
The gMSA strategy Microsoft recommends for Containers here and here works very well. The general idea is the Container host retrieves the gMSA password from an Active Directory domain controller and gives it to the Container. The Identity configuration is stored in a JSON Credential Spec file, which is expected to live at the location C:\ProgramData\docker\CredentialSpecs on the Container host. This file contains metadata about the gMSA and is ultimately passed to the Docker Engine that runs the containers. Below is an example of doing this via docker run:

docker run --security-opt "credentialspec=file://myspec.json" --hostname myappname -it myimage powershell

The issue with this is if multiple teams use the same Container hosts, how can you protect against one team using another team's Credential Spec and thus running their containers with that team's permissions? For example, if the host has the below CredentialSpecs, Team A could use Team C's.

C:\ProgramData\docker\CredentialSpecs\TeamA.json
C:\ProgramData\docker\CredentialSpecs\TeamB.json
C:\ProgramData\docker\CredentialSpecs\TeamC.json

  • If a server is authorized to retrieve credentials for a GMSA, any user with sufficient access to that server can use that GMSA -- regardless of the CredentialSpecs. For example, you can start an arbitrary process using PSExec64.exe -i -u DOMAIN\gMSA-Account$ -p ~ powershell.exe – Jaykul Feb 05 '21 at 15:32


Even though I did not read nor use that technology, I suggest NTFS permissions.
Remove permissions on the files and only apply read permission for the allowed group or user.
Docker can't read the credential file and thus can't run under a different/unallowed user.
Only works if docker also runs under different user contexts.

– unNamed
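One way to apply the NTFS approach from the answer above, as an added example that is not part of the original question or answer: each team's Credential Spec gets its inherited ACEs stripped and read access granted only to that team's AD group, plus whatever account the Docker Engine reads the file under, plus local Administrators. The group names, the script-level paths and the engine account are assumptions for illustration. The answer's own caveat still applies: the engine account must be able to read every spec, so this only separates teams if the docker invocations themselves run under distinct user contexts (and, as the comment on the question notes, anyone with sufficient access to the host can use the gMSA regardless of these files).

```powershell
# Added example (not from the original post). Run elevated on the Container host.
# Assumptions: the spec files live in the default location from the question,
# each team has an AD group named DOMAIN\<Team>-ContainerOps (placeholder names),
# and $EngineAccount is whatever account the Docker Engine reads specs under.

function Set-CredentialSpecAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TeamGroup,
        [string]$EngineAccount = 'NT AUTHORITY\SYSTEM'   # assumed; adjust to your service account
    )
    # Stop inheriting the broad ACL from C:\ProgramData\docker and drop inherited ACEs.
    icacls $Path /inheritance:r | Out-Null
    # Grant read only to the owning team and the engine account; admins keep full control.
    icacls $Path /grant:r "${TeamGroup}:(R)" "${EngineAccount}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null
}

function Test-CredentialSpecAcl {
    # Reports any Allow ACE that still exposes the spec to broad built-in principals.
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            '{0}: {1} still has {2}' -f $Path, $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
}

$specRoot = 'C:\ProgramData\docker\CredentialSpecs'
$teamGroups = @{
    'TeamA.json' = 'DOMAIN\TeamA-ContainerOps'   # placeholder group names
    'TeamB.json' = 'DOMAIN\TeamB-ContainerOps'
    'TeamC.json' = 'DOMAIN\TeamC-ContainerOps'
}

foreach ($file in $teamGroups.Keys) {
    $path = Join-Path $specRoot $file
    Set-CredentialSpecAcl -Path $path -TeamGroup $teamGroups[$file]
    # Any output here means the lockdown did not take and the spec is still readable by everyone.
    Test-CredentialSpecAcl -Path $path
}
```

After running it, a member of TeamA-ContainerOps can no longer open TeamC.json from an interactive session, so a `docker run --security-opt "credentialspec=file://TeamC.json"` typed by that user fails at the point where the file is read in their context. It does nothing against a process that already runs as the engine account or as an administrator, which is the limitation both the answer and the comment describe.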