Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Keyvault Flexvol Windows Container Support #103

Open techbunny opened 5 years ago

techbunny commented 5 years ago

Will there be future support for windows containers to take advantage of this? Some customers doing application modernization with Windows are also looking for ways to manage secrets across all their containers.

ritazh commented 5 years ago

Currently there is no windows support for this solution. Please +1 if this is a requirement for you. cc @PatrickLang

PatrickLang commented 5 years ago

This should be feasible, but needs a few high-level changes:

  1. The flexvolume plugin binary needs to be deployed to the Windows hosts directly, not as a daemonset. Windows doesn't support mount projection back to the node or privileged containers with support to write directly to the node's filesystem
  2. AKS-Engine custom script extension needs to be updated to handle step 1
  3. Update the place the binaries are written to so that it is a properly ACL'd path on the Windows host. tmpfs is not available on Windows, so they will need to be written to disk. Admins may want to enable BitLocker to mitigate the threat of a disk being removed from the system and secrets being recovered from it.
  4. AAD pod identity would require updates here https://github.com/Azure/aad-pod-identity/issues/242

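As a worked illustration of item 3 in the comment above (an added example, not code from the kubernetes-keyvault-flexvol project or from anyone in this thread), the following PowerShell prepares an on-disk directory on a Windows node for the flexvolume plugin binaries, cuts ACL inheritance so that only SYSTEM and Administrators can reach it, verifies the result, and reports whether the volume holding it is BitLocker-protected. The path `C:\k\volumeplugins\azure~kv` and the two allowed identities are assumptions; the same approach applies to any directory on the node where the plugin ends up writing secret material.

```powershell
# Added example, not code from the kubernetes-keyvault-flexvol project or this
# thread. Run in an elevated PowerShell session on the Windows node.

# Assumption: the kubelet volume plugin directory on the Windows node. Adjust
# to whatever --volume-plugin-dir your cluster uses.
$PluginRoot = 'C:\k\volumeplugins\azure~kv'

# Identities that may read or write the plugin directory. Everything else
# (including BUILTIN\Users, which normally inherits Read/Execute from C:\)
# is denied by omission once inheritance is cut.
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function New-RestrictedDirectory {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identities = $AllowedIdentities
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path

    # Protect the DACL: stop inheriting ACEs from the parent and discard the
    # ones already inherited, so the directory starts from an empty DACL.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit ACEs left over from earlier runs.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }

    # Grant FullControl to the allowed identities, inherited by files and
    # subdirectories created under the plugin root.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($identity in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-RestrictedDirectory {
    # Returns $true only if the DACL is protected (no inheritance) and every
    # ACE is an Allow for one of the expected identities.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identities = $AllowedIdentities
    )
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { return $false }
        if ($ace.AccessControlType -ne 'Allow') { return $false }
        if ($Identities -notcontains $ace.IdentityReference.Value) { return $false }
    }
    return $true
}

function Get-VolumeProtectionStatus {
    # BitLocker status ('On', 'Off') of the volume that holds $Path. Needs the
    # BitLocker feature and its PowerShell module; returns 'Unknown' otherwise.
    param([Parameter(Mandatory)][string]$Path)
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    try {
        return (Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop).ProtectionStatus.ToString()
    } catch {
        return 'Unknown'
    }
}

New-RestrictedDirectory -Path $PluginRoot
if (-not (Test-RestrictedDirectory -Path $PluginRoot)) {
    throw "ACL on $PluginRoot is not restricted to $($AllowedIdentities -join ', ')"
}
Write-Host "ACL on $PluginRoot restricted to: $($AllowedIdentities -join ', ')"
Write-Host "BitLocker protection on $([System.IO.Path]::GetPathRoot($PluginRoot)): $(Get-VolumeProtectionStatus -Path $PluginRoot)"
```

`icacls $PluginRoot` afterwards should list only the two allowed identities with `(OI)(CI)(F)` and no `(I)` inherited entries. SYSTEM is kept because the kubelet on Windows is assumed here to run as the LocalSystem service account; if your nodes run it under a different account, add that identity instead. A 'Off' or 'Unknown' BitLocker result means the secrets written to this disk are recoverable by anyone who removes it, which is the threat the comment above calls out.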
rahul24 commented 4 years ago

Any plans to support Windows containers?

anufryieu commented 4 years ago

I also need this feature.

ritazh commented 4 years ago

This feature is being tracked in these issues. Please subscribe to get the latest:
https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/115
https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/29