Blog: Windows HostProcess containers going to stable #37370
Conversation
Signed-off-by: Mark Rossetti <[email protected]>
k8s-ci-robot
added
do-not-merge/work-in-progress
|
/sig windows |
|
@marosset: GitHub didn't allow me to request PR reviews from the following users: brasmith-ms. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@marosset: You must be a member of the kubernetes/website-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Website milestone maintainers and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
sig/windows
k8s-ci-robot
added
area/blog
k8s-ci-robot
added
the
sig/docs
k8s-ci-robot
added
size/L
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
|
Hello @marosset! v1.26 Comms shadow here. This feature blog is on a feature tracked for release, the deadline for submitting a draft is the 29th of November; this should be considered the hard limit since we will need to review/edit/discuss the draft, so if at all possible it's better to submit it earlier to avoid any problems. Any doubts, we're here to help! cc @fsmunoz |
|
Hello @marosset, we're doing a global reminder about submitting a draft for review for all opted-in feature blogs. If it's at all possible, it is very helpful for the release team to have drafts submitted for review before the hard deadline date, to better plan the release dates and avoid missing out. Thank you! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @onlydole |
|
oh wait, we need to remove the todos |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
content/en/blog/_posts/2022-12-12-host-process-containers-stable/index.md
Outdated
Show resolved
Hide resolved
content/en/blog/_posts/2022-12-12-host-process-containers-stable/index.md
Outdated
Show resolved
Hide resolved
content/en/blog/_posts/2022-12-12-host-process-containers-stable/index.md
Outdated
Show resolved
Hide resolved
| The Kubernetes project strongly recommends against mounting a host volume into a Windows Server | ||
| container in order to minimize potential attack surfaces. HostProcess containers enable you to configure | ||
| the host, along with privileged helper Pods, so that communication with your Windows workloads | ||
| in containers happens within the bounds of a secure pipeline. |
There was a problem hiding this comment.
I agree, it's be nice to reword.
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 626f974de5cf391780155dc3871ccd9102c76c8b
|
k8s-ci-robot
removed
the
lgtm
|
Marking this Ready for Publishing in Comms tracking, thank you for all the work - minor edits/reviews are still doable until the release date. /lgtm |
|
LGTM label has been added. Git tree hash: 9dad978fe22fd27bbc388e2d630ec32e83bace88
|
k8s-ci-robot
added
the
lgtm
|
|
||
| What are HostProcess containers and why are they useful? | ||
|
|
||
| Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's |
There was a problem hiding this comment.
| Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's | |
| Cluster operators are often faced with the need to configure their nodes upon provisioning such as |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtzar, jayunit100, profnandaa, sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Great blog post, @marosset @brasmith-ms. I left a few comments.
| making network configuration changes, or even deploying monitoring tools such as a Prometheus's node-exporter. | ||
| Previously, performing these actions on Windows nodes was usually done by running PowerShell scripts | ||
| over SSH or WinRM sessions and/or working with your cloud provider's virtual machine management tooling. | ||
| HostProcess containers now enable you to do all of this and more with minimal effort. |
There was a problem hiding this comment.
I suggest adding ...with minimal effort using Kubernetes native APIs.
|
|
||
| [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod/) differ | ||
| quite significantly from regular Windows Server containers. | ||
| They are run directly as processes on the host under the access policies of |
There was a problem hiding this comment.
| They are run directly as processes on the host under the access policies of | |
| They are run directly as processes on the host with the access policies of |
| quite significantly from regular Windows Server containers. | ||
| They are run directly as processes on the host under the access policies of | ||
| a user you specify. HostProcess containers run as either the built-in Windows system accounts or | ||
| ephemeral users within a user group defined by you. HostProcess containers also share |
There was a problem hiding this comment.
How are these ephemeral users created? Are they in the host or in the container? Maybe just call that out.
| If you have a compatible node (for example: Windows as the operating system | ||
| containerd v1.7 or later), you can deploy a Pod with one |
There was a problem hiding this comment.
| If you have a compatible node (for example: Windows as the operating system | |
| containerd v1.7 or later), you can deploy a Pod with one | |
| f you have a compatible node (for example: Windows as the operating system | |
| with containerd v1.7 or later as the container runtime), you can deploy a Pod with one |
There was a problem hiding this comment.
@aravindhp I think there is a typo in your suggestion
There was a problem hiding this comment.
Sorry about that @sftim
| If you have a compatible node (for example: Windows as the operating system | |
| containerd v1.7 or later), you can deploy a Pod with one | |
| If you have a compatible node (for example: Windows as the operating system | |
| with containerd v1.7 or later as the container runtime), you can deploy a Pod with one |
|
I'm going to do another round of updates to incorporate all the feedback tomorrow. |
|
Hi @marosset ,thanks for your work on this. It would be good to be able to merge this as soon as possible, especially considering that this is one of the very first blogs to go out and we don't have much time until the publication date. |
|
/hold cancel We have a brief opportunity to do updates before publication; otherwise, it's still OK to make corrections for up to 1 year afterwards. Beyond that time, we de-prioritise review effort and only really consider it if the article is obviously misleading. |
k8s-ci-robot
removed
the
do-not-merge/hold
|
|
||
| Cluster operators are often faced with the need to configure their nodes upon provisioning. Whether it's | ||
| installing Windows services, configuring registry keys, managing TLS certificates, | ||
| making network configuration changes, or even deploying monitoring tools such as a Prometheus's node-exporter. |
There was a problem hiding this comment.
Prometheus's windows_exporter
Also may want to add a link: https://github.com/prometheus-community/windows_exporter/blob/master/kubernetes/kubernetes.md
node exporter is for linux
There was a problem hiding this comment.
good catch. Could you open PR for these fixes? They would got live as soon as we merge it, if I understand correctly
| Here are just a few of the many use use cases with example deployments: | ||
|
|
||
| - [CNI solutions and kube-proxy](https://github.com/kubernetes-sigs/sig-windows-tools/tree/master/hostprocess/calico#calico-example) | ||
| - [windows-exporter](https://github.com/prometheus-community/windows_exporter/blob/master/kubernetes/windows-exporter-daemonset.yaml) |
Signed-off-by: Mark Rossetti [email protected]