Windows Container Support for OpenShift


OpenShift Container Platform 4.19

Red Hat OpenShift for Windows Containers Guide

Red Hat OpenShift Documentation Team

Abstract

Red Hat OpenShift for Windows Containers provides built-in support for running Microsoft Windows Server containers on OpenShift Container Platform. This guide provides all the details.

Red Hat OpenShift support for Windows Containers is a feature providing the ability to run Windows compute nodes in an OpenShift Container Platform cluster. This is possible by using the Red Hat Windows Machine Config Operator (WMCO) to install and manage Windows nodes. With a Red Hat subscription, you can get support for running Windows workloads in OpenShift Container Platform. Windows instances deployed by the WMCO are configured with the containerd container runtime. For more information, see the release notes.

You can add Windows nodes either by creating a compute machine set or by specifying existing Bring-Your-Own-Host (BYOH) Window instances through a configuration map.

Note

Compute machine sets are not supported for bare metal or provider agnostic clusters.

For workloads including both Linux and Windows, OpenShift Container Platform allows you to deploy Windows workloads running on Windows Server containers while also providing traditional Linux workloads hosted on Red Hat Enterprise Linux CoreOS (RHCOS) or Red Hat Enterprise Linux (RHEL). For more information, see getting started with Windows container workloads.

You need the WMCO to run Windows workloads in your cluster. The WMCO orchestrates the process of deploying and managing Windows workloads on a cluster. For more information, see how to enable Windows container workloads.

You can create a Windows MachineSet object to create infrastructure Windows machine sets and related machines so that you can move supported Windows workloads to the new Windows machines. You can create a Windows MachineSet object on multiple platforms.

You can schedule Windows workloads to Windows compute nodes.

You can perform Windows Machine Config Operator upgrades to ensure that your Windows nodes have the latest updates.

You can remove a Windows node by deleting a specific machine.

You can use Bring-Your-Own-Host (BYOH) Windows instances to repurpose Windows Server VMs and bring them to OpenShift Container Platform. BYOH Windows instances benefit users who are looking to mitigate major disruptions in the event that a Windows server goes offline. You can use BYOH Windows instances as nodes on OpenShift Container Platform 4.8 and later versions.

You can disable Windows container workloads by performing the following:

  • Uninstalling the Windows Machine Config Operator
  • Deleting the Windows Machine Config Operator namespace

Chapter 2. Release notes

This release of the WMCO provides bug fixes for running Windows compute nodes in an OpenShift Container Platform cluster.

The components of the WMCO 10-19.0 were released in RHSA-2025:14048.

2.1.1.1. New features and improvements
2.1.1.1.1. WMCO kubelet configuration changes

With this release, the WMCO now sets the following values in the KubeletConfig custom resource (CR):

  • The system-reserved parameter on new Windows nodes is now set to 2GiB of memory for system processes by default, as recommended in the Kubernetes documentation. (WINC-1373)
  • The enforceNodeAllocatable on new Windows nodes is now set to none by default. Previously, the value was set to [] to avoid a known issue. Both settings disable the enforcement of node allocatable resource limits. (WINC-926)
  • The evictionHard parameters, imagefs.available and nodefs.available, are now set to 15% and 10% respectively by default, as recommended in the Kubernetes documentation. (WINC-1374)

The KubeletConfig object configures the kubelet service, which runs on each node in the cluster to ensure that containers in a pod are running.

2.1.1.1.2. WMCO kubelet configuration changes

For disconnected clusters, the Windows AMI that you are using must have the EC2LaunchV2 agent version 2.0.2107 or later installed. Previously, the minimum required EC2LaunchV2 agent version was 2.0.1643. For more information, see the Install the latest version of EC2Launch v2 in the AWS documentation.

2.1.1.2. Bug fixes
  • Previously, when using the optional_namespaces parameter in an ImageTagMirrorSet CR, Windows nodes could fail to pull the specified image, resulting in a image not found error. With this fix, the optional_namespace parameter works as expected. (OCPBUGS-47696)
  • Previously, Windows Server 2019 nodes did not have a running an SSH server because of network instability. As a result, you were unable to SSH into that node. With this fix, the WMCO installs the SSH server node creation. As a result, you can SSH into the Windows nodes as expected. (OCPBUGS-56131)
  • Previously, because an Endpoint_IP variable was not resolving, the Windows Instance Config Daemon (WICD) repeatedly reported an Endpoint_IP error. This fix adds retries to ensure that the Endpoint_IP is created before continuing. As a result, the error message is no longer reported. (OCPBUGS-1721)
2.1.1.3. Known issues
  • Some Windows 2019 Bring-Your-Own-Host (BYOH) Window instances could enter a non-ready state after upgrading to 4.19. Red Hat has not been able to reproduce the issue outside the testing environment, and advises caution when upgrading. If you experience this situation, restart the non-ready instance. (OCPBUGS-47696)

2.2. Windows Machine Config Operator prerequisites

The following information details the supported platform versions, Windows Server versions, and networking configurations for the Windows Machine Config Operator (WMCO). See the vSphere documentation for any information that is relevant to only that platform.

2.2.1. WMCO supported installation method

The WMCO fully supports installing Windows nodes into installer-provisioned infrastructure (IPI) clusters. This is the preferred OpenShift Container Platform installation method.

For user-provisioned infrastructure (UPI) clusters, the WMCO supports installing Windows nodes only into a UPI cluster installed with the platform: none field set in the install-config.yaml file (bare-metal or provider-agnostic) and only for the BYOH (Bring Your Own Host) use case. UPI is not supported for any other platform.

The following table lists the Windows Server versions that are supported by WMCO 10-19.0, based on the applicable platform. Windows Server versions not listed are not supported and attempting to use them will cause errors. To prevent these errors, use only an appropriate version for your platform.

Expand
PlatformSupported Windows Server version

Amazon Web Services (AWS)

  • Windows Server 2022, OS Build 20348.681 or later [1]
  • Windows Server 2019, version 1809

Microsoft Azure

  • Windows Server 2022, OS Build 20348.681 or later
  • Windows Server 2019, version 1809

VMware vSphere

Windows Server 2022, OS Build 20348.681 or later

Google Cloud Platform (GCP)

Windows Server 2022, OS Build 20348.681 or later

Nutanix

Windows Server 2022, OS Build 20348.681 or later

Bare metal or provider agnostic

  • Windows Server 2022, OS Build 20348.681 or later
  • Windows Server 2019, version 1809
  1. For disconnected clusters, the Windows AMI must have the EC2LaunchV2 agent version 2.0.2107 or later installed. For more information, see the Install the latest version of EC2Launch v2 in the AWS documentation.

2.2.3. Supported networking

Hybrid networking with OVN-Kubernetes is the only supported networking configuration. See the additional resources below for more information on this functionality. The following tables outline the type of networking configuration and Windows Server versions to use based on your platform. You must specify the network configuration when you install the cluster.

Note
  • The WMCO does not support OVN-Kubernetes without hybrid networking or OpenShift SDN.
  • Dual NIC is not supported on WMCO-managed Windows instances.
Expand
Table 2.1. Platform networking support
PlatformSupported networking

Amazon Web Services (AWS)

Hybrid networking with OVN-Kubernetes

Microsoft Azure

Hybrid networking with OVN-Kubernetes

VMware vSphere

Hybrid networking with OVN-Kubernetes with a custom VXLAN port

Google Cloud Platform (GCP)

Hybrid networking with OVN-Kubernetes

Nutanix

Hybrid networking with OVN-Kubernetes

Bare metal or provider agnostic

Hybrid networking with OVN-Kubernetes

Expand
Table 2.2. Hybrid OVN-Kubernetes Windows Server support
Hybrid networking with OVN-KubernetesSupported Windows Server version

Default VXLAN port

  • Windows Server 2022, OS Build 20348.681 or later
  • Windows Server 2019, version 1809

Custom VXLAN port

Windows Server 2022, OS Build 20348.681 or later

Note the following limitations when working with Windows nodes managed by the WMCO (Windows nodes):

  • The following OpenShift Container Platform features are not supported on Windows nodes:

    • Image builds
    • OpenShift Pipelines
    • OpenShift Service Mesh
    • OpenShift monitoring of user-defined projects
    • OpenShift Serverless
    • Horizontal Pod Autoscaling
    • Vertical Pod Autoscaling
    • Hosted Control Planes
  • The following Red Hat features are not supported on Windows nodes:

  • Dual NIC is not supported on WMCO-managed Windows instances.
  • Windows nodes do not support workloads created by using deployment configs. You can use a deployment or other method to deploy workloads.
  • Red Hat OpenShift support for Windows Containers does not support adding Windows nodes to a cluster through a trunk port. The only supported networking configuration for adding Windows nodes is through an access port that carries traffic for the VLAN.
  • Red Hat OpenShift support for Windows Containers does not support any Windows operating system language other than English (United States).
  • Due to a limitation within the Windows operating system, clusterNetwork CIDR addresses of class E, such as 240.0.0.0, are not compatible with Windows nodes.
  • Kubernetes has identified the following node feature limitations :

    • Huge pages are not supported for Windows containers.
    • Privileged containers are not supported for Windows containers.
  • Kubernetes has identified several API compatibility issues.

