You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
+24-17Lines changed: 24 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -235,39 +235,42 @@ Overlay (VXLAN) networks on Windows do not support dual-stack networking today.
235
235
236
236
### Limitations
237
237
238
-
#### Control Plane
239
-
240
238
Windows is only supported as a worker node in the Kubernetes architecture and component matrix. This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes.
241
239
242
-
#### Compute {#compute-limitations}
243
240
244
-
#####Resource management and process isolation
241
+
#### Resource Handling
245
242
246
243
Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate.
247
244
248
-
##### Operating System Restrictions
245
+
####Resource Reservations
249
246
250
-
Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release.
247
+
##### Memory Reservations
248
+
Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance.
249
+
250
+
Keeping memory usage within reasonable bounds is possible using the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This reduces [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable).
251
+
252
+
{{< note >}}
253
+
As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This also subtracts from NodeAllocatable and prevents the scheduler from adding more pods once a node is full.
254
+
{{< /note >}}
255
+
256
+
A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes.
257
+
258
+
##### CPU Reservations
259
+
To account for Windows, Docker and other Kubernetes host processes it is recommended to reserve a percentage of CPU so they are able to respond to events. This value needs to be scaled based on the number of CPU cores available on the Windows node.To determine this percentage a user should identify the maximum pod density for each of their nodes and monitor the CPU usage of the system services choosing a value that meets their workload needs.
251
260
252
-
##### Feature Restrictions
261
+
Keeping CPU usage within reasonable bounds is possible using the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for CPU usage on the node (outside of containers). This reduces [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable).
253
262
254
-
* TerminationGracePeriod: requires CRI-containerD
263
+
#### Feature Restrictions
264
+
* TerminationGracePeriod: not implemented
255
265
* Single file mapping: to be implemented with CRI-ContainerD
256
266
* Termination message: to be implemented with CRI-ContainerD
257
267
* Privileged Containers: not currently supported in Windows containers
258
268
* HugePages: not currently supported in Windows containers
259
269
* The existing node problem detector is Linux-only and requires privileged containers. In general, we don't expect this to be used on Windows because privileged containers are not supported
260
270
* Not all features of shared namespaces are supported (see API section for more details)
261
271
262
-
##### Memory Reservations and Handling
263
-
264
-
Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance.
265
-
266
-
Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This reduces [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This also subtracts from NodeAllocatable and prevents the scheduler from adding more pods once a node is full.
267
-
268
-
A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes.
269
-
270
-
The behavior of the flags behave differently as described below:
272
+
#### Difference in behavior of flags when compared to Linux
273
+
The behavior of the following kubelet flags is different on Windows nodes as described below:
271
274
272
275
*`--kubelet-reserve`, `--system-reserve` , and `--eviction-hard` flags update Node Allocatable
273
276
* Eviction by using `--enforce-node-allocable` is not implemented
@@ -415,6 +418,10 @@ None of the PodSecurityContext fields work on Windows. They're listed here for r
415
418
* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows
416
419
* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows.
417
420
421
+
#### Operating System Version Restrictions
422
+
423
+
Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release.
424
+
418
425
## Getting Help and Troubleshooting {#troubleshooting}
419
426
420
427
Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. Logs are an important element of troubleshooting issues in Kubernetes. Make sure to include them any time you seek troubleshooting assistance from other contributors. Follow the instructions in the SIG-Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs).
0 commit comments