Blog: Windows HostProcess containers going to stable #37370
Signed-off-by: Mark Rossetti <[email protected]>
/sig windows
@marosset: GitHub didn't allow me to request PR reviews from the following users: brasmith-ms. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@marosset: You must be a member of the kubernetes/website-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Website milestone maintainers and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
✅ Pull request preview available for checking. Built without sensitive environment variables.
Hello @marosset! v1.26 Comms shadow here. This feature blog is on a feature tracked for release, the deadline for submitting a draft is the 29th of November; this should be considered the hard limit since we will need to review/edit/discuss the draft, so if at all possible it's better to submit it earlier to avoid any problems. Any doubts, we're here to help! cc @fsmunoz
Hello @marosset, we're doing a global reminder about submitting a draft for review for all opted-in feature blogs. If it's at all possible, it is very helpful for the release team to have drafts submitted for review before the hard deadline date, to better plan the release dates and avoid missing out. Thank you!
/lgtm
/assign @onlydole
oh wait, we need to remove the todos
A couple more things. We could ship this; there is room for polish.
/lgtm
/approve
/hold
OK to unhold once Kubernetes v1.26 is released. Re-LGTMs are available too!
content/en/blog/_posts/2022-12-12-host-process-containers-stable/index.md
The Kubernetes project strongly recommends against mounting a host volume into a Windows Server
container in order to minimize potential attack surfaces. HostProcess containers enable you to configure
the host, along with privileged helper Pods, so that communication with your Windows workloads
in containers happens within the bounds of a secure pipeline.
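Review bot: the first two lines read as if HostProcess containers are what minimizes the attack surface, but elsewhere in this draft they are described as running directly as processes on the host under a user's access policies, which is the opposite of a reduced boundary. Suggest rewording so the recommendation stays "do not mount host volumes into Windows Server containers" and HostProcess containers are presented as the privileged helper Pods that replace that pattern, and replace "within the bounds of a secure pipeline" with what the boundary actually is (the workload containers keep no host mounts; only the dedicated helper Pod touches the host).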
I agree, it'd be nice to reword.
LGTM label has been added. Git tree hash: 626f974de5cf391780155dc3871ccd9102c76c8b
Marking this Ready for Publishing in Comms tracking, thank you for all the work - minor edits/reviews are still doable until the release date. /lgtm
LGTM label has been added. Git tree hash: 9dad978fe22fd27bbc388e2d630ec32e83bace88
minor nit
/lgtm
What are HostProcess containers and why are they useful?

Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's
Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's
Cluster operators are often faced with the need to configure their nodes upon provisioning such as
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dtzar, jayunit100, profnandaa, sftim. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Great blog post, @marosset @brasmith-ms. I left a few comments.
making network configuration changes, or even deploying monitoring tools such as a Prometheus's node-exporter.
Previously, performing these actions on Windows nodes was usually done by running PowerShell scripts
over SSH or WinRM sessions and/or working with your cloud provider's virtual machine management tooling.
HostProcess containers now enable you to do all of this and more with minimal effort.
I suggest adding ...with minimal effort using Kubernetes native APIs.
[HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod/) differ
quite significantly from regular Windows Server containers.
They are run directly as processes on the host under the access policies of
They are run directly as processes on the host under the access policies of
They are run directly as processes on the host with the access policies of
quite significantly from regular Windows Server containers.
They are run directly as processes on the host under the access policies of
a user you specify. HostProcess containers run as either the built-in Windows system accounts or
ephemeral users within a user group defined by you. HostProcess containers also share
How are these ephemeral users created? Are they in the host or in the container? Maybe just call that out.
If you have a compatible node (for example: Windows as the operating system
containerd v1.7 or later), you can deploy a Pod with one
If you have a compatible node (for example: Windows as the operating system
containerd v1.7 or later), you can deploy a Pod with one
f you have a compatible node (for example: Windows as the operating system
with containerd v1.7 or later as the container runtime), you can deploy a Pod with one
@aravindhp I think there is a typo in your suggestion
Sorry about that @sftim
If you have a compatible node (for example: Windows as the operating system
containerd v1.7 or later), you can deploy a Pod with one
If you have a compatible node (for example: Windows as the operating system
with containerd v1.7 or later as the container runtime), you can deploy a Pod with one
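A minimal manifest for the kind of Pod the excerpt above describes, added here as an illustration; it is not taken from the blog post or from the Kubernetes documentation. The Pod name, image tag, command and nodeSelector are assumptions; the `hostProcess`, `runAsUserName` and `hostNetwork` fields are the real Pod API fields.

```yaml
# Added illustration (not from the blog post): a HostProcess Pod that only
# reads node state. Needs a Windows node running containerd v1.7 or later.
apiVersion: v1
kind: Pod
metadata:
  name: hostprocess-inspect   # constructed name
spec:
  nodeSelector:
    kubernetes.io/os: windows
  # HostProcess containers must share the host's network namespace.
  hostNetwork: true
  securityContext:
    windowsOptions:
      hostProcess: true
      # The process runs on the host as this account, so choose the least
      # privileged one that can do the job. "NT AUTHORITY\\SYSTEM" is the
      # most privileged option; reserve it for tasks such as writing HKLM
      # registry keys. A local group name is also accepted, in which case
      # the runtime creates an ephemeral user in that group.
      runAsUserName: "NT AUTHORITY\\Local service"
  containers:
  - name: inspect-node
    image: mcr.microsoft.com/windows/nanoserver:ltsc2022   # assumed image
    # Because the process runs on the host, host tools such as the host's
    # powershell.exe are on PATH and host services are visible.
    command:
    - powershell.exe
    - -Command
    - Get-Service -Name kubelet -ErrorAction SilentlyContinue | Format-Table Name, Status
  restartPolicy: Never
```

Switching `runAsUserName` to `"NT AUTHORITY\\SYSTEM"` is the only change needed for node-configuration tasks that require it, which keeps the privilege decision explicit in the manifest.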
I'm going to do another round of updates to incorporate all the feedback tomorrow.
Hi @marosset, thanks for your work on this. It would be good to be able to merge this as soon as possible, especially considering that this is one of the very first blogs to go out and we don't have much time until the publication date.
/hold cancel We have a brief opportunity to do updates before publication; otherwise, it's still OK to make corrections for up to 1 year afterwards. Beyond that time, we de-prioritise review effort and only really consider it if the article is obviously misleading.
Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's
installing Windows services, configuring registry keys, managing TLS certificates,
making network configuration changes, or even deploying monitoring tools such as a Prometheus's node-exporter.
Prometheus's windows_exporter
Also may want to add a link: https://github.com/prometheus-community/windows_exporter/blob/master/kubernetes/kubernetes.md
node exporter is for linux
Good catch. Could you open a PR for these fixes? They would go live as soon as we merge it, if I understand correctly.
Here are just a few of the many use use cases with example deployments:

- [CNI solutions and kube-proxy](https://github.com/kubernetes-sigs/sig-windows-tools/tree/master/hostprocess/calico#calico-example)
- [windows-exporter](https://github.com/prometheus-community/windows_exporter/blob/master/kubernetes/windows-exporter-daemonset.yaml)
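Review bot: the lead-in line repeats "use" ("many use use cases"), and the second bullet's link text "windows-exporter" does not match the project name windows_exporter that appears in its own URL; suggest "many use cases" and "windows_exporter" so readers searching for the project find the right name.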
windows_exporter
Signed-off-by: Mark Rossetti [email protected]