-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
📖 Windows Support CAEP #3616
📖 Windows Support CAEP #3616
Conversation
I would remove the
since this is just the proposal |
/assign @CecileRobertMichon @benmoss @devigned |
1a3c1cf
to
0068599
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The overall approach looks good to me, most comments are wording suggestions/asks for clarification
bae43ca
to
7147dcb
Compare
Didn't comment much on the PR, since did most of it in the google docs, so broadly supportive of this CAEP. |
I took a look at /test pull-cluster-api-verify-external-links |
Ignore that error, we're being rate limited by Github for lack of a token. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall lgtm. Just left some grammatical suggestions.
d62ba76
to
0c741f2
Compare
I think for the initial implementation, this is fine. I don't think we need to say much more than this right now. There's going to be a security improvement that we would want to do, and that's where I think maybe having a separate controller that provides one-time domain join accounts and pre-created AD computer resources could be useful and what I'm thinking about implementing. I would however like to treat this as a subset of #3761 rather than blocking on this CAEP. This CAEP does not prohibit doing domain joins via the use of pre/post kubeadm commands, which is the main point. |
01e696c
to
4050406
Compare
@CecileRobertMichon @randomvariable @ncdc This is ready for final review. Based on the meeting today I've removed the retry logic since it should be addressed by recent updates to kubeadm in k8s 1.19 (and backported to 1.17) |
- [Infrastructure provider implementation](#infrastructure-provider-implementation) | ||
- [User Stories](#user-stories) | ||
- [As an operator, I would like to create Windows OS worker nodes with the CAPI API.](#as-an-operator-i-would-like-to-create-windows-os-worker-nodes-with-the-capi-api) | ||
- [As an operator, I would like to manage Windows OS worker nodes with the CAPI API.](#as-an-operator-i-would-like-to-manage-windows-os-worker-nodes-with-the-capi-api) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like some type active directory awareness would be worth diving into.
- [As an operator, i'd like to federate my windows OS worker nodes with active directory]
or is that out of scope? Just a thought from what we think our customers would like to be able to do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(feel free to merge if its ready , dont wanna hold things up, maybe can iterate if this is in scope)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes definitely. I think we decided to move forward with this and address the AD via #3761
ref: #3616 (comment)
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CecileRobertMichon, devigned The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@jsturtevant: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/test pull-cluster-api-test-main |
I didn't realize my lgtm would auto-apply the approve label, didn't mean for this to merge right away :/ |
/milestone v0.4.0 No worries @CecileRobertMichon, have to investigate why that happened, might be a new behavior that we should take into account. If folks have more outstanding questions on this PR, feel free to comment or amend in a different PR. |
It looks like you might have used the "Approve" feature of the pull request review? I also didn't know that was the same as an Yeah, looks like that's it: |
That looks like new behavior, didn't work that way in the past, eg. #3730 (review) |
we're seeing the same thing in capz: kubernetes-sigs/cluster-api-provider-azure#1002 (review) (also new behavior) cc @devigned |
The default changed 4 days ago because kubernetes/test-infra#19579 removed the deprecated option |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for delayed review @jsturtevant. I asked for some clarifications let me know if you want to discuss them on slack.
- [netbios names](#netbios-names) | ||
- [Infrastructure provider implementation](#infrastructure-provider-implementation) | ||
- [User Stories](#user-stories) | ||
- [As an operator, I would like to create Windows OS worker nodes with the CAPI API.](#as-an-operator-i-would-like-to-create-windows-os-worker-nodes-with-the-capi-api) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
Another example is the the [sig-windows-tools](https://github.com/kubernetes-sigs/sig-windows-tools) which provide scripts for image configuration when using Kubeadm. | ||
|
||
Although the Linux implementation in image-builder uses Ansible for configuration, Windows isn't going to share | ||
the same configuration because [Ansible](https://docs.ansible.com/ansible/latest/user_guide/windows.html) requires [Windows specific modules](https://docs.ansible.com/ansible/latest/modules/list_of_windows_modules.html) to do the configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please elaborate? Which windows specific modules are needed? We used ansible to configure Windows nodes in the past and we had to install modules on the host from which ansible is being run, a linux host in our case but nothing on the Windows except for enabling WinRM.
By leveraging cloudbase-init, an infrastructure provider implementation will require only a few changes which include: | ||
|
||
- Make changes to their provider api to enable Windows OS infra machines ([example](https://github.com/ionutbalutoiu/cluster-api-provider-azure/commit/9c8daedac75959b141fec7ea909c2c1fd0bd484b)) | ||
- Ensuring cloudbase-init is configured properly to read UserData which will contain the cloud-init script. Users must configure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We avoided infrastructure changes as on AWS as userData is automatically executed even on Windows VMs whereas in case of azure, we have a carry patch
But you're right in the sense we need to have consistency across cloud providers however we're a bit worried about the support of cloudbase-init across all the providers. What is the support statement like? Can we get some changes in if we need to immediately or in the long-term should we fork and attribute?
|
||
Wins.exe is currently the [recommended way to use kubeadm](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/). | ||
Limiting access to the named pipes that are required is one way to mitigate access. Wins is currently | ||
required during and after provisioning for running kube-proxy and the CNI daemonset. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unrelated question: How are CNI and kube-proxy DS's container images being built for Windows and who owns building and supporting them?
|
||
## Upgrade Strategy | ||
|
||
Nodes that use this pattern will require the infrastructure to be immutable as specified by CAPI documentation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
Windows does not support Docker in Docker so end to end test can not be added for Windows specific behavior. | ||
If changes are required during development unit tests will be required. | ||
|
||
For infrastructure providers the testing plan is left up to each infrastructure provider. It is recommended to leverage |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a link to jobs that need to be run for every infrastructure provider?
In the future, when support for [Privileged Containers for Windows containers](https://github.com/kubernetes/enhancements/issues/1981) is merged, we might be able to revisit this proposal | ||
and use privileged containers in place of wins.exe enabled containers. | ||
|
||
Each infrastructure providers must provide their own `PreKubeadmCommands`/`PostKubeadmCommands` scripts that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate on what each infrastructure provider should do? What would be a sample PreKubeadmCommand for azure? Downloading Windows base image like server-core or something like that?
What this PR does / why we need it:
Add proposal for Windows support in CAPI and providers. Related to #2218
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #