Adds WindowsOptions.RunAsUserName field #79489
k8s-ci-robot merged 3 commits into kubernetes:master from
Conversation
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
There are no known limitations regarding Windows username length or special-character usage, so we only set an upper limit in order to prevent abuse.
this is supposed to target GMSA, correct?
is there a username cap for the existing GMSA support based on https://kubernetes.io/docs/tasks/configure-pod-container/configure-gmsa/#create-gmsa-credential-spec-resources
Not quite, they're not quite the same: https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md#specification-of-both-gmsa-credspec-and-runasusername
/cc @PatrickLang
The KEP does not seem to outline which Windows user account backend we are targeting if not GMSA.
Searching online, the only tutorials for running Windows containers with non-root users cover AD + GMSA only.
liggitt
left a comment
Needs a feature gate added, and corresponding logic in api/pod/util.go#dropDisabledFields
@neolit123
@BCLAU for the
ddebroy
left a comment
Couple of nits around the comments for the WindowsOptions field.
/lgtm I talked to @liggitt briefly on Slack. The validation regex looks ok to me and there's a test PR coming in with more validation.
Thanks, that's easier to follow. One question still pending at #79489 (comment), then lgtm.
claudiubelu
left a comment
I didn't realize that I didn't press the Submit review button yesterday. Sorry. :)
Adds the field RunAsUserName in the WindowsSecurityContextOptions type, which is used in PodSecurityContext and SecurityContext. This field needs to allow for a valid set of usernames allowed for Windows containers. It must have the format "U

This commit also validates the runAsUserName field, making sure that it is valid, having the format DOMAIN\USER (case insensitive), where DOMAIN\ is optional and has to be a valid NetBIOS or DNS domain name. For more information about the restrictions on the DOMAIN and USER parts, look here: [1] [2]

Adds the WindowsRunAsUserName alpha feature gate. By default, it is disabled. If the feature gate is not enabled, the WindowsOptions.RunAsUserName field will be dropped from both the PodSecurityContext and container SecurityContext.

Co-Authored-By: Claudiu Belu <cbelu@cloudbasesolutions.com>

[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
[2] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
Co-Authored-By: Claudiu Belu <cbelu@cloudbasesolutions.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: bclau, derekwaynecarr, liggitt.
/test pull-kubernetes-e2e-gce-device-plugin-gpu
/retest
/lgtm
What type of PR is this?
/kind api-change
/sig windows
What this PR does / why we need it:
This adds Windows configuration and wires up the username in the podspec to the runtime interface.
#64009 added run_as_username to the container runtime interface, but did not hook it up in the Kubernetes v1.Container.SecurityContext.WindowsOptions.runAsUser field.

This PR also validates the `RunAsUserName` field, making sure that it is valid, having the format `DOMAIN\USER` (case insensitive), where `DOMAIN\` is optional and has to be a valid NetBIOS or DNS domain name. For more information about the restrictions on the `DOMAIN` and `USER` parts, look here: [1] [2]

Adds the `WindowsRunAsUserName` alpha feature gate. By default, it is disabled. If the feature gate is not enabled, the `WindowsOptions.RunAsUserName` field will be dropped from both the `PodSecurityContext` and container `SecurityContext`.

[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
[2] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
Which issue(s) this PR fixes:
Fixes: #73387
Special notes for your reviewer:
The original PR and discussions on it is here: #73609
Does this PR introduce a user-facing change?:
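As an added illustration of the two behaviours this PR describes, the `DOMAIN\USER` validation and the feature-gate drop, the following Go program is example code written for this page; it is not the PR's implementation and does not reproduce Kubernetes's actual regexes or limits. It splits a runAsUserName on the single allowed backslash, accepts the optional `DOMAIN` only when it looks like a NetBIOS name (at most 15 characters, none of the reserved characters) or a DNS name, rejects control characters and the characters `New-LocalUser` refuses in the `USER` part, and clears the field when a hypothetical gate is off. The length caps, both regexes, the `WindowsSecurityContextOptions` stand-in type and the `DropDisabledRunAsUserName` helper are all assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative caps chosen for this example, not the values used by the PR.
const (
	maxDomainLen = 255
	maxUserLen   = 256
)

var (
	// NetBIOS domain names: at most 15 characters, none of \ / : * ? " < > |
	// and no control characters (assumed rule set for this example).
	netbiosDomainRe = regexp.MustCompile(`^[^\\/:*?"<>|\x00-\x1f]{1,15}$`)
	// DNS domain names: dot-separated labels of letters, digits and hyphens,
	// no label starting or ending with a hyphen (assumed rule set).
	dnsDomainRe = regexp.MustCompile(`^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)
	// Characters New-LocalUser documents as not allowed in a user name.
	userForbidden = `"/\[]:;|=,+*?<>@`
)

// ParsedUserName is the result of splitting a validated runAsUserName.
type ParsedUserName struct {
	Domain string // empty when no DOMAIN\ prefix was given
	User   string
}

// ValidateRunAsUserName checks a name of the form DOMAIN\USER, where DOMAIN\
// is optional and DOMAIN must be a NetBIOS or DNS domain name, and returns
// the split name or a descriptive error.
func ValidateRunAsUserName(name string) (ParsedUserName, error) {
	var p ParsedUserName
	if name == "" {
		return p, fmt.Errorf("runAsUserName cannot be empty")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return p, fmt.Errorf("runAsUserName cannot contain control characters")
		}
	}
	parts := strings.Split(name, `\`)
	switch len(parts) {
	case 1:
		p.User = parts[0]
	case 2:
		p.Domain, p.User = parts[0], parts[1]
		if p.Domain == "" {
			return p, fmt.Errorf("domain part cannot be empty when a backslash is present")
		}
		if len(p.Domain) > maxDomainLen {
			return p, fmt.Errorf("domain part longer than %d characters", maxDomainLen)
		}
		if !netbiosDomainRe.MatchString(p.Domain) && !dnsDomainRe.MatchString(p.Domain) {
			return p, fmt.Errorf("domain %q is neither a valid NetBIOS nor a valid DNS domain name", p.Domain)
		}
	default:
		return p, fmt.Errorf("runAsUserName cannot contain more than one backslash")
	}
	switch {
	case p.User == "":
		return p, fmt.Errorf("user part cannot be empty")
	case len(p.User) > maxUserLen:
		return p, fmt.Errorf("user part longer than %d characters", maxUserLen)
	case strings.Trim(p.User, " .") == "":
		return p, fmt.Errorf("user part cannot consist only of spaces and periods")
	case strings.ContainsAny(p.User, userForbidden):
		return p, fmt.Errorf("user part contains one of the forbidden characters %s", userForbidden)
	}
	return p, nil
}

// WindowsSecurityContextOptions is a stand-in for the API type, reduced to
// the one field this example cares about.
type WindowsSecurityContextOptions struct {
	RunAsUserName *string
}

// DropDisabledRunAsUserName clears the field from the pod-level options and
// every container's options when the gate is off, unless the field was
// already in use on the stored object (so updates do not silently lose it).
func DropDisabledRunAsUserName(gateEnabled, alreadyInUse bool, pod *WindowsSecurityContextOptions, containers []*WindowsSecurityContextOptions) {
	if gateEnabled || alreadyInUse {
		return
	}
	if pod != nil {
		pod.RunAsUserName = nil
	}
	for _, c := range containers {
		if c != nil {
			c.RunAsUserName = nil
		}
	}
}

func main() {
	// Constructed sample inputs, including the failure modes the rules exclude.
	for _, n := range []string{"ContainerUser", `CONTOSO\svc-web`, `contoso.example.com\svc-web`, `a\b\c`, "bad:user", `bad*dom\user`, ""} {
		p, err := ValidateRunAsUserName(n)
		if err != nil {
			fmt.Printf("%-32q rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("%-32q ok: domain=%q user=%q\n", n, p.Domain, p.User)
	}
}
```

The "already in use" guard follows the shape of the dropDisabledFields helpers in api/pod/util.go that liggitt asks for above, which compare against the old object so that a gate being turned off does not strip a field from pods that already carry it; everything else here is a simplification.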