Configure RunAsUserName for Windows pods and containers

This feature is currently in a beta state, meaning:

• The version names contain beta (e.g. v2beta3).
• Code is well tested. Enabling the feature is considered safe. Enabled by default.
• Support for the overall feature will not be dropped, though details may change.
• The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.
• Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.
• Please do try our beta features and give feedback on them! After they exit beta, it may not be practical for us to make more changes.

This page shows how to enable and use the RunAsUserName feature for pods and containers that will run on Windows nodes. This feature is meant to be the Windows equivalent of the Linux-specific runAsUser feature, allowing users to run the container entrypoints with a different username that their default ones.

You need to have a Kubernetes cluster and the kubectl command-line tool must be configured to communicate with your cluster. The cluster is expected to have Windows worker nodes where pods with containers running Windows workloads will get scheduled.

Set the Username for a Pod

To specify the username with which to execute the Pod’s container processes, include the securityContext field ( in the Pod specification, and within it, the windowsOptions (WindowsSecurityContextOptions field containing the runAsUserName field.

The Windows security context options that you specify for a Pod apply to all Containers and init Containers in the Pod.

Here is a configuration file for a Windows Pod that has the runAsUserName field set:

Create the Pod:

kubectl apply -f https://k8s.io/examples/windows/run-as-username-pod.yaml

Get a shell to the running Container:

kubectl exec -it run-as-username-pod-demo -- powershell

Check that the shell is running user the correct username:

The output should be:

ContainerUser

To specify the username with which to execute a Container’s processes, include the securityContext field () in the Container manifest, and within it, the windowsOptions (WindowsSecurityContextOptions field containing the runAsUserName field.

The Windows security context options that you specify for a Container apply only to that individual Container, and they override the settings made at the Pod level.

Here is the configuration file for a Pod that has one Container, and the runAsUserName field is set at the Pod level and the Container level:

apiVersion: v1
metadata:
  name: run-as-username-container-demo
spec:
  securityContext:
    windowsOptions:
      runAsUserName: “ContainerUser”
  containers:
  - name: run-as-username-demo
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: [“ping”, “-t”, “localhost”]
        windowsOptions:
            runAsUserName: “ContainerAdministrator”
  nodeSelector:
    kubernetes.io/os: windows

Create the Pod:

kubectl apply -f https://k8s.io/examples/windows/run-as-username-container.yaml

Verify that the Pod’s Container is running:

kubectl exec -it run-as-username-container-demo -- powershell

Check that the shell is running user the correct username (the one set at the Container level):

echo $env:USERNAME

The output should be:

Windows Username limitations

In order to use this feature, the value set in the runAsUserName field must be a valid username. It must have the following format: DOMAIN\USER, where DOMAIN\ is optional. Windows user names are case insensitive. Additionally, there are some restrictions regarding the DOMAIN and USER:

• The runAsUserName field cannot be empty, and it cannot contain control characters (ASCII values: 0x00-0x1F, 0x7F)
• The DOMAIN must be either a NetBios name, or a DNS name, each with their own restrictions:
  • NetBios names: maximum 15 characters, cannot start with . (dot), and cannot contain the following characters: \ / : * ? " < > |
  • DNS names: maximum 255 characters, contains only alphanumeric characters, dots, and dashes, and it cannot start or end with a . (dot) or - (dash).
• The USER must have at most 20 characters, it cannot contain only dots or spaces, and it cannot contain the following characters: " / \ [ ] : ; | = , + * ? < > @.

Examples of acceptable values for the runAsUserName field: ContainerAdministrator, ContainerUser, , NT AUTHORITY\LOCAL SERVICE.

For more information about these limtations, check and here.

You must define a steps

This template requires that you provide text that lists a sequence of numbered steps that accomplish the task.’. The text in this block will be displayed under the heading . To get rid of this message and take advantage of this template, capture the steps variable and populate it with content.

What’s next

• Guide for scheduling Windows containers in Kubernetes

Was this page helpful?