Security For Windows Nodes

On Windows, data from Secrets are written out in clear text onto the node's local storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster operator, you should take both of the following additional measures:

1. Apply volume-level encryption using .

can be specified for Windows Pods or containers to execute the container processes as a specific user. This is roughly equivalent to RunAsUser.

Local users can be added to container images during the container build process.

Note:

• based images run as ContainerAdministrator by default

Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom POSIX capabilities) are not supported on Windows nodes.

Privileged containers are not supported on Windows. Instead, HostProcess containers can be used on Windows to perform many of the tasks performed by privileged containers on Linux.
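A small manifest audit covering the two points above (the ContainerAdministrator default when no run-as user is set, and privileged containers versus HostProcess containers), as an added example that is not part of the Kubernetes documentation. It relies on the real `securityContext.windowsOptions` fields and the `kubernetes.io/os` node label; the Pod manifests inside it are constructed for the example.

```python
"""Audit a Pod manifest for the Windows security-context points made above."""
# Field paths used (nodeSelector kubernetes.io/os, securityContext.windowsOptions
# .runAsUserName / .hostProcess, containers[].securityContext.privileged) are
# real Kubernetes API fields; the manifests at the bottom are constructed.

def _windows_opts(security_context):
    return (security_context or {}).get("windowsOptions") or {}

def audit_windows_pod(pod):
    """Return a list of findings for a Pod dict; an empty list means no concerns."""
    spec = pod.get("spec", {})
    if (spec.get("nodeSelector") or {}).get("kubernetes.io/os") != "windows":
        return []  # not pinned to a Windows node; out of scope for this check
    findings = []
    pod_opts = _windows_opts(spec.get("securityContext"))
    if pod_opts.get("hostProcess"):
        findings.append("pod: hostProcess=true gives host-level access; review like a privileged container")
    for container in spec.get("containers", []):
        name = container.get("name", "?")
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true is not supported on Windows nodes")
        # a container-level runAsUserName overrides the pod-level one
        user = _windows_opts(sc).get("runAsUserName") or pod_opts.get("runAsUserName")
        if user is None:
            findings.append(f"{name}: no runAsUserName; image default (often ContainerAdministrator) applies")
        elif str(user).lower() == "containeradministrator":
            findings.append(f"{name}: explicitly runs as ContainerAdministrator")
    return findings

# Constructed manifests: one relying on defaults plus privileged, one hardened.
WEAK_POD = {
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "containers": [{"name": "web", "image": "example/web:1",
                        "securityContext": {"privileged": True}}],
    }
}
HARDENED_POD = {
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
        "containers": [{"name": "web", "image": "example/web:1"}],
    }
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_windows_pod(pod))
```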