Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / SIG Windows / 27 Oct 2020
Kubernetes / SIG Windows / 27 Oct 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes SIG Windows 20201027

Description

Kubernetes SIG Windows 20201027

A

Hello, everybody and welcome to another sig windows meeting it's the 27th of october last meeting for the month, um as always, is a recorded meeting. So please adhere to the cncf code of conduct. uh We're actually entering almost. The final stretch. Like you know, november, is going to be a big month. uh um We have a release coming up with 1.20.

A

We have uh cubicon coming up in the in in mid to late november, and then we have thanksgiving at least for the folks that are in the us.

A

So there's uh not a lot of time left uh to to work on some of our big investments that we're making for 1.20, enabling the container d work, which is probably your number one priority, plus some networking enhancements, and also making progress on the privileged containers uh mark and I chatted offline, given that next week, at least in the u.s it's election day, I want to cancel our meeting.

A

I think that's a strategy that a lot of companies and open source projects are following to give everybody a bigger opportunity to go and exercise the right to vote feel free to use that time. As you see fit, but no meeting next week, it should have already been removed from your calendar uh claudio um last week we were talking about the docker hub and the functional user, but do we have an update? I know deep was gonna work on seeing if we could uh get us some. uh uh Some special sauce from docker.

B

Hey so I updated the uh I posted a link to uh issue com comment. uh That's where I posted like all the findings and notes and what needs to happen at a minimum. Unfortunately, uh all the tracking will be happening on a docker hub user basis, so at a minimum like anonymous polls like there's, nothing, we can do about it because you know those are not related to any any authenticated user.

B

So I think at least the test infra needs to be uh updated to make sure all the tests are indeed logging in first and once we have this docker hub uh user id. That can you know, then you know I can facilitate that thing. Where docker makes sure that you know, because it's open source project we discuss like how we can make sure uh those polls are not getting throttled for that user.

A

So so, what's the uh so did what's the strategy here? Should we go create a user uh and and basically tell docker that this is a functional user that you created for an open source project.

B

Exactly.

A

Or like, I would assume that maybe kubernetes should have that functional user right, not just a sig of kubernetes. Do you know if that's happening anywhere.

B

Yeah so, as I posted in the comment, uh the ideal recommendation would be to create what we call a hub team and then have a bunch of users depending on you know how many users different cigs, need uh as part of that team, and then uh we talked to docker and say: hey just like make sure anyone who is part of this team does not get.

B

You know restricted by the bull limits and forced on them.

B

Basically, yeah.

A

I'll I'll ping uh iron and see if they're, if they're, gonna, create or claudia, if you can ping, I don't ask if they're gonna create this happening.

C

Just just just uh a minor update uh for the moment, I think we might be- maybe the only ones which will require something like this more intensely intensively.

C

That's because uh the the mirror that g dot io images have been updated to also include manifest lists, uh similarly to how they already are on docker hub, which means that uh almost all, almost all the test jobs do not really require uh any special account just for this, and uh what they've done for most of the testing for jobs from what they saw.

C

You can configure the docker demons, there's a config option for docker demons to configure them to use a mirror first, and if an image is not on that mirror, it will pull from docker hub and from what I saw, I think, thursday or friday last week, there's only one image that is not currently mirrored on mirror.js io, which will hurt them, which is the nginx 115-alpine, but I'll have to check if the data image in particular has been created on the mirror or not.

C

But again we might be the only ones which required this.

B

And that's because by v you mean sig windows and mainly because gcr does not support windows. Yes, okay,.

C

The plan is to have all our images on the gcr repos, but at the moment not all of them are on there a couple of images which are only hosted on docker hub, which are the busy box image, the nginx image and the httpd image.

C

So unless we can somehow have them on the kubernetes registry as well, we might still have docker hub for those.

B

Images got it and uh do you think, like uh the user authentication, that should just be a simple step that can be added to the test. Intro, the docker login step.

C

Yeah, I think so, oh you can configure you. You can basically create a docker config file which contains the credentials for a particular user, and you can also create a token for authentication.

C

Then we can just tell the infra people to have that mounted as a secret uh to have this stored improv as a circuit and then just mount that secret inside our jobs.

C

Okay sounds good and then we can just uh have docker demons use those docker config files for authentication.

B

Excellent, so do you also think that like given it just affects sig windows? Now we will actually run into the hundred pulls for six hour thing or like 200 pulls for authenticated. uh Is that still a concern, or do you.

C

Think we have a lot of jobs: okay, okay, got it and we pull off a lot of images. Sure uh I think we are. We have at least 20 something images which are currently being used in e3 tests. Okay, and we have two nodes per uh test run. So double that, and we have multiple jobs for container d for darker for uh darker uh darker shim, right, four, eighteen or nine. Eighty three. Ninety one 2004 hyper isolation process, isolation.

C

There are so many use cases right which we test it's impossible, not to hit that.

B

Yeah that that makes complete sense, so I think, like once that authentication framework is there. uh I I can make sure that that that docker user is indeed getting.

C

I still think it would be beneficial to have that as an organization, as you mentioned,.

B

Yeah.

C

At the beginning, in case, someone else also needs uh this privilege yep.

A

Okay, so it kind of to ten boxer discussion, so uh claudia you're, gonna work on the authentication framework and then get back to deep, potentially on that issue common thread and let's figure out how to proceed with the creation of an exempted user. Sure thank.

C

You coordinate with deep on this.

A

Sounds good all right cool sounds good uh jay. Let's uh and I know if the android team is here, you guys had a request to add some cni guidance to the kubernetes windows. Docs.

D

You want to talk about that. Jake sounds like you sounds like we're in agreement. That's probably not a bad idea, but I guess does anybody else have a problem with that.

A

Yeah, essentially they ask here is that when you go to doctor kubernetes and you look for windows, we have some guidance there with our l2 bridge up to uh or you know, we have uh obvious uh ovn solution in there, but we don't have anything about andrea. We don't have anything about calico, so we haven't really expanded that table uh david. uh You had originally created that a year and a half ago, two years ago, almost so, let's make sure we add the updates there, jo whoever ends up adding them.

A

I think someone from the anterior team will also extend the same courtesy to calico. If they want to add their own column in there get a pr out make sure david gets to see it and approve it and push it through.

A

Okay, mark you, okay, with that.

D

Too, working on an end-to-end installation dock for myself, I'm happy to include that if anybody wants it anywhere upstream um sort of uh one other community guidance. Related thing is: um do I have this kind of jar open and I don't really care about the pr. But I just wanted to see if we could get some consensus on um how we want to phrase the I it sounds like.

D

We generally agree that we need to have some kind of a community vision or guidance around that's explicit and that's written about um what we recommend as far as wins and transition as people move off of wins towards um the privileged containers, which seems to be the goal, the long-term goal um since there's so many sharp edges in terms of timelines and how we get there and all that. How?

D

How should we phrase that, as if, as one of the things that the sig kind of is gonna provide, um there was some, I guess mark and me and.

E

Michael yeah, from my perspective, it's like, I am very hesitant to ever endorse um something like wins kind of as a whole sig, primarily because of the kind of security implications.

E

I think that we can say that wins is a great way to help bootstrap uh like a cluster, and we have examples using some like cube adm to do this. This is probably the simplest quickest way to do this, but I know a lot of probably enterprises would um kind of not want to ever deploy wins. I know we're not going to do something like that in azure, just because of the kind of security implications that having that service on the node could possibly do so.

E

We because we don't have privileged containers, we um install cni on the nodes and- um and it's it's not as easy to manage as kind of the deploy your cmi through a pod, but it's kind of a necessity for us too. um So that's why I I I think we should be careful with that, because windows, at least from my experience, like windows, enterprise users, are kind of expecting things to be. um They they come to windows for a lot of compliance reasons. Oh.

