Windows RuntimeClass KEP

[PatrickLang]

This is the KEP for #1301

Adding @tallclair @derekwaynecarr @benmoss @dchen1107 @m2 as reviewers since they provided feedback in the SIG meetings

/sig windows
/sig node
/milestone v1.17

[PatrickLang]

/assign @tallclair
/assign @dchen1107

[dchen1107]

The KEP looks good to me, but want to make sure SIG Auth know the newly proposed self-labeling here. Will leave @tallclair to make the final call here.

[ddebroy]

Looks pretty good with some minor nits and clarifications.

[pjh]

Thanks for writing the KEP Patrick!

[derekwaynecarr]

I agree with @dchen1107 that this generally looks good, but I would prefer we have a consistent opinion around osversion across windows and linux hosts. Right now, osversion seems to match the kernel label that we can apply from node-feature discovery centrally via its fleecing daemon. Otherwise, I agree with the approach of RuntimeClass per SIG Node discussion.

defer to final approval on label to SIG Auth.

[tallclair]

Mostly LGTM with a few nits & a question about the osversion label schema for linux.

[tallclair]

What is the schema for linux versions? Or will this be a windows-only label? If the latter, I'd prefer to use something like node.kubernetes.io/windows-build for the label.

[derekwaynecarr]

windows-build is fine w/ me.

[PatrickLang]

alright will change to windows-build. Thanks!

[liggitt]

does this version change on every windows update?

something similar was discussed for linux kernel version in kubernetes/kubernetes#51006 (comment)

were the need for the node to update the label value (as opposed to the set-once labels it sets now), and the issues with fine-grained selection discussed?

[liggitt]

Therefore, a value such as node.kubernetes.io/osversion = 10.0.17763 will be used.

Are we confident the version portion will always fit within label values validation?

The final .805 refers to the monthly patches and isn't required for compatibility. Therefore, a value such as node.kubernetes.io/osversion = 10.0.17763 will be used.

Would a container ever have to target a specific fix level?

[PatrickLang]

yeah I think that validation should be ok for a few reasons:

1. The internal Windows build name (the full string) is limited to that character set. Anything we would use is a subset of that. Here's an example from Windows 10, but server follows the same format: 18362.1.amd64fre.19h1_release.190318-1202
2. That version is not used as-is today. It's already massaged into
   a more readable format returned from kubectl describe node
   https://github.com/kubernetes/kubernetes/blob/0599ca2bcfcae7d702f95284f3c2e2c2978c7772/vendor/github.com/docker/docker/pkg/parsers/operatingsystem/operatingsystem_windows.go#L10 . For the kubelet's purpose, I'll be implementing something like that to not include the patch (UBR) number and instead just return the build number such as 10.0.17763

[liggitt]

sounds reasonable. might be worth adding a note with those findings.

[PatrickLang]

sure, working on it now.

[PatrickLang]

added @ line 290 in latest revision

[PatrickLang]

added at line 290 below

[tallclair]

The recommended approach is to create a new RuntimeClass and update the deployment. The reason is that forcing the deployment update means that the new class will be rolled out in a more controlled and predictable manner (through a rolling update). You sort of get that with drain, but the tooling around a proper rolling update is purpose built for dealing with rollouts.

[PatrickLang]

so do you think it's better to update an existing RuntimeClass to "work again", or just delete it and fail scheduling if someone mistakenly uses one that doesn't exist?

[tallclair]

Hmm, I see. That's probably a case-by-case decision. The cluster admin will need to decide if they want people to explicitly opt-in to using hyperv.

[tallclair]

/lgtm
For the RuntimeClass changes. I'm also ok with the windows-specific label.

/hold
To let the other reviewers comment on the label schema.

[jterry75]

I'm concerned we need this for other ImageService methods as well. For example if we use the ImageStatus call to determine if an image is present it will also need the RuntimeHandler to know if the "specific" version of the image is present. Otherwise it could return the appropriate status for the wrong version.

[jterry75]

I think for the same reasons above we want this to be Build and 1809 -> 10.0.17763

[PatrickLang]

Agreed, will update for consistency but it shouldn't block merging. This section is detailing out an alternative that was rejected and won't be implemented

[jterry75]

Any idea what SandboxConfig is passed here? Is the order for Kubelet

1. RunPodSandbox
2. PullImage(worker1 image, config from step 1)
3. CreateContainer(worker1, config from step 1)
   ?
   Or is PullImage allowed to run before a RunPodSandbox? The reason I ask is because, if it is a requirement that PullImage happens AFTER RunPodSandbox then I guess we can lookup the sandbox RuntimeHandler by finding the existing sandbox from the SandboxConfig.Metadata. This although seems to be a very light contract and I would prefer we dont do it this way.

[PatrickLang]

during the main sync loop, sandbox is created first https://github.com/kubernetes/kubernetes/blob/344054bf4aa47fbcf1f3776a8210b7992ea08d11/pkg/kubelet/kuberuntime/kuberuntime_manager.go#L631

then the image is checked, pulled if needed
https://github.com/kubernetes/kubernetes/blob/344054bf4aa47fbcf1f3776a8210b7992ea08d11/pkg/kubelet/kuberuntime/kuberuntime_container.go#L93

then container created then started
https://github.com/kubernetes/kubernetes/blob/344054bf4aa47fbcf1f3776a8210b7992ea08d11/pkg/kubelet/kuberuntime/kuberuntime_container.go#L126

Based on that ordering, I think you're right that the other image actions need the runtimeClass defined.

@Random-Liu - what do you think? Should we

1. keep this as a loose contract as Justin mentioned where the runtimeHandler is assumed to match that of the sandbox

or

2. also add runtimeClass to all of the image operations: PullImageRequest ListImagesRequest and RemoveImageRequest

[jterry75]

Yep. The first thing it does is get the ImageStatus and use that to determine if a PullImage is required which means we do need RuntimeHandler for the others.

--

I think that my idea is a bad one for the record. Because it also doesn't solve the ImageStatus issue above where it doesnt have the SandboxConfig. So even though the sandbox is indeed created we would fail the check.

[ddebroy]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ddebroy, PatrickLang, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-windows/OWNERS [PatrickLang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

the kubelet will shorten to just what's needed

Wherever the transformation is implemented, the output of that transforming code needs to be treated as an API, since for a given windows build, consumers will write manifests with selectors against that label value.

[PatrickLang]

sure makes sense. I was planning to add a node unit test for it and cover it in the e2e runtimeclass tests for Windows.

[liggitt]

/hold
To let the other reviewers comment on the label schema.

mechanics of the proposed label look good to me (interaction with noderestriction plugins, considerations for label value validation and stability over time). based on #1302, node folks were ok with it as well

/hold cancel