Add a tutorial to provision and configure swap on a node

iholder101 · iholder101 · commit bec9d0d50a70 · 2025-07-10T19:27:52.000+03:00
Signed-off-by: Itamar Holder &lt;iholder@redhat.com&gt;
diff --git a/content/en/docs/concepts/security/linux-security.md b/content/en/docs/concepts/security/linux-security.md
@@ -0,0 +1,62 @@
+---
+reviewers:
+- jayunit100
+- jsturtevant
+- marosset
+- perithompson
+title:    Security For Windows Nodes
+content_type: concept
+weight: 40
+---
+
+<!-- overview -->
+
+This page describes security considerations and best practices specific to the Linux operating system.
+
+<!-- body -->
+
+## Protection for Secret data on nodes
+
+On Windows, data from Secrets are written out in clear text onto the node's local
+storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster
+operator, you should take both of the following additional measures:
+
+1. Use file ACLs to secure the Secrets' file location.
+1. Apply volume-level encryption using
+   [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server).
+
+## Container users
+
+[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername)
+can be specified for Windows Pods or containers to execute the container
+processes as specific user. This is roughly equivalent to
+[RunAsUser](/docs/concepts/security/pod-security-policy/#users-and-groups).
+
+Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator.
+The differences between these two user accounts are covered in
+[When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts)
+within Microsoft's _Secure Windows containers_ documentation.
+
+Local users can be added to container images during the container build process.
+
+{{< note >}}
+
+* [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as
+  `ContainerUser` by default
+* [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as
+  `ContainerAdministrator` by default
+
+{{< /note >}}
+
+Windows containers can also run as Active Directory identities by utilizing
+[Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/)
+
+## Pod-level security isolation
+
+Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
+POSIX capabilities) are not supported on Windows nodes.
+
+Privileged containers are [not supported](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)
+on Windows.
+Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod)
+can be used on Windows to perform many of the tasks performed by privileged containers on Linux.
diff --git a/content/en/docs/tutorials/configuration/provision-swap-memory.md b/content/en/docs/tutorials/configuration/provision-swap-memory.md
@@ -0,0 +1,131 @@
+---
+reviewers:
+- lmktfy
+title: Configuring swap memory on Kubernetes nodes
+content_type: tutorial
+weight: 35
+min-kubernetes-server-version: "1.33"
+---
+
+<!-- overview -->
+
+This page provides an example of how to provision and configure swap memory on a Kubernetes node using kubeadm.
+
+<!-- lessoncontent -->
+
+## {{% heading "objectives" %}}
+
+* Provision swap memory on a Kubernetes node using kubeadm.
+* Learn to configure both encrypted and unencrypted swap.
+* Learn to enable swap on boot.
+
+## {{% heading "prerequisites" %}}
+
+
+{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
+
+You need at least one worker node in your cluster which needs to run a Linux operating system.
+It is required for this demo that the kubeadm tool be installed, following the steps outlined in the
+[kubeadm installation guide](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm).
+
+On each worker node where you will configure swap use, you need:
+* `fallocate`
+* `mkswap`
+* `swapon`
+
+* For encrypted swap space (recommended), you also need:
+* `cryptsetup`
+
+<!-- lessoncontent -->
+
+
+## Install a swap-enabled cluster with kubeadm
+
+### Create a swap file and turn swap on
+
+If swap is not enabled, there's a need to provision swap on the node. 
+The following sections demonstrate creating 4GiB of swap, both in the encrypted and unencrypted case.
+
+{{< tabs name="Create a swap file and turn swap on" >}}
+
+{{% tab name="Setting up encrypted swap" %}}
+An encrypted swap file can be set up as follows.
+Bear in mind that this example uses the `cryptsetup` binary (which is available
+on most Linux distributions).
+
+```bash
+# Allocate storage and restrict access
+fallocate --length 4GiB /swapfile
+chmod 600 /swapfile
+
+# Create an encrypted device backed by the allocated storage
+cryptsetup --type plain --cipher aes-xts-plain64 --key-size 256 -d /dev/urandom open /swapfile cryptswap
+
+# Format the swap space
+mkswap /dev/mapper/cryptswap
+
+# Activate the swap space for paging
+swapon /dev/mapper/cryptswap
+```
+
+{{% /tab %}}
+
+{{% tab name="Setting up unencrypted swap" %}}
+An unencrypted swap file can be set up as follows.
+
+```bash
+# Allocate storage and restrict access
+fallocate --length 4GiB /swapfile
+chmod 600 /swapfile
+
+# Format the swap space
+mkswap /swapfile
+
+# Activate the swap space for paging
+swapon /swapfile
+```
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+#### Verify that swap is enabled
+
+Swap can be verified to be enabled with both `swapon -s` command or the `free` command.
+
+Using `swapon -s`:
+```
+Filename       Type		Size		Used		Priority
+/dev/dm-0      partition 	4194300		0		-2
+```
+
+Using `free -h`:
+```
+               total        used        free      shared  buff/cache   available
+Mem:           3.8Gi       1.3Gi       249Mi        25Mi       2.5Gi       2.5Gi
+Swap:          4.0Gi          0B       4.0Gi
+```
+
+#### Enable swap on boot
+
+After setting up swap, to start the swap file at boot time,
+you typically either set up a systemd unit to activate (encrypted) swap, or you
+add a line similar to `/swapfile swap swap defaults 0 0` into `/etc/fstab`.
+
+Using systemd for swap activation allows the system to delay kubelet start until swap is available,
+if that is something you want to ensure.
+In a similar way, using systemd allows your server to leave swap active until kubelet
+(and, typically, your container runtime) have shut down.
+
+### Set up kubelet configuration
+
+After enabling swap on the node, kubelet needs to be configured in the following way:
+
+```yaml
+ # this fragment goes into the kubelet's configuration file
+ failSwapOn: false
+ memorySwap:
+     swapBehavior: LimitedSwap
+```
+
+In order for these configurations to take effect, kubelet needs to be restarted. 
