Azure Defender for Containers - Limits, Control daemonsets and deployments, updates, no uninstall?


Hi,


I use Azure Defender for Containers on multiple AKS clusters, and so far I'm very unhappy with the service. If it worked as intended it would be a great feature, but at this moment it's broken.


  • Limits are set too low (60m for the publisher pods). This makes the pods crash and eventually trigger CrashLoopBackOff. On one cluster I have 600+ reboots of these pods a day, triggering a flood of Log Analytics ingests and costing an insane amount of money.
  • Another problem is the livenessProbe: it keeps failing, triggering more ingest to Log Analytics.
  • You can't edit the daemonsets and deployments. Well, it is possible, but after 15 minutes the YAMLs just get overwritten by an undocumented mechanism. Changing limits is useless; trying to troubleshoot at all is useless.
  • The YAMLs contain paths to the image repositories, but when looking up the versions, they seem old. mcr.microsoft.com/azuredefender/stable/security-publisher:0.3.27 is at least 8 versions old. Again, updating the YAMLs pulls the new versions, but after 15 minutes it gets rolled back.
  • Is there an update control that I'm not aware of? There is no documentation. MS seems to push the YAMLs every 15 minutes, so this should be an easy fix. Just please write documentation on how it works.
  • Last but not least, the biggest issue. Because of the above I tried uninstalling the solution for now. It is pretty expensive as it is, and because of the added Log Analytics cost I can't stand behind the product for now. I followed the documentation, removing auto onboarding from Defender, and used the REST API to set azureDefender enabled: false. The PUT command went through fine.
  • I wait, and wait. Nothing happens. So I remove all Defender resources from a cluster and after 15 minutes, everything is back....

I have the solution set to off in the Defender portal, auto onboarding is turned off, but I can't remove the solution.... How is this even possible?


These things are happening on 3 clusters over two Azure tenants. I raised a ticket already, but at this moment, I don't think it is something I did.


Don't get me wrong, I like Azure and I like Defender, but the container solution seems broken at this moment.

3 Replies
Hi Jeff,
Thank you for your feedback. We will review it with the team and come back to you.

Hello Jeffery,
This is Eli from Defender for Containers support.
Thanks for the feedback!
We'd like to investigate your claims deeper. You stated that a support case was created: Can you please provide its ID?
To protect your privacy, please email it to me at eli.sagie@microsoft.com.


Thanks.

@Eli Sagie 


Hi there, 


Sorry for the late reply. I have just sent you a mail with the case.