Merge pull request kubernetes#74444 from pjh/gce-windows-no-defender

Disable Windows Defender on Windows nodes.

Author: k8s-ci-robot

cluster/gce/windows/common.psm1

@@ -146,5 +146,20 @@ function MustDownload-File {
   }
 }
 
+# Returns true if this node is part of a test cluster (see
+# cluster/gce/config-test.sh). $KubeEnv is a hash table containing the kube-env
+# metadata keys+values.
+function Test-IsTestCluster {
+  param (
+    [parameter(Mandatory=$true)] [hashtable]$KubeEnv
+  )
+
+  if ($KubeEnv.Contains('TEST_CLUSTER') -and `
+      ($KubeEnv['TEST_CLUSTER'] -eq 'true')) {
+    return $true
+  }
+  return $false
+}
+
 # Export all public functions:
 Export-ModuleMember -Function *-*

cluster/gce/windows/configure.ps1

@@ -77,18 +77,6 @@ function FetchAndImport-ModuleFromMetadata {
   Import-Module -Force C:\$Filename
 }
 
-# Returns true if this node is part of a test cluster (see
-# cluster/gce/config-test.sh).
-#
-# $kube_env must be set before calling this function.
-function Test-IsTestCluster {
-  if ($kube_env.Contains('TEST_CLUSTER') -and `
-      ($kube_env['TEST_CLUSTER'] -eq 'true')) {
-    return $true
-  }
-  return $false
-}
-
 try {
   # Don't use FetchAndImport-ModuleFromMetadata for common.psm1 - the common
   # module includes variables and functions that any other function may depend
@@ -104,8 +92,9 @@ try {
 
   Set-PrerequisiteOptions
   $kube_env = Fetch-KubeEnv
+  Disable-WindowsDefender
 
-  if (Test-IsTestCluster) {
+  if (Test-IsTestCluster $kube_env) {
     Log-Output 'Test cluster detected, installing OpenSSH.'
     FetchAndImport-ModuleFromMetadata 'install-ssh-psm1' 'install-ssh.psm1'
     InstallAndStart-OpenSsh

cluster/gce/windows/k8s-node-setup.psm1

@@ -221,13 +221,6 @@ function Set-PrerequisiteOptions {
   sc.exe config wuauserv start=disabled
   sc.exe stop wuauserv
 
-  # Windows Defender periodically consumes 100% of the CPU.
-  # TODO(pjh): this (all of a sudden, ugh) started failing with "The term
-  # 'Set-MpPreference' is not recognized...". Investigate and fix or remove.
-  #Log-Output "Disabling Windows Defender service"
-  #Set-MpPreference -DisableRealtimeMonitoring $true
-  #Uninstall-WindowsFeature -Name 'Windows-Defender'
-
   # Use TLS 1.2: needed for Invoke-WebRequest downloads from github.com.
   [Net.ServicePointManager]::SecurityProtocol = `
       [Net.SecurityProtocolType]::Tls12
@@ -237,6 +230,24 @@ function Set-PrerequisiteOptions {
   Install-Module -Name powershell-yaml -Force
 }
 
+# Disables Windows Defender realtime scanning if this Windows node is part of a
+# test cluster.
+#
+# ${kube_env} must have already been set.
+function Disable-WindowsDefender {
+  # Windows Defender periodically consumes 100% of the CPU, so disable realtime
+  # scanning. Uninstalling the Windows Feature will prevent the service from
+  # starting after a reboot.
+  # TODO(pjh): move this step to image preparation, since we don't want to do a
+  # full reboot here.
+  if ((Test-IsTestCluster ${kube_env}) -and
+      ((Get-WindowsFeature -Name 'Windows-Defender').Installed)) {
+    Log-Output "Disabling Windows Defender service"
+    Set-MpPreference -DisableRealtimeMonitoring $true
+    Uninstall-WindowsFeature -Name 'Windows-Defender'
+  }
+}
+
 # Creates directories where other functions in this module will read and write
 # data.
 function Create-Directories {