This page describes how to set up Defend for Containers (D4C) for Kubernetes.

First, you’ll need to deploy Elastic’s Defend for Containers integration to the Kubernetes clusters you wish to monitor.

1. FindContainer Workload Security in the navigation menu or use theglobal search field. ClickAdd D4C Integration.

2. Name the integration. The default name, which you can change, iscloud_defend-1.

3. (Optional) Adjust theSelectors andResponses sections in theintegration’s policy to modify the core container workload protection capabilities that the D4C integration policy will implement. You can change these later, if needed.

4. UnderWhere to add this integration, select an existing or new agent policy.

5. ClickSave & Continue, thenAdd Elastic Agent to your hosts.

6. On the Elastic Agent policy page, clickAdd agent to open the Add agent flyout.

7. In the flyout, go to step 3 (Install Elastic Agent on your host) and select theKubernetes tab.

8. Download or copy the manifest (elastic-agent-managed-kubernetes.yml).

9. Open the manifest using your favorite editor, and uncomment the#capabilities section:

   #capabilities:#  add:#    - BPF # (Since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.#    - PERFMON # (Since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.#    - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'#    - SYS_ADMIN # Required if using Defend for Containers on Azure Kubernetes Service (AKS)

   1. (Since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
   2. (Since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
   3. Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
   4. Required if using Defend for Containers on Azure Kubernetes Service (AKS)

10. From the directory where you saved the manifest, run the commandkubectl apply -f elastic-agent-managed-kubernetes.yml.

11. Wait for theConfirm agent enrollment dialogue to show that data has started flowing from your newly-installed agent, then clickClose.

Thedefault D4C policy provides threat detection capabilities. It is designed to send process telemetry events (fork andexec) to Elasticsearch.

To detect threats using this data, you’ll need activedetection rules. You can use Elastic's prebuilt rules that are designed for this data or createcustom rules.

To set up threat detection, install and enable Elastic's prebuilt rules that use data ingested by D4C:

1. FindDetection rules (SIEM) in the navigation menu or use theglobal search field. ClickAdd Elastic rules.
2. Click theTags filter next to the search bar, and search for theData Source: Elastic Defend for Containers tag.
3. Select all the displayed rules, then clickInstallx selected rule(s).
4. Return to theRules page. Click theTags filter next to the search bar, and search for theData Source: Elastic Defend for Containers tag.
5. Select all the rules with the tag, and then clickBulk actions > Enable.

Elastic Security defines container drift as the creation or modification of an executable within a container. Blocking drift restricts the number of attack vectors available to bad actors by prohibiting them from using external tools.

Thedefault D4C policy provides drift detection and prevention capabilities. Before you enable drift detection, do the following:

• Make sure the default D4C policy is active.
• Make sure you've installed and enabled the "Container Workload Protection" prebuilt rule. The steps for installing and enabling prebuilt rules are above.

To enable drift prevention, create a new policy:

1. FindContainer Workload Security in the navigation menu or use theglobal search field, then select your integration.
2. UnderSelectors, clickAdd selector > File Selector. By default, it selects the operationscreateExecutable andmodifyExecutable.
3. Name the selector, for example:blockDrift.
4. Scroll down to theResponses section and clickAdd response > File Response.
5. UnderMatch selectors, add the name of your new selector, for example:blockDrift.
6. Select theAlert andBlock actions.
7. ClickSave integration.

To ensure the stability of your production workloads, you should test policy changes before implementing them in production workloads. We also recommend you test policy changes on a simulated environment with workloads similar to production. This approach allows you to test that policy changes prevent undesirable behavior without disrupting your production workloads.