-
Notifications
You must be signed in to change notification settings - Fork 14k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #31851 from marosset/move-windows-security-1.24
Moving Windows security info to new page
- Loading branch information
Showing
2 changed files
with
55 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| --- | ||
| reviewers: | ||
| - jayunit100 | ||
| - jsturtevant | ||
| - marosset | ||
| - perithompson | ||
| title: Security For Windows Nodes | ||
| content_type: concept | ||
| weight: 75 | ||
| --- | ||
|
|
||
| <!-- overview --> | ||
|
|
||
| This page describes security considerations and best practices specific to the Windows operating system. | ||
|
|
||
| <!-- body --> | ||
|
|
||
| ## Protection for Secret data on nodes | ||
|
|
||
| On Windows, data from Secrets are written out in clear text onto the node's local | ||
| storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster | ||
| operator, you should take both of the following additional measures: | ||
|
|
||
| 1. Use file ACLs to secure the Secrets' file location. | ||
| 1. Apply volume-level encryption using [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server). | ||
|
|
||
| ## Container users | ||
|
|
||
| [RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername) | ||
| can be specified for Windows Pods or containers to execute the container | ||
| processes as specific user. This is roughly equivalent to | ||
| [RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups). | ||
|
|
||
| Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator. | ||
| The differences between these two user accounts are covered in | ||
| [When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts) within Microsoft's _Secure Windows containers_ documentation. | ||
|
|
||
| Local users can be added to container images during the container build process. | ||
|
|
||
| {{< note >}} | ||
|
|
||
| * [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as `ContainerUser` by default | ||
| * [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as `ContainerAdministrator` by default | ||
|
|
||
| {{< /note >}} | ||
|
|
||
| Windows containers can also run as Active Directory identities by utilizing [Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/) | ||
|
|
||
| ## Pod-level security isolation | ||
|
|
||
| Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom | ||
| POSIX capabilities) are not supported on Windows nodes. | ||
|
|
||
| Privileged containers are [not supported](#compatibility-v1-pod-spec-containers-securitycontext) on Windows. | ||
| Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod) can be used on Windows to perform many of the tasks performed by privileged containers on Linux. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters