Azure / aksArc

# Welcome to the Azure Kubernetes Service enabled by Azure Arc (AKS Arc) repo

This is where the AKS Arc team will track features and issues with AKS Arc. We will monitor this repo in order to engage with our community and discuss questions, customer scenarios, or feature requests. Check out our projects tab to see the roadmap for AKS Arc!
MIT License

gMSA question/issue #382

Open nmdange2 opened 3 days ago

nmdange2 commented 3 days ago

I've run into this issue on an AKS on Windows Server Cluster https://github.com/microsoft/Windows-Containers/issues/405

It appears there may be a fix available. However, in the case of AKS on Windows Server, the gMSA Web Hook is installed through PowerShell. Will the updated webhook be incorporated into a new release? Or is there another way to update the webhook?

Elektronenvolt commented 1 day ago

Hey,

I'm wondering how you use gMSA with AKS Arc. We have gMSA for containers with a non-domain-joined host in use. The credspec file and permissions are done by `Add-AksHciGMSACredentialSpec`. So far we have not seen any issues when running multiple containers with the same gMSA. We had a situation where it didn't work because of using the NetBIOS name instead of the domain DNS name in the config file. That caused "falling back" from Kerberos to NTLM, which broke the feature.

Why do you use `docker run --security-opt "credentialspec=file://gmsa-credspec.json" --hostname <gMSAName> -it <image>`? I know this only from using gMSA on domain-joined Windows Server VMs.