Chapter 3. Getting support

Windows Container Support for Red Hat OpenShift is provided and available as an optional, installable component. Windows Container Support for Red Hat OpenShift is not part of the OpenShift Container Platform subscription. It requires an additional Red Hat subscription and is supported according to the Scope of coverage and Service level agreements.

You must have this separate subscription to receive support for Windows Container Support for Red Hat OpenShift. Without this additional Red Hat subscription, deploying Windows container workloads in production clusters is not supported. You can request support through the Red Hat Customer Portal.

For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy document for Red Hat OpenShift support for Windows Containers.

If you do not have this additional Red Hat subscription, you can use the Community Windows Machine Config Operator, a distribution that lacks official support.

Red Hat OpenShift support for Windows Containers provides built-in support for running Microsoft Windows Server containers on OpenShift Container Platform. For those that administer heterogeneous environments with a mix of Linux and Windows workloads, OpenShift Container Platform allows you to deploy Windows workloads running on Windows Server containers while also providing traditional Linux workloads hosted on Red Hat Enterprise Linux CoreOS (RHCOS) or Red Hat Enterprise Linux (RHEL).

Note

Multi-tenancy for clusters that have Windows nodes is not supported. Clusters are considered multi-tenant when multiple workloads operate on shared infrastructure and resources. If one or more workloads running on an infrastructure cannot be trusted, the multi-tenant environment is considered hostile.

Hostile multi-tenant clusters introduce security concerns in all Kubernetes environments. Additional security features like pod security policies, or more fine-grained role-based access control (RBAC) for nodes, make exploiting your environment more difficult. However, if you choose to run hostile multi-tenant workloads, a hypervisor is the only security option you should use. The security domain for Kubernetes encompasses the entire cluster, not an individual node. For these types of hostile multi-tenant workloads, you should use physically isolated clusters.

Windows Server Containers provide resource isolation using a shared kernel but are not intended to be used in hostile multitenancy scenarios.

4.1. Windows workload management

To run Windows workloads in your cluster, you must first install the Windows Machine Config Operator (WMCO). The WMCO is a Linux-based Operator that runs on Linux-based control plane and compute nodes. The WMCO orchestrates the process of deploying and managing Windows workloads on a cluster.

Figure 4.1. WMCO design

Before deploying Windows workloads, you must create a Windows compute node and have it join the cluster. The Windows node hosts the Windows workloads in a cluster, and can run alongside other Linux-based compute nodes. You can create a Windows compute node by creating a Windows compute machine set to host Windows Server compute machines. You must apply a Windows-specific label to the compute machine set that specifies a Windows OS image.

The WMCO watches for machines with the Windows label. After a Windows compute machine set is detected and its respective machines are provisioned, the WMCO configures the underlying Windows virtual machine (VM) so that it can join the cluster as a compute node.

Figure 4.2. Mixed Windows and Linux workloads

The WMCO expects a predetermined secret in its namespace containing a private key that is used to interact with the Windows instance. WMCO checks for this secret during boot up time and creates a user data secret which you must reference in the Windows MachineSet object that you created. Then the WMCO populates the user data secret with a public key that corresponds to the private key. With this data in place, the cluster can connect to the Windows VM using an SSH connection.

After the cluster establishes a connection with the Windows VM, you can manage the Windows node using similar practices as you would a Linux-based node.

Note

The OpenShift Container Platform web console provides most of the same monitoring capabilities for Windows nodes that are available for Linux nodes. However, the ability to monitor workload graphs for pods running on Windows nodes is not available at this time.

Scheduling Windows workloads to a Windows node can be done with typical pod scheduling practices like taints, tolerations, and node selectors; alternatively, you can differentiate your Windows workloads from Linux workloads and other Windows-versioned workloads by using a RuntimeClass object.

4.2. Windows node services

The following Windows-specific services are installed on each Windows node:

Expand
ServiceDescription

kubelet

Registers the Windows node and manages its status.

