Configure gMSA for Windows Pods and containers
What is a gMSA account
Windows-based applications such as .NET applications often use Active Directory as an identity provider, handling authentication and authorization over the NTLM or Kerberos protocol.
An application server must be domain-joined to exchange Kerberos tickets with Active Directory. Windows containers don't support domain joins, and a join would not make much sense anyway: containers are ephemeral resources, and joining each one would put a burden on the Active Directory RID pool.
However, administrators can use group Managed Service Account (gMSA) Active Directory accounts to negotiate Windows authentication on behalf of resources such as Windows containers, NLB clusters and server farms.
Windows container and gMSA use case
ASP.NET applications that rely on Windows authentication and run as Windows containers benefit from gMSA because the Windows node exchanges the Kerberos ticket on behalf of the container. However, the Dockerfile used to build the Windows container image needs to configure IIS and enable Windows authentication.
The following steps set up IIS for Windows Authentication:
- Install the Windows-Auth feature on IIS, as it isn't installed by default on a Windows image
- Set up the IIS application pool to run under the Network Service account
- Disable anonymousAuthentication, which is enabled by default
- Enable Windows Authentication
```dockerfile
# The RUN lines below are PowerShell; the Dockerfile must already have switched
# the shell (assumed here, not shown in the original snippet).
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop';"]
# Windows-Auth is not part of the base Windows image
RUN Install-WindowsFeature -Name Web-Windows-Auth -IncludeAllSubFeature
# identityType 2 = NetworkService, the identity the gMSA is mapped onto
RUN Import-Module WebAdministration; Set-ItemProperty 'IIS:\AppPools\SiteName' -name processModel.identityType -value 2
# Anonymous access is on by default; turn it off so IIS challenges for Windows auth
RUN Import-Module WebAdministration; Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name Enabled -Value False -PSPath 'IIS:\' -Location 'SiteName'
RUN Import-Module WebAdministration; Set-WebConfigurationProperty -Filter '/system.webServer/security/authentication/windowsAuthentication' -Name Enabled -Value True -PSPath 'IIS:\' -Location 'SiteName'
```
Enabling gMSA on Amazon EKS cluster
In November 2020, AWS published a step-by-step guide on how to set up an Amazon EKS cluster to use gMSA. It can be used for any scenario that requires Active Directory authentication, including the use cases mentioned above. The blog post walks through:
- Creating an EKS cluster with self-managed Windows worker nodes
- Joining the Windows worker node to an Active Directory Domain
- Creating and configuring gMSA accounts in the Active Directory domain
- Installing the gMSA CredentialSpec CRD
- Installing the Windows gMSA Webhook Admission controller
- Creating gMSA credential spec resources
- Creating a Kubernetes ClusterRole for each gMSA credential spec
- Binding the Kubernetes ClusterRole to a service account so that it may use specific gMSA credential specs
- Configuring DNS forwarder with CoreDNS
- Configuring the gMSA credential spec in the Windows pod spec
- Testing the Windows Authentication from inside the Windows pod
Blog link: https://aws.amazon.com/blogs/containers/windows-authentication-on-amazon-eks-windows-pods/
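The Kubernetes objects that the credential-spec, ClusterRole, service-account and pod-spec steps above produce, shown together as an added example (this is not the blog post's or the EKS guide's own manifest). Every domain value is a placeholder: the `Sid`, `Guid`, DNS and NetBIOS names, the gMSA name `WebApp01`, the resource names `webapp-gmsa`, `webapp-gmsa-user` and `webapp-sa`, and the image reference are assumptions to be replaced with the output of the CredentialSpec module on a domain-joined node and with your own names.

```yaml
# Added example, not from the AWS blog post. All identifiers below are placeholders.
---
# 1. The gMSA credential spec, installed through the GMSACredentialSpec CRD.
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
  name: webapp-gmsa                      # placeholder; referenced by the Pod below
credspec:
  CmsPlugins:
    - ActiveDirectory
  DomainJoinConfig:
    Sid: S-1-5-21-0000000000-0000000000-0000000000   # placeholder domain SID
    MachineAccountName: WebApp01                      # placeholder gMSA name in AD
    Guid: 00000000-0000-0000-0000-000000000000        # placeholder domain GUID
    DnsTreeName: example.corp                         # placeholder forest root
    DnsName: example.corp                             # placeholder domain FQDN
    NetBiosName: EXAMPLE                              # placeholder NetBIOS name
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
      - Name: WebApp01
        Scope: example.corp
      - Name: WebApp01
        Scope: EXAMPLE
---
# 2. A ClusterRole that grants "use" on this one credential spec only (least privilege:
#    resourceNames pins it to a single spec rather than every spec in the cluster).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webapp-gmsa-user
rules:
  - apiGroups: ["windows.k8s.io"]
    resources: ["gmsacredentialspecs"]
    verbs: ["use"]
    resourceNames: ["webapp-gmsa"]
---
# 3. The service account the pod runs as, and a namespaced binding to the ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-gmsa-user
  namespace: default
subjects:
  - kind: ServiceAccount
    name: webapp-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: webapp-gmsa-user
  apiGroup: rbac.authorization.k8s.io
---
# 4. The Windows pod. The gMSA webhook admission controller checks that webapp-sa may
#    "use" webapp-gmsa and then expands the name into the full credential spec JSON.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  namespace: default
spec:
  serviceAccountName: webapp-sa
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      gmsaCredentialSpecName: webapp-gmsa
  containers:
    - name: iis
      image: PLACEHOLDER_REGISTRY/webapp:latest   # placeholder; image built from the Dockerfile above
      ports:
        - containerPort: 80
```

Apply the manifest with `kubectl apply -f`, after the CRD and webhook from the blog post are installed. If the binding is missing or names a different spec, the webhook rejects the pod at admission rather than scheduling a container that silently falls back to anonymous access; the authorization can be checked ahead of time with `kubectl auth can-i use gmsacredentialspecs/webapp-gmsa -n default --as=system:serviceaccount:default:webapp-sa`.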