gMSA question/issue #382

Open
nmdange2 opened this issue Nov 19, 2024 · 2 comments

Comments

@nmdange2

I've run into this issue on an AKS on Windows Server Cluster microsoft/Windows-Containers#405

It appears there may be a fix available. However, in the case of AKS on Windows Server, the gMSA webhook is installed through PowerShell. Will the updated webhook be incorporated into a new release? Or is there another way to update the webhook?

@Elektronenvolt

Hey,

I'm wondering how you use gMSA with AKS Arc. We have gMSA for containers with a non-domain-joined host in use. The credspec file and permissions are done by Add-AksHciGMSACredentialSpec.
So far we have not seen any issues running multiple containers with the same gMSA. We had a situation where it didn't work because of using the NetBIOS name instead of the domain DNS name in the config file - that caused "falling back" from Kerberos to NTLM, which broke the feature.

Why do you use docker run --security-opt "credentialspec=file://gmsa-credspec.json" --hostname <gMSAName> -it <image> ? I only know this from using gMSA on domain-joined Windows Server VMs.

@nmdange2

nmdange2 commented Dec 2, 2024

I'm not using docker run to run the container. I followed the instructions you referenced to install the webhook via PowerShell, and to properly annotate pods to use it. Everything works as expected except that, intermittently, one specific API call will fail: when you attempt to translate a SID to an account name or vice versa.

More generally, I can see from this command kubectl get deployment -n kube-system gmsa-webhook -o yaml that the version of the gMSA webhook that's installed is using the image ecpacr.azurecr.io/windows-gmsa:v0.1.1

This appears to be a much older version than the latest release on https://github.com/kubernetes-sigs/windows-gmsa/releases

I could try deploying the webhook directly from there to get the latest version, but I'd rather Microsoft update the image used with Install-AksHciGMSAWebhook so I don't have to.
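A version-drift check for the installed webhook image, as an added example (not from the issue or the windows-gmsa project): it parses the image references that the kubectl command above prints, extracts the tag, and reports any that lag a given release tag. The latest tag is assumed to be fetched separately (for instance from the GitHub releases API for kubernetes-sigs/windows-gmsa) and passed in, so the check itself runs offline; the sample input and the "v0.15.0" comparison tag used in the usage line are constructed.

```python
"""Report gMSA webhook images in kube-system that lag the latest release.

Input: output of
  kubectl get deployment -n kube-system gmsa-webhook \
      -o jsonpath='{.spec.template.spec.containers[*].image}'
The latest release tag is passed in (read it from the releases page or API).
"""
import re
from typing import NamedTuple, Optional

class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: str
    digest: Optional[str]

# Constructed sample: mirrors the image the issue reports for an
# Install-AksHciGMSAWebhook deployment.
SAMPLE_IMAGES = "ecpacr.azurecr.io/windows-gmsa:v0.1.1"

def parse_image(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last colon, but only in the final component.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    else:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)

def semver(tag: str) -> tuple:
    """Turn a vMAJOR.MINOR.PATCH release tag into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"not a release tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def outdated_images(jsonpath_output: str, latest_tag: str) -> list:
    """Return gMSA webhook images older than latest_tag or not pinned to a release."""
    latest = semver(latest_tag)
    stale = []
    for ref in jsonpath_output.split():
        img = parse_image(ref)
        if "gmsa" not in img.repository:
            continue  # sidecars or unrelated containers in the same deployment
        try:
            if semver(img.tag) < latest:
                stale.append(ref)
        except ValueError:
            stale.append(ref)  # floating tag such as 'latest': not pinned, flag it
    return stale

if __name__ == "__main__":
    print(outdated_images(SAMPLE_IMAGES, "v0.15.0"))
```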
