Create KEP for Windows Node Support #676
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| --- | ||
| kep-number: 0 | ||
| title: Windows node support | ||
| authors: | ||
| - "@benmoss" | ||
| - "@astrieanna" | ||
| owning-sig: sig-windows | ||
| participating-sigs: | ||
| - sig-architecture | ||
| reviewers: | ||
| - TBD | ||
| approvers: | ||
| - TBD | ||
| editor: TBD | ||
| creation-date: 2018-11-29 | ||
| last-updated: 2019-01-03 | ||
| status: provisional | ||
| --- | ||
|
|
||
| # Windows node support | ||
|
|
||
|
|
||
| ## Table of Contents | ||
|
|
||
| * [Windows node support](#windows-node-support) | ||
| * [Table of Contents](#table-of-contents) | ||
| * [Summary](#summary) | ||
| * [Motivation](#motivation) | ||
| * [Goals](#goals) | ||
| * [Non-Goals](#non-goals) | ||
| * [Proposal](#proposal) | ||
| * [What works today](#what-works-today) | ||
| * [What will work eventually](#what-will-work-eventually) | ||
| * [What will never work (without underlying OS changes)](#what-will-never-work-without-underlying-os-changes) | ||
| * [Relevant resources/conversations](#relevant-resourcesconversations) | ||
| * [Risks and Mitigations](#risks-and-mitigations) | ||
| * [Graduation Criteria](#graduation-criteria) | ||
| * [Implementation History](#implementation-history) | ||
| * [Other references](#other-references) | ||
|
|
||
|
|
||
| ## Summary | ||
|
|
||
| There is strong interest in the community for adding support for workloads running on Microsoft Windows. This is non-trivial due to the significant differences in the implementation of Windows from the Linux-based OSes that have so far been supported by Kubernetes. | ||
|
|
||
|
|
||
| ## Motivation | ||
|
|
||
| Windows-native workloads still account for a significant portion of the enterprise software space. While containerization technologies emerged first in the UNIX ecosystem, Microsoft has made investments in recent years to enable support for containers in its Windows OS. As users of Windows increasingly turn to containers as the preferred abstraction for running software, the Kubernetes ecosystem stands to benefit by becoming a cross-platform cluster manager. | ||
|
|
||
| ### Goals | ||
|
|
||
| - Enable users to run nodes on Windows servers | ||
| - Document the differences and limitations compared to Linux | ||
| - Test results added to testgrid to prevent regression of functionality | ||
|
|
||
| ### Non-Goals | ||
|
|
||
| - Adding Windows support to all projects in the Kubernetes ecosystem (Cluster Lifecycle, etc) | ||
|
|
||
| ## Proposal | ||
|
|
||
| As of 29-11-2018 much of the work for enabling Windows nodes has already been completed. Both `kubelet` and `kube-proxy` have been adapted to work on Windows Server, and so the first goal of this KEP is largely already complete. | ||
|
|
||
| ### What works today | ||
| - Windows-based containers can be created by kubelet, [provided the host OS version matches the container base image](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) | ||
| - ConfigMap, Secrets: as environment variables or volumes | ||
|
There was a problem hiding this comment. How about volumes, such as emptyDir, shared between containers within a Pod? There was a problem hiding this comment. What about storage medium Memory or HugePages? |
||
| - Resource limits | ||
| - Pod & container metrics | ||
| - Pod networking with [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), [OVN-Kubernetes](https://github.com/openvswitch/ovn-kubernetes), [two CNI meta-plugins](https://github.com/containernetworking/plugins), [Flannel](https://github.com/coreos/flannel) and [Calico](https://github.com/projectcalico/calico) | ||
| - Dockershim CRI | ||
| - Many<sup id="a1">[1]</sup> of the e2e conformance tests when run with [alternate Windows-based images](https://hub.docker.com/r/e2eteam/) which are being moved to [kubernetes-sigs/windows-testing](https://www.github.com/kubernetes-sigs/windows-testing) | ||
| - Persistent storage: FlexVolume with [SMB + iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows), and in-tree AzureFile and AzureDisk providers | ||
|
|
||
|
There was a problem hiding this comment. Do pod hostname and subdomain fields work? How about hostAliases? dnsConfig? There was a problem hiding this comment. Basically I expect someone to read through PodSpec field by field to make sure we haven't forgotten something. |
||
| <sup id="a1">1</sup> This list should be available at https://k8s-testgrid.appspot.com/sig-windows but this test setup is not currently working. https://k8s-testgrid.appspot.com/google-windows#windows-prototype is also running against a Windows cluster. | ||
|
