How to add the Docker parameter "--security-opt" to a Kubernetes Deployment?


Thomas Privat

Jan 19, 2018, 5:49:03 AM
to Kubernetes user discussion and Q&A
Hi All,

I need to start a Windows Container with Kubernetes on a W2016 Server with a given group managed service account.
The Kubernetes setup itself seems to be working, as does the Docker installation.
Starting the Windows Container directly with docker also works fine.

This is the Docker start command:

docker run -d -p 8000:9000 --security-opt "credentialspec=file://svc1505.json ........."

The parameter --security-opt applies the credentials stored in the file "svc1505.json" as wanted.
This is an example content of the JSON credentials file:

{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {
    "DnsName": "contoso.com",
    "Guid": "244818ae-87ca-4fcd-92ec-e79e5252348a",
    "DnsTreeName": "contoso.com",
    "NetBiosName": "DEMO",
    "Sid": "S-1-5-21-2126729477-2524075714-3094792973",
    "MachineAccountName": "WebApplication1"
  },
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [
      {"Name": "WebApplication1", "Scope": "DEMO"},
      {"Name": "WebApplication1", "Scope": "contoso.com"}
    ]
  }
}

How is it possible to run this container with the needed credentials under Kubernetes?

The Kubernetes security context seems to be related to Linux only, is this right?

spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000


Cheers, Thomas

Rodrigo Campos

Jan 19, 2018, 9:27:20 AM
to kubernet...@googlegroups.com
If one of the available options on deployment (see the API doc for completeness) doesn't do that, then you probably can't use that option.

But what is it that you want (sorry, I don't know what that docker option does)? Do you want some JSON file available in the container fs when it runs? In that case, take a look at secrets (or configmaps) that do exactly that :)

Thomas Asanger

Jan 21, 2018, 2:01:27 PM
to Kubernetes user discussion and Q&A
Hi Rodrigo,

This option starts the container under the service account on our W2016 host as configured in the JSON file.
To get our application working, it must run under this gMSA (Group Managed Service Account).

Here is a good explanation of gMSA and how to run it with docker:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
and this:
https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/

But unfortunately I don't know how to apply the gMSA credentials with Kubernetes.
The application works fine if we start the container with docker and the security-opt parameter, so it basically seems to be working.

Cheers, Thomas

Rodrigo Campos

Jan 21, 2018, 2:09:09 PM
to kubernet...@googlegroups.com
Oh, sorry, I really don't know about windows :-(
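Kubernetes later added a Windows-specific part of the security context for exactly this case: `securityContext.windowsOptions.gmsaCredentialSpecName` (GA since Kubernetes 1.18) references a GMSACredentialSpec resource holding the same credential spec that was passed to `docker --security-opt`. The manifest below is an added example and not from anyone in this thread; the resource, Deployment and label names are assumed, and the image name is a placeholder because the thread elides it.

```yaml
# Added example (not from the thread): the gMSA credential spec from Thomas's
# svc1505.json, wrapped in the GMSACredentialSpec custom resource that the
# Kubernetes GMSA admission webhook expects (CRD and webhook must be installed).
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
  name: webapplication1-credspec   # assumed name
credspec:
  CmsPlugins:
    - ActiveDirectory
  DomainJoinConfig:
    DnsName: contoso.com
    Guid: 244818ae-87ca-4fcd-92ec-e79e5252348a
    DnsTreeName: contoso.com
    NetBiosName: DEMO
    Sid: S-1-5-21-2126729477-2524075714-3094792973
    MachineAccountName: WebApplication1
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
      - Name: WebApplication1
        Scope: DEMO
      - Name: WebApplication1
        Scope: contoso.com
---
# The Deployment references the credspec by name; the webhook expands it into
# windowsOptions.gmsaCredentialSpec, which kubelet hands to the runtime.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapplication1   # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapplication1
  template:
    metadata:
      labels:
        app: webapplication1
    spec:
      nodeSelector:
        kubernetes.io/os: windows
      securityContext:
        windowsOptions:
          gmsaCredentialSpecName: webapplication1-credspec
      containers:
        - name: webapplication1
          image: IMAGE_PLACEHOLDER      # image name was elided in the thread
          ports:
            - containerPort: 9000       # container port from docker -p 8000:9000
```

The webhook also requires RBAC that grants the pod's service account the `use` verb on this gmsacredentialspecs resource, so a pod cannot pick up a credspec it was not authorised for.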