gMSA for Windows Container — concept

Before you start

Why gMSA

How to gMSA

  • Create the computer object on the domain controller (you can skip this step).
  • Join the computer to the domain to create the trust relationship between AD and the computer.
  • Reboot the computer to complete the domain join.

In the AD

  • You need to enable gMSA in the AD domain.
  • A gMSA name ends with “$”, similar to a computer object.
  • When setting up permissions, choose the service account object type, e.g. for an MSSQL DB permission assignment.
  • The account authorization is bound at the domain computer tier, so the Windows node needs to join the AD domain.
  • The password is managed by the AD domain controller, so you never need to change the password yourself.
  • Because there is no password in the connection string or configuration file, there is no password to leak from them and nobody needs to know it. It is more secure.
  • Because AD can grant the gMSA to a group, you just need to ensure your Windows nodes are members of that AD group. Plan your automation around this requirement.
  • A domain computer can be assigned multiple gMSAs.
  • If you need Windows node auto scaling, request a delegated OU with computer object create/remove permission. Arrange a proper meeting with the AD admin. :)
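The AD side of the steps above (domain join from the "How to gMSA" list, then the group, the gMSA and the retrieval permission from this list), as an added PowerShell example that is not part of the original article. Domain name, OU path, group, node and account names are placeholder assumptions; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the original article): provision a gMSA whose password
# can be retrieved only by the computer accounts in one AD security group.
# Assumptions: domain contoso.com; group, node, OU and account names are placeholders.
# Run on a domain controller or a host with RSAT-AD-PowerShell, as a domain admin.
Import-Module ActiveDirectory

$Domain     = 'contoso.com'
$HostsGroup = 'gMSA-WebApp01-Hosts'   # computer accounts allowed to retrieve the password
$GmsaName   = 'WebApp01'              # AD stores it as WebApp01$ (same convention as computers)
$NodeName   = 'WINNODE01'

# 0. On the node itself (not here): join the domain and reboot.
#    Add-Computer -DomainName contoso.com -OUPath 'OU=ContainerHosts,DC=contoso,DC=com' `
#                 -Credential (Get-Credential) -Restart

# 1. Once per forest: the KDS root key that backs every gMSA password.
#    With -EffectiveImmediately the key is usable after replication (about 10 hours).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. The group of domain computers that may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$HostsGroup'")) {
    New-ADGroup -Name $HostsGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostsGroup -Members ($NodeName + '$')

# 3. The gMSA. PrincipalsAllowedToRetrieveManagedPassword is the real access-control
#    boundary: every computer in this group can obtain the password.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -ServicePrincipalNames "host/$GmsaName", "host/$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostsGroup

# 4. Check: who can retrieve this password? Review this list the way you would
#    review the holders of a shared secret.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, SamAccountName, PrincipalsAllowedToRetrieveManagedPassword

# 5. On the node, after a reboot so the new group membership is in its token:
#    Install-ADServiceAccount -Identity WebApp01
#    Test-ADServiceAccount -Identity WebApp01    # must return True before any container can use it
```

Step 4 is the check worth repeating whenever a node is added to or removed from the group: the gMSA is only as tightly scoped as that principal list.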

In the Docker

  • All containers on a machine that has joined the domain can obtain the gMSA permission.
  • The Docker host admin cannot restrict a Docker container to a particular gMSA only.
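What this looks like on a container host, as an added example that is not code from the article: generate the credential spec for the gMSA and start a container with it. It assumes the gMSA WebApp01 and domain contoso.com from the section above, the Microsoft-published CredentialSpec PowerShell module, and a placeholder image tag.

```powershell
# Added example (not from the original article): run a container under a gMSA.
# Run on the domain-joined Windows container host, which must be a member of the
# AD group allowed to retrieve the WebApp01 password.
# Assumptions: gMSA WebApp01, domain contoso.com, placeholder image tag.

# The CredentialSpec module is published by Microsoft: Install-Module CredentialSpec
Import-Module CredentialSpec

# Writes C:\ProgramData\Docker\CredentialSpecs\WebApp01.json. The file holds only the
# account and domain identifiers, never the password. The container gets the password
# because the HOST is permitted to retrieve it, so the file is neither a secret nor
# an access control.
New-CredentialSpec -AccountName WebApp01
Get-CredentialSpec    # lists the specs the daemon can reference by file name

# --hostname equal to the gMSA name is required on older Docker releases and harmless otherwise.
docker run -d --name webapp01 `
    --hostname WebApp01 `
    --security-opt "credentialspec=file://WebApp01.json" `
    mcr.microsoft.com/windows/servercore:ltsc2019 ping -t localhost

# Check from inside the container: the secure channel to the domain must verify.
docker exec webapp01 nltest /sc_verify:contoso.com

# The limitation the article points out: nothing on this host stops another container from
# passing the same --security-opt, or any other spec in that folder. The only boundary is
# which computer accounts AD allows to retrieve each gMSA's password, so separate workloads
# of different trust levels onto hosts in different AD groups rather than on one host.
```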

In the Kubernetes

  • A Kubernetes cluster can be configured with multiple gMSAs. All of the Windows nodes need to join the AD domain.
  • The Kubernetes cluster admin uses a CRD (custom resource definition) to manage which service account of which namespace gets which gMSA permission. Keep an overview of these relationships, otherwise you might get unexpected results.
  • When a ReplicaSet (or Job) declares a gMSA, Kubernetes calls an in-cluster web service for authorization. If the ReplicaSet (or Job) does not have permission, the cluster won’t allow your pod to be created.
  • Currently, the gMSA web service can only run on a Linux node.
  • As of 2020/12, a Linux pod cannot use gMSA because it does not run on a Windows node. Maybe Microsoft will allow Linux pods in the future. :P
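The CRD, the namespace-level permission and the authorization check described in this section, as an added example that is neither the article's code nor a script from the kubernetes-sigs/windows-gmsa project. It assumes the WebApp01 credential spec already generated on a domain-joined host, a namespace "web" with service account "webapp-sa", a placeholder image tag, and that the gMSA admission webhook serving the windows.k8s.io/v1 GMSACredentialSpec CRD is installed in the cluster.

```powershell
# Added example (not from the original article): publish the gMSA credential spec to the
# cluster, authorise one namespace service account to "use" it, and confirm that
# authorisation before scheduling a pod.
# Assumptions: credspec file from New-CredentialSpec, namespace web, service account
# webapp-sa, placeholder image tag, windows.k8s.io/v1 CRD served by the gMSA webhook.

# JSON is valid YAML, so the generated spec can be embedded as a one-line flow mapping.
$credspec = Get-Content 'C:\ProgramData\Docker\CredentialSpecs\WebApp01.json' -Raw |
    ConvertFrom-Json | ConvertTo-Json -Depth 10 -Compress

$manifest = @"
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
  name: webapp01          # cluster-scoped, referenced by name from pods
credspec: $credspec
---
# Who may use it: the "use" verb on exactly this resourceName.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gmsa-webapp01-user
rules:
- apiGroups: ["windows.k8s.io"]
  resources: ["gmsacredentialspecs"]
  resourceNames: ["webapp01"]
  verbs: ["use"]
---
# Bind it only in the namespace that needs it (RoleBinding, not ClusterRoleBinding).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gmsa-webapp01-user
  namespace: web
subjects:
- kind: ServiceAccount
  name: webapp-sa
  namespace: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gmsa-webapp01-user
"@
$manifest | kubectl apply -f -

# Check before deploying: the webhook asks this same question with a SubjectAccessReview.
# Anything other than "yes" means pod creation would be rejected.
kubectl auth can-i use gmsacredentialspecs.windows.k8s.io/webapp01 --as system:serviceaccount:web:webapp-sa

$pod = @"
apiVersion: v1
kind: Pod
metadata:
  name: webapp01
  namespace: web
spec:
  serviceAccountName: webapp-sa
  nodeSelector:
    kubernetes.io/os: windows    # gMSA only works on domain-joined Windows nodes
  securityContext:
    windowsOptions:
      gmsaCredentialSpecName: webapp01
  containers:
  - name: web
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: ["ping", "-t", "localhost"]
"@
$pod | kubectl apply -f -

# Same verification as on a plain Docker host, now from inside the pod.
kubectl exec -n web webapp01 -- nltest /sc_verify:contoso.com
```

Binding the ClusterRole with a namespaced RoleBinding is what keeps the "which namespace gets which gMSA" map readable: one RoleBinding per namespace per gMSA, and the can-i query gives the same answer the webhook will.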

Appendix
