KEP: Windows GMSA support #2296
Conversation
k8s-ci-robot
added
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
sig/architecture
jdumars
added
sig/auth
| - Add the secret to the service account - `kubectl patch serviceaccount/webserver -p '{\"windowsCredentialSpec\": \"webserverCredSpec\"}'` | ||
| 3. The Kubernetes admin gives a set of users rights to the namespace and service account | ||
| 4. Application admin deploys the app with `ServiceAccount: webserver` as part of the PodSpec | ||
| 5. The admission controller validates this user has access to the service account, and sets `PodSpec.windowsSecurityContext.CredentialSpec` to the contents of the secret |
There was a problem hiding this comment.
Why not check that the admin has permission to use the GMSA when patching the kubernetes service account? It might be a simpler model to only check permissions when delegated the GMSA to a namespace, then fallback to native kubernetes ACL model (if you have permission in a namespace, you can use the {kube, group managed} service accounts in that namespace)? This is purely a suggestion and has pros and cons, but one major con of what is currently written is that all controllers would need direct permission on all GMSAs in whatever permission system your admission controller is checking.
| Go in to as much detail as necessary here. | ||
| This might be a good place to talk about core concepts and how they releate. | ||
|
|
||
| The Windows OCI runtime already has support for `windows.CredentialSpec` and is implemented in Moby. |
There was a problem hiding this comment.
This will need to be added to the CRI so you will need to interact with sig-node.
| } | ||
| ``` | ||
|
|
||
| - Create a secret in the namespace of type `WindowsCredentialSpec` with the contents of the JSON - `kubectl create secret -n ... generic webserverCredSpec --from-file credspec.json` |
There was a problem hiding this comment.
Why not use a configmap if this contains nothing confidential?
|
@PatrickLang: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
/kind kep |
thockin
changed the title
| title: Windows Group Managed Service Accounts for Container Identity | ||
| authors: | ||
| - "@patricklang" | ||
| owning-sig: "wg-container-identity" |
There was a problem hiding this comment.
The docs note that a SIG needs to own this. See https://github.com/kubernetes/community/blob/master/keps/0001-kubernetes-enhancement-proposal-process.md#kep-metadata
Would sig-auth or sig-windows be a good owner?
| #### What is Active Directory? | ||
| Windows applications and services typically use Active Directory identities to facilitate authentication and authorization between resources. In a traditional virtual machine scenario, the computer is joined to an Active Directory domain which enables it to use Kerberos, NTLM, and LDAP to identify and query for information about other resources in the domain. When a computer is joined to Active Directory, it is given an unique identity represented as a computer object in LDAP. | ||
|
|
||
| #### What is a Windows service account? |
There was a problem hiding this comment.
Are these service accounts or service principals?
|
@mattfarina: GitHub didn't allow me to request PR reviews from the following users: patricklang. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
REMINDER: KEPs are moving to k/enhancements on November 30. Please attempt to merge this KEP before then to signal consensus. Any questions regarding this move should be directed to that thread and not asked on GitHub. |
|
KEPs have moved to k/enhancements. Any questions regarding this move should be directed to that thread and not asked on GitHub. |
|
@justaugustus: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Starting a KEP to supercede kubernetes/kubernetes#62038
I'd like to develop this with wg-container-identity, sig-auth, and sig-windows, and it seems like KEP is the easiest way to capture feedback and version control the proposal until the code is implemented.
Will also resolve key ask from kubernetes/kubernetes#51691
cc @rpsqrd