D

Yeah, I'm I mean I'm not saying we should endorse anything, I'm just saying we should like how do how should we phrase the this whole thing so that we're not endorsing something, but at least we're being explicit about what the boundaries of the cigar, because I assume we have some goal of helping people who who are using wins, or maybe we don't, and maybe that's what we should be explicit about. I don't know.

A

Right so so, so a better way to phrase that j is um or a different way of phrasing. Not better sorry uh so, like mark said, like you know, wins is also not under our governance right so, and we tend to you know if it's not under our governance, you know we don't own this future direction. We don't know the level of testing that's happening. We don't know what the direction it is.

A

uh The second thing is that I want to ask- and I echo what everything that mark said, that we need to make sure that we're pretty clear about what we do own here is the code that's coming out of sick windows and kubernetes. That's the only thing we can claim that we own, but um I understand, like you know, is the goal here. That wins is a necessary component for cluster api and boost up your windows notes like what's what's the usage of wins that you guys are looking for.

D

I mean, I think, that the only thing I'm looking for for this conversation is us defining a boundary of what we are willing to talk about and not talk about in terms of helping people. So I I'm not. I don't think, there's anything wrong with saying we don't want.

A

Anything to do with wins or whatever. No, no, we're not saying that right, so I mean there's a lot of open source solutions are adjacent to to kubernetes and to windows in general that are very acceptable for a great deal of customers, we're just not making an endorsement about any of them. uh We're not making any statements.

A

So my question was to you like with respect to win since that was brought up. Is it something that we're looking to leverage somewhere yeah? I mean, I think my understanding is that.

D

um It was possibly going to be used at some level in cluster api um and I guess that's kind of where this whole thing comes from right. Is that like, if we can, if it's being used in some things that are semi-official kubernetes related projects?

D

You know it would be great for us to at least provide some guidance to the cluster api people about hey, don't do this or hey do do this, or if you do do this, this is going to be the consequences, and this is how we'll be able to help you get yourself out of it. That kind of thing. I guess it's a circular question right, I'm not really sure what I I don't really know what we're capable.

D

What kind of I assume we want to help the cluster api people in some ways, but maybe that's out of scope too. I'm not really sure.

E

I think it might be good to I, like I kind of see our kind of purview as helping what both like you know, making the technical changes or making the changes in the various components to get windows working, but also providing kind of maybe reference examples of here's how you can bootstrack this here's, how you can bootstrap a cluster, and maybe if we say maybe if we phrase it as like, a reference architecture that would be appropriate and then also caution and say you know, like every enterprise or user needs, to evaluate all the components that they deploy for any compliance that they may have and just kind of reiterate that message.

D

Oh okay, so you'd be willing to get behind. Like here's a concrete thing, this we're not saying you should do this concrete thing, but it's something that you can.

E

Yeah, I think I like, if I think I I'm more than happy to say here's an easy way to get a windows cluster up and running, um we're not going to say this is the way to to do this, but here's an example of how you can kind of get yourself a cluster running windows to experiment on yeah I mean like that. Michael I mean I.

A

I'm okay with that uh as a reference implementation.

D

Okay, cool, maybe I'll, just rephrase the pr to say something like supporting reference implementations, which aren't necessarily best practices but which can show people how to build their own windows solutions. On top of something like that, I.

A

Mean ultimately, we're going to look to some of the commercial distributions to figure out how to productize some of these uh tools into a coherent offering, um maybe for you, rephraser, jay, uh you and james uh and and and others from the cluster api team? You guys should talk about this and figure out. You know: do we have to use wings? I know that we use components of wings as part of the cube adm bootstrap process when we do the cube adm uh work for beta. So let's figure out this winston necessity here.

A

Can we get away with it? We know that privileged containers will land at some time as an alpha potentially like march time frame right. Would they come with sufficient quality level? To just say, wins is a stopgap solution for now and the later on, privileged containers is the right way to go about it. Won't you all chat and come up with a proposal, but you know definitely we can endorse something, that's not in our governance and will base, but it can be a reference implementation without concrete caveats. This is a good start.

D

To that I'll I'll, just keep I'll just keep hammering away that see. We can come up with that's cool. um Can you link to the pr in question as well, jay sure yeah, it's it's a trivial pr. It was just a conversation.

F

Starter but yeah I'll relate to it and we do call out or we we have wins as part of like the cubidium for windows, documentation like michael mentioned, um but we don't call out any of the security implications um they did get called out in the cap, but didn't make it into the dock.

F

Okay kind of it's kind of hard to.

A

Put in a dog don't use this, but here's an example.

E

Yeah yeah, and I think I was looking at the docs a little bit too, and we have a couple of different um sections like kate's dot. Io has a bunch of different sections. There is a section for like production environment and that section didn't mention winds at all. If I remember correctly, there was another kind of section about how to kind of you know, get a cluster up and running, and that tutorial had a page for out of windows. Note and that's where there was the wins reference yeah.

E

So I think we should probably just be a little bit um careful about putting things that are under the the heading. The production environment.

A

Yeah, absolutely I mean the the reason why we did that like that mark is because cuba game is not ga and the big reason why we never ga did was this.

D

Yeah.

A

Yes raising his hand.

D

So he's probably the most uh critical opinion to get here.

G

Yeah, so um I was just gonna say: that's kind of how we framed it was it's a stop gap for uh cluster ap api so that we could get moving forward with knowing that privilege.

G

Containers was coming in the future, and I think I've talked with the um the wins team a little bit and learned a little bit about the way that we can configure it so that it is a little bit more uh safe for um for just from a security perspective like you can tie it to only run these types of binaries and then we can add some extra layers. On top of that which would be similar to like privileged containers scenario. So I think, like I think, yeah.

G

We don't necessarily want to say this in the docs that this is the absolute way to go, but if we can use it as a stop gap for cube adm and for cluster api that moves us in the right direction and should be something that we can swap out once privilege.

D

Proxy to cluster api as the reference implementation and then sig windows can wipe its hands of that and say well, here's one reference implementation that we don't necessarily endorse.

D

It might use wins and according to james, it does but and then everybody's happy right. It's like less work for us and we get the problem solved of having a reference, implementation right.

A

All right folks, so, uh let's time box, this discussion as well so can get through our agenda today. So I think we got some small action items from there so mark james and mars. Next item is yours:.

E

Yeah recently, we've been seeing a lot of issues where customers are reporting that, with high cpu load on their windows, nodes um kind of different random bad things happen um most notably. The node will go into the not ready state and like flip-flop, and also um sometimes the node will stay into the ready state and the metrics will stop reporting correctly so cube ctl top node will um either stop updating or show kind of unknown in uh brackets, and also that causes things like hpa to stop working.

E

um We were digging into this a little bit and um I think that most uh I've captured some of that in that issue.

E

If you want to open that michael and then scroll down to the bottom, but um it looks like a lot of these are stemming from how the changes that patrick made in 118 to enforce cpu limits were implemented.

E

So the previous behavior was that all of the the limits that got added were essentially treated as weights, um so that, even if you were over committing resources, um the system critical processes would get some cpu time which would allow things to mostly work after 118.

E

The cpu limits were more strictly enforced and it's much easier to starve the system, critical services, docker cubelet q, proxy, even the host compute system itself of cpu resources, um so kind of I've been looking with james, had a couple of different solutions here, and I think we have a couple of like kind of mitigations, but none of them can fully resolve the issue um and they can't fully resolve the issue, because we have no way today of guaranteeing that users won't intentionally over commit their resources.

E

They can author a podspec that have much fewer requests than limits and those can gobble up all the cpu.

E

um A couple of the kind of possible fixes that I wanted to bring up here for discussion were, we can and probably should be bumping the process. Priority classes for the system, critical services that we own, potentially even making that um just extra flags to the processes and then um we're also looking at the documentation and the the current documentation recommends, setting um a memory buffer with a system reserves cubot flag, but not a cpu buffer and we're finding that under high cpu load um kind of scenarios.

E

That is really important to re, to carve that out. So probably looking towards updating some recommendations, we have found that that does need to scale based on the number of processors on the machine as well. um So I think james and myself we're still kind of digging into this and are going to probably proof of concept or start some documentation for some of these uh solutions.

E

But we wanted to kind of bring this up to the larger to the community and see if, if anybody else is running into these issues, if they have mitigations that they're putting in place in their own environments and kind of what kind of documentation we should have as a as a sig for how to make sure that your windows nodes are healthy.

A

I mean I'm hoping that most most customers are putting this in production, have some monitoring that's basically looking at both the host resources and and before placing uh uh pods into that and kind of monitoring, both everything from storage to to memory to networking. But I agree with your recommendations here. Some of the possible fixes right, like elevate the cubelet in terms of the cpu allocation that it gets, and then I don't know like how we have can scale the system reserves based on the number of cpus, how that would look like.

A

But if your poc comes out with some really good recommendations, you know, I think, I think, between those two. It should get us in a much better state and then there's some responsibility to customers to make sure that they're monitoring this.

E

Yeah yeah, I was thinking that the the cpu reserves would have to just be recommendations in the docs um one. Other thing that we've kind of noticed is that a lot of other projects, even in the uh kubernetes six orgs, aren't adhering to the guidance that we have where for windows, pods or containers that limits must equal reserves.

E

I'd also like to update our documentation to more strongly kind of say that this is kind of a necessity for windows right now to to work healthy.

H

Agreed yeah and michael just I mean from uh from a customer point of view. The one of the reason is, I mean first of all, monitoring for windows is a little bit harder than linux, but even if you have monitoring in place because of the image size, even by the time, they understand that you know they're over limit, or uh I mean they can't they scale up in real time right.

H

um So so that's why they're trying to like provision it in a perfect amount where they get all the density, but they don't go over it and that's kind of a hard problem for windows.

A

I mean we could also come up with another recommendation, rather than just saying, like set the reserve to 500x, we could say, never commit more than 70 capacity of a host to containers like no, then it becomes a percentage right yeah and that usually works, because it leaves you enough capacity to also do upgrades right, because you're going to have to upgrade these things, you're going to have to do uh things that always eat up a little bit more. So I think a good rule of thumb is somewhere in the 70 range we can talk.

A

You can add that in our docs, if that's something that our poc proves, that it's a necessary component.

A

All right, so we have about one minute: deep, csi, proxy beta.2.

B

Yeah we released a second beta recently. It had lots of fixes from everyone working on csi proxy. So thanks for all the contributions, uh one of the major things I wanted to point out was the support for iscsi. As a fresh api group, I was put in by dan ellen uh so yeah. uh If, if you were or if anyone who was thinking about.

C

Like writing.

B

A iscsi csi driver, then uh that basic support is now in awesome.

A

Thank you deep and one follow-up deep. Have we heard anything back from the aws folks for the csi work for aws or no.

B

No, I have not. uh I spoke to chang, who used to maintain the ebs driver, the ubia csi, and he has left aws recently. So I think he was like. I don't know where this is going and I pinged wangma. I think michael wong yeah and uh didn't hear back from him.

A

Can you add my email to that thread and I will escalate at aws it's time that we do that? Okay sounds good. I add my email to that I'll escalate, all right cool, all right, everybody, it's time! Thank you all for attending have a great rest of your week and no meeting next week, we'll see you all in two weeks bye. Thank you. Bye, bye, everybody.