Windows support
This topic describes how to add Windows support to Amazon EKS clusters.
Considerations
Before deploying Windows nodes, be aware of the following considerations.
- Amazon EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 are not supported for Windows workloads.
- Host networking mode is not supported for Windows workloads.
- Amazon EKS clusters must contain one or more Linux nodes to run core system pods that only run on Linux, such as coredns and the VPC resource controller.
- The kubelet and kube-proxy event logs are redirected to the EKS Windows Event Log and are set to a 200 MB limit.
- You cannot use Security groups for pods with pods running on Windows nodes.
- Windows nodes support one elastic network interface per node. The number of pods that you can run per Windows node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see IP addresses per network interface per instance type in the Amazon EC2 User Guide for Linux Instances.
- Group Managed Service Accounts (GMSA) for Windows pods and containers are not supported by Amazon EKS versions earlier than 1.16. You can follow the instructions in the Kubernetes documentation to enable and test this alpha feature on clusters that are earlier than 1.16.
Enabling Windows support
The following steps help you to enable Windows support for your Amazon EKS cluster. You can use eksctl, a Windows client, or a macOS or Linux client to enable Windows support for your cluster.
To enable Windows support for your cluster with eksctl
This procedure only works for clusters that were created with eksctl and assumes that your eksctl version is 0.36.2 or later. You can check your version with the following command.
    eksctl version
For more information about installing or upgrading eksctl, see Installing or upgrading eksctl.
- Enable Windows support for your Amazon EKS cluster with the following eksctl command. This command deploys the VPC resource controller and VPC admission controller webhook that are required on Amazon EKS clusters to run Windows workloads.
    eksctl utils install-vpc-controllers --cluster <cluster_name> --approve
- After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching self-managed Windows nodes.
After you add Windows support to your cluster, you must specify node selectors on your applications so that the pods land on a node with the appropriate operating system. For Linux pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: linux
      kubernetes.io/arch: amd64
For Windows pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: windows
      kubernetes.io/arch: amd64
To enable Windows support for your cluster with a Windows client
In the following steps, replace <region-code> with the Region that your cluster resides in.
- Deploy the VPC resource controller to your cluster using the command that corresponds to the Region that your cluster is in.
  - All Regions other than China (Beijing) and China (Ningxia)
        kubectl apply -f https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-resource-controller/latest/vpc-resource-controller.yaml
  - China (Beijing) and China (Ningxia)
        kubectl apply -f https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-resource-controller/latest/vpc-resource-controller.yaml
- Deploy the VPC admission controller webhook to your cluster.
  - Download the required scripts and deployment files that correspond to the Region that your cluster is in.
    - All Regions other than China (Beijing) and China (Ningxia)
          curl -o vpc-admission-webhook-deployment.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml
          curl -o Setup-VPCAdmissionWebhook.ps1 https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/Setup-VPCAdmissionWebhook.ps1
          curl -o webhook-create-signed-cert.ps1 https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-create-signed-cert.ps1
          curl -o webhook-patch-ca-bundle.ps1 https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-patch-ca-bundle.ps1
    - China (Beijing) and China (Ningxia)
          curl -o vpc-admission-webhook-deployment.yaml https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml
          curl -o Setup-VPCAdmissionWebhook.ps1 https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/Setup-VPCAdmissionWebhook.ps1
          curl -o webhook-create-signed-cert.ps1 https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-create-signed-cert.ps1
          curl -o webhook-patch-ca-bundle.ps1 https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-patch-ca-bundle.ps1
  - Set up and deploy the VPC admission webhook.
        ./Setup-VPCAdmissionWebhook.ps1 -DeploymentTemplate ".\vpc-admission-webhook-deployment.yaml"
- Determine if your cluster has the required cluster role binding.
      kubectl get clusterrolebinding eks:kube-proxy-windows
  If output similar to the following example output is returned, then the cluster has the necessary role binding.
      NAME                     AGE
      eks:kube-proxy-windows   10d
  If the output includes Error from server (NotFound), then the cluster does not have the necessary cluster role binding. Add the binding by creating a file named eks-kube-proxy-windows-crb.yaml with the following content.
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: eks:kube-proxy-windows
        labels:
          k8s-app: kube-proxy
          eks.amazonaws.com/component: kube-proxy
      subjects:
        - kind: Group
          name: "eks:kube-proxy-windows"
      roleRef:
        kind: ClusterRole
        name: system:node-proxier
        apiGroup: rbac.authorization.k8s.io
  Apply the configuration to the cluster.
      kubectl apply -f eks-kube-proxy-windows-crb.yaml
- After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching self-managed Windows nodes.
After you add Windows support to your cluster, you must specify node selectors on your applications so that the pods land on a node with the appropriate operating system. For Linux pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: linux
      kubernetes.io/arch: amd64
For Windows pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: windows
      kubernetes.io/arch: amd64
To enable Windows support for your cluster with a macOS or Linux client
This procedure requires that the openssl library and jq JSON processor are installed on your client system.
In the following steps, replace <region-code> with the Region that your cluster resides in.
- Deploy the VPC resource controller to your cluster using the command that corresponds to the Region that your cluster is in.
  - All Regions other than China (Beijing) and China (Ningxia)
        kubectl apply -f https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-resource-controller/latest/vpc-resource-controller.yaml
  - China (Beijing) and China (Ningxia)
        kubectl apply -f https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-resource-controller/latest/vpc-resource-controller.yaml
- Create the VPC admission controller webhook manifest for your cluster.
  - Download the required scripts and deployment files for the Region that your cluster is in.
    - All Regions other than China (Beijing) and China (Ningxia)
          curl -o webhook-create-signed-cert.sh https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-create-signed-cert.sh
          curl -o webhook-patch-ca-bundle.sh https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-patch-ca-bundle.sh
          curl -o vpc-admission-webhook-deployment.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml
    - China (Beijing) and China (Ningxia)
          curl -o webhook-create-signed-cert.sh https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-create-signed-cert.sh
          curl -o webhook-patch-ca-bundle.sh https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/webhook-patch-ca-bundle.sh
          curl -o vpc-admission-webhook-deployment.yaml https://s3.cn-north-1.amazonaws.com.cn/amazon-eks/manifests/<region-code>/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml
  - Add permissions to the shell scripts so that they can be executed.
        chmod +x webhook-create-signed-cert.sh webhook-patch-ca-bundle.sh
  - Create a secret for secure communication.
        ./webhook-create-signed-cert.sh
  - Verify the secret.
        kubectl get secret -n kube-system vpc-admission-webhook-certs
  - Configure the webhook and create a deployment file.
        cat ./vpc-admission-webhook-deployment.yaml | ./webhook-patch-ca-bundle.sh > vpc-admission-webhook.yaml
- Deploy the VPC admission webhook.
      kubectl apply -f vpc-admission-webhook.yaml
- Determine if your cluster has the required cluster role binding.
      kubectl get clusterrolebinding eks:kube-proxy-windows
  If output similar to the following example output is returned, then the cluster has the necessary role binding.
      NAME                     AGE
      eks:kube-proxy-windows   10d
  If the output includes Error from server (NotFound), then the cluster does not have the necessary cluster role binding. Add the binding by creating a file named eks-kube-proxy-windows-crb.yaml with the following content.
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1beta1
      metadata:
        name: eks:kube-proxy-windows
        labels:
          k8s-app: kube-proxy
          eks.amazonaws.com/component: kube-proxy
      subjects:
        - kind: Group
          name: "eks:kube-proxy-windows"
      roleRef:
        kind: ClusterRole
        name: system:node-proxier
        apiGroup: rbac.authorization.k8s.io
  Apply the configuration to the cluster.
      kubectl apply -f eks-kube-proxy-windows-crb.yaml
- After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching self-managed Windows nodes.
After you add Windows support to your cluster, you must specify node selectors on your applications so that the pods land on a node with the appropriate operating system. For Linux pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: linux
      kubernetes.io/arch: amd64
For Windows pods, use the following node selector text in your manifests.
    nodeSelector:
      kubernetes.io/os: windows
      kubernetes.io/arch: amd64
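As an added example (not part of the Amazon EKS documentation or of any AWS tooling), the following Python checks a saved kubectl JSON dump against two rules this page states: every pod template must carry a kubernetes.io/os node selector so it lands on the right operating system, and a Windows pod must not request host networking, which is unsupported. The function names are the example's own and the sample dump is constructed.

```python
"""Lint workloads against the Windows scheduling rules on this page.

Input is the JSON printed by `kubectl get deploy,ds,sts -A -o json`, so
the checker runs offline on a saved dump. SAMPLE is constructed demo data.
"""
import json

OS_KEY = "kubernetes.io/os"


def pod_spec(obj):
    """Return the pod spec of a bare Pod or of a workload's pod template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_workload(obj):
    """Return a list of finding strings for one Kubernetes object."""
    meta = obj.get("metadata", {})
    ident = f"{obj.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
    spec = pod_spec(obj)
    os_sel = spec.get("nodeSelector", {}).get(OS_KEY)
    findings = []
    if os_sel is None:
        # Unpinned pods can be scheduled onto either OS and fail to start.
        findings.append(f"{ident}: no {OS_KEY} nodeSelector; pod may land on either OS")
    if os_sel == "windows" and spec.get("hostNetwork"):
        findings.append(f"{ident}: hostNetwork is not supported for Windows workloads")
    return findings


def check_dump(kubectl_json):
    """Run the checks over a kubectl List document (or a single object)."""
    doc = json.loads(kubectl_json)
    return [f for item in doc.get("items", [doc]) for f in check_workload(item)]


# Constructed sample dump: a correctly pinned Windows deployment, an unpinned
# deployment, and a Windows daemonset that wrongly requests host networking.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "iis", "namespace": "web"},
     "spec": {"template": {"spec": {"nodeSelector": {OS_KEY: "windows",
                                                     "kubernetes.io/arch": "amd64"}}}}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "web"},
     "spec": {"template": {"spec": {"containers": []}}}},
    {"kind": "DaemonSet", "metadata": {"name": "agent", "namespace": "ops"},
     "spec": {"template": {"spec": {"hostNetwork": True,
                                    "nodeSelector": {OS_KEY: "windows"}}}}},
]})

if __name__ == "__main__":
    for finding in check_dump(SAMPLE):
        print(finding)
```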
Deploy a Windows sample application
To deploy a Windows sample application
- Create a file named windows-server-iis.yaml with the following content.
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: windows-server-iis
      spec:
        selector:
          matchLabels:
            app: windows-server-iis
            tier: backend
            track: stable
        replicas: 1
        template:
          metadata:
            labels:
              app: windows-server-iis
              tier: backend
              track: stable
          spec:
            containers:
            - name: windows-server-iis
              image: mcr.microsoft.com/windows/servercore:1809
              ports:
              - name: http
                containerPort: 80
              imagePullPolicy: IfNotPresent
              command:
              - powershell.exe
              - -command
              - "Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri 'https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe' -OutFile 'C:\\ServiceMonitor.exe'; echo '<html><body><br/><br/><marquee><H1>Hello EKS!!!<H1><marquee></body><html>' > C:\\inetpub\\wwwroot\\default.html; C:\\ServiceMonitor.exe 'w3svc'; "
            nodeSelector:
              kubernetes.io/os: windows
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: windows-server-iis-service
        namespace: default
      spec:
        ports:
        - port: 80
          protocol: TCP
          targetPort: 80
        selector:
          app: windows-server-iis
          tier: backend
          track: stable
        sessionAffinity: None
        type: LoadBalancer
- Deploy the application to the cluster.
      kubectl apply -f windows-server-iis.yaml
- Get the status of the pod.
      kubectl get pods -o wide --watch
  Wait for the pod to transition to the Running state.
- Query the services in your cluster and wait until the External IP column for the windows-server-iis-service service is populated.
  Note: It might take several minutes for the IP address to become available.
      kubectl get services -o wide
- After your external IP address is available, point a web browser to that address to view the IIS home page.
  Note: It might take several minutes for DNS to propagate and for your sample application to load in your web browser.