Container Network Interface (CNI) plugins

Exposes networking for Windows nodes.

Windows Instance Config Daemon (WICD)

Maintains the state of all services running on the Windows instance to ensure the instance functions as a worker node.

Windows Exporter

Exports Prometheus metrics from Windows nodes

Kubernetes Cloud Controller Manager (CCM)

Interacts with the underlying Azure cloud platform.

hybrid-overlay

Creates the OpenShift Container Platform Host Network Service (HNS).

kube-proxy

Maintains network rules on nodes allowing outside communication.

containerd container runtime

Manages the complete container lifecycle.

CSI Proxy

Enables CSI drivers to perform storage operations on the node, which allows containerized CSI drivers to run on Windows nodes.

Chapter 5. Enabling Windows container workloads

Before adding Windows workloads to your cluster, you must install the Windows Machine Config Operator (WMCO), which is available in the OpenShift Container Platform OperatorHub. The WMCO orchestrates the process of deploying and managing Windows workloads on a cluster.

Note

Dual NIC is not supported on WMCO-managed Windows instances.

5.1. Prerequisites

  • You have access to an OpenShift Container Platform cluster using an account with cluster-admin permissions.
  • You have installed the OpenShift CLI (oc).
  • You have installed your cluster using installer-provisioned infrastructure, or using user-provisioned infrastructure with the platform: none field set in your install-config.yaml file.
  • You have configured hybrid networking with OVN-Kubernetes for your cluster. For more information, see Configuring hybrid networking.
  • You are running an OpenShift Container Platform cluster version 4.6.8 or later.
Note

Windows instances deployed by the WMCO are configured with the containerd container runtime. Because WMCO installs and manages the runtime, it is recommended that you do not manually install containerd on nodes.

For the comprehensive prerequisites for the Windows Machine Config Operator, see "Windows Machine Config Operator prerequisites".

You can install the Windows Machine Config Operator using either the web console or OpenShift CLI (oc).

Note

Due to a limitation within the Windows operating system, clusterNetwork CIDR addresses of class E, such as 240.0.0.0, are not compatible with Windows nodes.

You can use the OpenShift Container Platform web console to install the Windows Machine Config Operator (WMCO).

Note

Dual NIC is not supported on WMCO-managed Windows instances.

Procedure

  1. From the Administrator perspective in the OpenShift Container Platform web console, navigate to the Operators → OperatorHub page.
  2. Use the Filter by keyword box to search for Windows Machine Config Operator in the catalog. Click the Windows Machine Config Operator tile.
  3. Review the information about the Operator and click Install.
  4. On the Install Operator page:

    1. Select the stable channel as the Update Channel. The stable channel enables the latest stable release of the WMCO to be installed.
    2. The Installation Mode is preconfigured because the WMCO must be available in a single namespace only.
    3. Choose the Installed Namespace for the WMCO. The default Operator recommended namespace is openshift-windows-machine-config-operator.
    4. Click the Enable Operator recommended cluster monitoring on the Namespace checkbox to enable cluster monitoring for the WMCO.
    5. Select an Approval Strategy.

      • The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
  5. Click Install. The WMCO is now listed on the Installed Operators page.

    Note

    The WMCO is installed automatically into the namespace you defined, like openshift-windows-machine-config-operator.

  6. Verify that the Status shows Succeeded to confirm successful installation of the WMCO.

You can use the OpenShift CLI (oc) to install the Windows Machine Config Operator (WMCO).

Note

Dual NIC is not supported on WMCO-managed Windows instances.

Procedure

  1. Create a namespace for the WMCO.

    1. Create a Namespace object YAML file for the WMCO. For example, wmco-namespace.yaml:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: openshift-windows-machine-config-operator 
      1
      
        labels:
          openshift.io/cluster-monitoring: "true" 
      2
      Copy to Clipboard Toggle word wrap
      1
      It is recommended to deploy the WMCO in the openshift-windows-machine-config-operator namespace.
      2
      This label is required for enabling cluster monitoring for the WMCO.
    2. Create the namespace:

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example:

      $ oc create -f wmco-namespace.yaml
      Copy to Clipboard Toggle word wrap
  2. Create the Operator group for the WMCO.

    1. Create an OperatorGroup object YAML file. For example, wmco-og.yaml:

      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: windows-machine-config-operator
        namespace: openshift-windows-machine-config-operator
      spec:
        targetNamespaces:
        - openshift-windows-machine-config-operator
      Copy to Clipboard Toggle word wrap
    2. Create the Operator group:

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example:

      $ oc create -f wmco-og.yaml
      Copy to Clipboard Toggle word wrap
  3. Subscribe the namespace to the WMCO.

