aks
12 Topics

Announcing Active Directory Identity Improvement on AKS on Azure Stack HCI
We’re very pleased to announce that the Group Managed Service Account (gMSA) for Containers with non-domain joined host solution is now available in the recently announced AKS on Azure Stack HCI Release Candidate!

“gMSA with non-domain joined host” vs. “gMSA with domain-joined host”

gMSA with non-domain joined host: Credentials are stored as a Kubernetes secret, and authenticated parties can retrieve the secret. These credentials are used to retrieve the gMSA identity from AD. This eliminates the need for the container host to be domain joined and solves challenges with container host updates.

gMSA with domain-joined host: Updates to the Windows container host can pose considerable challenges. All previous settings need to be reconfigured to domain join the new container host.

Simplified end-to-end gMSA configuration process by built-in cmdlets

In AKS on Azure Stack HCI, even though you don't need to domain join Windows worker nodes anymore, there are other configuration steps that you can't skip. These steps include installing the webhook, the custom resource definition (CRD), and the credential spec, as well as enabling role-based access control (RBAC). We provide a few PowerShell cmdlets to simplify the end-to-end experience. Please refer to Configure group Managed Service Accounts with AKS on Azure Stack HCI - AKS-HCI | Microsoft Docs.

Getting started

We have provided detailed documentation on how to integrate your gMSA with containers in AKS-HCI with the non-domain joined solution.

- Preparing gMSA in domain controller
- Configure group Managed Service Accounts with AKS on Azure Stack HCI - AKS-HCI | Microsoft Docs
- Prepare the gMSA credential spec JSON file (This is a one-time action. Please use the gMSA account in your domain)
- Install webhook, add Kubernetes secret and add gMSA Credential Spec can be finished by three cmdlets
- Deploy your application.

As always, we love to see you try it out, and give us feedback.
You can share your feedback at our GitHub community Issues · microsoft/Windows-Containers (github.com), or contact us directly at win-containers@microsoft.com.

Jing
Twitter: https://twitter.com/JingLi00465231

Group Managed Service Accounts (gMSA) on Azure Kubernetes Service - now in Public Preview
Customers are increasingly finding value in migrating their Windows Server workloads to Kubernetes in both the cloud and on the edge. We’re giving this “lift and shift” scenario, as it’s often called, a boost with the public preview of group Managed Service Accounts (gMSA) for Windows containers on Azure Kubernetes Service (AKS).

Announcing Windows Container on Azure Kubernetes Service Demos
Today I am very happy to announce the release of Windows Container on Azure Kubernetes Service Demos. This Demos repo is a collection of demos to show how you can modernize Windows Server applications with Windows containers running on Azure Kubernetes Service (AKS).

GitHub Repo: Windows Container on Azure Kubernetes Service Demos

Portability with Windows Server Annual Channel for Containers
Earlier this month we announced the Windows Server Annual Channel for Containers and emphasized a new feature that will be available in the 23H2 release that enables container image portability between Windows Server 2022 LTSC images and the annual channel 23H2 host OS coming this fall.

Networking considerations for gMSA on AKS
At Ignite, we announced the Public Preview of a very anticipated feature for Azure Kubernetes Service (AKS) - support for Group Managed Service Accounts (gMSA). This preview allows customers to kick the tires on bringing existing applications that require Active Directory authentication to a modern platform in the cloud with AKS. However, in our customer engagements, we’re seeing some common issues around networking that I’d like to clarify in this blog post.