KEP-3503 Initial KEP for windows host-network support

[marosset]

Signed-off-by: Mark Rossetti marosset@microsoft.com

• One-line PR description:

• Issue link: Host network support for Windows pods #3503

• Other comments:

[aojea]

I remember this discussion 2 years ago in sig-network

https://groups.google.com/g/kubernetes-sig-network/c/bRWRos3H0sM/m/MwNwG0q2AAAJ

and I could check there was a KEP that seems implemented

https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/1981-windows-privileged-container-support#host-network-mode

is this paragraph a reference to that?

[marosset]

Yes, this is related to that.
HostProcessContainers run everything in the root namespaceses so we decided to require hostNetwork=true be set for these pods/contianers. This KEP will focus on non-HostProcessContainers support

[marosset]

@aojea Can I add you as a reviewer or approver for this KEP for sig-network?

[aojea]

@aojea Can I add you as a reviewer or approver for this KEP for sig-network?

I have limited knowledge of windows, but I can be reviewer, just prepare yourself for some naive questions 😄

[marosset]

@aojea Can I add you as a reviewer or approver for this KEP for sig-network?

I have limited knowledge of windows, but I can be reviewer, just prepare yourself for some naive questions 😄

No problem!

[jayunit100]

need user stories, heres a quick take:

#### Story 1

As a user of a legacy application I want to bind many arbitrary ports to a host network namespace on a single node, as opposed to taking all the node ports of a cluster.

#### Story 2 
As a daemonset which runs before CNI providers are installed, for example for security, application bootstrapping, cni bootstrapping, and so on - i want to be able to run a container that isn't fully priveliged (i.e. that isnt a host process) but which is on the host's network

#### Story 3 

As a user creating a windows pod with `hostNetwork` , I want correct behaviour (i.e. I dont want to  silently ignore the  hostNetwork knob.

[jayunit100]

i think lgtm since we know this works, and its really just a bugfix

[marosset]

/assign @saschagrunert

[marosset]

/assign @aojea @johnbelamaric

[marosset]

/hold
For reviews

[mrunalp]

Are there use cases where privileged pods modify the hosts network settings?

[mrunalp]

nvm, I see that covered in use cases below.

[mrunalp]

/lgtm
/approve

[marosset]

/label tide/merge-method-squash
(i'll try to manually squash too)

[mrunalp]

/lgtm

[aojea]

The KEP brings parity between Linux and Windows containers with hostNetwork: true, my knowledge about windows environment is minimal, but we have a good suite of e2e tests for Linux that will help to verify this is correct

I defer the LGTM to @jayunit100 , he knows these area better than me

[jayunit100]

/lgtm
/approve

[johnbelamaric]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jayunit100, johnbelamaric, marosset, mrunalp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [johnbelamaric]
• keps/sig-windows/OWNERS [jayunit100,johnbelamaric,marosset]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marosset]

I'm going to squash commits now

[marosset]

/hold cancel
@jayunit100 or @jsturtevant can one of you LGTM?

[jsturtevant]

/lgtm

Excited to see more parity on windows side!