    1. Create a Subscription object YAML file. For example, wmco-sub.yaml:

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: windows-machine-config-operator
        namespace: openshift-windows-machine-config-operator
      spec:
        channel: "stable" 
      1
      
        installPlanApproval: "Automatic" 
      2
      
        name: "windows-machine-config-operator"
        source: "redhat-operators" 
      3
      
        sourceNamespace: "openshift-marketplace" 
      4
      Copy to Clipboard Toggle word wrap
      1
      Specify stable as the channel.
      2
      Set an approval strategy. You can set Automatic or Manual.
      3
      Specify the redhat-operators catalog source, which contains the windows-machine-config-operator package manifests. If your OpenShift Container Platform is installed on a restricted network, also known as a disconnected cluster, specify the name of the CatalogSource object you created when you configured the Operator LifeCycle Manager (OLM).
      4
      Namespace of the catalog source. Use openshift-marketplace for the default OperatorHub catalog sources.
    2. Create the subscription:

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example:

      $ oc create -f wmco-sub.yaml
      Copy to Clipboard Toggle word wrap

      The WMCO is now installed to the openshift-windows-machine-config-operator.

  4. Verify the WMCO installation:

    $ oc get csv -n openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                    DISPLAY                           VERSION   REPLACES   PHASE
    windows-machine-config-operator.2.0.0   Windows Machine Config Operator   2.0.0                Succeeded
    Copy to Clipboard Toggle word wrap

To run the Windows Machine Config Operator (WMCO), you must create a secret in the WMCO namespace containing a private key. This is required to allow the WMCO to communicate with the Windows virtual machine (VM).

Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You created a PEM-encoded file containing a private key by using a strong algorithm, such as ECDSA.

    If you created the key pair on a Red Hat Enterprise Linux (RHEL) system, before you can use the public key on a Windows system, make sure the public key is saved using ASCII encoding. For example, the following PowerShell command copies a public key, encoding it for the ASCII character set:

    C:\> echo "ssh-rsa <ssh_pub_key>" | Out-File <ssh_key_path> -Encoding ascii
    Copy to Clipboard Toggle word wrap

    where:

    <ssh_pub_key>
    Specifies the SSH public key used to access the cluster.
    <ssh_key_path>
    Specifies the path to the SSH public key.

Procedure

  • Define the secret required to access the Windows VMs:

    $ oc create secret generic cloud-private-key --from-file=private-key.pem=${HOME}/.ssh/<key> \
        -n openshift-windows-machine-config-operator 
    1
    Copy to Clipboard Toggle word wrap
1
You must create the private key in the WMCO namespace, like openshift-windows-machine-config-operator.

It is recommended to use a different private key than the one used when installing the cluster.

By default, the Windows Machine Config Operator (WMCO) is configured to use the info log level. You can change the log level to debug by editing the WMCO Subscription object.

Procedure

  1. Edit the windows-machine-config-operator subscription in the windows-machine-config-operator namespace by using the following command:

    $ oc edit subscription windows-machine-config-operator -n openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap
  2. Add the follwing parameters to the .spec.config.env stanza:

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    # ...
      name: windows-machine-config-operator
      namespace: openshift-windows-machine-config-operator
    # ...
    spec:
    # ...
      config:
        env:
        - name: ARGS 
    1
    
          value: --debugLogging 
    2
    Copy to Clipboard Toggle word wrap
    1
    Defines a list of environment variables that must exist in all containers in the pod.
    2
    Specifies the debug level of verbosity for log messages.

You can revert to the default info log level by removing the name and value parameters that you added.

The Windows Machine Config Operator (WMCO) can consume and use a cluster-wide egress proxy configuration when making external requests outside the cluster’s internal network.

This allows you to add Windows nodes and run workloads in a proxy-enabled cluster, allowing your Windows nodes to pull images from registries that are secured behind your proxy server or to make requests to off-cluster services and services that use a custom public key infrastructure.

Note

The cluster-wide proxy affects system components only, not user workloads.

In proxy-enabled clusters, the WMCO is aware of the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY values that are set for the cluster. The WMCO periodically checks whether the proxy environment variables have changed. If there is a discrepancy, the WMCO reconciles and updates the proxy environment variables on the Windows instances.

