The gMSA strategy Microsoft recommends for Containers here and here works very well. The general idea is the Container host retrieves the gMSA password from an Active Directory domain controller and gives it to the Container. The Identity configuration is stored in a JSON Credential Spec file, which is expected to live at the location C:\ProgramData\docker\CredentialSpecs on the Container host. This file contains metadata about the gMSA and is ultimately passed to the Docker Engine that runs the containers. Below is an example of doing this via docker run:
docker run --security-opt "credentialspec=file://myspec.json" --hostname myappname -it myimage powershell
The issue with this is if multiple teams use the same Container hosts, how can you prevent one team from using another team's Credential Spec and thus running their containers with that team's permissions? For example, if the host has the below CredentialSpecs, Team A could use Team C's.
C:\ProgramData\docker\CredentialSpecs\TeamA.json
C:\ProgramData\docker\CredentialSpecs\TeamB.json
C:\ProgramData\docker\CredentialSpecs\TeamC.json
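One way to see which spec each container on a shared host was actually started with, as an added example that is not part of the original post and not Microsoft's or Docker's tooling: it parses `docker inspect` output, reads the `credentialspec=file://` entry from `HostConfig.SecurityOpt`, and compares the owning team of that spec file with a hypothetical `team` label on the container. The sample inspect output, the label name and the owner map are constructed.

```python
import json
import sys
from pathlib import PureWindowsPath

# Constructed sample of `docker inspect` output for four containers on a shared
# host; names, IDs and the "team" label are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/teama-web",
     "Config": {"Labels": {"team": "TeamA"}},
     "HostConfig": {"SecurityOpt": ["credentialspec=file://TeamA.json"]}},
    {"Id": "bbb222", "Name": "/teama-batch",
     "Config": {"Labels": {"team": "TeamA"}},
     "HostConfig": {"SecurityOpt": ["credentialspec=file://TeamC.json"]}},
    {"Id": "ccc333", "Name": "/unlabeled",
     "Config": {"Labels": {}},
     "HostConfig": {"SecurityOpt": ["credentialspec=file://TeamB.json"]}},
    {"Id": "ddd444", "Name": "/no-gmsa",
     "Config": {"Labels": {"team": "TeamB"}},
     "HostConfig": {"SecurityOpt": None}},
])

# Which team owns which file under C:\ProgramData\docker\CredentialSpecs (assumed).
SPEC_OWNERS = {"TeamA.json": "TeamA", "TeamB.json": "TeamB", "TeamC.json": "TeamC"}


def credential_spec_of(container: dict):
    """Return the credential spec file name the container was started with, if any."""
    for opt in container.get("HostConfig", {}).get("SecurityOpt") or []:
        if opt.startswith("credentialspec=file://"):
            # file:// paths are relative to the CredentialSpecs directory; keep the leaf
            return PureWindowsPath(opt[len("credentialspec=file://"):]).name
    return None


def audit(inspect_json: str, spec_owners: dict) -> list:
    """Flag containers whose team label does not match the owner of the spec they use."""
    findings = []
    for c in json.loads(inspect_json):
        spec = credential_spec_of(c)
        if spec is None:
            continue  # no gMSA identity requested, nothing to check
        declared = (c.get("Config", {}).get("Labels") or {}).get("team")
        owner = spec_owners.get(spec)
        if owner is None or declared != owner:
            findings.append((c["Name"].lstrip("/"), spec, declared, owner))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, spec, declared, owner in audit(data, SPEC_OWNERS):
        print(f"{name}: uses {spec} (owner {owner}), labelled team={declared}")
```

On a real host, pipe in `docker inspect $(docker ps -q)`. Because the label is set by whoever starts the container, this finds a mismatch after the fact; it does not by itself stop a team from pointing at another team's spec.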