Configure GMSA for Windows Pods and containers

FEATURE STATE: Kubernetes v1.18 [stable]

This page shows how to configure Group Managed Service Accounts (GMSA) for Pods and containers that will run on Windows nodes. Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers.

In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide scope as Custom Resources. Windows Pods, as well as individual containers within a Pod, can be configured to use a GMSA for domain based functions (e.g. Kerberos authentication) when interacting with other Windows services. As of v1.16, the Docker runtime supports GMSA for Windows workloads.

Before you begin

You need to have a Kubernetes cluster and the kubectl command-line tool must be configured to communicate with your cluster. The cluster is expected to have Windows worker nodes. This section covers a set of initial steps required once for each cluster:

Install the GMSACredentialSpec CRD

A CustomResourceDefinition(CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type GMSACredentialSpec. Download the GMSA CRD YAML and save it as gmsa-crd.yaml. Next, install the CRD with kubectl apply -f gmsa-crd.yaml

Install webhooks to validate GMSA users

Two webhooks need to be configured on the Kubernetes cluster to populate and validate GMSA credential spec references at the Pod or container level:

  1. A mutating webhook that expands references to GMSAs (by name from a Pod specification) into the full credential spec in JSON form within the Pod spec.

  2. A validating webhook ensures all references to GMSAs are authorized to be used by the Pod service account.

Installing the above webhooks and associated objects require the steps below:

  1. Create a certificate key pair (that will be used to allow the webhook container to communicate to the cluster)

  2. Install a secret with the certificate from above.

  3. Create a deployment for the core webhook logic.

  4. Create the validating and mutating webhook configurations referring to the deployment.

A script can be used to deploy and configure the GMSA webhooks and associated objects mentioned above. The script can be run with a --dry-run=server option to allow you to review the changes that would be made to your cluster.

The YAML template used by the script may also be used to deploy the webhooks and associated objects manually (with appropriate substitutions for the parameters)

Configure GMSAs and Windows nodes in Active Directory

Before Pods in Kubernetes can be configured to use GMSAs, the desired GMSAs need to be provisioned in Active Directory as described in the Windows GMSA documentation. Windows worker nodes (that are part of the Kubernetes cluster) need to be configured in Active Directory to access the secret credentials associated with the desired GMSA as described in the Windows GMSA documentation

Create GMSA credential spec resources

With the GMSACredentialSpec CRD installed (as described earlier), custom resources containing GMSA credential specs can be configured. The GMSA credential spec does not contain secret or sensitive data. It is information that a container runtime can use to describe the desired GMSA of a container to Windows. GMSA credential specs can be generated in YAML format with a utility PowerShell script.

Following are the steps for generating a GMSA credential spec YAML manually in JSON format and then converting it:

  1. Import the CredentialSpec module: ipmo CredentialSpec.psm1

  2. Create a credential spec in JSON format using New-CredentialSpec. To create a GMSA credential spec named WebApp1, invoke New-CredentialSpec -Name WebApp1 -AccountName WebApp1 -Domain $(Get-ADDomain -Current LocalComputer)

  3. Use Get-CredentialSpec to show the path of the JSON file.

  4. Convert the credspec file from JSON to YAML format and apply the necessary header fields apiVersion, kind, metadata and credspec to make it a GMSACredentialSpec custom resource that can be configured in Kubernetes.

The following YAML configuration describes a GMSA credential spec named gmsa-WebApp1:

  1. apiVersion: windows.k8s.io/v1alpha1
  2. kind: GMSACredentialSpec
  3. metadata:
  4. name: gmsa-WebApp1 #This is an arbitrary name but it will be used as a reference
  5. credspec:
  6. ActiveDirectoryConfig:
  7. GroupManagedServiceAccounts:
  8. - Name: WebApp1 #Username of the GMSA account
  9. Scope: CONTOSO #NETBIOS Domain Name
  10. - Name: WebApp1 #Username of the GMSA account
  11. Scope: contoso.com #DNS Domain Name
  12. CmsPlugins:
  13. - ActiveDirectory
  14. DomainJoinConfig:
  15. DnsName: contoso.com #DNS Domain Name
  16. DnsTreeName: contoso.com #DNS Domain Name Root
  17. Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a #GUID
  18. MachineAccountName: WebApp1 #Username of the GMSA account
  19. NetBiosName: CONTOSO #NETBIOS Domain Name
  20. Sid: S-1-5-21-2126449477-2524075714-3094792973 #SID of GMSA

