-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Add Group Managed Service Account support to Windows #62038
Comments
@PatrickLang: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I tried to add this to SIG-Node agenda but don't have access. I would like to discuss with SIG-Node on 9 April 2018 if possible. |
Past edits are also available at https://github.com/PatrickLang/community/blob/patricklang-gmsa/sig-windows/gmsa-proposal.md |
cc @kubernetes/sig-auth-feature-requests |
This is exactly the kind of efforts that the container identity wg was formed to address where your machine is already enrolled in some identity system like kerberos, then would like to delegate a service account to the container running on it. https://github.com/kubernetes/community/tree/master/wg-container-identity It might be worth taking this proposal there and reviewing some of the alternative designs for accomplishing this such as: kubernetes/community#1132 |
Thanks @ericchiang , I proposed it for the agenda on 20 April |
Hi, we'd be super interested in this area. We have a Kerberos-based Directory Service (on Linux) and shareable service accounts for containers is of great interest |
Good feedback from sig-auth:
Will continue discussion next meeting |
Following up from the discussion in the Container Identity Working Group: What controls who is allowed to specify a given Service Account? Some options:
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@PatrickLang Any updates on this? |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Any progress on this? |
@Vacant0mens not lately. we will revisit this after we go stable (likely with v1.13). thanks |
Looks like it got pushed to 1.14: https://trello.com/c/wmZ2j67q |
we will definitely not visit this before 1.13 is complete. So this feature may land with 1.14 or possibly later. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Any news? |
/remove-lifecycle stale |
/remove-lifecycle rotten |
/remove-lifecycle stale |
@ddebroy is working on scoping this work so that we can start development. No ETA is yet established for delivery |
/assign |
We're tracking this in kubernetes/enhancements#689 now |
@PatrickLang: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Windows Service Accounts in Kubernetes
Authors: Patrick Lang (@patricklang), Ryan Puffer (@rpsqrd)
Reviewers: Peter Hornyack, more welcome!
What is Active Directory?
Windows applications and services typically use Active Directory identities to facilitate authentication and authorization between resources. In a traditional virtual machine scenario, the computer is joined to an Active Directory domain which enables it to use Kerberos, NTLM, and LDAP to identify and query for information about other resources in the domain.
What is a service account?
A Group Managed Service Account (gMSA) is a shared Active Directory identity that enables common scenarios such as authenticating and authorizing incoming requests and accessing downstream resources such as a database server, file share, or other workload.
How is it applied to containers?
To achieve the scale and speed required for containers, Windows uses a group managed service account in lieu of individual computer accounts to enable Windows containers to communicate with Active Directory. As of right now, Windows cannot use individual Active Directory computer & user accounts.
Different containers on the same machine can use different gMSAs to represent the specific workload they are hosting, allowing operators to granularly control which resources a container has access to. However, to run a container with a gMSA identity, an additional parameter must be supplied to the Windows Host Compute Service to indicate the intended identity. This proposal seeks to add support in Kubernetes for this parameter to enable Windows containers to communicate with other enterprise resources.
It's also worth noting that Docker implements this in a different way that's not managed centrally. It requires dropping a file on the node and referencing it by name, eg:
docker run --credential-spec='file://foo.json'
. For more details see the Microsoft doc.Parts of solution
Provisioning Workflow
This is a workflow that's handled outside of Kubernetes until the last step. Most organizations have tight control over who can create Active Directory accounts, and the role is usually separated from that of an application owner. Performing these steps in Kubernetes is not a goal.
a. Joins all Windows nodes to the Active Directory domain.
b. Provisions the service account and gives details to application admin.
c. Assigns access to a security group to control what machines can use this service account. This group should include all authorized Kubernetes nodes.
kubectl create secret generic WindowsServiceAccount1 --from-file=credspec.json
Steps 2 and 3 could potentially be built into cluster management tools such as
kubeadm
at a later time for an easier cluster admin experience.Example credentialspec.json
Today this would typically be around 400-2000 characters of JSON, but could grow in the future if additional account types or configurations are added.
Deployment Workflow
Deployment should be as simple as using a Kubernetes secret, but a different property will be used that's specific to Windows. This is optional, and would only be used in machines already joined to an Active Directory domain. It has no relation or dependency on existing K8s service accounts because it cannot be used inside of containers/pods to access any resources. It's used on the node side by the Windows runtime only.
There are two options proposed on how this could be done.
Option 1 - Make the new field
WindowsCredentialSpec
a reference to a k8s secret. This keeps the verbose credential spec out of the deployment which may be easier to manage and read. If multiple deployments need the same credential spec and it needs to be changed, it can be done in a single place by updating the k8s secret. The rest of this document will assume the workflow for Option 1.Option 2 - Make the new field
WindowsCredentialSpec
a literal. This will be JSON passed as-is in the OCI spec. If multiple deployments are using the same GMSA, each one will need to be updated individually.Node workflow
No extra steps or configuration are needed in the kubelet config, and no additional daemon sets are required. The deployment should contain everything needed (except the contents of the secret) as its passed from the apiserver. The kubelet will automatically pull the contents of the credentialspec from the secret, which is the same flow used for in-tree volume plugins (cephfs, iscsi, rbd, ...) today.
Deployment request includes a container with WindowsCredentialSpec set to secret name
The kubelet will retrieve the credentialspec JSON from the secret and set
windows.CredentialSpec
per the OCI Runtime SpecificationThe CRI implementation will pass this to Windows as appropriate.
a. Dockershim will need to implement an intermediate step because Docker EE-basic 17.x builds available on Windows read credentialspecs from files. The dockershim will need to copy the contents of the credentialspec to a local file with a unique name under the folder
c:\programfiles\docker\credentialspecs
such asd4d521e1-2933-4d59-9b8e-ebe51524a76e.json
. When the pod is destroyed, the file should be deleted by dockershim.b. CRI-containerd should be able to pass the JSON as-is to Windows
Glossary
Metadata & links
This would address part of the ask in #51691, but not other uses of
--security-opt
@kubernetes/sig-node-feature-requests
/kind feature
The text was updated successfully, but these errors were encountered: