Add support of hyperv isolation for windows containers #58751
Conversation
k8s-ci-robot
added
release-note
|
/sig windows |
k8s-ci-robot
added
the
sig/windows
|
@feiskyer: GitHub didn't allow me to request PR reviews from the following users: PatrickLang, JiangtianLi. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/sig node /cc @yujuhong |
k8s-ci-robot
added
the
sig/node
| @@ -587,6 +587,8 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig, | |||
| return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err) | |||
| } | |||
| hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...) | |||
|
|
|||
| applyExperimentalCreateConfig(createConfig, c.Annotations) | |||
There was a problem hiding this comment.
Do we need apply the isolation specific config to sandbox? For Windows Hyper-V container, the POD infra container is not used and needs to be minimal, and therefore process container is sufficient.
There was a problem hiding this comment.
It is not used now, but not future. I think we'd better keep sandbox same with containers, WDYT?
There was a problem hiding this comment.
That's fine with me. We can reserve it as place holder.
| @@ -52,6 +70,8 @@ func (ds *dockerService) updateCreateConfig( | |||
| modifyHostNetworkOptionForContainer(false, podSandboxID, createConfig.HostConfig) | |||
There was a problem hiding this comment.
For Hyper-V container, no need to call modifyHostNetworkOptionForContainer.
| // Do not return any IP, so that we would continue and get the IP of the Sandbox | ||
| ds.getIP(sandboxID, r) | ||
| if r.HostConfig.Isolation == hypervIsolationAnnotationValue { | ||
| if containerIP := ds.getIP(c.ID, r); containerIP != "" { |
There was a problem hiding this comment.
Can we add a comment here saying "Return the first non-sandbox container IP as POD IP for Hyper-V container"?
|
/cc @madhanrm |
|
@JiangtianLi: GitHub didn't allow me to request PR reviews from the following users: madhanrm. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| @@ -29,6 +29,11 @@ import ( | |||
| runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime" | |||
| ) | |||
|
|
|||
| const ( | |||
| hypervIsolationAnnotationKey = "windows.kubernetes.io/isolation-type" | |||
| hypervIsolationAnnotationValue = "hyperv" | |||
There was a problem hiding this comment.
Refer to const in https://github.com/moby/moby/blob/master/api/types/container/host_config.go or add a comment with link to where this string comes from?
There was a problem hiding this comment.
ack, will add a refer link
| @@ -40,18 +47,41 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune) | |||
| return nil, nil | |||
| } | |||
|
|
|||
| func shouldIsolatedByHyperV(annotations map[string]string) bool { | |||
| if v, ok := annotations[hypervIsolationAnnotationKey]; ok { | |||
There was a problem hiding this comment.
nit: prefer
v, ok := annotations[hypervIsolationAnnotationKey]
return ok && v == hypervIsolation| @@ -29,6 +29,13 @@ import ( | |||
| runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime" | |||
| ) | |||
|
|
|||
| const ( | |||
| hypervIsolationAnnotationKey = "windows.kubernetes.io/isolation-type" | |||
There was a problem hiding this comment.
Please include experimental in the key. I want to make it clear that this is not an official API, and won't be supported long term -- eventually we will have a native secure container concept that this should move to.
| createConfig.HostConfig.Isolation = hypervIsolation | ||
|
|
||
| if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode == "" { | ||
| createConfig.HostConfig.NetworkMode = dockercontainer.NetworkMode("none") |
There was a problem hiding this comment.
Does this mean that hyperV isolated containers will not have any networking by default?
There was a problem hiding this comment.
no, hyperV container's network will be set by CNI plugins
| // Do not return any IP, so that we would continue and get the IP of the Sandbox | ||
| ds.getIP(sandboxID, r) | ||
| if r.HostConfig.Isolation == hypervIsolation { | ||
| // Return the first non-sandbox container IP as POD IP for Hyper-V container. |
There was a problem hiding this comment.
As noticed here, HyperV only support one container per Pod yet. And container will receive a different IP from sandbox. So we need to get the real container's IP.
There was a problem hiding this comment.
Could you include information that in the comment?
|
@tallclair Addressed comments. PTAL |
|
@yujuhong Addressed comments and squashed. PTAL |
|
Should this be behind a feature gate? I'm on the fence... |
@tallclair I'm thinking only API changes requires feature gates, while the PR doesn't change any API. WDYT? |
|
/retest |
No, we require feature gates for changed functionality too. Besides, you are changing the API by adding the annotation (just not the "official" API). What is the status of windows support? Are there users using it in production? If the answer is yes, this should be feature gated. Otherwise, I'm OK leaving it ungated. |
Yep, there are. OK, let me add a feature gate in kubelet. |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
@tallclair Feature gates added. PTAL |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
/assign @brendandburns |
|
@brendandburns could you help to take a look? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: brendandburns, feiskyer, michmike, tallclair The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
@feiskyer Hi, we wanted to use this feature gate in v1.20 k8s, met the same issue in https://stackoverflow.com/questions/51634469/kubernetes-windows-hyper-v-no-network-in-pod. |
What this PR does / why we need it:
Add support of hyperv isolation for windows containers.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #58750
Special notes for your reviewer:
Only one container per pod is supported yet.
Release note: