kubeadm: update the IsPriviligedUser preflight check on Windows

Use GetCurrentProcessToken() instead of checking the groups of a user. The Go stdlib way of fetching the groups of an user appears to be failing on some Windows setups. Which could be a regression in later Go versions, or simply the code does not work on certain setups.
2025-08-30 06:09:11 +00:00 · 2024-05-02 12:03:39 +03:00 · 2024-05-02 12:03:39 +03:00 · d105ddd350
commit d105ddd350
parent 82cd82aa15
1 changed files with 5 additions and 22 deletions
--- a/cmd/kubeadm/app/preflight/checks_windows.go
+++ b/cmd/kubeadm/app/preflight/checks_windows.go
@ -20,34 +20,17 @@ limitations under the License.
 package preflight

 import (
-	"os/user"
-
 	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
 )

-// The "Well-known SID" of Administrator group
-// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
-const administratorSID = "S-1-5-32-544"
-
 // Check validates if a user has elevated (administrator) privileges.
 func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
-	currUser, err := user.Current()
-	if err != nil {
-		return nil, []error{errors.Wrap(err, "cannot get current user")}
+	hProcessToken := windows.GetCurrentProcessToken()
+	if hProcessToken.IsElevated() {
+		return nil, nil
 	}
-
-	groupIds, err := currUser.GroupIds()
-	if err != nil {
-		return nil, []error{errors.Wrap(err, "cannot get group IDs for current user")}
-	}
-
-	for _, sid := range groupIds {
-		if sid == administratorSID {
-			return nil, nil
-		}
-	}
-
-	return nil, []error{errors.New("user is not running as administrator")}
+	return nil, []error{errors.New("the kubeadm process must be run by a user with elevated privileges")}
 }

 // Check number of memory required by kubeadm