There was a problem hiding this comment. Is addressing those issues part of #685? There was a problem hiding this comment. Current list of skipped tests appears to be here: There was a problem hiding this comment. I'm clarifying those in #685 |
||
|
|
||
| ### What will work eventually | ||
| - `kubectl port-forward` hasn't been implemented due to lack of an `nsenter` equivalent to run a process inside a network namespace. | ||
| - CRIs other than Dockershim: CRI-containerd support is forthcoming | ||
|
|
||
|
|
||
| ### What will never work (without underlying OS changes) | ||
| - Certain Pod functionality | ||
| - Privileged containers | ||
|
There was a problem hiding this comment. I assume Linux capabilities don't work? There was a problem hiding this comment. And Linux-specific security features, such as seccomp, SELinux, and AppArmor There was a problem hiding this comment. We should enumerate all of the fields of PodSecurityContext that don't make sense for Windows |
||
| - Reservations are not enforced by the OS, but overprovisioning could be blocked with `--enforce-node-allocatable=pods` (pending: tests needed) | ||
|
There was a problem hiding this comment. I assume that QoS (burstable, best effort) doesn't work There was a problem hiding this comment. Are there equivalents of any of the shared namespaces (e.g., shareProcessNamespace)? Can containers within a pod see each other in any way? There was a problem hiding this comment. Does terminationGracePeriodSeconds work? |
||
| - CSI plugins, which require privileged containers | ||
|
|
||
| - [Some parts of the V1 API](https://github.com/kubernetes/kubernetes/issues/70604) | ||
|
There was a problem hiding this comment. Please inline the contents of that issue into this document There was a problem hiding this comment. Also, it seems we lost quite a bit of detail compared to previous discussions. Do those issues still hold true? For instance, some pod features didn't work due to: Single file volume mappings. No shipped releases of Windows can map a single file, only an entire folder, into a pod/container. There was a problem hiding this comment. Other persistent issues: uid/guid vs usernames, per-user Linux filesystem permissions, read-only root filesystems Other resolvable issues: images using Linux-specific tools, hardcoded images with no windows equivalent |
||
| - Overlay networking support in Windows Server 1803 is not fully functional using the `win-overlay` CNI plugin. Specifically service IPs do not work on Windows nodes. This is currently specific to `win-overlay` - other CNI plugins (OVS, AzureCNI) work. | ||
|
|
||
| ### Relevant resources/conversations | ||
|
|
||
| - [sig-architecture thread](https://groups.google.com/forum/#!topic/kubernetes-sig-architecture/G2zKJ7QK22E) | ||
| - [cncf-k8s-conformance thread](https://lists.cncf.io/g/cncf-k8s-conformance/topic/windows_conformance_tests/27913232) | ||
| - [kubernetes/enhancements proposal](https://github.com/kubernetes/features/issues/116) | ||
|
|
||
|
|
||
| ### Risks and Mitigations | ||
|
|
||
| **Second class support**: Kubernetes contributors are likely to be thinking of Linux-based solutions to problems, as Linux remains the primary OS supported. Keeping Windows support working will be an ongoing burden potentially limiting the pace of development. | ||
|
|
||
| **User experience**: Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads separated. In the best case this imposes a burden only on Windows users, but this is still less than ideal. | ||
|
|
||
| ## Graduation Criteria | ||
|
|
||
|
There was a problem hiding this comment. @craiglpeters agreed to draft these To use as a starting point, here are some issues discussed in email and in prior SIG Arch meetings:
Note that a draft document stated "you may want to wait for Windows Server 2019 availability from Microsoft and support in Kubernetes for production workloads", which needs to be clarified. There were also questions about the user experience, particular for mixed-OS clusters. Alternatives for ensuring Windows containers land on Windows nodes and Linux containers land on Linux nodes include:
Some issues with the above:
Some of this was discussed in a document: |
||
|
|
||
| ## Implementation History | ||
|
|
||
|
|
||
|
|
||
| ## Other references | ||
|
|
||
| [Past release proposal for v1.12/13](https://docs.google.com/document/d/1YkLZIYYLMQhxdI2esN5PuTkhQHhO0joNvnbHpW68yg8/edit#) | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| reviewers: | ||
| - sig-windows-leads | ||
| approvers: | ||
| - sig-windows-leads | ||
| labels: | ||
| - sig/windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have written: