Skip to content

Update windows-support.adoc with access entry considerations #924

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 31, 2025
Merged

Update windows-support.adoc with access entry considerations #924

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
73fb5a6
Update windows-support.adoc
geoffcline Mar 17, 2025
ea0dbcc
Update windows-support.adoc
geoffcline Mar 17, 2025
7847078
fixup
geoffcline Mar 31, 2025
64ea40d
Merge branch 'mainline' into geoffcline-patch-17
geoffcline Mar 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 17 additions & 7 deletions latest/ug/clusters/windows-support.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,11 @@ include::../attributes.txt[]
Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers.
--

Before deploying Windows nodes, be aware of the following considerations.
Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers.

== Considerations

Before deploying Windows nodes, be aware of the following considerations.

* EKS Auto Mode does not support Windows nodes
* You can use host networking on Windows nodes using `HostProcess` Pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/[Create a Windows HostProcessPod] in the Kubernetes documentation.
Expand All @@ -29,13 +32,16 @@ Before deploying Windows nodes, be aware of the following considerations.
* The source for the controller is managed on GitHub. To contribute to, or file issues against the controller, visit the https://github.com/aws/amazon-vpc-resource-controller-k8s[project] on GitHub.
* When specifying a custom AMI ID for Windows managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <<mng-ami-id-conditions>>.
* If preserving your available IPv4 addresses is crucial for your subnet, refer to https://aws.github.io/aws-eks-best-practices/windows/docs/networking/#ip-address-management[EKS Best Practices Guide - Windows Networking IP Address Management] for guidance.
* Considerations for EKS Access Entries
** If you use a different Node IAM Role for Windows instances, EKS will automatically create the required Windows Access Entry.
** Access Entries for use with Windows nodes need the type of `EC2_WINDOWS`. For more information, see <<creating-access-entries>>.

== Prerequisites

* An existing cluster.
* Your cluster must have at least one (we recommend at least two) Linux node or Fargate Pod to run CoreDNS. If you enable legacy Windows support, you must use a Linux node (you can't use a Fargate Pod) to run CoreDNS.
* An existing <<cluster-iam-role,Amazon EKS cluster IAM role>>.


[#enable-windows-support]
== Enable Windows support
. If you don't have Amazon Linux nodes in your cluster and use security groups for Pods, skip to the next step. Otherwise, confirm that the `AmazonEKSVPCResourceController` managed policy is attached to your <<cluster-iam-role,cluster role>>. Replace [.replaceable]`eksClusterRole` with your cluster role name.
Expand Down Expand Up @@ -72,7 +78,8 @@ aws iam attach-role-policy \
--role-name eksClusterRole \
--policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController
----
. Create a file named [.replaceable]`vpc-resource-controller-configmap.yaml` with the following contents.
. If the VPC CNI *is not* installed as an Amazon EKS Add-on:
Copy link
Contributor

@KlwntSingh KlwntSingh Mar 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

VPC CNI is is always installed for networking in k8s. This command just enable Windows-ipam inside VPC resource controller.

Rephrase the statement to, enable IPAM for Windows nodes in VPC resource controller using following ConfigMap.

Copy link
Contributor Author

@geoffcline geoffcline Mar 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it matters if it's installed as a managed add-on or regular, right?

if it's a managed add-on, they need to configure the add-on

if it's regular, they can just update the config

does that make sense?

Copy link
Contributor

@KlwntSingh KlwntSingh Mar 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CNI for Windows is different from Linux. Windows CNI is shipped in AMIs. It is not installed via addon.

Copy link
Contributor Author

@geoffcline geoffcline Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah tyty

.. Create a file named [.replaceable]`vpc-resource-controller-configmap.yaml` with the following contents.
+
[source,yaml,subs="verbatim,attributes"]
----
Expand All @@ -84,13 +91,16 @@ metadata:
data:
enable-windows-ipam: "true"
----
. Apply the `ConfigMap` to your cluster.
.. Apply the `ConfigMap` to your cluster.
+
[source,bash,subs="verbatim,attributes"]
----
kubectl apply -f vpc-resource-controller-configmap.yaml
----
. Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command.
. If the VPC CNI *is* installed as an Amazon EKS Add-on:
** Review <<kubernetes-field-management>> to understand how to configure Amazon EKS Add-ons. Update the configuration of the add-on to include `enable-windows-ipam: "true"`.
. If your cluster has the authentication mode set to enable the `aws-auth` configmap:
** Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command.
+
[source,bash,subs="verbatim,attributes"]
----
Expand Down Expand Up @@ -118,7 +128,7 @@ data:
----
+
You should see `eks:kube-proxy-windows` listed under groups. If the group isn't specified, you need to update your `ConfigMap` or create it to include the required group. For more information about the `aws-auth` `ConfigMap`, see <<aws-auth-configmap>>.

. If your cluster has the authentication mode set to disable the `aws-auth` configmap, then you can use EKS Access Entries. Create a new node role for use with Windows instances, and EKS will automatically create an access entry of type `EC2_WINDOWS`.

[#windows-support-pod-deployment]
== Deploy Windows Pods
Expand Down Expand Up @@ -164,4 +174,4 @@ You can enable higher Pod density on Windows nodes by enabling IP prefix delegat
(Number of private IPv4 addresses assigned to the interface attached to the node - 1) * 16
----

With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of Pods on your nodes. For more information, see <<cni-increase-ip-addresses>>.
With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of Pods on your nodes. For more information, see <<cni-increase-ip-addresses>>.