This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Describe the solution you'd like
A policy that blocks ContainerAdministrator from being set on the WindowsOptions podspec. It is generally a good idea to run your containers with ContainerUser for Windows pods. The users are not shared between the container and host, but ContainerAdministrator does have additional privileges within the container. In the PR for kubernetes/kubernetes#92355 an agreement was made to block ContainerAdministrator if RunAsNonRoot was specified.
The pod spec looks like (can also be set per container):
There are also username limitations to be aware of: https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/#windows-username-limitations
Anything else you would like to add:
The following has more information on Windows Security Policies which are currently being defined:
kubernetes/kubernetes#64801 (comment)
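One way to express the requested check, as an added example that is not part of the issue or of any project's policy code: a Python function that walks a Pod manifest and reports every place that sets runAsUserName to ContainerAdministrator, at pod level or per container. The function names, the constructed sample manifests, and the choice to match case-insensitively and ignore a DOMAIN\ prefix are assumptions.

```python
# Added example. The field paths are Kubernetes Pod API fields; the helper
# names and the sample manifests below are constructed for illustration.
BLOCKED = "containeradministrator"
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
SUFFIX = "securityContext.windowsOptions.runAsUserName"


def _run_as_user_name(security_context):
    """Return windowsOptions.runAsUserName from a securityContext, or None."""
    return ((security_context or {}).get("windowsOptions") or {}).get("runAsUserName")


def _is_blocked(user_name):
    # Assumption: match case-insensitively and ignore a DOMAIN\ prefix, so
    # "User Manager\ContainerAdministrator" is caught as well.
    if not isinstance(user_name, str):
        return False
    return user_name.rsplit("\\", 1)[-1].casefold() == BLOCKED


def violations(pod):
    """Return the paths in a Pod manifest (dict) that set the blocked user."""
    spec = pod.get("spec") or {}
    found = []
    if _is_blocked(_run_as_user_name(spec.get("securityContext"))):
        found.append(f"spec.{SUFFIX}")
    for field in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(field) or []):
            if _is_blocked(_run_as_user_name(container.get("securityContext"))):
                found.append(f"spec.{field}[{i}].{SUFFIX}")
    return found


# Constructed sample: the pod-level value is fine, one container overrides it.
POD_BAD = {"spec": {
    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
    "containers": [
        {"name": "web", "securityContext": {
            "windowsOptions": {"runAsUserName": "containeradministrator"}}},
        {"name": "sidecar"},
    ],
}}
# Constructed sample: nothing sets the blocked user.
POD_OK = {"spec": {
    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
    "containers": [{"name": "web"}],
}}

if __name__ == "__main__":
    for name, pod in (("POD_BAD", POD_BAD), ("POD_OK", POD_OK)):
        print(name, violations(pod) or "allowed")
```

A pod that leaves runAsUserName unset runs as the user configured in the image, which a check on the pod spec alone does not see.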