Cannot project azure identity token on Windows 10 container image. #1016

Closed
Meertman opened this issue Jul 5, 2023 · 2 comments
Labels
bug Something isn't working

Comments


Meertman commented Jul 5, 2023

When deploying a container with a Windows 10 base image and enabling Azure workload identity, we get the following error when the pods try to start up:

MountVolume.SetUp failed for volume "azure-identity-token" : chown c:\var\lib\kubelet\pods\a3abe5b9-5235-498b-acc3-b350bf0d21a0\volumes\kubernetes.io~projected\azure-identity-token\..2023_07_05_08_47_27.1110042648\azure-identity-token: not supported by windows

When we try to enable the sidecars instead (as the application running uses adalsql), AKS is unable to pull the image for the sidecar, stating the following message:

Failed to pull image "mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0": rpc error: code = NotFound desc = failed to pull and unpack image "mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0": no match for platform in manifest: not found

Environment

  • Kubernetes version (use kubectl version): v1.26.3
  • Cloud provider or hardware configuration: Azure
  • OS (e.g: cat /etc/os-release): Windows 10 - mcr.microsoft.com/windows:1809
Meertman added the bug label Jul 5, 2023

Meertman commented Jul 5, 2023

The following issue on the Kubernetes GitHub pages, kubernetes/kubernetes#102849, led me to a solution for the "chown xxx: not supported by windows" issue.

By specifying the pod os field (documented here: https://kubernetes.io/docs/concepts/workloads/pods/#pod-os), it seemed that we were setting the security context as follows:

securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  runAsUser: 1000

The values readOnlyRootFilesystem, allowPrivilegeEscalation and runAsUser are not supported and caused the chown xxx: not supported by Windows issue.

Removing these fields ensured that the azure identity token got projected.

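To catch this class of mistake before a Helm release reaches the cluster, the check below lints a pod spec for the securityContext fields that the Kubernetes Pod OS documentation (https://kubernetes.io/docs/concepts/workloads/pods/#pod-os) says must not be set when spec.os.name is "windows", and strips them while keeping Windows-valid settings such as runAsNonRoot and windowsOptions. This is an added example, not code from the issue, from Kubernetes or from the Azure workload identity project; the field lists are transcribed from that docs page, and the two pod specs are constructed to mirror the securityContext posted above.

```python
"""Lint a Kubernetes pod spec for Linux-only securityContext fields on a
Windows pod (the fields behind "chown ...: not supported by windows").

Added example; the pod specs below are constructed for illustration.
"""
import copy
from typing import Any, Dict, List, Optional, Sequence

POD_OS_PATH = ("spec", "os", "name")

# Pod-level fields that must not be set when spec.os.name is "windows"
# (assumption: list transcribed from the Pod OS section of the k8s docs).
POD_LINUX_ONLY = [
    ("spec", "hostPID"),
    ("spec", "hostIPC"),
    ("spec", "hostUsers"),
    ("spec", "shareProcessNamespace"),
    ("spec", "securityContext", "appArmorProfile"),
    ("spec", "securityContext", "seLinuxOptions"),
    ("spec", "securityContext", "seccompProfile"),
    ("spec", "securityContext", "fsGroup"),
    ("spec", "securityContext", "fsGroupChangePolicy"),
    ("spec", "securityContext", "sysctls"),
    ("spec", "securityContext", "runAsUser"),
    ("spec", "securityContext", "runAsGroup"),
    ("spec", "securityContext", "supplementalGroups"),
]
# Container-level securityContext fields with the same restriction.
CONTAINER_LINUX_ONLY = [
    "appArmorProfile", "seLinuxOptions", "seccompProfile", "capabilities",
    "readOnlyRootFilesystem", "privileged", "allowPrivilegeEscalation",
    "procMount", "runAsUser", "runAsGroup",
]


def _get(obj: Any, path: Sequence[str]) -> Optional[Any]:
    """Walk nested dicts along `path`; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def windows_violations(pod: Dict) -> List[str]:
    """Dotted paths of Linux-only fields present on a Windows pod.
    Pods without spec.os.name == "windows" are not checked (returns [])."""
    if _get(pod, POD_OS_PATH) != "windows":
        return []
    bad = [".".join(p) for p in POD_LINUX_ONLY if _get(pod, p) is not None]
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(_get(pod, ("spec", kind)) or []):
            sc = c.get("securityContext") or {}
            bad += [f"spec.{kind}[{i}].securityContext.{f}"
                    for f in CONTAINER_LINUX_ONLY if f in sc]
    return bad


def strip_linux_only(pod: Dict) -> Dict:
    """Return a copy of `pod` with the Linux-only fields removed; fields
    that are valid on Windows (runAsNonRoot, windowsOptions, ...) survive."""
    fixed = copy.deepcopy(pod)
    if _get(fixed, POD_OS_PATH) != "windows":
        return fixed
    for path in POD_LINUX_ONLY:
        parent = _get(fixed, path[:-1])
        if isinstance(parent, dict):
            parent.pop(path[-1], None)
    for kind in ("initContainers", "containers"):
        for c in _get(fixed, ("spec", kind)) or []:
            sc = c.get("securityContext")
            if isinstance(sc, dict):
                for f in CONTAINER_LINUX_ONLY:
                    sc.pop(f, None)
    return fixed


# Constructed spec mirroring the securityContext from the issue.
BROKEN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "labels": {"azure.workload.identity/use": "true"}},
    "spec": {
        "os": {"name": "windows"},
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "containers": [{
            "name": "app", "image": "mcr.microsoft.com/windows:1809",
            "securityContext": {
                "readOnlyRootFilesystem": False,
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "runAsUser": 1000,
            },
        }],
    },
}

if __name__ == "__main__":
    for v in windows_violations(BROKEN_POD):
        print("not allowed on a windows pod:", v)
    print("after strip:", windows_violations(strip_linux_only(BROKEN_POD)))
```

Running the lint over rendered chart output (for example, the objects produced by `helm template`) before deploying gives the same verdict the kubelet gives at volume mount time, but at CI time and with the offending field named. The Windows-native way to express the user is `windowsOptions.runAsUserName` (for example `ContainerUser`), which the linter leaves untouched.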

Meertman commented Jul 5, 2023

Closing this issue as it was resolved by correcting our Helm chart.

Meertman closed this as completed Jul 5, 2023