About Windows Container Support for Red Hat OpenShift

Windows Container Support for Red Hat OpenShift is a feature providing the ability to run Windows compute nodes in an OKD cluster. This is possible by using the Red Hat Windows Machine Config Operator (WMCO) to install and manage Windows nodes. With Windows nodes available, you can run Windows container workloads in OKD.

The release notes for Red Hat OpenShift for Windows Containers tracks the development of the WMCO, which provides all Windows container workload capabilities in OKD.

Getting support

You must have a subscription to receive support for the Red Hat WMCO. Deploying Windows container workloads in production clusters is not supported without a subscription. If you do not have a subscription, you can use the community WMCO, a distribution that lacks official support. Request support through the Red Hat Customer Portal.

Windows Machine Config Operator prerequisites

The following information details the supported cloud provider versions, Windows Server versions, and networking configurations for the Windows Machine Config Operator. See the vSphere documentation for any information that is relevant to only that platform.

Supported cloud providers based on OKD and WMCO versions

Cloud provider Supported OKD version Supported WMCO version

Amazon Web Services (AWS)

4.6+

WMCO 1.0+

Microsoft Azure

4.6+

WMCO 1.0+

VMware vSphere

4.7+

WMCO 2.0+

Supported Windows Server versions

The following table lists the supported Windows Server version based on the applicable cloud provider. Any unlisted Windows Server version is not supported and will cause errors. To prevent these errors, only use the appropriate version according to the cloud provider in use.

Cloud provider Supported Windows Server version

Amazon Web Services (AWS)

Windows Server Long-Term Servicing Channel (LTSC): Windows Server 2019

Microsoft Azure

Windows Server Long-Term Servicing Channel (LTSC): Windows Server 2019

VMware vSphere

Windows Server Semi-Annual Channel (SAC): Windows Server 2004 and 20H2

Supported networking

Hybrid networking with OVN-Kubernetes is the only supported networking configuration. See the additional resources below for more information on this functionality. The following tables outline the type of networking configuration and Windows Server versions to use based on your cloud provider. You must specify the network configuration when you install the cluster. Be aware that OpenShift SDN networking is the default network for OKD clusters. However, OpenShift SDN is not supported by WMCO.

Table 1. Cloud provider networking support
Cloud provider Supported networking

Amazon Web Services (AWS)

Hybrid networking with OVN-Kubernetes

Microsoft Azure

Hybrid networking with OVN-Kubernetes

VMware vSphere

Hybrid networking with OVN-Kubernetes with a custom VXLAN port

Table 2. Hybrid OVN-Kubernetes Windows Server support
Hybrid networking with OVN-Kubernetes Supported Windows Server version

Default VXLAN port

Windows Server Long-Term Servicing Channel (LTSC): Windows Server 2019

Custom VXLAN port

Windows Server Semi-Annual Channel (SAC): Windows Server 2004 and 20H2

Supported installation method

The installer-provisioned infrastructure installation method is the only supported installation method. This is consistent across all supported cloud providers. User-provisioned infrastructure installation method is not supported.

Release notes for Red Hat Windows Machine Config Operator 2.0.3

Issued: 2021-07-28

The WMCO 2.0.3 is now available with bug fixes. The components of the WMCO were released in RHBA-2021:2926.

Bug fixes

  • This WMCO release fixes a bug that prevented users from upgrading to WMCO 3.0.0. Users should upgrade to WMCO 2.0.3 before upgrading to OKD 4.8, which only supports WMCO 3.0.0. (BZ#1985349)

Release notes for Red Hat Windows Machine Config Operator 2.0.2

Issued: 2021-07-08

The WMCO 2.0.2 is now available with bug fixes. The components of the WMCO were released in RHBA-2021:2671.

Users who are running a version of WMCO prior to 2.0.3 should first upgrade to WMCO 2.0.3 prior to upgrading to WMCO 3.0.0. (BZ#1983153)

Bug fixes

  • OKD 4.8 enables the BoundServiceAccountTokenVolume option by default. This option attaches the projected volumes to all of the pods. In addition, OKD 4.8 adds the RunAsUser option to the SecurityContext. This combination results in Windows pods being stuck in the ContainerCreating status. To work around this issue, you should upgrade to WMCO 2.0.2 before upgrading your cluster to OKD 4.8. (BZ#1975553)

Release notes for Red Hat Windows Machine Config Operator 2.0.1

Issued: 2021-06-23

The WMCO 2.0.1 is now available with bug fixes. The components of the WMCO were released in RHSA-2021:2130.

New features and improvements

This release adds the following new features and improvements.

Increased image pull time-out duration

Image pull time-out has been increased to 30 minutes.

Bug fixes

  • Previously, when using the Windows kube-proxy component on an AWS installation, when you created a LoadBalancer service, packets would be misrouted and reached an unintended destination. Now, packets are no longer wrongly routed to unintended destinations. (BZ#1946538)

  • Previously, Windows nodes were not reporting some key node-level metrics via telemetry monitoring. The windows_exporter reports various metrics as windows_* instead of the node_exporter equivalent of node_*. Now, the telemetry results cover all of the expected metrics. (BZ#1955319)

  • Previously, when the WMCO configured Windows instances, if the hybrid-overlay or kube-proxy components failed, the node might report itself as Ready. Now, the error is detected and the node reports itself as NotReady. (BZ#1956412)

  • Previously, the kube-proxy service would terminate unexpectedly after the load balancer is created if you created the load balancer after the Windows pods begin running. Now, the kube-proxy service does not crash when recreating the load balancer service. (BZ#1939968)

RHSA-2021:2130 - Windows Container support for OKD security update

As part of the previously noted bug fix (BZ#1946538), an update for Windows kube-proxy is now available for Red Hat Windows Machine Config Operator 2.0.1. Details of the update are documented in the RHSA-2021:2130 advisory.

Release notes for Red Hat Windows Machine Config Operator 2.0.0

This release of the WMCO provides bug fixes and enhancements for running Windows compute nodes in an OKD cluster. The components of the WMCO 2.0.0 were released in RHBA-2021:0440.

Running Windows container workloads is not supported for clusters in a restricted network or disconnected environment.

Version 2.x of the WMCO is only compatible with OKD 4.7.

New features and improvements

This release adds the following new features and improvements.

Support for clusters running on VMware vSphere

You can now run Windows nodes on a cluster installed on VMware vSphere version 6.5, 6.7, or 7.0. You can create a Windows MachineSet object on vSphere to host Windows Server compute nodes. For more information, see Creating a Windows MachineSet object on vSphere.

Enhanced Windows node monitoring

Windows nodes are now fully integrated with most of the monitoring capabilities provided by the web console. However, it is not possible to view workload graphs for pods running on Windows nodes in this release.

Known issues

  • When you create Windows pods with RunAsUserName set in its "SecurityContext" with a projected volume associated with these pods, the file ownership permissions for the projected entities are ignored, resulting in incorrectly configured ownership permissions.

  • The filesystem graphs available in the web console do not display for Windows nodes. This is caused by changes in the filesystem queries. This will be fixed in a future release of WMCO. (BZ#1930347)

  • The Prometheus windows_exporter used by the WMCO currently collects metrics through HTTP, so it is considered unsafe. You must ensure that only trusted users can retrieve metrics from the endpoint. The windows_exporter feature recently added support for HTTPS configuration, but this configuration has not been implemented for WMCO. Support for HTTPS configuration in the WMCO will be added in a future release.