Kubernetes on Windows nodes hits GA in Rancher, Amazon EKS
Kubernetes on Windows nodes is now fully supported by two container management vendors, broadening the platform’s reach into legacy enterprise applications.
Rancher 2.3 and Amazon EKS were first to roll out support for Windows nodes in Kubernetes clusters this week, as well as mixed-mode clusters that encompass both Windows and Linux nodes. Most Kubernetes platforms already supported Windows containers, but running on Linux host nodes; in all cases, including upstream Kubernetes, the Kubernetes master node still runs on Linux.
However, Rancher CEO Sheng Liang said his company’s engineers may be able to change that.
“We’re working on something that may eliminate that requirement, based on our k3s work,” Liang said, referring to Rancher’s lightweight distro of Kubernetes, designed to run on edge devices. “It’s really just packaging.”
Liang didn’t specify a timeframe for that feature, or whether Rancher would contribute it to Kubernetes upstream.
Meanwhile, the usual gaggle of Kubernetes management competitors will soon join Rancher and AWS in the Kubernetes for Windows game. Docker Enterprise, Red Hat OpenShift, VMware PKS, Microsoft Azure Kubernetes Service and Google Kubernetes Engine all have support in the works, and most plan to make it generally available by the end of 2019. Kubernetes on Windows support reached a stable upstream release in version 1.14 in March.
Kubernetes on Windows broadens platform’s reach
IT pros said Kubernetes on Windows support will prompt them to evaluate the open source container orchestration framework, now the de facto standard for cloud-native apps, for a broader set of legacy applications.
“Previously, we skipped over these because Linux-based applications were the easier, lower-hanging fruit,” said Rancher user Matthew Esser, product owner of container services and infrastructure at Viasat, a satellite telecommunications company in Carlsbad, Calif. “Support for a more ephemeral Windows deployment model enables things like test environments to be candidates for Kubernetes. … I also suspect that as container support for Windows matures, more applications that rely on Windows libraries to run will start to crop up in Kubernetes environments.”
Microsoft itself has wholeheartedly embraced Linux for newer applications, through .NET Core. A Windows 10 and Windows Server 2019 feature called Windows Subsystem for Linux allows Linux executables to run directly alongside their Windows counterparts on the same machine.
For some IT shops, then, Kubernetes for Windows will be a temporary measure to support applications that haven’t yet moved to Linux, but soon will.
“We could use Windows Kubernetes support for Octopus Deploy, if it doesn’t move to .NET Core before we move to Rancher 2.3,” said David Sanftenberg, DevOps engineer at Cardano Risk Management Ltd., a U.K.-based division of Cardano Group, a financial services corporation headquartered in the Netherlands. “We’ve moved to Linux otherwise, including our front end.”
But it will be years before that kind of transition happens in most enterprise data centers, enterprise IT consultants said.
“The whole Windows ecosystem that exists to support Active Directory, IIS, etc., is a force to be reckoned with. … I don’t think it will be a temporary measure for most,” said Chris Riley, cloud delivery director responsible for DevOps at Cprime Inc., an Agile software development consulting firm in San Mateo, Calif. “Enterprises that have adopted Windows also have the administrative muscle to support it appropriately, and won’t be interested in making a wholesale OS switch unless there are cost [benefits] that they can achieve.”
Kubernetes for Windows also still has limitations beyond the Linux master node issue. Privileged containers, used by many third-party container security tools in Linux Kubernetes environments, are not supported on Windows nodes as of Kubernetes 1.14. Read-only file systems also aren’t yet supported.
“It’s still early in the game for Windows containers, and honestly, we are going to just have to wait it out to see how it starts to mature before putting a large effort behind it,” Viasat’s Esser said.
Rancher adds Istio support, Kubernetes security updates
Rancher 2.3 now supports the Istio service mesh, a project that was the subject of recent controversy because of its open source governance status. Rancher’s Liang said the company will support Istio as long as the market demand shows no sign of abating; the project still has cachet because of Google’s association with Kubernetes, even though Kubernetes has a service mesh sister project already within the Cloud Native Computing Foundation in Linkerd. Rancher also supports Linkerd.
Finally, Rancher took steps to work out kinks in Kubernetes security hardening for clusters under its management, according to CIS and NIST guidelines. Customers can scan clusters for misconfigurations and deploy clusters based on reusable templates that conform to the hardening guidelines, and enforce the use of those templates to mitigate configuration drift.
Kubernetes security hardening will come in handy for production infrastructure, Cardano’s Sanftenberg said.
“We have SonarQube scans and governance around what happens at deploy time for applications,” he said. “But we also need to detect vulnerabilities in what we’re running, as well as what we’re building.”
Still, a known issue with compatibility between those hardening guidelines and the Rancher UI remains unresolved, Viasat’s Esser said. A Rancher spokesperson said that issue will be addressed in version 2.3.2, and single-click cluster scanning from within the Rancher GUI will be available in version 2.4.