Add local user account creation for host process containers #1286
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dcantah
commented
Feb 4, 2022
|
I tried out these changes in a K8s cluster and everything is working as expected. On one of the Windows nodes I performed the following actions
net localgroup hpc-users /add
mkdir c:\hpc-user-share
icacls c:\hpc-user-share /inheritance:r
icacls c:\hpc-user-share /grant:r SYSTEM:(OI)(CI)(F)
icacls c:\hpc-user-share /grant:r BUILTIN\Administrators:(OI)(CI)(F)
icacls c:\hpc-user-share /grant:r hpc-users:(OI)(CI)(F)
icacls c:\hpc-user-share
c:\hpc-user-share 1576k8s00000000\hcp-users:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
mkdir c:\admin-share
icacls c:\admin-share /inheritance:r
icacls c:\admin-share /grant:r SYSTEM:(OI)(CI)(F)
icacls c:\admin-share /grant:r BUILTIN\Administrators:(OI)(CI)(F)
C:\Users\azureuser>icacls c:\admin-share
c:\admin-share BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)(not a step but here are the ACLs for c:\windows) icacls c:\windows
c:\windows NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)I think created a pod with the following deployment file apiVersion: v1
kind: Pod
metadata:
name: test-account-test
spec:
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: hpc-users
hostNetwork: true
containers:
- name: test
image: mcr.microsoft.com/windows/nanoserver:1809
command:
- "ping"
- "-t"
- "127.0.0.1"
nodeSelector:
"kubernetes.io/os": windowsExec'ed into it and ran the following actions. C:\C\dc5fa129a454d485e76f291b905c62ea3b096ef742051cd7dac592dfffb420ed>whoami
1576k8s00000000\dc5fa129a454d485e76f
C:\C\dc5fa129a454d485e76f291b905c62ea3b096ef742051cd7dac592dfffb420ed>cd c:\hpc-user-share
c:\hpc-user-share>echo "" > temp
c:\hpc-user-share>cd c:\admin-share
Access is denied.
c:\hpc-user-share>cd c:\Windows
c:\Windows>echo "" > temp
Access is denied. |
dcantah
force-pushed
the
temp-account-hpc
branch
from
18d7f5e
to
40572b9
Compare
dcantah
force-pushed
the
temp-account-hpc
branch
from
40572b9
to
d50887b
Compare
dcantah
force-pushed
the
temp-account-hpc
branch
from
d50887b
to
fe1f499
Compare
helsaawy
reviewed
Feb 8, 2022
dcantah
force-pushed
the
temp-account-hpc
branch
from
fe1f499
to
92d90aa
Compare
helsaawy
approved these changes
Feb 11, 2022
|
@ambarve ptal when you get a chance |
|
Actually this needs a quick rebase |
This change is experimental for now. This allows a user the ability to pass a Windows group name as the username for the container. What happens in this case is: 1. Client provides a Windows group name as the username for the container 2. We validate that it's a group, and if so then make a temporary local account. 3. Add local account to the group passed in and run the container under the account. 4. On container exit delete the account. This allows a client to setup a group with whatever permissions/restrictions needed on it and have any host process containers run as a user in the group. The blocker for not just creating a user itself with the right permissions is there's no cri field to pass a user password, and passwordless logon seems to be blocked on Windows by default. Signed-off-by: Daniel Canter <dcanter@microsoft.com>
1. Fix comment regarding when to create a new token 2. Make "go friendly" wrappers for the net functions so we don't have to windows.UTF16PtrFromString at the callsite everywhere. Signed-off-by: Daniel Canter <dcanter@microsoft.com>
* Make comment on makeLocalAccount more clear * Delete account if any errors occurred. * Don't return on first error in jobcontainer.Close() Signed-off-by: Daniel Canter <dcanter@microsoft.com>
dcantah
force-pushed
the
temp-account-hpc
branch
from
92d90aa
to
4e62590
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows a user the ability to pass a Windows group name as the username for the container. What happens in this
case is:
account.
account.
This allows a client to setup a group with whatever permissions/restrictions
needed on it and have any host process containers run as a user in the group.
The blocker for not just creating a user itself with the right permissions is
there's no cri field to pass a user password, and passwordless logon seems to be
blocked on Windows by default.