편집

Configure gated deployment rules for Kubernetes container images

This article shows you how to configure gated deployment rules in Microsoft Defender for Containers.

Gated deployment uses an admission controller to evaluate container images before they're admitted into a Kubernetes cluster. It uses vulnerability scan results from supported container registries to audit or deny deployments when images don't meet your organization's vulnerability policy.

Prerequisites

Before you begin, make sure that:

  • You have a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.

  • Defender for Cloud is enabled on your Azure subscription.

  • Defender for Containers is enabled for the environment that contains your Kubernetes cluster and container registry, with the following components enabled:

    • Defender sensor with Security Gating
    • Registry access with Security findings

    Note

    If the Kubernetes cluster and container registry are in different environments, enable Defender for Containers and the required components for both environments.

  • AKS clusters: The cluster has an OpenID Connect (OIDC) issuer enabled.

  • Your Kubernetes environment and container registry are supported for gated deployment. See the Defender for Containers support matrix.

  • Vulnerability scan results are available for the container images you want to evaluate. Gated deployment uses vulnerability assessment findings from supported registries.

  • You have the required permissions:

    • To create or change gated deployment rules, you need Security Admin or higher permissions.
    • To view gated deployment rules, you need Security Reader or higher permissions.

Configure a gated deployment rule

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Security rules.

    Screenshot of the Security Rules tile in Microsoft Defender for Cloud.

  4. Select Gated deployment > Vulnerability assessment.

    Screenshot of the Vulnerability Assessment tab in Security Rules.

    Note

    By default, after the required prerequisites are met, Defender for Containers creates an audit rule that flags image deployments with high or critical vulnerabilities.

  5. Select Add rule.

  6. Enter a Rule name.

  7. Select an Action:

    • Audit: Allows the deployment and creates an admission event for review.
    • Deny: Blocks deployments that match the rule conditions.

    Tip

    Start with Audit to understand the effect of the rule before you use Deny mode to block deployments.

    Note

    Deny mode can introduce a one- or two-second delay during deployment because the image is evaluated before the workload is admitted into the cluster.

  8. If needed, enter a Rule description.

  9. Enter a Scope name.

  10. Select the Cloud scope.

  11. Under Resource scope, keep the default scope or select Add condition to narrow the rule scope.

    Tip

    Start with a narrow scope, such as namespace or deployment, before applying broader enforcement.

    Screenshot of the rule creation wizard in Microsoft Defender for Cloud.

  12. Select Next.

  13. Toggle on Block all deployments with missing artifacts if you want to block deployments when vulnerability findings artifacts aren't available.

  14. Select Add condition, and define at least one condition for the rule.

    Screenshot of the vulnerability assessment rule configuration pane.

  15. Select Next.

  16. To exempt specific vulnerabilities, select Add allowed vulnerabilities, and then enter the CVE IDs that you want to exempt.

  17. To make the vulnerability exemption temporary, toggle on Time bound, and then select a Valid until date.

  18. To exempt specific resources, select Add exemption, and then define the resource-based exemption.

    Screenshot of the exemption configuration pane with the time-bound option.

  19. Select Add Rule.

Monitor gated deployment events

You can monitor gated deployment events to review rule evaluations, triggered actions, and affected resources. Use these events to help refine rule scope, conditions, and exemptions.

To investigate a specific admission event:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Security rules.

  4. Select Gated deployment > Admission Monitoring.

    Screenshot of the Admission Monitoring view showing rule evaluations and actions.

  5. Select an event from the list.

    The details pane shows:

    • The event timestamp and admission action.
    • The container image digest, detected violations, and triggered rule.
    • The vulnerability assessment policy and criteria used for evaluation.
    • The rule conditions and exemptions that were applied.

    Screenshot of the admission event details pane.

Disable or delete a gated deployment rule

To disable or delete a gated deployment rule:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Security Rules.

  4. Select the Vulnerability Assessment tab.

  5. Select the rule.

  6. Select Disable or Delete rule.

Related content

  • Last updated on