|
| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: 'Alpha in v1.22: Windows HostProcess Containers' |
| 4 | +date: 2021-08-16 |
| 5 | +slug: windows-hostprocess-containers |
| 6 | +--- |
| 7 | + |
| 8 | +**Authors:** Brandon Smith (Microsoft) |
| 9 | + |
| 10 | +Kubernetes v1.22 introduced a new alpha feature for clusters that |
| 11 | +include Windows nodes: HostProcess containers. |
| 12 | + |
| 13 | +HostProcess containers aim to extend the Windows container model to enable a wider |
| 14 | +range of Kubernetes cluster management scenarios. HostProcess containers run |
| 15 | +directly on the host and maintain behavior and access similar to that of a regular |
| 16 | +process. With HostProcess containers, users can package and distribute management |
| 17 | +operations and functionalities that require host access while retaining versioning |
| 18 | +and deployment methods provided by containers. This allows Windows containers to |
| 19 | +be used for a variety of device plugin, storage, and networking management scenarios |
| 20 | +in Kubernetes. With this comes the enablement of host network mode—allowing |
| 21 | +HostProcess containers to be created within the host's network namespace instead of |
| 22 | +their own. HostProcess containers can also be built on top of existing Windows server |
| 23 | +2019 (or later) base images, managed through the Windows container runtime, and run |
| 24 | +as any user that is available on or in the domain of the host machine. |
| 25 | + |
| 26 | +Linux privileged containers are currently used for a variety of key scenarios in |
| 27 | +Kubernetes, including kube-proxy (via kubeadm), storage, and networking scenarios. |
| 28 | +Support for these scenarios in Windows previously required workarounds via proxies |
| 29 | +or other implementations. Using HostProcess containers, cluster operators no longer |
| 30 | +need to log onto and individually configure each Windows node for administrative |
| 31 | +tasks and management of Windows services. Operators can now utilize the container |
| 32 | +model to deploy management logic to as many clusters as needed with ease. |
| 33 | + |
| 34 | +## How does it work? |
| 35 | + |
| 36 | +Windows HostProcess containers are implemented with Windows _Job Objects_, a break from the |
| 37 | +previous container model using server silos. Job objects are components of the Windows OS which offer the ability to |
| 38 | +manage a group of processes as a group (a.k.a. _jobs_) and assign resource constraints to the |
| 39 | +group as a whole. Job objects are specific to the Windows OS and are not associated with the Kubernetes [Job API](https://kubernetes.io/docs/concepts/workloads/controllers/job/). They have no process or file system isolation, |
| 40 | +enabling the privileged payload to view and edit the host file system with the |
| 41 | +correct permissions, among other host resources. The init process, and any processes |
| 42 | +it launches or that are explicitly launched by the user, are all assigned to the |
| 43 | +job object of that container. When the init process exits or is signaled to exit, |
| 44 | +all the processes in the job will be signaled to exit, the job handle will be |
| 45 | +closed and the storage will be unmounted. |
| 46 | + |
| 47 | +HostProcess and Linux privileged containers enable similar scenarios but differ |
| 48 | +greatly in their implementation (hence the naming difference). HostProcess containers |
| 49 | +have their own pod security policies. Those used to configure Linux privileged |
| 50 | +containers **do not** apply. Enabling privileged access to a Windows host is a |
| 51 | +fundamentally different process than with Linux so the configuration and |
| 52 | +capabilities of each differ significantly. Below is a diagram detailing the |
| 53 | +overall architecture of Windows HostProcess containers: |
| 54 | + |
| 55 | +{{< figure src="hostprocess-architecture.png" alt="HostProcess Architecture" >}} |
| 56 | + |
| 57 | +## How do I use it? |
| 58 | + |
| 59 | +HostProcess containers can be run from within a |
| 60 | +[HostProcess Pod](/docs/tasks/configure-pod-container/create-hostprocess-pod). |
| 61 | +With the feature enabled on Kubernetes version 1.22, a containerd container runtime of |
| 62 | +1.5.4 or higher, and the latest version of hcsshim, deploying a pod spec with the |
| 63 | +[correct HostProcess configuration](/docs/tasks/configure-pod-container/create-hostprocess-pod/#before-you-begin) |
| 64 | +will enable you to run HostProcess containers. To get started with running |
| 65 | +Windows containers see the general guidance for [Windows in Kubernetes](/docs/setup/production-environment/windows/) |
| 66 | + |
| 67 | +## How can I learn more? |
| 68 | + |
| 69 | +- Work through [Create a Windows HostProcess Pod](/docs/tasks/configure-pod-container/create-hostprocess-pod/) |
| 70 | + |
| 71 | +- Read about Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) |
| 72 | + |
| 73 | +- Read the enhancement proposal [Windows Privileged Containers and Host Networking Mode](https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/1981-windows-privileged-container-support) (KEP-1981) |
| 74 | + |
| 75 | +## How do I get involved? |
| 76 | + |
| 77 | +HostProcess containers are in active development. SIG Windows welcomes suggestions from the community. |
| 78 | +Get involved with [SIG Windows](https://github.com/kubernetes/community/tree/master/sig-windows) |
| 79 | +to contribute! |
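Review bot: In the "How does it work?" section, the sentence "HostProcess containers have their own pod security policies" (line 49 of the new file) is easy to misread as a reference to the PodSecurityPolicy API, which is deprecated as of v1.21; since the "How can I learn more?" section already links to Pod Security Standards, consider rewording to "HostProcess containers have their own Pod Security Standards settings" so readers are pointed at the mechanism that actually governs them. In "How do I use it?", "With the feature enabled" never names the feature gate; stating that the `WindowsHostProcessContainers` gate must be on (alpha features are off by default) and that `hostNetwork: true` is required would save operators a trip to the task page. Two small style points: line 65 ("see the general guidance for Windows in Kubernetes") is missing its terminating period, and "Windows server 2019" on line 22 should be "Windows Server 2019".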