|
| 1 | +--- |
| 2 | +title: Upgrade Kubernetes workloads from Windows Server 2019 to 2022 |
| 3 | +description: Learn how to upgrade the OS version for Windows workloads on AKS |
| 4 | +services: container-service |
| 5 | +ms.topic: article |
| 6 | +ms.date: 8/18/2022 |
| 7 | +ms.author: viniap |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +# Upgrade Kubernetes workloads from Windows Server 2019 to 2022 |
| 12 | + |
| 13 | +Upgrading the OS version of a running Windows workload on Azure Kubernetes Service (AKS) requires you to deploy a new node pool as Windows versions must match on each node pool. This article describes the steps to upgrade the OS version for Windows workloads as well as other important aspects. |
| 14 | + |
| 15 | +## Limitations |
| 16 | + |
| 17 | +Windows Server 2019 and Windows Server 2022 cannot co-exist on the same node pool on AKS. A new node pool must be created to host the new OS version. It's important that you match the permissions and access of the previous node pool to the new one. |
| 18 | + |
| 19 | +## Before you begin |
| 20 | + |
| 21 | +- Update the FROM statement on your dockerfile to the new OS version. |
| 22 | +- Check your application and verify that the container app works on the new OS version. |
| 23 | +- Deploy the verified container app on AKS to a development or testing environment. |
| 24 | +- Take note of the new image name or tag. This will be used below to replace the 2019 version of the image on the YAML file to be deployed to AKS. |
| 25 | + |
| 26 | +> [!NOTE] |
| 27 | +> Check out [Dockerfile on Windows](/virtualization/windowscontainers/manage-docker/manage-windows-dockerfile) and [Optimize Windows Dockerfiles](/virtualization/windowscontainers/manage-docker/optimize-windows-dockerfile) to learn more about how to build a dockerfile for Windows workloads. |
| 28 | +
|
| 29 | +## Add a Windows Server 2022 node pool to the existing cluster |
| 30 | + |
| 31 | +Windows Server 2019 and 2022 cannot co-exist on the same node pool on AKS. To upgrade your application, you need a separate node pool for Windows Server 2022. |
| 32 | +For more information on how to add a new Windows Server 2022 node pool to an existing AKS cluster, see [Add a Windows Server 2022 node pool](./learn/quick-windows-container-deploy-cli.md). |
| 33 | + |
| 34 | +## Update your YAML file |
| 35 | + |
| 36 | +Node Selector is the most common and recommended option for placement of Windows pods on Windows nodes. To use Node Selector, make the following annotation to your YAML files: |
| 37 | + |
| 38 | +```yaml |
| 39 | + nodeSelector: |
| 40 | + "kubernetes.io/os": windows |
| 41 | +``` |
| 42 | +
|
| 43 | +The above annotation will find *any* Windows node available and place the pod on that node (of course, following all other scheduling rules). When upgrading from Windows Server 2019 to Windows Server 2022, you need to enforce not only the placement on a Windows node, but also on a node that is running the latest OS version. To accomplish this, one option is to use a different annotation: |
| 44 | +
|
| 45 | +```yaml |
| 46 | + nodeSelector: |
| 47 | + "kubernetes.azure.com/os-sku": Windows2022 |
| 48 | +``` |
| 49 | +
|
| 50 | +Once you update the nodeSelector on the YAML file, you should also update the container image to be used. You can get this information from the previous step on which you created a new version of the containerized application by changing the FROM statement on your dockerfile. |
| 51 | +
|
| 52 | +> [!NOTE] |
| 53 | +> You should leverage the same YAML file you used to deploy the application in the first place - this will ensure no other configuration is changed, only the nodeSelector and the image to be used. |
| 54 | +
|
| 55 | +## Apply the new YAML file to the existing workload |
| 56 | +
|
| 57 | +If you have an application deployed already, ensure you follow the steps recommended above to deploy a new node pool with Windows Server 2022 nodes. Once deployed, your environment will show Windows Server 2019 and 2022 nodes, with the workloads running on the 2019 nodes: |
| 58 | +
|
| 59 | +```console |
| 60 | +kubectl get nodes -o wide |
| 61 | +``` |
| 62 | +The command above will show all nodes on your AKS cluster with additional details on the output: |
| 63 | + |
| 64 | +```output |
| 65 | +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME |
| 66 | +aks-agentpool-18877473-vmss000000 Ready agent 5h40m v1.23.8 10.240.0.4 <none> Ubuntu 18.04.6 LTS 5.4.0-1085-azure containerd://1.5.11+azure-2 |
| 67 | +akspoolws000000 Ready agent 3h15m v1.23.8 10.240.0.208 <none> Windows Server 2022 Datacenter 10.0.20348.825 containerd://1.6.6+azure |
| 68 | +akspoolws000001 Ready agent 3h17m v1.23.8 10.240.0.239 <none> Windows Server 2022 Datacenter 10.0.20348.825 containerd://1.6.6+azure |
| 69 | +akspoolws000002 Ready agent 3h17m v1.23.8 10.240.1.14 <none> Windows Server 2022 Datacenter 10.0.20348.825 containerd://1.6.6+azure |
| 70 | +akswspool000000 Ready agent 5h37m v1.23.8 10.240.0.115 <none> Windows Server 2019 Datacenter 10.0.17763.3165 containerd://1.6.6+azure |
| 71 | +akswspool000001 Ready agent 5h37m v1.23.8 10.240.0.146 <none> Windows Server 2019 Datacenter 10.0.17763.3165 containerd://1.6.6+azure |
| 72 | +akswspool000002 Ready agent 5h37m v1.23.8 10.240.0.177 <none> Windows Server 2019 Datacenter 10.0.17763.3165 containerd://1.6.6+azure |
| 73 | +``` |
| 74 | + |
| 75 | +With the Windows Server 2022 node pool deployed and the YAML file configured, you can now deploy the new version of the YAML: |
| 76 | + |
| 77 | +```console |
| 78 | +kubectl apply -f <filename> |
| 79 | +``` |
| 80 | + |
| 81 | +The command above should return a "configured" status for the deployment: |
| 82 | + |
| 83 | +```output |
| 84 | +deployment.apps/sample configured |
| 85 | +service/sample unchanged |
| 86 | +``` |
| 87 | +At this point, AKS will start the process of terminating the existing pods and deploying new pods to the Windows Server 2022 nodes. You can check the status of your deployment by running: |
| 88 | + |
| 89 | +```console |
| 90 | +kubectl get pods -o wide |
| 91 | +``` |
| 92 | +The command above return the status of the pods on the default namespace. You might need to change the command above to list the pods on specific namespaces. |
| 93 | + |
| 94 | +```output |
| 95 | +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES |
| 96 | +sample-7794bfcc4c-k62cq 1/1 Running 0 2m49s 10.240.0.238 akspoolws000000 <none> <none> |
| 97 | +sample-7794bfcc4c-rswq9 1/1 Running 0 2m49s 10.240.1.10 akspoolws000001 <none> <none> |
| 98 | +sample-7794bfcc4c-sh78c 1/1 Running 0 2m49s 10.240.0.228 akspoolws000000 <none> <none> |
| 99 | +``` |
| 100 | + |
| 101 | +## Active Directory, gMSA and Managed Identity implications |
| 102 | + |
| 103 | +If you are leveraging Group Managed Service Accounts (gMSA) you will need to update the Managed Identity configuration for the new node pool. gMSA uses a secret (user account and password) so the node on which the Windows pod is running can authenticate the container against Active Directory. To access that secret on Azure Key Vault, the node uses a Managed Identity that allows the node to access the resource. Since Managed Identities are configured per node pool, and the pod now resides on a new node pool, you need to update that configuration. Check out [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster](./use-group-managed-service-accounts.md) for more information. |
| 104 | + |
| 105 | +The same principle applies to Managed Identities used for any other pod/node pool when accessing other Azure resources. Any access provided via Managed Identity needs to be updated to reflect the new node pool. To view update and sign-in activities, see [How to view Managed Identity activity](/azure/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity). |
0 commit comments