| 1 | +--- |
| 2 | +reviewers: |
| 3 | +- jayunit100 |
| 4 | +- jsturtevant |
| 5 | +- marosset |
| 6 | +- perithompson |
| 7 | +title: Security For Windows Nodes |
| 8 | +content_type: concept |
| 9 | +weight: 75 |
| 10 | +--- |
| 11 | + |
| 12 | +<!-- overview --> |
| 13 | + |
| 14 | +This page describes security considerations and best practices specific to the Windows operating system. |
| 15 | + |
| 16 | +<!-- body --> |
| 17 | + |
| 18 | +## Protection for Secret data on nodes |
| 19 | + |
| 20 | +On Windows, data from Secrets are written out in clear text onto the node's local |
| 21 | +storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster |
| 22 | +operator, you should take both of the following additional measures: |
| 23 | + |
| 24 | +1. Use file ACLs to secure the Secrets' file location. |
| 25 | +1. Apply volume-level encryption using [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server). |
| 26 | + |
| 27 | +## Container users |
| 28 | + |
| 29 | +[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername) |
| 30 | +can be specified for Windows Pods or containers to execute the container |
| 31 | +processes as specific user. This is roughly equivalent to |
| 32 | +[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups). |
| 33 | + |
| 34 | +Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator. |
| 35 | +The differences between these two user accounts are covered in |
| 36 | +[When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts) within Microsoft's _Secure Windows containers_ documentation. |
| 37 | + |
| 38 | +Local users can be added to container images during the container build process. |
| 39 | + |
| 40 | +{{< note >}} |
| 41 | + |
| 42 | +* [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as `ContainerUser` by default |
| 43 | +* [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as `ContainerAdministrator` by default |
| 44 | + |
| 45 | +{{< /note >}} |
| 46 | + |
| 47 | +Windows containers can also run as Active Directory identities by utilizing [Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/) |
| 48 | + |
| 49 | +## Pod-level security isolation |
| 50 | + |
| 51 | +Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom |
| 52 | +POSIX capabilities) are not supported on Windows nodes. |
| 53 | + |
| 54 | +Privileged containers are [not supported](#compatibility-v1-pod-spec-containers-securitycontext) on Windows. |
| 55 | +Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod) can be used on Windows to perform many of the tasks performed by privileged containers on Linux. |
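Review bot: the `#compatibility-v1-pod-spec-containers-securitycontext` anchor on line 54 is a same-page fragment, but nothing in this file produces that id (the only headings added here are "Protection for Secret data on nodes", "Container users" and "Pod-level security isolation"), so the "not supported" link will be dead once rendered; point it at the Windows compatibility page that actually carries that heading, or drop the link and state plainly that `privileged: true` is not supported on Windows nodes. Line 32 links `RunAsUser` to the PodSecurityPolicy page (`/docs/concepts/policy/pod-security-policy/#users-and-groups`); since PSP is deprecated, the pod `securityContext.runAsUser` field documentation is the better target for a page that is meant to outlive PSP. Line 25 ("Use file ACLs to secure the Secrets' file location") would be more actionable if it said which directory to protect and to which principals access should be limited (the kubelet's own service identity and local administrators), otherwise the reader has to guess what "the Secrets' file location" is. Line 55 presents HostProcess containers as the replacement for privileged containers without saying that they run with host-level access; a one-line caveat that they need the same admission-control gating as `privileged: true` would keep the "Pod-level security isolation" section from reading as if HostProcess were a safer alternative. Minor: line 31, "as specific user" should be "as a specific user".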