This article explains how to disable and remove Defender for Containers from your GCP GKE environment.
When you enable Defender for Containers capabilities that use automatic provisioning, or use recommendations to manually deploy container capabilities on specific resources, you install Defender components and extensions in your environment. To help you keep track of these components, the following sections provide tables that show each Defender for Cloud feature and the Defender for Containers components, extensions, and roles it installs.
If you decide to stop using those capabilities, you might also want to remove these components from your environment. This article helps you understand the actions you can take to remove them.
The components and roles fall under two removal-type categories:
- Safe to remove - Resources and settings exclusively used by Defender for Containers. You can safely remove these resources if you're no longer using the associated capability.
- Shared component - Resources that might be used by non-Defender for Cloud solutions or by other Defender for Cloud solutions in the target cloud environment. If you disable a shared resource, the other solutions might be negatively affected. Before removing these resources, review if other solutions in that cloud environment need the resource.
Important
Removing Defender for Containers eliminates security protection for your GKE clusters. Make sure you have alternative security measures in place before you proceed.
GCP scenarios
Resources created via script
| Offering | Resource | Manual offboarding | Removal information |
|---|---|---|---|
| Workload runtime threat protection | logging.googleapis.com API | Non-Defender for Cloud clients in your project might use the GCP Logging API. Check whether other clients use it before you disable the API. | Shared component |
| Workload runtime threat protection | Data Access audit logs configuration | Disable Data Access audit logs for the Kubernetes Engine API | Shared component |
| Workload runtime threat protection, Kubernetes data plane hardening | ms-defender-containers (Service Account) | gcloud iam service-accounts delete | Safe to remove |
| Workload runtime threat protection | ms-defender-containers-stream (Service Account) | gcloud iam service-accounts delete | Safe to remove |
| Agentless discovery for Kubernetes | mdc-containers-k8s-operator stream (Service Account) | gcloud iam service-accounts delete | Safe to remove |
| Agentless Container Vulnerability Assessment | mdc-containers-artifact-assess stream (Service Account) | gcloud iam service-accounts delete | Safe to remove |
| Container runtime threat protection | MicrosoftDefenderContainersDataCollectionRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
| Container runtime threat protection | MicrosoftDefenderContainersRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
| Agentless discovery for Kubernetes | MDCGkeClusterWriteRole | gcloud iam roles delete (Google Cloud CLI documentation) | Safe to remove |
| Shared between all five Containers offerings | containers OIDC workload identity pool provider | Manage workload identity pools and providers | Safe to remove |
| Workload runtime threat protection | containers-streams OIDC workload identity pool provider | Manage workload identity pools and providers | Safe to remove |
Resources created automatically after connector creation - GCP
| Offering | Resource | Manual offboarding | Removal information |
|---|---|---|---|
| Workload runtime threat protection | Pub/Sub topic | gcloud pubsub topics delete. Each cluster in a project has a topic with the prefix MicrosoftDefender- | Safe to remove |
| Workload runtime threat protection | Pub/Sub subscription | gcloud pubsub subscriptions delete. Each cluster in a project has a subscription with the prefix MicrosoftDefender- | Safe to remove |
| Workload runtime threat protection | Log sink | gcloud logging sinks delete (Google Cloud CLI documentation) | Safe to remove |
| Workload runtime threat protection | Defender sensor (per cluster in a project) + Arc for Kubernetes | Defender sensor removal | Safe to remove |
| Workload runtime threat protection, Kubernetes data plane hardening | Azure Arc-enabled Kubernetes (connects your GKE clusters to Azure) | Remove Azure Arc-enabled Kubernetes per cluster via Azure CLI or Azure PowerShell. Running this command deletes all Arc-related resources, including extensions | Safe to remove |
| Workload runtime threat protection, Kubernetes data plane hardening | Azure Policy extension | Remove Defender extensions per cluster using the Azure portal, Azure CLI, or REST API | Safe to remove |
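The GCP side of the two tables above amounts to a short offboarding script. The following is an added example, not part of the Microsoft article and not Defender for Cloud's own tooling: it deletes the per-cluster Pub/Sub topics and subscriptions by their MicrosoftDefender- prefix, deletes the listed service accounts and custom roles, and applies the shared-component rule to the log sink by deleting it only when its destination is a Defender topic. Every gcloud call goes through a small run() wrapper that prints the command instead of executing it unless APPLY=1, so the plan can be reviewed first. The project id, the service-account ids, the role ids and the sample topic, subscription and sink names are assumptions for illustration; confirm the real ids with `gcloud iam service-accounts list` and `gcloud iam roles list --project=...` before running with APPLY=1.

```shell
#!/usr/bin/env bash
# Added example; not from the Microsoft article or from Defender for Cloud.
# Removes the GCP resources the tables above mark "safe to remove" for one
# project and applies the shared-component check to the log sink. run() only
# prints each gcloud command unless APPLY=1. Assumptions: PROJECT is your GCP
# project id; service-account and custom-role ids are the ones listed in the
# tables (verify with gcloud before running with APPLY=1).
set -eu

PROJECT="${PROJECT:-example-project}"
APPLY="${APPLY:-0}"

run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Keep only the per-cluster Pub/Sub resources Defender created (prefix
# MicrosoftDefender-); anything else in the project passes through untouched.
defender_only() {
  grep -E '^MicrosoftDefender-' || true
}

# $1: newline-separated subscription ids, in live use taken from
#   gcloud pubsub subscriptions list --project="$PROJECT" --format='value(name.basename())'
delete_subscriptions() {
  printf '%s\n' "$1" | defender_only | while IFS= read -r s; do
    if [ -n "$s" ]; then
      run gcloud pubsub subscriptions delete "$s" --project="$PROJECT" --quiet
    fi
  done
}

# $1: newline-separated topic ids, in live use taken from
#   gcloud pubsub topics list --project="$PROJECT" --format='value(name.basename())'
delete_topics() {
  printf '%s\n' "$1" | defender_only | while IFS= read -r t; do
    if [ -n "$t" ]; then
      run gcloud pubsub topics delete "$t" --project="$PROJECT" --quiet
    fi
  done
}

# Shared-component check for the log sink: a sink is only Defender's if it feeds
# a Defender topic. $1 is the destination string printed by
#   gcloud logging sinks describe NAME --project="$PROJECT" --format='value(destination)'
sink_is_defender() {
  case "$1" in
    pubsub.googleapis.com/projects/*/topics/MicrosoftDefender-*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: sink name, $2: its destination. Sinks feeding anything else are skipped.
delete_sink_if_defender() {
  if sink_is_defender "$2"; then
    run gcloud logging sinks delete "$1" --project="$PROJECT" --quiet
  else
    printf 'SKIP: sink %s feeds %s, which is not a Defender topic\n' "$1" "$2"
  fi
}

# Service-account and custom-role ids from the tables above (assumed; verify first).
DEFENDER_SERVICE_ACCOUNTS="ms-defender-containers ms-defender-containers-stream mdc-containers-k8s-operator mdc-containers-artifact-assess"
DEFENDER_ROLES="MicrosoftDefenderContainersDataCollectionRole MicrosoftDefenderContainersRole MDCGkeClusterWriteRole"

delete_service_accounts() {
  local sa
  for sa in $DEFENDER_SERVICE_ACCOUNTS; do
    run gcloud iam service-accounts delete "${sa}@${PROJECT}.iam.gserviceaccount.com" --project="$PROJECT" --quiet
  done
}

delete_roles() {
  local r
  for r in $DEFENDER_ROLES; do
    run gcloud iam roles delete "$r" --project="$PROJECT" --quiet
  done
}

# Constructed sample input so the dry run works offline: two Defender clusters
# plus an unrelated topic, subscription and sink that must survive. With APPLY=1,
# feed the real lists from the gcloud list commands noted above instead.
SAMPLE_TOPICS="MicrosoftDefender-cluster-a
MicrosoftDefender-cluster-b
billing-events"
SAMPLE_SUBS="MicrosoftDefender-cluster-a
MicrosoftDefender-cluster-b
billing-events-sub"

delete_subscriptions "$SAMPLE_SUBS"   # subscriptions first: deleting a topic would orphan them
delete_topics "$SAMPLE_TOPICS"
delete_sink_if_defender "MicrosoftDefender-cluster-a" "pubsub.googleapis.com/projects/$PROJECT/topics/MicrosoftDefender-cluster-a"
delete_sink_if_defender "audit-to-bigquery" "bigquery.googleapis.com/projects/$PROJECT/datasets/audit"
delete_service_accounts
delete_roles
```

Run it once without APPLY to read the DRY-RUN lines, then with `APPLY=1 PROJECT=<your-project>` after replacing the sample lists with live `gcloud ... list` output. The Logging API and the Data Access audit-log configuration are deliberately not touched: both are shared components, and disabling them can silently break other consumers in the project.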
Disable Defender for Containers
Using Azure portal
- Go to Microsoft Defender for Cloud > Environment settings.
- Select your GCP connector.
- Select Settings.
- Toggle Containers to Off.
- Select Save.
Remove Defender components from GKE clusters
Remove the Defender extension
az k8s-extension delete \
--name microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group> \
--yes
Disconnect GKE clusters from Azure Arc
az connectedk8s delete \
--name <cluster-name> \
--resource-group <resource-group> \
--yes
Delete the GCP connector
Using Azure portal
- Go to Microsoft Defender for Cloud > Environment settings.
- Find your GCP connector.
- Select the ... (more options) menu.
- Select Delete.
- Confirm deletion.
Verify removal
Check GKE cluster
kubectl get pods -n kube-system -l app=microsoft-defender
No pods should be returned after successful removal.
Check Azure portal
- Go to Microsoft Defender for Cloud > Environment settings.
- Verify the GCP connector is removed or shows Containers as disabled.
- Check that no GKE-related recommendations appear.
Re-enable Defender for Containers
To re-enable Defender for Containers:
- Follow the deployment guide: Enable all Defender for Containers components on GCP (GKE)
- Recreate service accounts and permissions
- Reconnect clusters to Azure Arc
- Redeploy the Defender sensor
All security features are restored, but no data is available for the period during which Defender for Containers was disabled.