Hi Rodrigo,

This option is starting the container under the service account on our W2016 host, as configured in the JSON file. To get our application working, it must be running under this gMSA (Group Managed Service Account).

Here is a good explanation about gMSA and how to run it with docker:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
and this:
https://blogs.msdn.microsoft.com/containerstuff/2017/01/30/create-a-container-with-active-directory-support/

But unfortunately I don't know how to apply the gMSA credentials with Kubernetes. The application works fine if we start the container with docker and the security-opt parameter, so it seems to be working basically.

Cheers,
Thomas

On Friday, 19 January 2018 11:49:03 UTC+1, Thomas Asanger wrote:
>
> Hi All,
>
> I need to start a Windows container with Kubernetes on a W2016 server with
> a given group managed service account.
> The Kubernetes setup itself seems to be working, also the Docker installation.
> Starting the Windows container directly with docker also works fine.
>
> This is the docker start command:
>
>     docker run -d -p 8000:9000 --security-opt "credentialspec=file://svc1505.json ........."
>
> The parameter --security-opt applies the credentials stored in the file
> "svc1505.json" as wanted.
> This is an example content of the JSON credentials file:
>
>     {
>       "CmsPlugins": ["ActiveDirectory"],
>       "DomainJoinConfig": {
>         "DnsName": "contoso.com",
>         "Guid": "244818ae-87ca-4fcd-92ec-e79e5252348a",
>         "DnsTreeName": "contoso.com",
>         "NetBiosName": "DEMO",
>         "Sid": "S-1-5-21-2126729477-2524075714-3094792973",
>         "MachineAccountName": "WebApplication1"
>       },
>       "ActiveDirectoryConfig": {
>         "GroupManagedServiceAccounts": [
>           {"Name": "WebApplication1", "Scope": "DEMO"},
>           {"Name": "WebApplication1", "Scope": "contoso.com"}
>         ]
>       }
>     }
>
> How is it possible to run this container with the needed credentials under
> Kubernetes?
>
> The Kubernetes security context seems to be related to Linux only, is this
> right?
>
>     spec:
>       securityContext:
>         runAsUser: 1000
>         fsGroup: 2000
>
> Cheers, Thomas
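Added example, not part of the original thread and not code from Docker or Kubernetes: a Python check of a credential spec file such as svc1505.json before it is passed to --security-opt, using only the field names visible in the JSON quoted in the message. The function names, the stray-whitespace check and the rule that the account is listed once per scope (NetBIOS and DNS name) are assumptions drawn from that sample.

```python
import json
import re

# Constructed sample: the credential spec from the post, with a stray leading
# space (as mail line wrapping can introduce) left in two values.
SAMPLE = '''{"CmsPlugins":["ActiveDirectory"],
 "DomainJoinConfig":{"DnsName":" contoso.com","Guid":"244818ae-87ca-4fcd-92ec-e79e5252348a",
   "DnsTreeName":"contoso.com","NetBiosName":"DEMO",
   "Sid":"S-1-5-21-2126729477-2524075714-3094792973","MachineAccountName":"WebApplication1"},
 "ActiveDirectoryConfig":{"GroupManagedServiceAccounts":[
   {"Name":"WebApplication1","Scope":"DEMO"},
   {"Name":"WebApplication1","Scope":" contoso.com"}]}}'''

DOMAIN_KEYS = ("DnsName", "Guid", "DnsTreeName", "NetBiosName", "Sid", "MachineAccountName")
GUID_RE = r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def walk_strings(node, path=""):
    """Yield (path, value) for every string value in the parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint_credential_spec(text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        spec = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(spec, dict):
        return ["top level is not a JSON object"]
    findings = [f"{p}: stray whitespace in {v!r}" for p, v in walk_strings(spec) if v != v.strip()]
    if "ActiveDirectory" not in spec.get("CmsPlugins", []):
        findings.append("CmsPlugins: 'ActiveDirectory' missing")
    dj = spec.get("DomainJoinConfig", {})
    findings += [f"DomainJoinConfig.{k}: missing" for k in DOMAIN_KEYS if not dj.get(k)]
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", str(dj.get("Sid", "")).strip()):
        findings.append("DomainJoinConfig.Sid: not a domain SID (S-1-5-21-x-y-z)")
    if not re.fullmatch(GUID_RE, str(dj.get("Guid", "")).strip()):
        findings.append("DomainJoinConfig.Guid: not a GUID")
    # Assumption from the sample: the gMSA is listed once per scope name.
    accounts = spec.get("ActiveDirectoryConfig", {}).get("GroupManagedServiceAccounts", [])
    name = dj.get("MachineAccountName")
    scopes = {str(a.get("Scope", "")).strip() for a in accounts if a.get("Name") == name}
    for want in (str(dj.get("NetBiosName", "")).strip(), str(dj.get("DnsName", "")).strip()):
        if want and want not in scopes:
            findings.append(f"GroupManagedServiceAccounts: {name!r} has no entry with Scope {want!r}")
    return findings
```

Calling lint_credential_spec(SAMPLE) reports the two values carrying a leading space; the same text with those spaces removed returns an empty list.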