hashicorp / terraform-provider-kubernetes

Terraform Kubernetes provider
https://www.terraform.io/docs/providers/kubernetes/
Mozilla Public License 2.0

Add WindowsSecurityContextOptions to security_context #1623

Open dvdvorle opened 2 years ago

dvdvorle commented 2 years ago

Description

I'm trying to set the username for Windows containers, but the WindowsSecurityContextOptions seem to be missing. Also documented here.

Potential Terraform Configuration

resource "kubernetes_deployment_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    template {
      spec {
        security_context {
          windows_options {
            run_as_username = "1000"
          }
        }
      }
    }
  }
}


Passie1982 commented 1 year ago

What is the status of this issue? According to the Kubernetes documentation (https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/):

The runAsUserName should be present under the tag:

security_context{
apiVersion: v1
kind: Pod
metadata:
  name: run-as-username-container-demo
spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
  containers:
  - name: run-as-username-demo
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: ["ping", "-t", "localhost"]
    securityContext:
      windowsOptions:
        runAsUserName: "ContainerAdministrator"
  nodeSelector:
    kubernetes.io/os: windows

Specifically for Windows nodes, this is needed to get the Windows pod up and running. Otherwise the pod fails to run on AKS cluster version 1.23.x and higher.

MunierSaadeh commented 1 year ago

Hi Hashicorp team,

What is the status on this open issue? Is it being worked on?

Rob-B-NAIT commented 1 year ago

This seems like a rather old K8s feature to still not be supported in the provider - any ETA? I also need access to the pod's security context windows_options in order to be able to set up Windows HostProcess containers.

davhdavh commented 1 year ago

Please support the full CRD: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context

jflord-srt commented 1 year ago

This has become an issue for us while trying to implement gMSA for our Windows pods. Would love to see this added soon so that we can avoid dropping into raw manifest files.

Specifically: "securityContext.windowsOptions.gmsaCredentialSpecName"

Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context

Thank you

jflord-srt commented 8 months ago

I'm revisiting this issue after some time and it appears that the pod spec now supports the "windowsOptions". Unfortunately, we are now encountering a downstream issue.

security_context {
    windows_options {
        gmsa_credential_spec_name = "my-credential-spec-name"
    }
}
Error: Failed to create deployment: Deployment "my-deployment" is invalid: [
    spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpec: Invalid value: "": gmsaCredentialSpec cannot be an empty string,
    spec.template.spec.securityContext.windowsOptions.runAsUserName: Invalid value: "": runAsUserName cannot be an empty string
]

When we use a raw manifest, the gmsaCredentialSpec and runAsUserName attributes are not required.

Furthermore, "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field." Therefore it should not be a required value.

I might be posting this in the wrong place, but I figured I would start here. Any advice would be greatly appreciated.

This is becoming an important feature for us as our current workarounds are not ideal...
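The two validation errors quoted above are what the API server returns when a pointer field in windowsOptions is present but points at "". The example below is added here to illustrate that mechanism; it is not code from the provider or from Kubernetes. The WindowsSecurityContextOptions struct is a local stand-in for the real API type (same JSON field names, pointer fields with omitempty, no k8s.io import), the Block map is a constructed stand-in for the attribute map Terraform hands a provider for one windows_options {} block, and validate only mirrors the two "cannot be an empty string" checks from the error message, not the full apiserver validation. The naive expansion reproduces the failure; the strict expansion leaves unset attributes nil so they are omitted from the request body.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// WindowsSecurityContextOptions is a local stand-in for the Kubernetes
// securityContext.windowsOptions object (assumed here so the example has no
// k8s.io dependency). As in the real API type, every field is a pointer with
// omitempty, so "not set" and "" are different things on the wire.
type WindowsSecurityContextOptions struct {
	GMSACredentialSpecName *string `json:"gmsaCredentialSpecName,omitempty"`
	GMSACredentialSpec     *string `json:"gmsaCredentialSpec,omitempty"`
	RunAsUserName          *string `json:"runAsUserName,omitempty"`
}

func strPtr(s string) *string { return &s }

// Block is a constructed stand-in for the attribute map a Terraform provider
// receives for one windows_options {} block. Unset optional string attributes
// arrive as "", which is the root of the problem shown in the thread.
type Block map[string]string

// expandNaive turns every attribute into a pointer, including the empty
// strings supplied for attributes the user never set. This is the pattern
// that produces the "cannot be an empty string" errors.
func expandNaive(b Block) *WindowsSecurityContextOptions {
	return &WindowsSecurityContextOptions{
		GMSACredentialSpecName: strPtr(b["gmsa_credential_spec_name"]),
		GMSACredentialSpec:     strPtr(b["gmsa_credential_spec"]),
		RunAsUserName:          strPtr(b["run_as_username"]),
	}
}

// expandStrict only sets a field when the user supplied a non-empty value, so
// unset attributes stay nil, are dropped by omitempty, and the API server
// never sees an empty string it must reject.
func expandStrict(b Block) *WindowsSecurityContextOptions {
	out := &WindowsSecurityContextOptions{}
	if v := b["gmsa_credential_spec_name"]; v != "" {
		out.GMSACredentialSpecName = strPtr(v)
	}
	if v := b["gmsa_credential_spec"]; v != "" {
		out.GMSACredentialSpec = strPtr(v)
	}
	if v := b["run_as_username"]; v != "" {
		out.RunAsUserName = strPtr(v)
	}
	return out
}

// validate mirrors the two API-server checks quoted in the thread: a field
// that is present (non-nil) must not be the empty string. It is a simplified
// local check, not the apiserver's complete validation of windowsOptions.
func validate(o *WindowsSecurityContextOptions) []string {
	var errs []string
	if o.GMSACredentialSpec != nil && *o.GMSACredentialSpec == "" {
		errs = append(errs, "windowsOptions.gmsaCredentialSpec: gmsaCredentialSpec cannot be an empty string")
	}
	if o.RunAsUserName != nil && *o.RunAsUserName == "" {
		errs = append(errs, "windowsOptions.runAsUserName: runAsUserName cannot be an empty string")
	}
	return errs
}

// toJSON renders the object as it would appear in the request body.
func toJSON(o *WindowsSecurityContextOptions) string {
	b, _ := json.Marshal(o)
	return string(b)
}

func main() {
	// Constructed input: the user set only gmsa_credential_spec_name, as in the
	// HCL in the thread; the other two attributes arrive as "".
	blk := Block{
		"gmsa_credential_spec_name": "my-credential-spec-name",
		"gmsa_credential_spec":      "",
		"run_as_username":           "",
	}
	for _, c := range []struct {
		name string
		o    *WindowsSecurityContextOptions
	}{
		{"naive", expandNaive(blk)},
		{"strict", expandStrict(blk)},
	} {
		fmt.Printf("%-6s body=%s errors=%v\n", c.name, toJSON(c.o), validate(c.o))
	}
}
```

The naive body carries `"gmsaCredentialSpec":""` and `"runAsUserName":""` and fails both checks; the strict body contains only `gmsaCredentialSpecName`, which is the shape a raw manifest with just that key produces and the one the gMSA admission webhook expects to fill in.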