
Add WindowsSecurityContextOptions to security_context

Open dvdvorle opened this issue 3 years ago • 6 comments

Description

I'm trying to set the username for windows containers but the WindowsSecurityContextOptions seem to be missing. Also documented here.

Potential Terraform Configuration

resource "kubernetes_deployment_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    template {
      spec {
        security_context {
          windows_options {
            run_as_username = "1000"
          }
        }
      }
    }
  }
}

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

dvdvorle avatar Mar 03 '22 18:03 dvdvorle

What is the status of this issue: According to the documentation of kubernetes: https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/

The runAsUserName should be present under the tag:

security_context{
apiVersion: v1
kind: Pod
metadata:
  name: run-as-username-container-demo
spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
  containers:
  - name: run-as-username-demo
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: ["ping", "-t", "localhost"]
    securityContext:
        windowsOptions:
            runAsUserName: "ContainerAdministrator"
  nodeSelector:
    kubernetes.io/os: windows

Specifically for Windows nodes, this is needed to get the Windows pod up and running. Otherwise the pod fails to run on AKS cluster version 1.23.x and higher.

Passie1982 avatar Jan 31 '23 10:01 Passie1982

Hi Hashicorp team,

What is the status on this open issue? Is it being worked on?

MunierSaadeh avatar Apr 24 '23 18:04 MunierSaadeh

This seems like a rather old K8S feature to still not be supported in the provider - any ETA? I also need access to the pod's security context windows-options in order to be able to set up Windows HostProcess containers.

Rob-B-NAIT avatar Jun 05 '23 21:06 Rob-B-NAIT

Please support the full crd, https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context

davhdavh avatar Jun 23 '23 12:06 davhdavh

This has become an issue for us while trying to implement gMSA for our Windows pods. Would love to see this added soon so that we can avoid dropping into raw manifest files.

Specifically: "securityContext.windowsOptions.gmsaCredentialSpecName"

Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context

Thank you

jflord-srt avatar Sep 25 '23 15:09 jflord-srt

I'm revisiting this issue after some time and it appears that the pod spec now supports the "windowsOptions". Unfortunately, we are now encountering a downstream issue.

security_context {
    windows_options {
        gmsa_credential_spec_name = "my-credential-spec-name"
    }
}
Error: Failed to create deployment: Deployment "my-deployment" is invalid: [
    spec.template.spec.securityContext.windowsOptions.gmsaCredentialSpec: Invalid value: "": gmsaCredentialSpec cannot be an empty string,
    spec.template.spec.securityContext.windowsOptions.runAsUserName: Invalid value: "": runAsUserName cannot be an empty string
]

When we use a raw manifest, the gmsaCredentialSpec and runAsUserName attributes are not required.

Furthermore, the "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.", therefore it should not be a required value.

I might be posting this in the wrong place, but I figured I would start here. Any advice would be greatly appreciated.

This is becoming an important feature for us as our current workarounds are not ideal...

jflord-srt avatar Mar 08 '24 23:03 jflord-srt
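The error above reports `Invalid value: ""` for two fields the configuration never set, which is the signature of an encoder that sends unset optional strings as empty strings instead of omitting them: the apiserver distinguishes an absent `gmsaCredentialSpec` (allowed, the admission webhook fills it in later) from a present-but-empty one (rejected). The Go program below is an added illustration, not code from the provider or from Kubernetes. It assumes that mechanism, encodes the same `windowsOptions` block two ways (plain `string` fields with no `omitempty`, versus `*string` fields tagged `omitempty`, which is the shape of the upstream `core/v1` type) and runs a small validator that reproduces the thread's error messages; the `hostProcess` boolean is left out to keep the validator to string fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// NaiveWindowsOptions uses plain string fields with no omitempty, so a field
// the user never set is still sent on the wire as "". This is a constructed
// stand-in for the failure mode, not the provider's actual code.
type NaiveWindowsOptions struct {
	GMSACredentialSpecName string `json:"gmsaCredentialSpecName"`
	GMSACredentialSpec     string `json:"gmsaCredentialSpec"`
	RunAsUserName          string `json:"runAsUserName"`
}

// TypedWindowsOptions follows the shape of the upstream core/v1 type:
// pointer fields tagged omitempty, so an unset field is absent from the JSON.
type TypedWindowsOptions struct {
	GMSACredentialSpecName *string `json:"gmsaCredentialSpecName,omitempty"`
	GMSACredentialSpec     *string `json:"gmsaCredentialSpec,omitempty"`
	RunAsUserName          *string `json:"runAsUserName,omitempty"`
}

func strPtr(s string) *string { return &s }

// NaiveWireForm encodes windowsOptions with only the spec name set, using the
// naive struct; the other two fields come out as "".
func NaiveWireForm(specName string) string {
	b, _ := json.Marshal(NaiveWindowsOptions{GMSACredentialSpecName: specName})
	return string(b)
}

// TypedWireForm does the same with the pointer/omitempty struct; unset fields
// are simply not present in the output.
func TypedWireForm(specName string) string {
	b, _ := json.Marshal(TypedWindowsOptions{GMSACredentialSpecName: strPtr(specName)})
	return string(b)
}

// ValidateWindowsOptions applies the rule the apiserver error in the thread
// describes: a key that is present must not hold an empty string. Working on
// the decoded JSON object keeps "present but empty" distinct from "absent".
// Only string-valued keys are expected (hostProcess is out of scope here).
func ValidateWindowsOptions(wire string, fieldPath string) []string {
	var obj map[string]*string
	if err := json.Unmarshal([]byte(wire), &obj); err != nil {
		return []string{fmt.Sprintf("%s: %v", fieldPath, err)}
	}
	keys := make([]string, 0, len(obj))
	for k := range obj {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order, like the sorted field paths in the real error
	var errs []string
	for _, k := range keys {
		if v := obj[k]; v != nil && *v == "" {
			errs = append(errs, fmt.Sprintf("%s.%s: Invalid value: \"\": %s cannot be an empty string", fieldPath, k, k))
		}
	}
	return errs
}

func main() {
	const path = "spec.template.spec.securityContext.windowsOptions"
	// "my-credential-spec-name" is the value used in the comment above.
	for _, wire := range []string{NaiveWireForm("my-credential-spec-name"), TypedWireForm("my-credential-spec-name")} {
		fmt.Println(wire)
		for _, e := range ValidateWindowsOptions(wire, path) {
			fmt.Println("  ", e)
		}
	}
}
```

Running it prints the naive encoding followed by the two `cannot be an empty string` errors from the thread, then the typed encoding with no errors. Until the provider omits unset fields, the way to get the same wire form is to hand the apiserver a manifest that simply does not mention `gmsaCredentialSpec` or `runAsUserName`, which is why the raw-manifest path in the comment above works.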

+1 this is still an issue gmsaCredentialSpecName: Invalid value: ""

LBoraz avatar Jan 09 '25 12:01 LBoraz