The above credential spec resource may be saved as gmsa-Webapp1-credspec.yaml and applied to the cluster using: kubectl apply -f gmsa-Webapp1-credspec.yml

Configure cluster role to enable RBAC on specific GMSA credential specs

A cluster role needs to be defined for each GMSA credential spec resource. This authorizes the use verb on a specific GMSA resource by a subject which is typically a service account. The following example shows a cluster role that authorizes usage of the gmsa-WebApp1 credential spec from above. Save the file as gmsa-webapp1-role.yaml and apply using kubectl apply -f gmsa-webapp1-role.yaml

  1. #Create the Role to read the credspec
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: ClusterRole
  4. metadata:
  5. name: webapp1-role
  6. rules:
  7. - apiGroups: ["windows.k8s.io"]
  8. resources: ["gmsacredentialspecs"]
  9. verbs: ["use"]
  10. resourceNames: ["gmsa-WebApp1"]

Assign role to service accounts to use specific GMSA credspecs

A service account (that Pods will be configured with) needs to be bound to the cluster role create above. This authorizes the service account to use the desired GMSA credential spec resource. The following shows the default service account being bound to a cluster role webapp1-role to use gmsa-WebApp1 credential spec resource created above.

  1. apiVersion: rbac.authorization.k8s.io/v1
  2. kind: RoleBinding
  3. metadata:
  4. name: allow-default-svc-account-read-on-gmsa-WebApp1
  5. namespace: default
  6. subjects:
  7. - kind: ServiceAccount
  8. name: default
  9. namespace: default
  10. roleRef:
  11. kind: ClusterRole
  12. name: webapp1-role
  13. apiGroup: rbac.authorization.k8s.io

Configure GMSA credential spec reference in Pod spec

The Pod spec field securityContext.windowsOptions.gmsaCredentialSpecName is used to specify references to desired GMSA credential spec custom resources in Pod specs. This configures all containers in the Pod spec to use the specified GMSA. A sample Pod spec with the annotation populated to refer to gmsa-WebApp1:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. labels:
  5. run: with-creds
  6. name: with-creds
  7. namespace: default
  8. spec:
  9. replicas: 1
  10. selector:
  11. matchLabels:
  12. run: with-creds
  13. template:
  14. metadata:
  15. labels:
  16. run: with-creds
  17. spec:
  18. securityContext:
  19. windowsOptions:
  20. gmsaCredentialSpecName: gmsa-webapp1
  21. containers:
  22. - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
  23. imagePullPolicy: Always
  24. name: iis
  25. nodeSelector:
  26. kubernetes.io/os: windows

Individual containers in a Pod spec can also specify the desired GMSA credspec using a per-container securityContext.windowsOptions.gmsaCredentialSpecName field. For example:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. labels:
  5. run: with-creds
  6. name: with-creds
  7. namespace: default
  8. spec:
  9. replicas: 1
  10. selector:
  11. matchLabels:
  12. run: with-creds
  13. template:
  14. metadata:
  15. labels:
  16. run: with-creds
  17. spec:
  18. containers:
  19. - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
  20. imagePullPolicy: Always
  21. name: iis
  22. securityContext:
  23. windowsOptions:
  24. gmsaCredentialSpecName: gmsa-Webapp1
  25. nodeSelector:
  26. kubernetes.io/os: windows

As Pod specs with GMSA fields populated (as described above) are applied in a cluster, the following sequence of events take place:

  1. The mutating webhook resolves and expands all references to GMSA credential spec resources to the contents of the GMSA credential spec.

  2. The validating webhook ensures the service account associated with the Pod is authorized for the use verb on the specified GMSA credential spec.

  3. The container runtime configures each Windows container with the specified GMSA credential spec so that the container can assume the identity of the GMSA in Active Directory and access services in the domain using that identity.

