Windows: Adds RunAsUserName field in WindowsOptions

Adds the field RunAsUserName in the WindowsSecurityContextOptions type, which is used in PodSecurityContext and SecurityContext. This field needs to allow for a valid set of usernames allowed for Windows containers. It must have the format "U This commit also validates the runAsUserName field, making sure that it valid, having the format DOMAIN\USER (case insensitive), where DOMAIN\ is optional and has to be a valid NetBios or DNS domain name. For more information about the restrictions on the DOMAIN and USER parts, look here: [1] [2] Adds the WindowsRunAsUserName alpha feature gate. By default, it is disabled. If the feature gate is not enabled, the WindowsOptions.RunAsUserName field will be dropped from both the PodSecurityContext and container SecurityContext. Co-Authored-By: Claudiu Belu <cbelu@cloudbasesolutions.com> [1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and [2] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
2026-01-04 23:17:50 +00:00 · 2019-01-30 16:09:04 -08:00
parent 5be1efe9bd
commit e8b369ff3c
7 changed files with 485 additions and 4 deletions
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -379,6 +379,8 @@ func dropDisabledFields(

 	dropDisabledGMSAFields(podSpec, oldPodSpec)

+	dropDisabledRunAsUserNameFields(podSpec, oldPodSpec)
+
 	if !utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) && !runtimeClassInUse(oldPodSpec) {
 		// Set RuntimeClassName to nil only if feature is disabled and it is not used
 		podSpec.RuntimeClassName = nil
@@ -450,6 +452,38 @@ func dropDisabledGMSAFieldsFromContainers(containers []api.Container) {
 	}
 }

+// dropDisabledRunAsUserNameFields removes disabled fields related to WindowsOptions.RunAsUserName
+// from the given PodSpec.
+func dropDisabledRunAsUserNameFields(podSpec, oldPodSpec *api.PodSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.WindowsRunAsUserName) ||
+		runAsUserNameFieldsInUse(oldPodSpec) {
+		return
+	}
+
+	if podSpec.SecurityContext != nil {
+		dropDisabledRunAsUserNameFieldsFromWindowsSecurityOptions(podSpec.SecurityContext.WindowsOptions)
+	}
+	dropDisabledRunAsUserNameFieldsFromContainers(podSpec.Containers)
+	dropDisabledRunAsUserNameFieldsFromContainers(podSpec.InitContainers)
+}
+
+// dropDisabledRunAsUserNameFieldsFromWindowsSecurityOptions removes disabled fields
+// related to RunAsUserName from the given WindowsSecurityContextOptions.
+func dropDisabledRunAsUserNameFieldsFromWindowsSecurityOptions(windowsOptions *api.WindowsSecurityContextOptions) {
+	if windowsOptions != nil {
+		windowsOptions.RunAsUserName = nil
+	}
+}
+
+// dropDisabledRunAsUserNameFieldsFromContainers removes disabled fields
+func dropDisabledRunAsUserNameFieldsFromContainers(containers []api.Container) {
+	for i := range containers {
+		if containers[i].SecurityContext != nil {
+			dropDisabledRunAsUserNameFieldsFromWindowsSecurityOptions(containers[i].SecurityContext.WindowsOptions)
+		}
+	}
+}
+
 // dropDisabledProcMountField removes disabled fields from PodSpec related
 // to ProcMount only if it is not already used by the old spec
 func dropDisabledProcMountField(podSpec, oldPodSpec *api.PodSpec) {
@@ -703,6 +737,39 @@ func gMSAFieldsInUseInAnyContainer(containers []api.Container) bool {
 	return false
 }

+// runAsUserNameFieldsInUse returns true if the pod spec is non-nil and has the RunAsUserName
+// field set in the PodSecurityContext or any container's SecurityContext.
+func runAsUserNameFieldsInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+
+	if podSpec.SecurityContext != nil && runAsUserNameFieldsInUseInWindowsSecurityOptions(podSpec.SecurityContext.WindowsOptions) {
+		return true
+	}
+
+	return runAsUserNameFieldsInUseInAnyContainer(podSpec.Containers) ||
+		runAsUserNameFieldsInUseInAnyContainer(podSpec.InitContainers)
+}
+
+// runAsUserNameFieldsInUseInWindowsSecurityOptions returns true if the given WindowsSecurityContextOptions is
+// non-nil and its RunAsUserName field is set.
+func runAsUserNameFieldsInUseInWindowsSecurityOptions(windowsOptions *api.WindowsSecurityContextOptions) bool {
+	return windowsOptions != nil && windowsOptions.RunAsUserName != nil
+}
+
+// runAsUserNameFieldsInUseInAnyContainer returns true if any of the given Containers has its
+// SecurityContext's RunAsUserName field set.
+func runAsUserNameFieldsInUseInAnyContainer(containers []api.Container) bool {
+	for _, container := range containers {
+		if container.SecurityContext != nil && runAsUserNameFieldsInUseInWindowsSecurityOptions(container.SecurityContext.WindowsOptions) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // subpathExprInUse returns true if the pod spec is non-nil and has a volume mount that makes use of the subPathExpr feature
 func subpathExprInUse(podSpec *api.PodSpec) bool {
 	if podSpec == nil {