Microsoft defines a standalone Managed Service Account (sMSA) as a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate that management to other administrators. A group Managed Service Account (gMSA) provides the same functionality within the domain, but extends it across multiple servers: a set of hosts (for example the Windows worker nodes of a cluster) can share one identity whose password is generated and rotated by Active Directory rather than by any administrator.
Stuff you wanna know:
- GMSA credential specs are configured at a Kubernetes cluster-wide scope as custom resources of kind GMSACredentialSpec, so a CustomResourceDefinition (CRD) for that type has to be installed on the cluster before any credential spec can be created. A credential spec only names the gMSA and the domain it belongs to; it contains no password, because the Windows node's computer account retrieves the gMSA password from Active Directory on the container's behalf.
- Before Pods in Kubernetes can be configured to use a GMSA, the gMSA itself needs to be provisioned in Active Directory, and the Windows nodes that will run those Pods must be domain-joined and authorized to retrieve the account's password.
- Windows Pods, as well as individual containers within a Pod, can be configured to use a gMSA for domain-based functions (e.g. Kerberos authentication) when interacting with other Windows services.
- A ClusterRole needs to be defined for each GMSA credential spec resource, granting the `use` verb on that one resource only. Binding that role to a service account is what authorizes Pods running under the account to reference the credential spec; this is the least-privilege control that keeps one workload from borrowing another workload's domain identity.
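The whole sequence above (credential spec resource, per-spec ClusterRole, binding to a service account, and a Pod that references the spec) as a set of manifests. This is an added example, not configuration from the original page or from the Kubernetes or Microsoft documentation it links. It assumes the GMSACredentialSpec CRD and the gMSA admission webhook are already installed, and every domain value (contoso.com, the WebApp1 account, the GUID and SID) is a constructed placeholder that you would replace with the output generated from your own domain.

```yaml
# Added example: constructed placeholders, not real domain data.
# 1. The credential spec. Cluster-scoped; names the gMSA and its domain
#    but carries no secret. Normally produced from a credspec JSON file
#    generated on a domain-joined Windows host.
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
  name: gmsa-webapp1
credspec:
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
    - Name: WebApp1            # gMSA sAMAccountName (without trailing $)
      Scope: CONTOSO           # NetBIOS domain name
    - Name: WebApp1
      Scope: contoso.com       # DNS domain name
  CmsPlugins:
  - ActiveDirectory
  DomainJoinConfig:
    DnsName: contoso.com
    DnsTreeName: contoso.com
    Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a          # placeholder domain GUID
    MachineAccountName: WebApp1
    NetBiosName: CONTOSO
    Sid: S-1-5-21-2126449477-2524075714-3094792973      # placeholder domain SID
---
# 2. One ClusterRole per credential spec, granting only the "use" verb
#    and only on this named resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webapp1-gmsa-role
rules:
- apiGroups: ["windows.k8s.io"]
  resources: ["gmsacredentialspecs"]
  resourceNames: ["gmsa-webapp1"]
  verbs: ["use"]
---
# 3. Bind the role to the service account the workload runs as. A
#    RoleBinding (namespaced) is enough because the subject lives in a
#    namespace; the webhook rejects Pods whose service account lacks it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp1-use-gmsa
  namespace: webapp1
subjects:
- kind: ServiceAccount
  name: webapp1-sa
  namespace: webapp1
roleRef:
  kind: ClusterRole
  name: webapp1-gmsa-role
  apiGroup: rbac.authorization.k8s.io
---
# 4. The workload. The Pod-level windowsOptions applies to every
#    container; a container can override it with its own
#    securityContext.windowsOptions.gmsaCredentialSpecName.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp1
  namespace: webapp1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp1
  template:
    metadata:
      labels:
        app: webapp1
    spec:
      serviceAccountName: webapp1-sa
      securityContext:
        windowsOptions:
          gmsaCredentialSpecName: gmsa-webapp1
      nodeSelector:
        kubernetes.io/os: windows
      containers:
      - name: iis
        image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
```

Apply the manifests with `kubectl apply -f` and then check the result from inside a container with `nltest /sc_verify:contoso.com` or `klist`; a secure-channel failure there usually means the node's computer account was never added to the gMSA's PrincipalsAllowedToRetrieveManagedPassword list, which is an Active Directory step that none of these manifests can perform. Note that the RoleBinding, not the credential spec, is the authorization boundary: if several namespaces share a service account name, bind the ClusterRole only in the namespace that should hold that domain identity.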
More stuff:
- Configuring gMSA for Windows pods and containers — https://kubernetes.io/docs/tasks/configure-pod-container/configure-gmsa/
- Microsoft Docs – Group Managed Service Account — https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
- Deploying ASP.NET apps with Windows Authentication in GKE Windows containers — https://cloud.google.com/architecture/deploying-aspnet-with-windows-authentication-in-gke-windows-containers
- Orchestrate containers with a gMSA — https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-orchestrate-containers