Containerd

On Windows Server 2019, in order to use GMSA with containerd, you must be running OS Build 17763.1817 (or later) which can be installed using the patch KB5000822.

There is also a known issue with containerd that occurs when trying to connect to SMB shares from Pods. Once you have configured GMSA, the pod will be unable to connect to the share using the hostname or FQDN, but connecting to the share using an IP address works as expected.

  1. ping adserver.ad.local

and correctly resolves the hostname to an IPv4 address. The output is similar to:

  1. Pinging adserver.ad.local [192.168.111.18] with 32 bytes of data:
  2. Reply from 192.168.111.18: bytes=32 time=6ms TTL=124
  3. Reply from 192.168.111.18: bytes=32 time=5ms TTL=124
  4. Reply from 192.168.111.18: bytes=32 time=5ms TTL=124
  5. Reply from 192.168.111.18: bytes=32 time=5ms TTL=124

However, when attempting to browse the directory using the hostname

  1. cd \\adserver.ad.local\test

you see an error that implies the target share doesn’t exist:

  1. cd : Cannot find path '\\adserver.ad.local\test' because it does not exist.
  2. At line:1 char:1
  3. + cd \\adserver.ad.local\test
  4. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  5. + CategoryInfo : ObjectNotFound: (\\adserver.ad.local\test:String) [Set-Location], ItemNotFoundException
  6. + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand

but you notice that the error disappears if you browse to the share using its IPv4 address instead; for example:

  1. cd \\192.168.111.18\test

After you change into a directory within the share, you see a prompt similar to:

  1. Microsoft.PowerShell.Core\FileSystem::\\192.168.111.18\test>

To correct the behaviour you must run the following on the node reg add "HKLM\SYSTEM\CurrentControlSet\Services\hns\State" /v EnableCompartmentNamespace /t REG_DWORD /d 1 to add the required registry key. This node change will only take effect in newly created pods, meaning you must now recreate any running pods which require access to SMB shares.

Troubleshooting

If you are having difficulties getting GMSA to work in your environment, there are a few troubleshooting steps you can take.

First, make sure the credspec has been passed to the Pod. To do this you will need to exec into one of your Pods and check the output of the nltest.exe /parentdomain command.

In the example below the Pod did not get the credspec correctly:

  1. kubectl exec -it iis-auth-7776966999-n5nzr powershell.exe

nltest.exe /parentdomain results in the following error:

  1. Getting parent domain failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

If your Pod did get the credspec correctly, then next check communication with the domain. First, from inside of your Pod, quickly do an nslookup to find the root of your domain.

This will tell us 3 things:

  1. The Pod can reach the DC
  2. The DC can reach the Pod
  3. DNS is working correctly.

If the DNS and communication test passes, next you will need to check if the Pod has established secure channel communication with the domain. To do this, again, exec into your Pod and run the nltest.exe /query command.

  1. nltest.exe /query

Results in the following output:

  1. I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

This tells us that for some reason, the Pod was unable to logon to the domain using the account specified in the credspec. You can try to repair the secure channel by running the following:

  1. nltest /sc_reset:domain.example

If the command is successful you will see and output similar to this:

  1. Flags: 30 HAS_IP HAS_TIMESERV
  2. Trusted DC Name \\dc10.domain.example
  3. Trusted DC Connection Status Status = 0 0x0 NERR_Success
  4. The command completed successfully

If the above corrects the error, you can automate the step by adding the following lifecycle hook to your Pod spec. If it did not correct the error, you will need to examine your credspec again and confirm that it is correct and complete.

  1. image: registry.domain.example/iis-auth:1809v1
  2. lifecycle:
  3. postStart:
  4. exec:
  5. command: ["powershell.exe","-command","do { Restart-Service -Name netlogon } while ( $($Result = (nltest.exe /query); if ($Result -like '*0x0 NERR_Success*') {return $true} else {return $false}) -eq $false)"]
  6. imagePullPolicy: IfNotPresent

If you add the lifecycle section show above to your Pod spec, the Pod will execute the commands listed to restart the netlogon service until the nltest.exe /query command exits without error.