
1616
Defender CSPM includes [two extensions](/azure/defender-for-cloud/faq-defender-for-containers#what-are-the-extensions-for-agentless-container-posture-management) that allow for agentless visibility into Kubernetes and containers registries across your organization's software development lifecycle.
1717