Windows workloads created on Windows nodes in proxy-enabled clusters do not inherit proxy settings from the node by default, the same as with Linux nodes. Also, by default PowerShell sessions do not inherit proxy settings on Windows nodes in proxy-enabled clusters.

The Windows Machine Config Operator (WMCO) can pull images from a registry mirror rather than from a public registry by using an ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) object to configure your cluster to pull images from the mirror registry.

A mirror registry has the following benefits:

  • Avoids public registry outages
  • Speeds up node and pod creation
  • Pulls images from behind your organization’s firewall

A mirror registry can also be used with a OpenShift Container Platform cluster in a disconnected, or air-gapped, network. A disconnected network is a restricted network without direct internet connectivity. Because the cluster does not have access to the internet, any external container images cannot be referenced.

Using a mirror registry requires the following general steps:

  • Create the mirror registry, using a tool such as Red Hat Quay.
  • Create a container image registry credentials file.
  • Copy the images from your online image repository to your mirror registry.

For information about these steps, see "About disconnected installation mirroring."

After creating the mirror registry and mirroring the images, you can use an ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) object to configure your cluster to pull images from the mirror registry without needing to update each of your pod specs. The IDMS and ITMS objects redirect requests to pull images from a repository on a source image registry and have it resolved by the mirror repository instead.

If changes are made to the IDMS or ITMS object, the WMCO automatically updates the appropriate hosts.toml file on your Windows nodes with the new information. Note that the WMCO sequentially updates each Windows node when mirror settings are changed. As such, the time required for these updates increases with the number of Windows nodes in the cluster.

Because Windows nodes configured by the WMCO rely on the containerd container runtime, the WMCO ensures that the containerd configuration files are up-to-date with the registry settings. For new nodes, these files are copied to the instances upon creation. For existing nodes, after activating the mirror registry, the registry controller uses SSH to access each node and copy the generated configuration files, replacing any existing files.

You can use a mirror registry with machine set or Bring-Your-Own-Host (BYOH) Windows nodes.

When using an IDMS or ITMS object to mirror container images on Windows nodes, take note of the following behaviors that differ from Linux nodes:

  • Mirroring on Windows nodes works on the registry level, rather than on the image level used by Linux nodes. As such, Windows images mirrored by using IDMS or ITMS objects have specific naming requirements.

    The final portion of the namespace and the image name of the mirror image must match the image being mirrored. For example, when mirroring the mcr.microsoft.com/oss/kubernetes/pause:3.9 image, the mirror must be in the $mirrorRegistry/<organization>/oss/kubernetes/pause:3.9 format, where $org can be any organization name or namespace or excluded entirely. Some valid values are $mirrorRegistry/oss/kubernetes/pause:3.9, $mirrorRegistry/custom/oss/kubernetes/pause:3.9, and $mirrorRegistry/x/y/z/oss/kubernetes/pause:3.9.

  • A Windows node takes the ITMS object and uses it to configure registry-wide mirrors. In the following example, configuring quay.io/remote-org/image to mirror to quay.io/my-org/image results in the Windows node using that mirror for all images from quay.io/remote-org. As such, quay.io/remote-org/image:tag uses the quay.io/my-org/image:tag image, as expected, but another container using quay.io/remote-org/different-image:tag would also try to use the quay.io/remote-org/different-image:tag mirror. This can cause unintended behavior if it is not accounted for.

    For this reason, specify container images using a digest by an IDMS object instead of an ITMS object. Using a digest can prevent the wrong container image from being used, by ensuring that the image the container specifies and the image being pulled have the same digest.

Setting up container registry repository mirroring enables you to perform the following tasks:

  • Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
  • Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.

Repository mirroring in OpenShift Container Platform includes the following attributes:

  • Image pulls are resilient to registry downtimes.
  • Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
  • A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
  • The mirror information you enter is added to the appropriate hosts.toml containerd configuration file(s) on every Windows node in the OpenShift Container Platform cluster.
  • When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.

Setting up repository mirroring can be done in the following ways:

  • At OpenShift Container Platform installation:

    By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a data center that is in a disconnected environment.

  • After OpenShift Container Platform installation:

    If you did not configure mirroring during OpenShift Container Platform installation, you can do so postinstallation by using any of the following custom resource (CR) objects:

    • ImageDigestMirrorSet (IDMS). This object allows you to pull images from a mirrored registry by using digest specifications. The IDMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
    • ImageTagMirrorSet (ITMS). This object allows you to pull images from a mirrored registry by using image tags. The ITMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.

