Challenges with gMSA in Containerized Environments
Aside from being used for authentication across multiple instances, gMSAs solve two additional problems:
- Containers cannot join the domain, and;
- When you start a container, you never really know which host in your cluster it's going to run on. You might have three replicas running across hosts A, B, and C today and then tomorrow you have four replicas running across hosts Q, R, S, and T.
which is a cluster-wide resource and can be used as a parameter when you create a Windows container service:

```
docker config create credspec ...
```

Swarm then automatically provides the credential spec to the appropriate container at runtime. Much like a secret, the config is only provided to containers that require it; and unlike a typical docker config, the cred spec is not mounted as a file in the system.

```
docker service create --credential-spec="config://credspec" ...
```
Bringing gMSA credspecs to Kubernetes
Now that Kubernetes 1.14 has added support for Windows, the number of Windows container applications is likely to increase substantially, and this same gMSA support will be important to anybody trying to run production Windows apps in their Kubernetes environment. The Docker team has been supporting this effort within the Kubernetes project with help from the SIG-Windows community. gMSA support is in the Alpha release phase in Kubernetes 1.14.

gMSAs in Kubernetes work in a similar fashion to the config in Swarm: you create a credspec for the gMSA, use Kubernetes RBAC to control which pods can access the credspec, and then your pods can access the appropriate gMSA as needed. Again, this is still in Alpha right now, so if you want to try it out you will have to enable the feature first.

We have additional work we are contributing upstream in addition to the gMSA work, like CSI support for Windows workloads, and we'll share more about that in the weeks ahead as they reach alpha release stages. To find out more:
- If you’re attending OSCON check out the “Deploying Windows apps with Draft, Helm, and Kubernetes” session by Jessica Deen
- Test out the new gMSA config specs, coming soon in Docker Enterprise 3.0
- Review and contribute to the Kubernetes Windows gMSA SIG or other enhancement proposals
- Learn more about Microsoft Group Managed Service Accounts
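As an added worked example (not code from this post, from Docker, or from the Kubernetes project): the credential spec that the Swarm config and the Kubernetes alpha feature both carry is a JSON document. The Python below checks one against the shape the Microsoft CredentialSpec PowerShell module produces (CmsPlugins / DomainJoinConfig / ActiveDirectoryConfig), then renders the Kubernetes objects that gate access to it: the GMSACredentialSpec custom resource, a ClusterRole granting the `use` verb on only that one spec (via `resourceNames`, so a binding does not hand out every credspec in the cluster), a RoleBinding for the pod's service account, and a pod carrying the alpha annotation. All SIDs, GUIDs, domain and account names are constructed sample values; the `windows.k8s.io/v1alpha1` group/version and the `pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name` annotation key are as used by the 1.14 alpha and should be checked against the cluster version you run.

```python
"""Validate a gMSA credential spec and render the Kubernetes objects that gate its use.

Added example; all identifiers below are constructed sample values, not real accounts.
"""
import json
import re

# Constructed sample, in the layout New-CredentialSpec writes to C:\ProgramData\Docker\CredentialSpecs.
SAMPLE_CREDSPEC = {
    "CmsPlugins": ["ActiveDirectory"],
    "DomainJoinConfig": {
        "Sid": "S-1-5-21-1111111111-2222222222-3333333333",   # constructed domain SID
        "MachineAccountName": "WebApp01",                      # the gMSA name
        "Guid": "244818ae-87ca-4fcd-92ec-e79e5252348a",        # constructed domain GUID
        "DnsTreeName": "contoso.example",
        "DnsName": "contoso.example",
        "NetBiosName": "CONTOSO",
    },
    "ActiveDirectoryConfig": {
        "GroupManagedServiceAccounts": [
            {"Name": "WebApp01", "Scope": "contoso.example"},
            {"Name": "WebApp01", "Scope": "CONTOSO"},
        ]
    },
}

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")
_REQUIRED_DJ_KEYS = ("Sid", "MachineAccountName", "Guid", "DnsTreeName", "DnsName", "NetBiosName")
ALPHA_ANNOTATION = "pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name"


def validate_credspec(spec: dict) -> list:
    """Return a list of problems; an empty list means the spec is well-formed."""
    problems = []
    if spec.get("CmsPlugins") != ["ActiveDirectory"]:
        problems.append("CmsPlugins must be ['ActiveDirectory']")
    dj = spec.get("DomainJoinConfig", {})
    for key in _REQUIRED_DJ_KEYS:
        if not dj.get(key):
            problems.append(f"DomainJoinConfig.{key} missing")
    if dj.get("Sid") and not _DOMAIN_SID_RE.match(dj["Sid"]):
        problems.append("DomainJoinConfig.Sid is not a domain SID")
    accounts = spec.get("ActiveDirectoryConfig", {}).get("GroupManagedServiceAccounts", [])
    if not accounts:
        problems.append("no GroupManagedServiceAccounts listed")
    names = {a.get("Name") for a in accounts}
    if dj.get("MachineAccountName") and dj["MachineAccountName"] not in names:
        problems.append("MachineAccountName is not among the listed gMSAs")
    # Scope must be the domain's DNS or NetBIOS name; anything else is a typo that fails at runtime.
    valid_scopes = {dj.get("DnsName"), dj.get("NetBiosName")}
    for a in accounts:
        if a.get("Scope") not in valid_scopes:
            problems.append(f"gMSA {a.get('Name')} has unexpected scope {a.get('Scope')!r}")
    return problems


def render_k8s_objects(spec: dict, name: str, namespace: str, service_account: str) -> list:
    """Build the GMSACredentialSpec plus the RBAC objects and a pod that uses it."""
    problems = validate_credspec(spec)
    if problems:
        raise ValueError("; ".join(problems))
    role_name = f"use-gmsa-{name}"
    credspec = {
        "apiVersion": "windows.k8s.io/v1alpha1",
        "kind": "GMSACredentialSpec",
        "metadata": {"name": name},
        "credspec": spec,
    }
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": [{
            "apiGroups": ["windows.k8s.io"],
            "resources": ["gmsacredentialspecs"],
            "verbs": ["use"],
            "resourceNames": [name],  # only this spec, not every credspec in the cluster
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": role_name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
    }
    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": f"{name}-pod", "namespace": namespace,
                     "annotations": {ALPHA_ANNOTATION: name}},
        "spec": {"serviceAccountName": service_account,
                 "nodeSelector": {"kubernetes.io/os": "windows"},
                 "containers": [{"name": "app", "image": "example.invalid/webapp:1.0"}]},  # placeholder image
    }
    return [credspec, cluster_role, binding, pod]


if __name__ == "__main__":
    for obj in render_k8s_objects(SAMPLE_CREDSPEC, "webapp01-credspec", "web", "webapp-sa"):
        print(json.dumps(obj, indent=2))
```

The `use` verb with `resourceNames` is the part worth copying: without the name restriction, any service account bound to the role could select any credspec in the cluster and run as a gMSA it was never meant to hold.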