MicrosoftDocs/Virtualization-Documentation

So you effectively replaced a Process ID with a Process ID plus gMSAs?

jricha34 opened this issue · 1 comments

So if I am reading this right, you have taken the gMSA idea, which was intended to get away from using unmanaged or poorly managed Process/Service IDs, and now coupled it with one or more new, possibly unmanaged or poorly managed Process/Service IDs to allow non-domain-joined container hosts to use gMSAs.

The Process/Service ID should still be getting password changes applied to it. Will that be happening automatically by the host? If so, at what frequency is that happening, and is it configurable? If not, what is the process for changing that password in environments that require password changes every 30, 60, or 90 days for ALL IDs?

Perhaps I am missing something here, but it seems this is protecting more secure IDs with a less secure ID. Unless that process ID password is being changed by the host(s), some human somewhere will know the password, which will likely balloon to more people, and now you have how many people who can retrieve the gMSAs that are "protected" behind that ID.
