Replies: 3 comments 4 replies
-
Hi @zyloid, thanks for starting the discussion. We can discuss your questions in detail; we would love to meet you.
-
Hi @zyloid, added an issue for keytab support.
-
Adding on here since I have a similar usage scenario as @zyloid. I am using AKS and need to allow Windows auth from Linux containers to access SQL Server instances hosted on Azure VMs. This project seems like the way to do that. I am fairly new to Kubernetes in general, so I am really unsure how to go about getting this working. Any step-by-step guidance would be appreciated. For some insight into my 'platform', the AKS nodes are running Ubuntu, and our application containers are running .NET Core on Debian, I believe, but we can change the base image to a different distro if needed. I'm really not sure if I need to create a DaemonSet in AKS to run this and, if so, how my pods/containers use it. Also, if I need to build the source for a different Linux distro like Ubuntu, I'm not sure of the steps to do that either. Any help would be greatly appreciated.
-
Hi, I'm trying to get Kerberos authentication working on Linux containers in AKS (Azure Kubernetes Service) and this looks like it could be very useful! I've got gMSA working on Windows containers and am keen to understand how this can be used to achieve the same thing on Linux. I have a few questions on usage if anyone is able to help out.
What's the expected way that this should be deployed and used? The docs mention credentials-fetcher being an analogue for ccg.exe on Windows, however the documentation seems to imply that Linux hosts need to be domain joined - with ccg.exe the nodes do not need to be domain joined (which is a big benefit when cluster nodes are regularly scaled up and down). Would credentials-helper be expected to be deployed onto a domain-joined server outside the cluster that pods call into, or is the expectation that all cluster nodes are domain joined and run the credentials-helper daemon?
My understanding is that the gMSA password resets every 30 days; does the credentials-fetcher daemon automatically regenerate the keytab files when this happens, or should the client application periodically call AddKerberosLease?
With Windows pods gMSA is effectively the only option for Kerberos authentication. On Linux we have the option of generating and refreshing keytabs in a sidecar container. What's the benefit of using credentials-helper instead of a pregenerated keytab - is it simply that it allows us to use gMSA accounts instead of service accounts?
Any guidance would be much appreciated!