Each of these custom resource objects identify the following information:

  • The source of the container image repository you want to mirror.
  • A separate entry for each mirror repository you want to offer the content requested from the source repository.

Note the following actions and how they affect node drain behavior:

  • If you create an IDMS or ICSP CR object, the MCO does not drain or reboot the node.
  • If you create an ITMS CR object, the MCO drains and reboots the node.
  • If you delete an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node.
  • If you modify an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node.

    Important
    • When the MCO detects any of the following changes, it applies the update without draining or rebooting the node:

      • Changes to the SSH key in the spec.config.passwd.users.sshAuthorizedKeys parameter of a machine config.
      • Changes to the global pull secret or pull secret in the openshift-config namespace.
      • Automatic rotation of the /etc/kubernetes/kubelet-ca.crt certificate authority (CA) by the Kubernetes API Server Operator.
    • When the MCO detects changes to the /etc/containers/registries.conf file, such as editing an ImageDigestMirrorSet, ImageTagMirrorSet, or ImageContentSourcePolicy object, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen for the following changes:

      • The addition of a registry with the pull-from-mirror = "digest-only" parameter set for each mirror.
      • The addition of a mirror with the pull-from-mirror = "digest-only" parameter set in a registry.
      • The addition of items to the unqualified-search-registries list.

The Windows Machine Config Operator (WMCO) watches for changes to the IDMS and ITMS resources and generates a set of hosts.toml containerd configuration files, one file for each source registry, with those changes. The WMCO then updates any existing Windows nodes to use the new registry configuration.

Note

The IDMS and ITMS objects must be created before you can add Windows nodes using a mirrored registry.

You can create postinstallation mirror configuration custom resources (CR) to redirect image pull requests from a source image registry to a mirrored image registry.

Important

Windows images mirrored through ImageDigestMirrorSet and ImageTagMirrorSet objects have specific naming requirements as described in "Using Windows containers with a mirror registry".

Prerequisites

  • Access to the cluster as a user with the cluster-admin role.

Procedure

  1. Configure mirrored repositories, by either:

    • Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
    • Using a tool such as skopeo to copy images manually from the source repository to the mirrored repository.

      For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the skopeo command as shown in this example:

      $ skopeo copy --all \
      docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \
      docker://example.io/example/ubi-minimal
      Copy to Clipboard Toggle word wrap

      In this example, you have a container image registry that is named example.io with an image repository named example to which you want to copy the ubi9/ubi-minimal image from registry.access.redhat.com. After you create the mirrored registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.

    Important

    You must mirror the mcr.microsoft.com/oss/kubernetes/pause:3.9 image. For example, you could use the following skopeo command to mirror the image:

    $ skopeo copy \
    docker://mcr.microsoft.com/oss/kubernetes/pause:3.9\
    docker://example.io/oss/kubernetes/pause:3.9
    Copy to Clipboard Toggle word wrap
  2. Log in to your OpenShift Container Platform cluster.
  3. Create an ImageDigestMirrorSet or ImageTagMirrorSet CR, as needed, replacing the source and mirrors with your own registry and repository pairs and images:

    apiVersion: config.openshift.io/v1 
    1
    
    kind: ImageDigestMirrorSet 
    2
    
    metadata:
      name: ubi9repo
    spec:
      imageDigestMirrors: 
    3
    
      - mirrors:
        - example.io/example/ubi-minimal 
    4
    
        - example.com/example2/ubi-minimal 
    5
    
        source: registry.access.redhat.com/ubi9/ubi-minimal 
    6
    
        mirrorSourcePolicy: AllowContactingSource 
    7
    
      - mirrors:
        - mirror.example.com
        source: registry.redhat.io
        mirrorSourcePolicy: NeverContactSource
      - mirrors:
        - docker.io
        source: docker-mirror.internal
        mirrorSourcePolicy: AllowContactingSource
    Copy to Clipboard Toggle word wrap
    1
    Indicates the API to use with this CR. This must be config.openshift.io/v1.
    2
    Indicates the kind of object according to the pull type:
    • ImageDigestMirrorSet: Pulls a digest reference image.
    • ImageTagMirrorSet: Pulls a tag reference image.
    3
    Indicates the type of image pull method, either:
    • imageDigestMirrors: Use for an ImageDigestMirrorSet CR.
    • imageTagMirrors: Use for an ImageTagMirrorSet CR.
    4
    Indicates the name of the mirrored image registry and repository.
    5
    Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use another mirror.
    6
    Indicates the registry and repository source, which is the repository that is referred to in image pull specifications.
    7
    Optional: Indicates the fallback policy if the image pull fails:
    • AllowContactingSource: Allows continued attempts to pull the image from the source repository. This is the default.
    • NeverContactSource: Prevents continued attempts to pull the image from the source repository.
  4. Create the new object:

