setting Windows Node KEP to implementable #743
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
kind/kep
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
Thanks. I'm looking over the graduation criteria carefully to make sure they are sufficiently clear, to ensure we all agree what we're agreeing to. It's worth mentioning release binary distribution somewhere. I had to go look up whether that issue was already resolved. Example: |
| - QoS (guaranteed, burstable, best effort) (https://github.com/kubernetes/kubernetes/issues/73418) | ||
| - Is terminationGracePeriodSeconds supported (https://github.com/moby/moby/issues/25982) | ||
| - Pod DNS configuration like hostname, subdomain, hostAliases, dnsConfig, dnsPolicy (https://github.com/kubernetes/kubernetes/issues/73414) | ||
|
|
||
| ### Windows Node Roadmap (post-GA work) | ||
| - Group Managed Service Accounts, a way to assign an Active Directory identity to a Windows container, is forthcoming with KEP `Windows Group Managed Service Accounts for Container Identity` | ||
| - `kubectl port-forward` hasn't been implemented due to lack of an `nsenter` equivalent to run a process inside a network namespace. |
There was a problem hiding this comment.
Do exec-based mechanisms work, such as liveness and readiness probes, postStart and preStop lifecycle hooks, and kubectl exec?
There was a problem hiding this comment.
kubectl exec works, readiness and liveness work
There was a problem hiding this comment.
kubectl exec works for sure. i am not sure about the other probes. we can find out
There was a problem hiding this comment.
Is it that these features of Kubernetes are just not tested, or that the existing tests are all Linux-specific?
There was a problem hiding this comment.
added a test issue to cover the rest and documented them in the KEP as well
k8s-ci-robot
added
size/L
|
Regarding graduation criteria, please remove "Advanced" from bullets 8-12, as that's unclear what it means. I imagine some of those topics may be considered optional for GA. I suggest just removing them from this KEP. For instance, hyper-v support isn't part of GA, so it seems like that should be removed. GMSA will be alpha at best in 1.14, and its documentation should be covered by its own KEP, rather than listing it here. OTOH, I think heterogeneous Linux/Windows clusters will be the norm (e.g., does kube-dns run on Windows nodes?), so I'd definitely include that. How to build from source should be in the contributor development guide. |
|
Regarding metrics and Horizontal Pod Autoscaling: from a user point of view, what's different about them for Windows containers that requires Windows-specific documentation? |
| - Resource limits | ||
| - Pod & container metrics | ||
| - Horizontal Pod Autoscaling | ||
| - Volumes can be shared between containers in a Pod |
There was a problem hiding this comment.
It would be helpful to group pod-related features together in this list, for readability.
There was a problem hiding this comment.
Nit: This is still an issue, but not a blocker for merge.
I'd like to see something like:
- Pod
- single and multiple containers
- resource limits
- liveness and readiness probes
- ConfigMap and Secret environment variables and volumes (except volume subpath does not work)
- volumes can be shared between containers within a Pod
- etc.
- Workload controllers
- ReplicaSet / ReplicationController
- Deployment
- Job
- etc.
- Service types ...
- HorizontalPodAutoscaler, except ...
- etc.
Brian, the key thing with that documentation was not that it will all reside in a single doc, but merely outlining all the sections or individual pages we need to fill out. i will clarify that for sure |
there are some metrics that may not be available on windows. we don't know if any will have an impact to autoscaling, but if such an issue exists we will document it. an example is kubernetes/kubernetes#72788 |
| @@ -111,20 +123,29 @@ As of 29-11-2018 much of the work for enabling Windows nodes has already been co | |||
|
|
|||
| ### What will never work (Note that some features are plain unsupported while some will not work without underlying OS changes) | |||
| - Certain Pod functionality | |||
| - Privileged containers and other Pod security context privilege and access control settings | |||
| - Privileged containers | |||
| - Pod security context privilege and access control settings. Any Linux capabilities or any POSIX capabilities are not supported (this includes SELinux, AppArmor, Seccomp, etc) | |||
| - Reservations are not enforced by the OS, but overprovisioning could be blocked with `--enforce-node-allocatable=pods` (pending: tests needed) | |||
| - Certain volume mappings | |||
| - Single file & subpath volume mounting | |||
There was a problem hiding this comment.
Will single-file mapping become possible? This comment makes it sound like it will:
kubernetes/kubernetes#70189 (comment)
There was a problem hiding this comment.
My understanding is that this will be supported with containerd (WIP), but not possible right now with the docker integration (which is used in GA).
