Windows security options set incorrect default values #2575

Open
david-garcia-garcia opened this issue Aug 26, 2024 · 2 comments
@david-garcia-garcia

Terraform Version, Provider Version and Kubernetes Version

Terraform v1.9.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.116.0
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/newrelic/newrelic v3.42.3
Kubernetes provider version:
Kubernetes version: 1.29.5

Affected Resource(s)

kubernetes_daemonset

I believe any resource containing a container def has the same issue.

Terraform Configuration Files

resource "kubernetes_deployment_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    template {
      spec {
        security_context {
          windows_options {
            host_process    = true
            run_as_username = "NT AUTHORITY\\SYSTEM"
          }
        }

        host_network = true
      }
    }
  }
}

Debug Output

Error: Failed to update daemonset: DaemonSet.apps "newrelic-windows-2004" is invalid: [spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpecName: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpec: Invalid value: "": gmsaCredentialSpec cannot be an empty string]

Expected Behavior

gmsa_credential_spec and gmsa_credential_spec_name should not be required. It is currently impossible to create a container using windows options without specifying those, because it looks like the API call is setting them to empty strings, which is incorrect.

Looks like in the implementation this was incorrectly set as required?

812e23e

Actual Behavior

Should apply OK.

References

#1623

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@david-garcia-garcia

This comment here also points to the opposite also happening, someone trying to set gmsa values, but not runAsUser:

#1623 (comment)
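
An added illustration of the failure both comments above describe (not the provider's code and not from the issue author): in Go, `omitempty` on a `*string` drops only a nil pointer, so an expander that always takes the address of the attribute value sends `""` for fields the user never set. The names `windowsOptions`, `expandNaive`, `expandOptional` and `render` are hypothetical, and the struct is a local stand-in for the API's windowsOptions fields.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// windowsOptions is a local stand-in for the Kubernetes windowsOptions object
// (JSON names as in the API), defined here so the example runs offline.
type windowsOptions struct {
	GMSACredentialSpecName *string `json:"gmsaCredentialSpecName,omitempty"`
	GMSACredentialSpec     *string `json:"gmsaCredentialSpec,omitempty"`
	RunAsUserName          *string `json:"runAsUserName,omitempty"`
	HostProcess            *bool   `json:"hostProcess,omitempty"`
}

// expandNaive (hypothetical) copies every attribute, so an unset string becomes
// a non-nil pointer to "". omitempty does not drop it and "" reaches the API.
func expandNaive(in map[string]string, hostProcess bool) windowsOptions {
	name, spec, user := in["gmsa_credential_spec_name"], in["gmsa_credential_spec"], in["run_as_username"]
	return windowsOptions{&name, &spec, &user, &hostProcess}
}

// expandOptional (hypothetical) leaves the pointer nil when the attribute is unset.
func expandOptional(in map[string]string, hostProcess bool) windowsOptions {
	opt := func(key string) *string {
		if v, ok := in[key]; ok && v != "" {
			return &v
		}
		return nil
	}
	return windowsOptions{opt("gmsa_credential_spec_name"), opt("gmsa_credential_spec"),
		opt("run_as_username"), &hostProcess}
}

// render returns the JSON body that would be sent for these options.
func render(o windowsOptions) string {
	b, _ := json.Marshal(o)
	return string(b)
}

func main() {
	// Constructed input matching the configuration in the issue.
	cfg := map[string]string{"run_as_username": `NT AUTHORITY\SYSTEM`}
	fmt.Println("naive:   ", render(expandNaive(cfg, true)))
	fmt.Println("optional:", render(expandOptional(cfg, true)))
}
```
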
