What would be the best way to allow ContainerUser to create symlinks? #167

Closed
TBBle opened this issue Oct 18, 2021 · 18 comments

TBBle commented Oct 18, 2021

Coming from tektoncd/pipeline#1826 (comment), we have an application that relies on creating symlinks, and so on Windows Containers it cannot function as ContainerUser, but must be ContainerAdministrator or fails as follows:

Creating a symlink "/tekton/steps/0": symlink \tekton\steps\step-hello-windows /tekton/steps/0: A required privilege is not held by the client.

I saw mention that HCS does not currently support configuring privileges, so I assume that adding an option under a Kubernetes Pod's securityContext.windowsOptions is not currently feasible as that must pass through CRI and eventually to the runhcs-provided shim.

My proposed but untested workaround is to have the container image contain a RUN for ntrights to grant the SeCreateSymbolicLinkPrivilege to ContainerUser, but that requires either the ntrights tool or a workalike, and assumes that grant persists when committing the layer and later running from it.

Is there a better way to do this?

Is there any chance SeCreateSymbolicLinkPrivilege could be granted to ContainerUser by default, or support added to HCS to grant extra privileges (either a specifically supported list, or arbitrary by name) to the user running in the container? I assume both of these options would require changes in HCS, and hence are probably not feasible for Windows Server 2022, but it'd be good to confirm that.


ghost commented Nov 25, 2021

This issue has been open for 30 days with no updates.
@msjingli, @brasmith-ms, please provide an update or close this issue.

@brasmith-ms (Contributor)

Hey @TBBle, thanks for bringing this up. Unfortunately, I believe the ntrights tool is the best option for this. Let me bring this back to the team and we can see how feasible this would be in the short term.

@brasmith-ms (Contributor)

Revisiting this thread, if symlinks are still absolutely needed to the container, ntrights is still going to be the best tool and run that using ContainerAdministrator. There may be an avenue to accomplish access permissions for ContainerUser via host configuration using HostProcess containers, but that may be a bit of a hack.
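
The opening post assumes that a privilege granted during the image build persists when the container later runs as ContainerUser. A small Go probe can test that by attempting a symlink and recognising the error quoted in the issue. This is an added example, not code from Tekton or from anyone in the thread; the function names and verdict strings are illustrative, and 1314 is the Win32 error code ERROR_PRIVILEGE_NOT_HELD.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Win32 ERROR_PRIVILEGE_NOT_HELD: "A required privilege is not held by the client."
const errPrivilegeNotHeld = syscall.Errno(1314)

// classify maps a symlink error to a verdict (verdict names are illustrative).
func classify(err error) string {
	var errno syscall.Errno
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &errno) && errno == errPrivilegeNotHeld:
		return "missing-privilege"
	default:
		return "other-error"
	}
}

// probeSymlink creates a throwaway directory symlink under dir, then cleans up.
func probeSymlink(dir string) error {
	tmp, err := os.MkdirTemp(dir, "symlink-probe-")
	if err != nil {
		return err
	}
	defer os.RemoveAll(tmp)
	target := filepath.Join(tmp, "target")
	if err := os.Mkdir(target, 0o755); err != nil {
		return err
	}
	return os.Symlink(target, filepath.Join(tmp, "link"))
}

func main() {
	err := probeSymlink(os.TempDir())
	verdict := classify(err)
	fmt.Printf("symlink probe: %s (%v)\n", verdict, err)
	if verdict != "ok" {
		os.Exit(1) // non-zero exit lets an image build or startup check fail fast
	}
}
```

Run it as the user the workload will use, not as ContainerAdministrator, so the result reflects the token the application actually gets.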