There was a problem hiding this comment.
you are correct @yujuhong
| - Headless services (https://github.com/kubernetes/kubernetes/issues/73416) | ||
| - OOM reporting (https://github.com/kubernetes/kubernetes/issues/73417) | ||
| - QoS (guaranteed, burstable, best effort) (https://github.com/kubernetes/kubernetes/issues/73418) | ||
| - Is terminationGracePeriodSeconds supported (https://github.com/moby/moby/issues/25982) |
There was a problem hiding this comment.
terminationGracePeriodSeconds is now mentioned below
| @@ -111,20 +123,29 @@ As of 29-11-2018 much of the work for enabling Windows nodes has already been co | |||
|
|
|||
| ### What will never work (Note that some features are plain unsupported while some will not work without underlying OS changes) | |||
| - Certain Pod functionality | |||
| - Privileged containers and other Pod security context privilege and access control settings | |||
| - Privileged containers | |||
| - Pod security context privilege and access control settings. Any Linux capabilities or any POSIX capabilities are not supported (this includes SELinux, AppArmor, Seccomp, etc) | |||
There was a problem hiding this comment.
FYI, capabilities is itself an actual field
|
The more up-to-date PR for skipping tests should be kubernetes/kubernetes#73204 |
|
Why is a windows-specific test needed to verify |
|
Is the reference to kubernetes/kubernetes#56875 still relevant? The KEP asserts that FlexVolume now works. |
|
The other issues in the References section are to closed issues, also |
|
Do service environment variables work, or only DNS? |
k8s-ci-robot
added
the
lgtm
One of the apps & charts I used in Kubecon used service environment variables: https://github.com/PatrickLang/fabrikamfiber/tree/helm-2019-mssql-linux
|
| 9. How to use Group Managed Service Accounts | ||
| 10. How to use Taints and Tolerations for a heterogeneous compute cluster (Windows + Linux) | ||
| 11. How to use Hyper-V isolation (not a stable feature yet) | ||
| 12. How to build Kubernetes for Windows from source |
There was a problem hiding this comment.
There was a problem hiding this comment.
we will revamp it, but yes that's a good start
There was a problem hiding this comment.
I think that's only if you need to build k8s on a Windows dev box. On Linux or OSX make cross KUBE_BUILD_PLATFORMS="windows/amd64" is all you need.
|
@michmike i'd like the
|
k8s-ci-robot
removed
the
lgtm
added |
| - `V1.Pod.shareProcessNamespace` - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. | ||
| - `V1.Pod.terminationGracePeriodSeconds` - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent `CTRL_SHUTDOWN_EVENT`, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. Runtime configuration will be feasible in CRI-ContainerD but not for v1.14. Issue [#73434](https://github.com/kubernetes/kubernetes/issues/73434) is tracking this for a later release. | ||
| - `V1.Pod.volumeDevices` - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. | ||
| - `V1.Pod.Volumes` - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid |
There was a problem hiding this comment.
Nit: This is the Go field name whereas the above are json field names. But this can be cleaned up later. Definitely it should be consistent in user documentation. Ditto for the field below.
|
/lgtm Thanks for all the work on this. I have a much more complete picture of the knowns and unknowns now. I'm sure we'll discover more things as work progresses, so let's keep this up to date. |
k8s-ci-robot
added
the
lgtm
|
Please squash. Remaining issues can be addressed by follow-up PRs |
| As noted above, there are compatibility issues enforced by Microsoft where the host OS version must match the container base image OS. Changes to this compatibility policy must come from Microsoft. For GA, since we will only support Windows Server 2019 (aka 1809), both `container host OS` and `container OS` must be running the same version of Windows, 1809. | ||
|
|
||
| Having said that, a customer can deploy Kubernetes v1.14 with Windows 1809. | ||
| - We will support Windows 1809 with at least 2 additional Kuberneres minor releases (v1.15 and v.1.16) |
|
/lgtm |
k8s-ci-robot
added
size/M
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benmoss, bgrant0607, michmike, yujuhong The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@spiffxp said he'd follow up later on test infrastructure issues, such as provider-specific dependencies So: |
k8s-ci-robot
removed
the
do-not-merge/hold
| - Workload controllers ReplicaSet, ReplicationController, Deployments, StatefulSets, DaemonSet, Job, CronJob | ||
| - ConfigMap, Secrets: as environment variables or volumes | ||
| - ConfigMap, Secrets: as environment variables or volumes (Volume subpath does not work) |
There was a problem hiding this comment.
When I was reviewing kubernetes/kubernetes#73204, another difference occurred to me: On Linux, Secret volumes are written to tmpfs, but I assume that they are written unencrypted to persistent storage on Windows, since it doesn't support ram disks?
this PR should be the final one to set the Windows Node KEP to implementable for the 1.14 release of K8s. We want to promote the functionality to stable