From 89e744666c9e2062ac39691d2855d7b962feca23 Mon Sep 17 00:00:00 2001 From: ravisantoshgudimetla Date: Tue, 23 Nov 2021 08:13:06 -0500 Subject: [PATCH] [docs][windows]: Pod OS field update Co-authored-by: James Sturtevant Co-authored-by: Tim Bannister --- .../feature-gates.md | 3 ++ .../windows/intro-windows-in-kubernetes.md | 31 +++++++++++++++++++ .../windows/user-guide-windows-containers.md | 14 +++++++++ 3 files changed, 48 insertions(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 81e53092cb..9c582b1472 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -120,6 +120,7 @@ different Kubernetes components. | `GracefulNodeShutdown` | `true` | Beta | 1.21 | | | `HPAContainerMetrics` | `false` | Alpha | 1.20 | | | `HPAScaleToZero` | `false` | Alpha | 1.16 | | +| `IdentifyPodOS` | `false` | Alpha | 1.23 | | | `IndexedJob` | `false` | Alpha | 1.21 | 1.21 | | `IndexedJob` | `true` | Beta | 1.22 | | | `InTreePluginAWSUnregister` | `false` | Alpha | 1.21 | | @@ -779,6 +780,8 @@ Each feature gate is designed for enabling/disabling a specific feature: - `HyperVContainer`: Enable [Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container) for Windows containers. +- `IdentifyPodOS`: Allows the Pod OS field to be specified. This helps in identifying the OS of the pod + authoritatively during the API server admission time. In Kubernetes {{< skew currentVersion >}}, the allowed values for the `pod.spec.os.name` are `windows` and `linux`. - `ImmutableEphemeralVolumes`: Allows for marking individual Secrets and ConfigMaps as immutable for better safety and performance. - `InTreePluginAWSUnregister`: Stops registering the aws-ebs in-tree plugin in kubelet diff --git a/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md b/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md index c2160e330f..1140403fd7 100644 --- a/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md +++ b/content/en/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md @@ -153,6 +153,37 @@ section refers to several key workload enablers and how they map to Windows. * `emptyDir` volumes * Named pipe host mounts * Resource limits + * OS field: + {{< feature-state for_k8s_version="v1.23" state="alpha" >}} + `.spec.os.name` should be set to `windows` to indicate that the current Pod uses Windows containers. + `IdentifyPodOS` feature gate needs to be enabled for this field to be recognized and used by control plane + components and kubelet. + {{< note >}} + If the `IdentifyPodOS` feature gate is enabled and you set the `.spec.os.name` field to `windows`, you must not set the following fields in the `.spec` of that Pod: + * `spec.hostPID` + * `spec.hostIPC` + * `spec.securityContext.seLinuxOptions` + * `spec.securityContext.seccompProfile` + * `spec.securityContext.fsGroup` + * `spec.securityContext.fsGroupChangePolicy` + * `spec.securityContext.sysctls` + * `spec.shareProcessNamespace` + * `spec.securityContext.runAsUser` + * `spec.securityContext.runAsGroup` + * `spec.securityContext.supplementalGroups` + * `spec.containers[*].securityContext.seLinuxOptions` + * `spec.containers[*].securityContext.seccompProfile` + * `spec.containers[*].securityContext.capabilities` + * `spec.containers[*].securityContext.readOnlyRootFilesystem` + * `spec.containers[*].securityContext.privileged` + * `spec.containers[*].securityContext.allowPrivilegeEscalation` + * `spec.containers[*].securityContext.procMount` + * `spec.containers[*].securityContext.runAsUser` + * `spec.containers[*].securityContext.runAsGroup` + + Note: In this table, wildcards (*) indicate all elements in a list. For example, spec.containers[*].securityContext refers to the Security Context object for all defined containers. If not, Pod API validation would fail causing admission failures. + {{< /note >}} + * [Workload resources](/docs/concepts/workloads/controllers/) including: * ReplicaSet * Deployments diff --git a/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md b/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md index ec47f5637a..177f7623f6 100644 --- a/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md +++ b/content/en/docs/setup/production-environment/windows/user-guide-windows-containers.md @@ -160,7 +160,21 @@ Users today need to use some combination of taints and node selectors in order t keep Linux and Windows workloads on their respective OS-specific nodes. This likely imposes a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. + {{< note >}} +If the `IdentifyPodOS` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is +enabled, you can (and should) set `.spec.os.name` for a Pod to indicate the operating system +that the containers in that Pod are designed for. For Pods that run Linux containers, set +`.spec.os.name` to `linux`. For Pods that run Windows containers, set `.spec.os.name` +to Windows. +The scheduler does not use the value of `.spec.os.name` when assigning Pods to nodes. You should +use normal Kubernetes mechanisms for +[assigning pods to nodes](/docs/concepts/scheduling-eviction/assign-pod-node/) +to ensure that the control plane for your cluster places pods onto nodes that are running the +appropriate operating system. + no effect on the scheduling of the Windows pods, so taints and tolerations and node selectors are still required + to ensure that the Windows pods land onto appropriate Windows nodes. + {{< /note >}} ### Ensuring OS-specific workloads land on the appropriate container host Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations.