|
| 1 | +--- |
| 2 | +title: Use Windows HostProcess containers |
| 3 | +description: Learn how to use HostProcess & Privileged containers for Windows workloads on AKS |
| 4 | +services: container-service |
| 5 | +ms.topic: article |
| 6 | +ms.date: 4/6/2022 |
| 7 | +ms.author: juda |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +# Use Windows HostProcess containers |
| 12 | + |
| 13 | +HostProcess / Privileged containers extend the Windows container model to enable a wider range of Kubernetes cluster management scenarios. HostProcess containers run directly on the host and maintain behavior and access similar to that of a regular process. HostProcess containers allow users to package and distribute management operations and functionalities that require host access while retaining versioning and deployment methods provided by containers. |
| 14 | + |
| 15 | +A privileged DaemonSet can carry out changes or monitor a Linux host on Kubernetes but not Windows hosts. HostProcess containers are the Windows equivalent of host elevation. |
| 16 | + |
| 17 | + |
| 18 | +## Limitations |
| 19 | + |
| 20 | +* HostProcess containers require Kubernetes 1.23 or greater. |
| 21 | +* HostProcess containers require `containerd` 1.6 or higher container runtime. |
| 22 | +* HostProcess pods can only contain HostProcess containers. This is a current limitation of the Windows operating system. Non-privileged Windows containers can't share a vNIC with the host IP namespace. |
| 23 | +* HostProcess containers run as a process on the host. The only isolation those containers have from the host is the resource constraints imposed on the HostProcess user account. |
| 24 | +* Filesystem isolation and Hyper-V isolation aren't supported for HostProcess containers. |
| 25 | +* Volume mounts are supported and are mounted under the container volume. See Volume Mounts. |
| 26 | +* A limited set of host user accounts are available for Host Process containers by default. See Choosing a User Account. |
| 27 | +* Resource limits such as disk, memory, and cpu count, work the same way as fashion as processes on the host. |
| 28 | +* Named pipe mounts and Unix domain sockets are not directly supported, but can be accessed on their host path, for example `\\.\pipe\*`. |
| 29 | + |
| 30 | + |
| 31 | +## Run a HostProcess workload |
| 32 | + |
| 33 | +To use HostProcess features with your deployment, set *privilaged: true*, *hostProcess: true*, and *hostNetwork: true*: |
| 34 | + |
| 35 | +```yaml |
| 36 | + spec: |
| 37 | + ... |
| 38 | + containers: |
| 39 | + ... |
| 40 | + securityContext: |
| 41 | + privileged: true |
| 42 | + windowsOptions: |
| 43 | + hostProcess: true |
| 44 | + ... |
| 45 | + hostNetwork: true |
| 46 | + ... |
| 47 | +``` |
| 48 | + |
| 49 | +To run an example workload that uses HostProcess features on an existing AKS cluster with Windows nodes, create `hostprocess.yaml` with the following: |
| 50 | + |
| 51 | +```yaml |
| 52 | +apiVersion: apps/v1 |
| 53 | +kind: DaemonSet |
| 54 | +metadata: |
| 55 | + name: privileged-daemonset |
| 56 | + namespace: kube-system |
| 57 | + labels: |
| 58 | + app: privileged-daemonset |
| 59 | +spec: |
| 60 | + selector: |
| 61 | + matchLabels: |
| 62 | + app: privileged-daemonset |
| 63 | + template: |
| 64 | + metadata: |
| 65 | + labels: |
| 66 | + app: privileged-daemonset |
| 67 | + spec: |
| 68 | + nodeSelector: |
| 69 | + kubernetes.io/os: windows |
| 70 | + containers: |
| 71 | + - name: powershell |
| 72 | + image: mcr.microsoft.com/powershell:lts-nanoserver-1809 |
| 73 | + securityContext: |
| 74 | + privileged: true |
| 75 | + windowsOptions: |
| 76 | + hostProcess: true |
| 77 | + runAsUserName: "NT AUTHORITY\\SYSTEM" |
| 78 | + command: |
| 79 | + - pwsh.exe |
| 80 | + - -command |
| 81 | + - | |
| 82 | + $AdminRights = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator") |
| 83 | + Write-Host "Process has admin rights: $AdminRights" |
| 84 | + while ($true) { Start-Sleep -Seconds 2147483 } |
| 85 | + hostNetwork: true |
| 86 | + terminationGracePeriodSeconds: 0 |
| 87 | +``` |
| 88 | +
|
| 89 | +Use `kubectl` to run the example workload: |
| 90 | + |
| 91 | +```azurecli-interactive |
| 92 | +kubectl apply -f hostprocess.yaml |
| 93 | +``` |
| 94 | + |
| 95 | +You should see the following output: |
| 96 | + |
| 97 | +```output |
| 98 | +$ kubectl apply -f hostprocess.yaml |
| 99 | +daemonset.apps/privileged-daemonset created |
| 100 | +``` |
| 101 | + |
| 102 | +You can verify your workload use the features of HostProcess by view the pod's logs. |
| 103 | + |
| 104 | +Use `kubectl` to find the name of the pod in the `kube-system` namespace. |
| 105 | + |
| 106 | +```output |
| 107 | +$ kubectl get pods --namespace kube-system |
| 108 | +
|
| 109 | +NAME READY STATUS RESTARTS AGE |
| 110 | +... |
| 111 | +privileged-daemonset-12345 1/1 Running 0 2m13s |
| 112 | +``` |
| 113 | + |
| 114 | +Use `kubctl log` to view the logs of the pod and verify the pod has administrator rights: |
| 115 | + |
| 116 | +```output |
| 117 | +$ kubectl logs privileged-daemonset-12345 --namespace kube-system |
| 118 | +InvalidOperation: Unable to find type [Security.Principal.WindowsPrincipal]. |
| 119 | +Process has admin rights: |
| 120 | +``` |
| 121 | + |
| 122 | +## Next steps |
| 123 | + |
| 124 | +For more details on HostProcess containers and Microsoft's contribution to Kubernetes upstream, see the [Alpha in v1.22: Windows HostProcess Containers][blog-post]. |
| 125 | + |
| 126 | + |
| 127 | +<!-- LINKS - External --> |
| 128 | +[blog-post]: https://kubernetes.io/blog/2021/08/16/windows-hostprocess-containers/ |
0 commit comments