Kubernetes for Windows hits GA, with limitations

Kubernetes support for Windows nodes was declared stable in Kubernetes 1.14, but extensive fine print remains.

Kubernetes for Windows hosts has reached a stable release, but significant development work lies ahead to make it equal and interchangeable with Linux systems.

Stable Windows host support, originally slated for Kubernetes 1.13 in December 2018, is the most significant feature of Kubernetes 1.14, released this week. Kubernetes maintainers said users who have experience with Windows Server Containers will find Windows-based Kubernetes nodes reliable enough for production use.

However, Kubernetes for Windows support extends only to worker nodes, so leader or master Kubernetes nodes must still run on Linux operating systems. Kubernetes 1.14 also only supports Windows hosts and containers that run on Windows Server 2019, which means the features likely will not see production use right away in Windows shops that are typically loath to upgrade to the latest version of the OS on first release. The host operating system must match the container operating system with Windows worker nodes, which means users won't be able to use containers to manage legacy workloads yet, either.

The way the Windows operating system handles system privileges also means that privileged containers are not supported on Windows hosts. That means some Kubernetes self-healing features, such as the node problem detector and out of memory process killer, aren't available for Windows. Similarly, Windows nodes don't support read-only file systems.
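A pre-flight check for the two limitations just listed, written as an added example for this article rather than code from the Kubernetes project: it inspects a Pod manifest that pins itself to Windows through the `kubernetes.io/os` node label (an assumption about how the cluster labels its nodes) and flags privileged containers and read-only root file systems before the manifest is applied. The manifest and image names are constructed placeholders.

```python
"""Pre-flight check for Pods scheduled to Windows worker nodes.

Added example, not from the original article. It flags the settings the
article lists as unsupported on Windows nodes (privileged containers and
read-only root file systems) in a Pod manifest that targets Windows
through the kubernetes.io/os node label (assumed labelling scheme).
"""

# Constructed sample manifest that would not work on a Windows node.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "iis-sample"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "containers": [
            {"name": "web", "image": "example/iis:placeholder",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "example/agent:placeholder",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ],
    },
}


def targets_windows(pod):
    """True when the Pod pins itself to Windows via the OS node label."""
    selector = pod.get("spec", {}).get("nodeSelector") or {}
    return selector.get("kubernetes.io/os") == "windows"


def windows_pod_issues(pod):
    """Return 'container: problem' strings for options the article says
    Windows nodes do not support; empty when the Pod does not target
    Windows or uses none of them."""
    if not targets_windows(pod):
        return []
    issues = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            issues.append(f"{c['name']}: privileged containers are unsupported")
        if sc.get("readOnlyRootFilesystem"):
            issues.append(f"{c['name']}: readOnlyRootFilesystem is unsupported")
    return issues


if __name__ == "__main__":
    for issue in windows_pod_issues(SAMPLE_POD):
        print(issue)
```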

For now, hosted Kubernetes on Microsoft Azure is the only sure bet for Windows shops that want to containerize their apps, and the Kubernetes for Windows support in release 1.14 isn't enough to change that, enterprise IT experts said.

"This will limit adoption in environments such as smaller departments and groups within enterprises that tend to be 100% Windows," said Chris Riley, DevOps delivery director at CPrime Inc., an Agile software development consulting firm in Foster City, Calif. "There isn't a huge market for Linux masters with Windows [workers], so this is phase one of an incremental [Kubernetes for Windows] rollout."

Kubernetes for Windows limitations leave Docker shop in a bind

The base version of Docker Enterprise 18.09, released in November 2018, supports Kubernetes for Windows, and Docker will fill in some of the enterprise feature gaps around Kubernetes for Windows support in the next release of Docker Enterprise in April 2019. Updated features will include support for Active Directory integration through Group Managed Service Accounts, which came out in alpha in Kubernetes 1.14.

Kubernetes for Windows support in Docker Enterprise raises hopes for one enterprise user that a switch away from Docker Swarm mode for Windows hosts will soon be viable.

"We're still doing tests on Swarm stability, but we believe Kubernetes will be a lot better," said Richard Fong, senior software engineering manager at Mitchell International, an auto insurance software company in San Diego. "We also want to stick with one container orchestration platform instead of supporting both."

Last year, the company suffered a two-hour internal service outage when a Swarm master failed and a quorum algorithm to elect a new master node also did not work. After that incident, the company moved its Linux container workloads to the Amazon EC2 Container Service instead. The company still has legacy Windows applications on premises, and Fong said he hopes the interchangeable support for Swarm and Kubernetes in Docker Enterprise will ease the transition to Kubernetes when the time comes.

"We have many customers using Docker Enterprise with Windows with Swarm today who have not run into this issue, and we also welcome the expanded support of Kubernetes as our Docker Enterprise customers have the choice to leverage either orchestrator," a Docker spokesperson said.

Upstream Kubernetes responds to container security vulnerability

Container security remains a top concern for enterprises that want to put Kubernetes into production this year, and the market had a scare in February 2019 when researchers disclosed a critical security vulnerability that affected all container runtimes. An attacker could gain root-level code execution on the container host and potentially control the rest of a container infrastructure for malicious purposes. Enterprise shops with good defense in depth and security hygiene practices were not at great risk, but at least one report by an IT security vendor showed that the vulnerability compromised hundreds of Docker hosts exposed to the internet.

Kubernetes 1.14 also removes the API discovery permissions that unauthenticated users were granted by default, which limits attackers' ability to exploit the vulnerability.

The API updates don't eliminate the vulnerability entirely, and enterprise IT pros still must properly secure their Kubernetes environments. However, anything that can be done upstream to bolster security by default is important, in Riley's view.
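One way to check an existing cluster for the pre-1.14 default, as an added example that is not part of the original article or the Kubernetes project: before 1.14 the default `system:discovery` and `system:basic-user` ClusterRoleBindings included the `system:unauthenticated` group, so the script below scans the JSON that `kubectl get clusterrolebindings -o json` produces and reports every binding that still grants a role to that group. The embedded input is a constructed sample of such a cluster.

```python
"""Audit ClusterRoleBindings for grants to unauthenticated users.

Added example, not part of the original article. It scans the JSON that
`kubectl get clusterrolebindings -o json` produces and reports every
binding whose subjects include the system:unauthenticated group, which
Kubernetes 1.14 stopped granting to the discovery roles by default.
"""
import json

# Constructed sample resembling a pre-1.14 cluster: the default discovery
# bindings grant to both authenticated and unauthenticated users.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [
             {"kind": "Group", "name": "system:authenticated"},
             {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [
             {"kind": "Group", "name": "system:authenticated"},
             {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
    ],
})

ANONYMOUS_GROUP = "system:unauthenticated"


def anonymous_grants(bindings_json):
    """Return {binding name: ClusterRole name} for every binding whose
    subjects include the anonymous group."""
    doc = json.loads(bindings_json)
    found = {}
    for item in doc.get("items", []):
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") == ANONYMOUS_GROUP:
                found[item["metadata"]["name"]] = item["roleRef"]["name"]
    return found


if __name__ == "__main__":
    for binding, role in anonymous_grants(SAMPLE_BINDINGS).items():
        print(f"{binding}: grants ClusterRole {role} to {ANONYMOUS_GROUP}")
```

On a cluster with 1.14 defaults, only the `system:public-info-viewer` binding (which exposes the health and version endpoints) should list the group; any other hit is worth reviewing.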

"Simplicity of implementation in security and simplicity of networking will matter more than any other feature -- the more the community can focus on that, the better," he said. "That's especially true in cases where the host can start doing major damage to the container infrastructure."

Kubernetes persistent storage boosts stateful app support

After Windows node support, stable support for local persistent storage volumes is the most notable feature of Kubernetes 1.14 among users.

"We get more and more requirements for bare-metal [Kubernetes] servers, so we can repurpose hardware we have sitting around," said Matthew Esser, product owner of container services and infrastructure at Viasat Inc., a satellite telecommunications company in Carlsbad, Calif. The company orchestrates its virtual servers with OpenStack, which requires similar hardware between hosts, but the repurposed hardware could work if used without a hypervisor.

"We can take advantage of the great processing power of servers we purchased for other things without having to be sensitive to whether it runs at the same level as other hardware," Esser said.

Local persistent storage volumes will also be a boon for Kubernetes in remote and edge locations where external storage systems are impractical, CPrime's Riley said.

Features that introduce more nuance into Kubernetes workload orchestration also reach stable status with Kubernetes 1.14. Pod Readiness Gates respond to probes from containers about whether pods are ready to accept traffic, rather than simply up and running. Pod Priority and Preemption let users prioritize workloads for scheduling in Kubernetes clusters as resources become available. Users can also add custom commands to the kubectl command-line utility.