KEP-3503 Initial KEP for windows host-network support #3507
Today it is possible to set `hostNetwork=true` for Windows pods but it doesn't change anything
(unless the pod contains `hostProcess` containers). This can be confusing for users.
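Review bot: the opening sentence says `hostNetwork=true` "doesn't change anything" on Windows, but the parenthetical then describes the HostProcess case where the field is required; state the non-HostProcess behaviour directly (the field is accepted and silently ignored, as the user stories later in this thread put it) so the reader sees what the confusion actually is.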
I remember this discussion 2 years ago in sig-network:
https://groups.google.com/g/kubernetes-sig-network/c/bRWRos3H0sM/m/MwNwG0q2AAAJ
and I could check there was a KEP that seems implemented.
Is this paragraph a reference to that?
Yes, this is related to that.
HostProcessContainers run everything in the root namespaces, so we decided to require hostNetwork=true
be set for these pods/containers. This KEP will focus on non-HostProcessContainers support.
@aojea Can I add you as a reviewer or approver for this KEP for sig-network?
I have limited knowledge of windows, but I can be a reviewer, just prepare yourself for some naive questions 😄
No problem!
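An audit helper for the situation described in this thread, as an added example (not code from the KEP or from Kubernetes): it lists Windows pods that set `hostNetwork: true` without any HostProcess container, which are exactly the pods where the field is accepted but has no effect today. It assumes pod JSON in the shape of `kubectl get pods -A -o json` and identifies Windows pods by `spec.os.name` or the `kubernetes.io/os` nodeSelector (both are assumptions about how the cluster labels its Windows workloads).

```python
import json

def is_windows_pod(pod):
    """Assumption: Windows if spec.os.name is "windows" or the nodeSelector
    pins kubernetes.io/os=windows (pods selecting Windows nodes another way are missed)."""
    spec = pod.get("spec") or {}
    if (spec.get("os") or {}).get("name") == "windows":
        return True
    return (spec.get("nodeSelector") or {}).get("kubernetes.io/os") == "windows"

def has_host_process_container(pod):
    """True if pod-level or any (init)container-level windowsOptions.hostProcess is set."""
    spec = pod.get("spec") or {}
    pod_wo = (spec.get("securityContext") or {}).get("windowsOptions") or {}
    if pod_wo.get("hostProcess"):
        return True
    for key in ("initContainers", "containers"):
        for c in spec.get(key) or []:
            wo = (c.get("securityContext") or {}).get("windowsOptions") or {}
            if wo.get("hostProcess"):
                return True
    return False

def ignored_host_network_pods(pod_list):
    """Return "namespace/name" for Windows pods that set hostNetwork=true but are
    not HostProcess pods: for those the field is currently accepted and ignored."""
    found = []
    for pod in pod_list.get("items") or []:
        spec = pod.get("spec") or {}
        if not spec.get("hostNetwork") or not is_windows_pod(pod):
            continue
        if has_host_process_container(pod):
            continue  # HostProcess pods really do run in the host network namespace
        md = pod.get("metadata") or {}
        found.append(f"{md.get('namespace', 'default')}/{md.get('name')}")
    return found

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"namespace": "legacy", "name": "many-ports"},
     "spec": {"hostNetwork": True, "os": {"name": "windows"},
              "containers": [{"name": "app"}]}},
    {"metadata": {"namespace": "kube-system", "name": "cni-bootstrap"},
     "spec": {"hostNetwork": True, "nodeSelector": {"kubernetes.io/os": "windows"},
              "containers": [{"name": "hp", "securityContext":
                              {"windowsOptions": {"hostProcess": True}}}]}},
    {"metadata": {"namespace": "default", "name": "linux-hostnet"},
     "spec": {"hostNetwork": True, "containers": [{"name": "c"}]}},
]}

if __name__ == "__main__":
    print(json.dumps(ignored_host_network_pods(SAMPLE)))  # ["legacy/many-ports"]
```

Pipe real output into it with `kubectl get pods -A -o json | python3 -c 'import json,sys; from audit import ignored_host_network_pods; print(ignored_host_network_pods(json.load(sys.stdin)))'` if the block is saved as `audit.py`.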
### User Stories (Optional)
need user stories, here's a quick take:
#### Story 1
As a user of a legacy application I want to bind many arbitrary ports to a host network namespace on a single node, as opposed to taking all the node ports of a cluster.
#### Story 2
As a daemonset which runs before CNI providers are installed, for example for security, application bootstrapping, cni bootstrapping, and so on - I want to be able to run a container that isn't fully privileged (i.e. that isn't a host process) but which is on the host's network
#### Story 3
As a user creating a windows pod with `hostNetwork`, I want correct behaviour (i.e. I don't want to silently ignore the hostNetwork knob).
I think lgtm since we know this works, and it's really just a bugfix
/assign @saschagrunert
/assign @aojea @johnbelamaric
/hold
In clusters with large amounts of services Windows nodes can experience port exhaustion.
One such situation is where a small amount of pods need to expose many ports it can then be desirable to use use host networking instead of using nodePorts.
Another situation is using `hostNetwork=true` as alternative to relying on 'hostPort' CNI feature for exposing many ports in many pods.
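Review bot: "use use" is doubled in the second sentence, and that sentence runs two clauses together; suggest "One such situation is where a small number of pods need to expose many ports; it can then be desirable to use host networking instead of nodePorts." On the third line `hostPort` is in single quotes while `hostNetwork=true` on the same line uses backticks, so make the code formatting consistent.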
Are there use cases where privileged pods modify the host's network settings?
nvm, I see that covered in use cases below.
keps/sig-windows/3503-host-network-support-for-windows-pods/README.md
/lgtm
/label tide/merge-method-squash
/lgtm
The KEP brings parity between Linux and Windows containers with `hostNetwork: true`. My knowledge about the Windows environment is minimal, but we have a good suite of e2e tests for Linux that will help to verify this is correct. I defer the LGTM to @jayunit100, he knows this area better than me.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jayunit100, johnbelamaric, marosset, mrunalp.
I'm going to squash commits now
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
/hold cancel
/lgtm Excited to see more parity on windows side!