microsoft/Azure-Key-Vault-Plugin-gMSA

Use of the AKV Plugin in a non-AKS Kubernetes distribution

jmmckenz opened this issue · 1 comment

Are there any examples of this plugin being used in a non-AKS Kubernetes implementation?

I was able to get the DLL compiled; however, I do not have any solid information on how to use it outside of the instructions provided for AKS, which I am not sure how to translate to "vanilla" Kubernetes steps.

I am also unsure if the DLL I have compiled will work appropriately, considering there are no clear "instructions" on how to compile the code. The restore.cmd has an outdated branch for vcpkg, and to get it to run I had to update it to a new branch and make sure my PS was launched as administrator.

Here are the steps I followed to compile:

AKVCCGPLUGIN build steps.txt

A bit of background to provide context to my situation:

  • I am a Kubernetes Admin, with a primarily *nix Administration background and some development
  • I have limited knowledge/experience administering Windows systems
  • I have limited knowledge/experience administering AD
  • I have internal/external customers requesting gMSA in containers

As the demand for Windows-based containers continues to grow and more organizations want to take advantage of gMSA in containers, are there plans to keep maintaining this project or providing a more generic ccg plugin capable of using other external key providers like HashiCorp Vault? Is there a pre-compiled generic version of the plugin AKV DLL available for download/use with instructions on how to implement? I feel that my use case is not unique, and I am looking for a way to work together to bridge some of the knowledge gaps that other admins with similar circumstances are undoubtedly going to encounter as more and more *nix shops adopt Kubernetes for container workloads.

Thank you for your time.
James M McKenzie

Hi @jmmckenz - this project is intended to serve as a template to the open-source community for how to integrate with key vaults. Please feel free to modify this template to best suit the key vault you are looking to integrate with. I would recommend starting by modifying the contents of your credspec file and seeing where potential tweaks are needed in the code.