Kubernetes misconfiguration enforcement

Kubernetes misconfiguration enforcement is a Microsoft Defender for Containers capability that evaluates Kubernetes resources before they're admitted into a cluster. You can use it to audit or block deployments that don't meet Microsoft security best-practice rules.

After you enable the feature, Defender for Containers creates a default security rule named Default K8s misconfiguration rule. The default rule is created in Audit mode and applies to all Kubernetes clusters in scope. You can change the rule action to Block, configure individual rules and parameters, or create custom policies for specific scopes.

Use Kubernetes misconfiguration enforcement to help:

  • Audit or block Kubernetes workloads with unsafe security configurations.
  • Enforce non-root execution and approved user or group IDs.
  • Prevent automatic mounting of Kubernetes API credentials.
  • Block workloads from running in the default Kubernetes namespace.
  • Prevent containers from sharing sensitive host namespaces, such as PID, IPC, or network.
  • Restrict container images to trusted registries or approved patterns.
  • Enforce CPU and memory limits.
  • Require HTTPS for Kubernetes Ingress resources.
  • Block privilege escalation and fully privileged containers.
  • Require containers to use a read-only root filesystem.

Prerequisites

Before you begin, make sure that:

  • Defender for Containers is enabled on the subscription or cloud account where the Kubernetes cluster is running.

  • Your Kubernetes cluster is supported.

  • The cluster uses AKS, Azure Arc-enabled Kubernetes, EKS, or GKE.

  • If you are using automatic provisioning: The required Defender for Containers components are enabled for your environment:

    • AKS and Azure Arc-enabled Kubernetes: Kubernetes API access is enabled.
    • AWS and GCP: Agentless threat protection is enabled to collect audit logs.

    Note

    Agentless threat protection is enabled by default when you enable Defender for Containers for AWS or GCP. If it was disabled, enable it before you configure Kubernetes misconfiguration enforcement.

  • If you're using Helm for manual deployment: Make sure helm is installed and available in your command-line environment. Then, manually enable misconfiguration enforcement with Helm.

  • Kubernetes ValidatingAdmissionPolicy is enabled on the cluster. Kubernetes 1.30 and later versions enable this capability by default. To confirm on an older cluster, run `kubectl api-resources --api-group=admissionregistration.k8s.io` and check that `validatingadmissionpolicies` is listed.

  • You have the required permissions:

    • To enable and manage deployment-time enforcement policies, you need Subscription Owner or Security Admin permissions.
    • To view policies and monitoring information, you need Security Reader or equivalent permissions.

Manually enable misconfiguration enforcement with Helm

To manually enable misconfiguration enforcement with Helm:

  1. Follow the Helm installation guide for the Defender for Containers sensor for your environment.

  2. During Helm chart installation, use the latest supported chart tag from the following Helm repository:

    oci://mcr.microsoft.com/azuredefender-preview/microsoft-defender-for-containers
    
  3. Include the following value:

    defender-admission-controller.enableMisconfigurationPolicies=true
    

After misconfiguration enforcement is enabled, the default audit rule is created automatically in the portal.

Create a misconfiguration enforcement policy

By default, Defender for Containers creates the Default K8s misconfiguration rule in Audit mode, scoped to all resources. While in Audit mode, the admission controller logs violations but allows deployments to continue. You can create custom policies scoped to specific subscriptions, clusters, or namespaces.

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Security rules.

    Screenshot of the Security Rules tile in Environment Settings.

  4. Select Gated deployment > Misconfigurations to view available policies.

    Screenshot of the Misconfiguration tab in Security Rules showing the default policy.

  5. Select Create new policy.

  6. Enter a Policy name.

    Screenshot of the Create new policy panel showing Policy name and Action fields.

  7. Select an Action:

    • Audit: Logs violations without blocking deployments.
    • Block: Denies noncompliant deployments.

    Note

    Selecting Block mode can introduce a short delay during deployments because of real-time policy enforcement.

  8. If needed, enter a Rule description.

  9. Enter a Scope name.

  10. Select the Cloud scope.

  11. Under Resource scope, keep the default scope or select Add condition to narrow the rule scope.

  12. Select Next.

  13. Select the checkbox next to each rule that you want to enable.

    Screenshot of the Rules tab showing individual rules that can be enabled or disabled.

  14. To configure parameters for a rule, select the rule name.

    Some rules include configurable parameters. If parameters are available, update them as needed, and then select Save.

    Screenshot of the rule configuration panel showing customizable parameters and their default values.

  15. Select Next.

  16. Review the policy configuration.

  17. Select Add policy.

Edit a misconfiguration enforcement policy

You can edit an existing misconfiguration enforcement policy to update its action, enabled rules, and configurable rule parameters.

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Security rules.

  4. Select Gated deployment > Misconfigurations.

  5. Select the checkbox next to the policy that you want to edit.

  6. Select Edit.

  7. Update the policy settings as needed.

  8. Select Save policy.

Default policy limitations

The built-in Default K8s misconfiguration rule can be changed only in part:

  • You can change the Action between Audit and Block.
  • You can enable or disable individual rules.
  • You can configure parameters for rules that support customization.
  • You can't edit the policy name, description, or scope.

Custom policies you create don't have these restrictions.

Built-in misconfiguration rules

Kubernetes misconfiguration enforcement includes built-in rules based on Microsoft security best practices.

Built-in rules help enforce controls for:

  • Container resource limits (CPU and memory): Requires containers to declare CPU and memory limits so a single workload can't exhaust node resources.
  • Privilege and capability management: Prevents containers from running with elevated privileges, unnecessary Linux capabilities, or privilege escalation paths.
  • Non-root execution: Enforces non-root user and group IDs so containers can't run with excessive OS privileges.
  • API credential mounting: Prevents containers from automatically mounting Kubernetes API credentials.
  • Default namespace: Blocks workloads from running in the default Kubernetes namespace.
  • Host namespace isolation: Blocks containers from sharing the host PID, IPC, or network namespace.
  • Trusted image sources: Restricts container images to trusted registries or approved patterns.
  • Network security: Enforces HTTPS for Kubernetes Ingress resources.
  • Runtime security: Requires containers to use a read-only root filesystem and blocks fully privileged containers.

You can enable or disable individual rules within a policy and configure parameters for rules that support customization.
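The rule categories above (and the goals listed under "Use Kubernetes misconfiguration enforcement to help") are enforced by the admission controller only once a manifest reaches the API server. The following added example, which is not Microsoft's code or the product's rule definitions, is a pre-flight linter in Python that approximates those categories so a manifest can be checked in CI before it is submitted and audited or blocked. The trusted-registry prefixes, the approved UID/GID range, the rule identifiers, and the sample manifests are constructed assumptions, not the product's default parameters.

```python
"""Pre-flight linter that approximates the built-in misconfiguration rules so a
manifest can be checked in CI before the admission controller audits or blocks
it. Added example, not Microsoft's rule engine; the registry list and ID range
below are assumptions, not the product's default parameters."""

TRUSTED_REGISTRY_PREFIXES = ("mcr.microsoft.com/", "contoso.azurecr.io/")  # assumed
APPROVED_UID_GID_RANGE = (1000, 65535)  # assumed
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def _in_range(value):
    lo, hi = APPROVED_UID_GID_RANGE
    return value is not None and lo <= int(value) <= hi


def check_pod(manifest):
    """Return 'rule: detail' findings for a Pod manifest given as a dict."""
    findings = []
    meta, spec = manifest.get("metadata", {}), manifest.get("spec", {})
    if meta.get("namespace", "default") == "default":
        findings.append("default-namespace: pod runs in the default namespace")
    # Kubernetes mounts a service-account token unless this is explicitly false.
    if spec.get("automountServiceAccountToken", True) is not False:
        findings.append("automount-sa-token: API credentials are auto-mounted")
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field, False):
            findings.append(f"host-namespace: {field} is true")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext fields override pod-level ones.
        sc = {**pod_sc, **c.get("securityContext", {})}
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRY_PREFIXES):
            findings.append(f"trusted-registry: {name} uses image {image!r}")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"resource-limits: {name} has no {res} limit")
        if sc.get("privileged", False):
            findings.append(f"privileged: {name} runs fully privileged")
        # allowPrivilegeEscalation defaults to true, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"privilege-escalation: {name} allows escalation")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"non-root: {name} lacks runAsNonRoot: true")
        for key in ("runAsUser", "runAsGroup"):
            if not _in_range(sc.get(key)):
                findings.append(f"approved-ids: {name} {key} outside approved range")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"read-only-rootfs: {name} root filesystem is writable")
        added = sc.get("capabilities", {}).get("add") or []
        if added:
            findings.append(f"capabilities: {name} adds {', '.join(added)}")
    return findings


def check_ingress(manifest):
    """Flag an Ingress with no spec.tls entries (served over plain HTTP)."""
    if not manifest.get("spec", {}).get("tls"):
        return ["ingress-https: no spec.tls entries, Ingress is plain HTTP"]
    return []


def check(manifest):
    """Dispatch on kind; kinds without rules here produce no findings."""
    return {"Pod": check_pod, "Ingress": check_ingress}.get(
        manifest.get("kind"), lambda _m: [])(manifest)


# Constructed sample manifests, as dicts equivalent to the YAML you would apply.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "nginx:latest", "securityContext": {
        "privileged": True, "capabilities": {"add": ["NET_ADMIN"]}}}]}}

HARDENED_POD = {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001},
        "containers": [{
            "name": "web",
            "image": "contoso.azurecr.io/shop/web:1.4.2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}}]}}

WEAK_INGRESS = {"kind": "Ingress", "metadata": {"name": "web", "namespace": "shop"},
                "spec": {"rules": [{"host": "shop.example.com"}]}}

if __name__ == "__main__":
    for m in (WEAK_POD, HARDENED_POD, WEAK_INGRESS):
        print(m["kind"], m["metadata"]["name"], check(m) or "compliant")
```

Running the script lists 13 findings for the weak pod, reports the hardened pod as compliant, and flags the Ingress for missing TLS. The checks deliberately treat an absent field as a violation where the Kubernetes default is the unsafe one (`automountServiceAccountToken`, `allowPrivilegeEscalation`), which mirrors why the rules require explicit settings rather than trusting defaults; when you run the real policy in Block mode, fields you leave unset are the ones most likely to get a deployment denied.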