Cloud-native development has made containerization vital, but it has also brought new risks. In dynamic Kubernetes environments, a single vulnerable container image can open the door to an attack, so organizations need proactive controls that keep unsafe workloads from running in the first place. Although security professionals recognize these risks, traditional security checks typically occur after deployment: scans and alerts identify issues only once workloads are already running, leaving teams scrambling to respond. Gated deployment for Kubernetes container images in Microsoft Defender for Cloud addresses this gap. Now generally available, it introduces a proactive, automated checkpoint at the moment of deployment, before a workload is admitted to the cluster.
Getting Started: Setting Up Kubernetes Gated Deployment
The process starts with enabling the required components for gated deployment. When Security Gating is enabled, the Defender admission controller pod is deployed to the Kubernetes cluster. Organizations then create gated deployment rules that define the criteria a container image must meet to be admitted to the cluster. With the admission controller and rules in place, the system is ready to evaluate deployment requests against the defined criteria.
How Kubernetes Gated Deployment Works
- Vulnerability Scanning
  - Defender for Cloud performs agentless vulnerability scanning on container images stored in the registry.
  - Scan results are saved as security artifacts in the registry, detailing each image’s vulnerabilities. Security artifacts are signed by Microsoft so that the admission controller can verify their authenticity before trusting them.
- Deployment Evaluation
  - During deployment, the admission controller reads both the stored security policies and the vulnerability assessment artifacts for the images in the request.
  - Each container image is evaluated against the organization’s defined policies.
- Enforcement Modes
  - Audit Mode: Deployments are allowed, but any policy violations are logged for review. This helps teams refine policies without disrupting workflows.
  - Deny Mode: Non-compliant images are blocked from deployment, so only images that pass the policy reach production. Because this is admission control, it acts on new deployment requests; workloads that are already running are not evicted and remain in place until they are redeployed.
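The decision flow described above, as an added illustration rather than Defender for Cloud's own admission controller: an admission function resolves each image in a pod spec to a digest, looks up the signed vulnerability artifact for that digest, rejects artifacts whose signature does not verify, compares the findings against a severity threshold, and either logs (audit) or also blocks (deny). The artifact layout, the rule fields, the image names and findings, and the HMAC used as a stand-in for Microsoft's signature are all constructed for this example; a real verifier would check a public-key signature against a trusted key.

```python
"""Model of an image-gating admission decision (added example, not Defender code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed stand-in for the artifact signing key. A real verifier holds the
# publisher's public key and checks an asymmetric signature, not a shared HMAC key.
SIGNING_KEY = b"example-artifact-signing-key"


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(body: dict) -> dict:
    """Wrap a scan summary with a signature so the verifier can detect tampering."""
    sig = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_artifact(artifact: dict) -> Optional[dict]:
    """Return the signed body if the signature verifies, otherwise None."""
    expected = hmac.new(SIGNING_KEY, _canonical(artifact["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artifact.get("sig", "")):
        return None
    return artifact["body"]


@dataclass
class Rule:
    block_at_or_above: str = "critical"  # lowest severity that violates the rule
    require_artifact: bool = True        # images with no scan artifact violate the rule
    mode: str = "audit"                  # "audit" only logs; "deny" also rejects


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)


def resolve_digest(image_ref: str, tag_index: dict) -> Optional[str]:
    """Digest-pinned refs resolve to themselves; tags resolve through the registry index."""
    if "@sha256:" in image_ref:
        return image_ref.split("@", 1)[1]
    return tag_index.get(image_ref)  # None if the tag is unknown (never scanned)


def evaluate_image(image_ref: str, rule: Rule, artifacts: dict, tag_index: dict) -> list:
    """Return the policy violations for one image; an empty list means compliant."""
    digest = resolve_digest(image_ref, tag_index)
    artifact = artifacts.get(digest) if digest else None
    if artifact is None:
        return [f"{image_ref}: no vulnerability assessment artifact"] if rule.require_artifact else []
    body = verify_artifact(artifact)
    if body is None:
        return [f"{image_ref}: artifact signature invalid"]  # forged/tampered => treat as unscanned
    if body.get("digest") != digest:
        return [f"{image_ref}: artifact belongs to a different digest"]
    threshold = SEVERITY_RANK[rule.block_at_or_above]
    hits = [f["id"] for f in body["findings"] if SEVERITY_RANK[f["severity"]] >= threshold]
    if not hits:
        return []
    return [f"{image_ref}: {len(hits)} finding(s) at or above {rule.block_at_or_above}: {', '.join(hits)}"]


def admit(pod_spec: dict, rule: Rule, artifacts: dict, tag_index: dict) -> Decision:
    """Evaluate every image in the pod spec, init containers included, and apply the mode."""
    images = [c["image"] for key in ("initContainers", "containers") for c in pod_spec.get(key, [])]
    violations = [v for img in images for v in evaluate_image(img, rule, artifacts, tag_index)]
    for v in violations:
        print(f"[{rule.mode}] policy violation: {v}")  # stands in for the audit log entry
    return Decision(allowed=(rule.mode == "audit" or not violations), violations=violations)


# Constructed sample data: a clean image, an image with a critical finding, and an unscanned tag.
DIGEST_APP = "sha256:" + "a" * 64
DIGEST_DB = "sha256:" + "b" * 64
ARTIFACTS = {
    DIGEST_APP: sign_artifact({"digest": DIGEST_APP, "findings": [{"id": "EXAMPLE-0001", "severity": "medium"}]}),
    DIGEST_DB: sign_artifact({"digest": DIGEST_DB, "findings": [{"id": "EXAMPLE-0002", "severity": "critical"}]}),
}
TAG_INDEX = {"registry.example/app:v1": DIGEST_APP}  # "sidecar:latest" deliberately has no entry
POD = {
    "initContainers": [{"image": "registry.example/sidecar:latest"}],
    "containers": [{"image": "registry.example/app:v1"}, {"image": f"registry.example/db@{DIGEST_DB}"}],
}

if __name__ == "__main__":
    print(admit(POD, Rule(mode="audit"), ARTIFACTS, TAG_INDEX))  # allowed, 2 violations logged
    print(admit(POD, Rule(mode="deny"), ARTIFACTS, TAG_INDEX))   # rejected, same 2 violations
```

Two details in the model matter in practice. Init containers are evaluated alongside regular containers, because an unscanned sidecar admits just as much risk as the main image. And a tag that cannot be resolved to a scanned digest is treated the same as a missing artifact, which is one reason to pin images by digest in manifests: the image that was scanned is then provably the image that runs.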
Practical Guidance: Using Gating to Advance DevSecOps
Using gated deployment well requires coordination between several teams: security professionals work with platform, DevOps, and application teams to define policies, set risk thresholds, and keep deployments compliant.
To get the most from gated deployment, organizations should approach policy enforcement deliberately:
- Work with platform teams to define risk thresholds, roll out in audit mode first, and switch to deny mode once the audit logs show that legitimate deployments are no longer being flagged.
- Continuously tune policies based on audit logs and incident findings so they keep pace with new threats and business requirements.
- Educate DevOps and application teams on the policy requirements and on how to remediate a violation, so responsibility for passing the gate is shared.
- Design rules deliberately; for example, decide up front whether an image that lacks scan metadata is denied or only logged, since that choice determines what happens to images that were never scanned.
Use Cases and Real-World Examples
Gated deployment is designed to meet the diverse needs of modern enterprises. The following use cases illustrate its effectiveness in protecting workloads and streamlining cloud operations:
- Ensuring Compliance in Regulated Industries: Organizations in sectors like finance, healthcare, and government often have strict compliance mandates (e.g. no use of software with known critical vulnerabilities). Gated deployment provides an automated way to enforce these mandates. For example, a bank can define rules to block any container image that has a critical vulnerability or that lacks the required security scan metadata. The admission controller automatically prevents non-compliant deployments, keeping the production environment continuously compliant with the bank’s security policy. This not only reduces the risk of costly security incidents but also creates an audit trail: every blocked deployment is logged and can be shown to auditors as evidence that proactive controls are in place. In short, gated deployment helps organizations maintain compliance as they deploy cloud-native applications.
- Reducing Risk in Multi-Team DevOps Environments: In large enterprises with multiple development teams pushing code to shared Kubernetes clusters, it can be challenging to enforce consistent security standards. Gated deployment acts as a safety net across all teams. Imagine a scenario with dozens of microservices and dev teams: even if one team attempts to deploy an outdated base image with known vulnerabilities, the gate catches it. This is especially useful in multi-cloud setups, e.g. when your company runs some workloads on Azure Kubernetes Service (AKS) and others on Amazon Elastic Kubernetes Service (EKS). With gated deployment in Defender for Cloud, you can apply the same security rules to both, and the system uniformly blocks non-compliant images on Azure and Amazon Web Services (AWS) clusters alike. This consistency simplifies governance. It also fosters a DevSecOps culture: developers get immediate feedback when a deployment is flagged, which raises awareness of security requirements. Over time, teams learn to integrate security earlier (shifting left) to avoid tripping the gate. Because you can start in audit mode, there is an educational grace period: developers see warnings in the logs about policy violations before those violations cause deployment failures, which leads to collaborative remediation rather than abrupt disruption.
- Protecting Against Known Threats in Production: New vulnerabilities in widely used container images (database images, open-source services) are published regularly, and organizations often scramble to patch or update once a CVE is announced. Gated deployment serves as an automatic shield against issues the registry scan has already recorded: once a critical CVE in, say, Nginx appears in an image's vulnerability artifact, any deployment of that image is denied until a patched image has been scanned and passes the policy. The same rules stop an attacker who tries to deploy a container image that fails the security criteria, for example an image with no scan artifact at all. Two caveats apply. The gate only knows what the scan artifact says, so an image carrying a vulnerability that scanners do not yet detect, or a backdoor that is not a known CVE, passes if it otherwise meets the rule. And because this is admission control, it complements rather than replaces runtime threat detection: instead of detecting malicious activity after a container is running, it prevents images that fail the policy from being admitted at all.
- Streamlining Cloud Deployment Workflows with Security Built-In: Enterprises embracing cloud-native development want to move fast but safely. Gated deployment lets security teams define guardrails, and then developers can operate within those guardrails without constant oversight. For example, a company can set a policy “all images must be scanned and free of critical vulnerabilities before deployment.” Once that rule is in place, developers simply get an error if they try to deploy something out-of-bounds – they know to go back and fix it and then redeploy. This removes the need for manual ticketing or approvals for each deployment; the system itself enforces the policy. That increases operational efficiency and ensures a consistent baseline of security across all services. Gated deployment operationalizes the concept of “secure by default” for Kubernetes workloads: every deployment is vetted, with no extra steps required by end-users beyond what they normally do.
Part of a Broader Security Strategy
Kubernetes gated deployment is a key piece of Microsoft’s larger vision for container security and software supply chain security. While gating is a powerful tool on its own, its value multiplies when seen as part of Microsoft Defender for Cloud’s holistic container security offering. It complements the other security layers available for containerized applications, covering the full lifecycle of container workloads from development to runtime. Putting gated deployment in the context of that broader story:
- During development and build phases, Defender for Cloud offers tools like CI/CD pipeline scanning (for example, a CLI that scans images during the build process).
- Agentless discovery, inventory and continuous monitoring of cloud resources detect misconfigurations and support contextual risk assessment and risk hunting.
- Continuous agentless vulnerability scanning takes place at both the registry and runtime level.
- Gated deployment prevents images with known issues from ever being admitted and logs every non-compliant deployment attempt.
- Threat Detection surfaces anomalies or malicious activities by monitoring Kubernetes audit logs and live workloads. Using integration with Defender XDR, organizations can further investigate these threats or implement response actions.
Conclusion: Raising the Bar for Multi-Cloud Container Security
With Kubernetes gating now generally available in Defender for Cloud, technical leaders and security teams can audit or block vulnerable container images across cloud platforms. Combining automated admission controls with the practices above improves compliance and reduces risk in cloud-native environments.
The result is a stronger Kubernetes posture: unsafe deployments are prevented before they run, compliance is enforced continuously, and teams can keep delivering quickly without sacrificing security.
Additional Resources to Learn More:
- Release Notes
- Overview of Gated Deployment
- Enable Gated Deployment
- Troubleshooting
- FAQ
- Test Gated Deployment in Your Own Environment
Reviewers:
Maya Herskovic, Principal Product Manager
Dolev Tsuberi, Senior Software Engineer