Originally posted by jordanabakerafs September 30, 2024
We currently have a set of services running in Windows containers; we're using the `mcr.microsoft.com/dotnet/runtime:8.0-nanoserver-1809` base image.
We create a user in our Dockerfile using `net user` for running the service, but are running into issues where the default password rotation period causes us to need to redeploy our services every 40 days or so because the password expires, then the services can't be updated.
Currently - it appears if we do not update the Dockerfile to use a new username, the image layer is cached and redeploying does not fix this issue. Alternatively, updating a password and redeploying really just solves the problem a different way with the same process.
We've done a good bit of reading but really haven't found any best practices for CI/CD when it comes to Windows container account password/rotation - has anyone done this in a larger enterprise before and have some examples of best practices to follow?
Edit: Setting the passwords to never expire via `wmic` is not a viable option for us due to org security policy.
Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.
Important
Migrating Discussions to Issues. All customer inquiries should be in Issues.
Discussed in https://github.com/microsoft/Windows-Containers/discussions/542