Merge pull request #124665 from neolit123/1.31-fix-windows-priv-preflight-check

kubeadm: update the IsPriviligedUser preflight check on Windows
2025-08-10 12:32:03 +00:00 · 2024-05-02 13:13:28 -07:00 · 2024-05-02 13:13:28 -07:00 · 201e6262c4
commit 201e6262c4
parent bb838fde5b d105ddd350
1 changed files with 5 additions and 22 deletions
--- a/cmd/kubeadm/app/preflight/checks_windows.go
+++ b/cmd/kubeadm/app/preflight/checks_windows.go
@ -20,34 +20,17 @@ limitations under the License.
 package preflight

 import (
-	"os/user"
-
 	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
 )

-// The "Well-known SID" of Administrator group
-// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
-const administratorSID = "S-1-5-32-544"
-
 // Check validates if a user has elevated (administrator) privileges.
 func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
-	currUser, err := user.Current()
-	if err != nil {
-		return nil, []error{errors.Wrap(err, "cannot get current user")}
+	hProcessToken := windows.GetCurrentProcessToken()
+	if hProcessToken.IsElevated() {
+		return nil, nil
 	}
-
-	groupIds, err := currUser.GroupIds()
-	if err != nil {
-		return nil, []error{errors.Wrap(err, "cannot get group IDs for current user")}
-	}
-
-	for _, sid := range groupIds {
-		if sid == administratorSID {
-			return nil, nil
-		}
-	}
-
-	return nil, []error{errors.New("user is not running as administrator")}
+	return nil, []error{errors.New("the kubeadm process must be run by a user with elevated privileges")}
 }

 // Check number of memory required by kubeadm