Orchestrate containers with a gMSA

Applies to: Windows Server 2022, Windows Server 2019

In production environments, you'll often use a container orchestrator, such as Azure Kubernetes Service (AKS), the hosted Kubernetes service, to deploy and manage your apps and cluster services. Each orchestrator has its own management model and is responsible for accepting credential specs and passing them to the Windows container platform on the host that runs the container.

When you're orchestrating containers with Group Managed Service Accounts (gMSAs), make sure that:

  • All container hosts that can be scheduled to run containers with gMSAs are domain joined.
  • The container hosts are authorized to retrieve the passwords for all gMSAs used by containers (each host, or a security group containing it, is listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword).
  • The credential spec files are created and either uploaded to the orchestrator or copied to every container host, depending on how the orchestrator handles them.
  • Container networks allow the containers to reach the Active Directory domain controllers, so that the gMSA identity can obtain Kerberos tickets.
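The following pre-flight script is an added example and is not part of the original page; it checks each of the four conditions above on a single Windows container host, using the ActiveDirectory RSAT module and the CredentialSpec PowerShell module (both assumed to be installed). The gMSA name WebApp01, the domain contoso.com and the credential spec file name contoso_webapp01.json are placeholders for your own values.

```powershell
# Added example (not from the original page): pre-flight check for a Windows
# container host before it is allowed to run gMSA-backed containers.
# Run from an elevated PowerShell session on the host.
# Placeholder values: gMSA 'WebApp01', domain 'contoso.com',
# credential spec 'contoso_webapp01.json'.
param(
    [string]$GmsaName     = 'WebApp01',
    [string]$DomainName   = 'contoso.com',
    [string]$CredSpecFile = 'contoso_webapp01.json'
)

Import-Module ActiveDirectory -ErrorAction Stop   # RSAT: provides Test-ADServiceAccount
Import-Module CredentialSpec  -ErrorAction Stop   # provides Get-CredentialSpec

$failures = @()

# 1. The host must be domain joined; a workgroup host cannot retrieve gMSA passwords.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $failures += "Host $($cs.Name) is not domain joined."
}

# 2. The host must be allowed to retrieve the gMSA password
#    (PrincipalsAllowedToRetrieveManagedPassword). Test-ADServiceAccount returns
#    $true only when this computer account can actually fetch the password.
if (-not (Test-ADServiceAccount -Identity $GmsaName -ErrorAction SilentlyContinue)) {
    $failures += "Host cannot retrieve the password for gMSA '$GmsaName'."
}

# 3. The credential spec must be under the CredentialSpecs subdirectory of the
#    Docker data directory, which is where Get-CredentialSpec looks (Name/Path columns).
$spec = Get-CredentialSpec | Where-Object { $_.Name -eq $CredSpecFile }
if (-not $spec) {
    $failures += "Credential spec '$CredSpecFile' not found in the CredentialSpecs directory."
} else {
    # The spec must actually reference the gMSA this host is authorized for;
    # a mismatch here surfaces later as an opaque Kerberos failure in the container.
    $json  = Get-Content -Path $spec.Path -Raw | ConvertFrom-Json
    $names = @($json.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object { $_.Name })
    if ($names -notcontains $GmsaName) {
        $failures += "Credential spec '$CredSpecFile' references '$($names -join ', ')', not '$GmsaName'."
    }
}

# 4. A domain controller must be reachable on the Kerberos (88) and LDAP (389)
#    ports. This tests the host's own network path; if your containers use a
#    network that differs from the host's (for example a separate NAT or overlay),
#    repeat the port test from inside a container on that network.
$dc = (Get-ADDomainController -DomainName $DomainName -Discover -ErrorAction SilentlyContinue).HostName |
      Select-Object -First 1
if (-not $dc) {
    $failures += "Could not discover a domain controller for $DomainName."
} else {
    foreach ($port in 88, 389) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            $failures += "Domain controller $dc is not reachable on TCP $port."
        }
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Host is ready to run containers with gMSA '$GmsaName'."
```

Run it on every node that the orchestrator could schedule gMSA workloads onto, not just the node you tested manually; a single node that fails check 2 will produce intermittent authentication failures that depend on where the scheduler places the container.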

Use gMSA with Kubernetes

You can use gMSA with AKS and also with AKS on Azure Stack HCI, which is the on-premises implementation of the AKS orchestrator. For more information about how to use gMSA with Kubernetes, see Use gMSA on Azure Kubernetes Service in Windows Containers and Configure group Managed Service Account with AKS on Azure Stack HCI.

For the Kubernetes project's own documentation of this feature, see Configure gMSA for Windows pods and containers.
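On Kubernetes the credential spec is uploaded to the orchestrator rather than copied to every node: it is stored as a GMSACredentialSpec cluster resource, and a pod opts in by name through securityContext.windowsOptions.gmsaCredentialSpecName. The script below is an added example, not code from the original page or from AKS; it assumes a cluster where the gMSA CRD and admission webhook are already installed (the AKS Windows gMSA feature does this), that kubectl is on PATH with rights to create cluster-scoped resources, and that the credential spec was produced beforehand with New-CredentialSpec. All file, resource and image names are placeholders.

```powershell
# Added example (not from the original page): publish a credential spec to a
# Kubernetes cluster as a GMSACredentialSpec and run a pod that uses it.
# Assumes the gMSA CRD/webhook is installed and kubectl is configured.
# Placeholder names: contoso_webapp01.json, gmsa-webapp01, webapp01, contoso.com.
$credSpecPath = 'C:\ProgramData\Docker\CredentialSpecs\contoso_webapp01.json'
$specName     = 'gmsa-webapp01'
$namespace    = 'default'
$serviceAcct  = 'default'   # the service account the pod runs as

function Publish-Manifest($Object) {
    # kubectl accepts JSON manifests on stdin, so no YAML serializer is needed.
    $Object | ConvertTo-Json -Depth 10 | kubectl apply -f -
}

# The credential spec JSON produced by New-CredentialSpec becomes the "credspec"
# field of the cluster resource, unchanged.
$credSpec = Get-Content -Path $credSpecPath -Raw | ConvertFrom-Json

Publish-Manifest ([ordered]@{
    apiVersion = 'windows.k8s.io/v1'
    kind       = 'GMSACredentialSpec'
    metadata   = @{ name = $specName }
    credspec   = $credSpec
})

# The webhook only admits pods whose service account is allowed to "use" the
# named credential spec. Grant that to the one service account the workload
# runs as, rather than to a broad group such as all authenticated users.
Publish-Manifest ([ordered]@{
    apiVersion = 'rbac.authorization.k8s.io/v1'
    kind       = 'ClusterRole'
    metadata   = @{ name = "$specName-user" }
    rules      = @(@{
        apiGroups     = @('windows.k8s.io')
        resources     = @('gmsacredentialspecs')
        verbs         = @('use')
        resourceNames = @($specName)
    })
})

Publish-Manifest ([ordered]@{
    apiVersion = 'rbac.authorization.k8s.io/v1'
    kind       = 'RoleBinding'
    metadata   = @{ name = "$specName-$serviceAcct"; namespace = $namespace }
    subjects   = @(@{ kind = 'ServiceAccount'; name = $serviceAcct; namespace = $namespace })
    roleRef    = @{ kind = 'ClusterRole'; name = "$specName-user"; apiGroup = 'rbac.authorization.k8s.io' }
})

# The pod references the spec by name; the webhook injects the credential spec
# contents into the pod on admission.
Publish-Manifest ([ordered]@{
    apiVersion = 'v1'
    kind       = 'Pod'
    metadata   = @{ name = 'webapp01'; namespace = $namespace }
    spec       = [ordered]@{
        serviceAccountName = $serviceAcct
        securityContext    = @{ windowsOptions = @{ gmsaCredentialSpecName = $specName } }
        nodeSelector       = @{ 'kubernetes.io/os' = 'windows' }
        containers         = @(@{ name = 'webapp'; image = 'contoso.azurecr.io/webapp:1.0' })
    }
})

# Verify from inside the running container that the gMSA identity has a working
# secure channel to the domain (the container's hostname does not need to match).
kubectl -n $namespace exec webapp01 -- nltest /sc_verify:contoso.com
```

If the final nltest call fails while the pod was admitted, the usual causes are the ones in the checklist above: the Windows node is not authorized to retrieve the gMSA password, or the pod network cannot reach a domain controller on the Kerberos port.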

Use gMSA with Service Fabric

Service Fabric supports running Windows containers with a gMSA when you specify the credential spec location in your application manifest. You'll need to create the credential spec file and place it in the CredentialSpecs subdirectory of the Docker data directory on each host so that Service Fabric can locate it. You can run the Get-CredentialSpec cmdlet, part of the CredentialSpec PowerShell module, to verify that your credential spec is in the correct location.

See Quickstart: Deploy Windows containers to Service Fabric and Set up gMSA for Windows containers running on Service Fabric for more information about how to configure your application.

How to use gMSA with Docker Swarm

To use a gMSA with containers managed by Docker Swarm, run the docker service create command with the --credential-spec parameter. A file:// value is resolved relative to the CredentialSpecs subdirectory of the Docker data directory on whichever node runs the task, so the file must be present on every node that can be scheduled:

docker service create --credential-spec "file://contoso_webapp01.json" --hostname "WebApp01" <image name>

See the Docker Swarm example for more information about how to use credential specs with Docker services.

Next steps

In addition to orchestrating containers, you can also use gMSAs to:

If you run into any issues during setup, see the troubleshooting guide for possible solutions.