Amazon EKS
User Guide


Windows Support

This topic describes how to add Windows support to Amazon EKS clusters.

Considerations

Before deploying Windows worker nodes, be aware of the following considerations.

  • Windows workloads are supported with Amazon EKS clusters running Kubernetes version 1.14 or later.

  • Amazon EC2 instance types C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3 instances are not supported for Windows workloads.

  • Host networking mode is not supported for Windows workloads.

  • Amazon EKS clusters must contain 1 or more Linux worker nodes to run core system pods that only run on Linux, such as coredns and the VPC resource controller.

  • The kubelet and kube-proxy event logs are redirected to the Amazon EKS Windows Event Log and are set to a 200 MB limit.

  • Windows worker nodes support one elastic network interface per node. The number of pods that you can run per Windows worker node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see IP Addresses Per Network Interface Per Instance Type in the Amazon EC2 User Guide for Linux Instances.

  • Calico network policy enforcement has not been tested with Amazon EKS Windows nodes.

  • Group Managed Service Accounts (GMSA) for Windows pods and containers is a Kubernetes 1.14 alpha feature that is not supported by Amazon EKS. You can follow the instructions in the Kubernetes documentation to enable and test this alpha feature on your clusters.

  • After you add Windows support to your cluster, you must specify node selectors on your applications so that the pods land on a node with the appropriate operating system. For Linux pods, use the following node selector text in your manifests.

    nodeSelector:
      beta.kubernetes.io/os: linux
      beta.kubernetes.io/arch: amd64

    For Windows pods, use the following node selector text in your manifests.

    nodeSelector:
      beta.kubernetes.io/os: windows
      beta.kubernetes.io/arch: amd64
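
The node selector requirement above can be checked before Windows nodes join the cluster. The following audit is an added example, not part of the original guide: it lists workloads whose pod spec has no OS node selector or carries a value other than linux or windows. The sample workloads are constructed, and accepting the stable kubernetes.io/os label alongside the beta label used on this page is an assumption of the example.

```python
import json

# The page uses the beta label; kubernetes.io/os is its stable equivalent.
OS_KEYS = ("beta.kubernetes.io/os", "kubernetes.io/os")

# Constructed sample, shaped like `kubectl get deploy,cronjob,pod -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"kind": "Deployment", "metadata": {"namespace": "default", "name": "windows-server-iis"},
  "spec": {"template": {"spec": {"nodeSelector": {"beta.kubernetes.io/os": "windows"}}}}},
 {"kind": "Deployment", "metadata": {"namespace": "default", "name": "api"},
  "spec": {"template": {"spec": {"containers": [{"name": "api"}]}}}},
 {"kind": "Deployment", "metadata": {"namespace": "default", "name": "legacy"},
  "spec": {"template": {"spec": {"nodeSelector": {"beta.kubernetes.io/os": "Windows"}}}}},
 {"kind": "CronJob", "metadata": {"namespace": "ops", "name": "report"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec":
   {"nodeSelector": {"kubernetes.io/os": "linux"}}}}}}},
 {"kind": "Pod", "metadata": {"namespace": "batch", "name": "job-1"},
  "spec": {"nodeSelector": {"disktype": "ssd"}}}
]}""")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a controller's pod template."""
    spec = obj.get("spec", {})
    if "jobTemplate" in spec:  # a CronJob wraps a Job template
        spec = spec["jobTemplate"].get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit(doc):
    """Return sorted (namespace, name, problem) for workloads not pinned to an OS."""
    findings = []
    for obj in doc.get("items", []):
        selector = pod_spec(obj).get("nodeSelector") or {}
        values = {selector[k] for k in OS_KEYS if k in selector}
        if not values:
            problem = "no OS node selector"
        elif values not in ({"linux"}, {"windows"}):  # label values are case-sensitive
            problem = "bad OS value(s): " + ", ".join(sorted(values))
        else:
            continue
        meta = obj["metadata"]
        findings.append((meta.get("namespace", "default"), meta["name"], problem))
    return sorted(findings)

if __name__ == "__main__":
    for ns, name, problem in audit(SAMPLE):
        print(f"{ns}/{name}: {problem}")
```

To run it against a live cluster, replace SAMPLE with the parsed output of the kubectl command named in the comment.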

Enabling Windows Support

The following steps help you to enable Windows support for your Amazon EKS cluster. Follow the procedure for eksctl, or the procedure for standard tools on your client operating system (Windows, or macOS and Linux).

eksctl

To enable Windows support for your cluster with eksctl

This procedure assumes that you have installed eksctl, and that your eksctl version is at least 0.7.0. You can check your version with the following command:

eksctl version

For more information on installing or upgrading eksctl, see Installing or Upgrading eksctl.

Note

This procedure only works for clusters that were created with eksctl.

  1. Enable Windows support for your Amazon EKS cluster with the following eksctl command. This command deploys the VPC resource controller and VPC admission controller webhook that are required on Amazon EKS clusters to run Windows workloads.

    eksctl utils install-vpc-controllers --name cluster_name --approve
  2. After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching Amazon EKS Windows Worker Nodes.

Windows

To enable Windows support for your cluster with a Windows client

In the following steps, replace us-west-2 with the region that your cluster resides in.

  1. Deploy the VPC resource controller to your cluster.

    kubectl apply -f https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-resource-controller/latest/vpc-resource-controller.yaml
  2. Deploy the VPC admission controller webhook to your cluster.

    1. Download the required scripts and deployment files.

      curl -o vpc-admission-webhook-deployment.yaml https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml;
      curl -o Setup-VPCAdmissionWebhook.ps1 https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/Setup-VPCAdmissionWebhook.ps1;
      curl -o webhook-create-signed-cert.ps1 https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/webhook-create-signed-cert.ps1;
      curl -o webhook-patch-ca-bundle.ps1 https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/webhook-patch-ca-bundle.ps1;
    2. Install OpenSSL and jq.

    3. Set up the VPC admission webhook.

      ./Setup-VPCAdmissionWebhook.ps1 -DeploymentTemplate ".\vpc-admission-webhook-deployment.yaml"
  3. Deploy the VPC admission webhook.

    kubectl apply -f vpc-admission-webhook-deployment.yaml
  4. Determine if your cluster has the required cluster role binding.

    kubectl get clusterrolebinding eks:kube-proxy-windows

    If output similar to the following example output is returned, then the cluster has the necessary role binding.

    NAME                      AGE
    eks:kube-proxy-windows    10d

    If the output includes Error from server (NotFound), then the cluster does not have the necessary cluster role binding. Add the binding by creating a file named eks-kube-proxy-windows-crb.yaml with the following contents.

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: eks:kube-proxy-windows
      labels:
        k8s-app: kube-proxy
        eks.amazonaws.com/component: kube-proxy
    subjects:
      - kind: Group
        name: "eks:kube-proxy-windows"
    roleRef:
      kind: ClusterRole
      name: system:node-proxier
      apiGroup: rbac.authorization.k8s.io

    Apply the configuration to the cluster.

    kubectl apply -f eks-kube-proxy-windows-crb.yaml
  5. After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching Amazon EKS Windows Worker Nodes.

macOS and Linux

To enable Windows support for your cluster with a macOS or Linux client

This procedure requires that the openssl library and jq JSON processor be installed on your client system.

In the following steps, replace us-west-2 with the region that your cluster resides in.

  1. Deploy the VPC resource controller to your cluster.

    kubectl apply -f https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-resource-controller/latest/vpc-resource-controller.yaml
  2. Create the VPC admission controller webhook manifest for your cluster.

    1. Download the required scripts and deployment files.

      curl -o webhook-create-signed-cert.sh https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/webhook-create-signed-cert.sh
      curl -o webhook-patch-ca-bundle.sh https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/webhook-patch-ca-bundle.sh
      curl -o vpc-admission-webhook-deployment.yaml https://amazon-eks.s3-us-west-2.amazonaws.com/manifests/us-west-2/vpc-admission-webhook/latest/vpc-admission-webhook-deployment.yaml
    2. Add execute file permissions to the shell scripts.

      chmod +x webhook-create-signed-cert.sh webhook-patch-ca-bundle.sh
    3. Create a secret for secure communication.

      ./webhook-create-signed-cert.sh
    4. Verify the secret.

      kubectl get secret -n kube-system vpc-admission-webhook-certs
    5. Configure the webhook and create a deployment file.

      cat ./vpc-admission-webhook-deployment.yaml | ./webhook-patch-ca-bundle.sh > vpc-admission-webhook.yaml
  3. Deploy the VPC admission webhook.

    kubectl apply -f vpc-admission-webhook.yaml
  4. Determine whether your cluster has the required cluster role binding.

    kubectl get clusterrolebinding eks:kube-proxy-windows

    If output similar to the following example output is returned, then the cluster has the necessary role binding.

    NAME                      AGE
    eks:kube-proxy-windows    10d

    If the output includes Error from server (NotFound), then the cluster does not have the necessary cluster role binding. Add the binding by creating a file named eks-kube-proxy-windows-crb.yaml with the following contents.

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: eks:kube-proxy-windows
      labels:
        k8s-app: kube-proxy
        eks.amazonaws.com/component: kube-proxy
    subjects:
      - kind: Group
        name: "eks:kube-proxy-windows"
    roleRef:
      kind: ClusterRole
      name: system:node-proxier
      apiGroup: rbac.authorization.k8s.io

    Apply the configuration to the cluster.

    kubectl apply -f eks-kube-proxy-windows-crb.yaml
  5. After you have enabled Windows support, you can launch a Windows node group into your cluster. For more information, see Launching Amazon EKS Windows Worker Nodes.
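
The cluster role binding in step 4 of both the Windows and the macOS and Linux procedures grants system:node-proxier to a single group, so any other subject or role on that binding is drift worth flagging. The following check is an added example, not part of the original guide: it compares a binding, as returned by kubectl in JSON form, with the manifest shown above. The sample binding is constructed, and the ci-runner service account is a hypothetical name.

```python
import copy
import json

# Expected values, taken from eks-kube-proxy-windows-crb.yaml on this page.
EXPECTED_ROLE = {"kind": "ClusterRole", "name": "system:node-proxier",
                 "apiGroup": "rbac.authorization.k8s.io"}
EXPECTED_SUBJECTS = {("Group", "eks:kube-proxy-windows")}

# Constructed sample, shaped like
# `kubectl get clusterrolebinding eks:kube-proxy-windows -o json`.
LIVE = json.loads("""{
 "kind": "ClusterRoleBinding",
 "metadata": {"name": "eks:kube-proxy-windows"},
 "subjects": [{"kind": "Group", "name": "eks:kube-proxy-windows",
               "apiGroup": "rbac.authorization.k8s.io"}],
 "roleRef": {"kind": "ClusterRole", "name": "system:node-proxier",
             "apiGroup": "rbac.authorization.k8s.io"}
}""")

def binding_drift(crb):
    """Return the differences between a binding and the page's manifest."""
    problems = []
    role = crb.get("roleRef", {})
    for field, want in EXPECTED_ROLE.items():
        if role.get(field) != want:
            problems.append(f"roleRef.{field} is {role.get(field)!r}, expected {want!r}")
    subjects = {(s.get("kind"), s.get("name")) for s in crb.get("subjects") or []}
    for kind, name in sorted(subjects - EXPECTED_SUBJECTS):
        problems.append(f"unexpected subject {kind}/{name}")
    for kind, name in sorted(EXPECTED_SUBJECTS - subjects):
        problems.append(f"missing subject {kind}/{name}")
    return problems

def drifted_sample():
    """Constructed drift: an extra subject (hypothetical) and a broader role."""
    crb = copy.deepcopy(LIVE)
    crb["subjects"].append({"kind": "ServiceAccount", "name": "ci-runner",
                            "namespace": "default"})
    crb["roleRef"]["name"] = "cluster-admin"
    return crb

if __name__ == "__main__":
    for problem in binding_drift(drifted_sample()) or ["binding matches the manifest"]:
        print(problem)
```

Because Kubernetes does not allow roleRef to be changed on an existing binding, a roleRef difference means the binding was deleted and recreated.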

Deploy a Windows Sample Application

To deploy a Windows sample application

  1. Create a file named windows-server-iis.yaml with the following contents.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: windows-server-iis
    spec:
      selector:
        matchLabels:
          app: windows-server-iis
          tier: backend
          track: stable
      replicas: 1
      template:
        metadata:
          labels:
            app: windows-server-iis
            tier: backend
            track: stable
        spec:
          containers:
          - name: windows-server-iis
            image: mcr.microsoft.com/windows/servercore:1809
            ports:
            - name: http
              containerPort: 80
            imagePullPolicy: IfNotPresent
            command:
            - powershell.exe
            - -command
            - "Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri 'https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe' -OutFile 'C:\\ServiceMonitor.exe'; echo '<html><body><br/><br/><marquee><H1>Hello EKS!!!<H1><marquee></body><html>' > C:\\inetpub\\wwwroot\\default.html; C:\\ServiceMonitor.exe 'w3svc'; "
          nodeSelector:
            beta.kubernetes.io/os: windows
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: windows-server-iis-service
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: windows-server-iis
        tier: backend
        track: stable
      sessionAffinity: None
      type: LoadBalancer
  2. Deploy the application to the cluster.

    kubectl apply -f windows-server-iis.yaml
  3. Get the status of the pod.

    kubectl get pods -o wide --watch

    Wait for the pod to transition to the Running state.

  4. Query the services in your cluster and wait until the External IP column for the windows-server-iis-service service is populated.

    Note

    It might take several minutes before the IP address is available.

    kubectl get services -o wide
  5. After your external IP address is available, point a web browser to that address to view the IIS home page. For example, http://a341875bfe61311e98376029b52cbbb6-1884437540.us-west-2.elb.amazonaws.com

    Note

    It might take several minutes for DNS to propagate and for your sample application to load in your web browser.