    $ oc create -f registryrepomirror.yaml
    Copy to Clipboard Toggle word wrap
  5. To check that the mirrored configuration settings are applied, do the following on one of the nodes.

    1. List your nodes:

      $ oc get node
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                           STATUS                     ROLES    AGE  VERSION
      ip-10-0-137-44.ec2.internal    Ready                      worker   7m   v1.32.3
      ip-10-0-138-148.ec2.internal   Ready                      master   11m  v1.32.3
      ip-10-0-139-122.ec2.internal   Ready                      master   11m  v1.32.3
      ip-10-0-147-35.ec2.internal    Ready                      worker   7m   v1.32.3
      ip-10-0-153-12.ec2.internal    Ready                      worker   7m   v1.32.3
      ip-10-0-154-10.ec2.internal    Ready                      master   11m  v1.32.3
      Copy to Clipboard Toggle word wrap

    2. Start the debugging process to access the node:

      $ oc debug node/ip-10-0-147-35.ec2.internal
      Copy to Clipboard Toggle word wrap

      Example output

      Starting pod/ip-10-0-147-35ec2internal-debug ...
      To use host binaries, run `chroot /host`
      Copy to Clipboard Toggle word wrap

    3. Change your root directory to /host:

      sh-4.2# chroot /host
      Copy to Clipboard Toggle word wrap
    4. Check that the WMCO generated a hosts.toml file for each registry on each Windows instance. For the previous example IDMS object, there should be three files in the following file structure:

      $ tree $config_path
      Copy to Clipboard Toggle word wrap

      Example output

      C:/k/containerd/registries/
      |── registry.access.redhat.com
      |   └── hosts.toml
      |── mirror.example.com
      |   └── hosts.toml
      └── docker.io
          └── hosts.toml:
      Copy to Clipboard Toggle word wrap

      The following output represents a hosts.toml containerd configuration file where the previous example IDMS object was applied.

      Example host.toml files

      $ cat "$config_path"/registry.access.redhat.com/host.toml
      server = "https://registry.access.redhat.com" # default fallback server since "AllowContactingSource" mirrorSourcePolicy is set
      
      [host."https://example.io/example/ubi-minimal"]
       capabilities = ["pull"]
      
      [host."https://example.com/example2/ubi-minimal"] # secondary mirror
       capabilities = ["pull"]
      
      
      $ cat "$config_path"/registry.redhat.io/host.toml
      # "server" omitted since "NeverContactSource" mirrorSourcePolicy is set
      
      [host."https://mirror.example.com"]
       capabilities = ["pull"]
      
      
      $ cat "$config_path"/docker.io/host.toml
      server = "https://docker.io"
      
      [host."https://docker-mirror.internal"]
       capabilities = ["pull", "resolve"] # resolve tags
      Copy to Clipboard Toggle word wrap

    5. Pull an image to the node from the source and check if it is resolved by the mirror.

      sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf...
      Copy to Clipboard Toggle word wrap

Troubleshooting repository mirroring

If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.

  • The first working mirror is used to supply the pulled image.
  • The main registry is only used if no other mirror works.
  • From the system context, the Insecure flags are used as fallback.

5.7. Rebooting a node gracefully

The Windows Machine Config Operator (WMCO) minimizes node reboots whenever possible. However, certain operations and updates require a reboot to ensure that changes are applied correctly and securely. To safely reboot your Windows nodes, use the graceful reboot process. For information on gracefully rebooting a standard OpenShift Container Platform node, see "Rebooting a node gracefully" in the Nodes documentation.

Before rebooting a node, it is recommended to backup etcd data to avoid any data loss on the node.

Note

For single-node OpenShift clusters that require users to perform the oc login command rather than having the certificates in kubeconfig file to manage the cluster, the oc adm commands might not be available after cordoning and draining the node. This is because the openshift-oauth-apiserver pod is not running due to the cordon. You can use SSH to access the nodes as indicated in the following procedure.

In a single-node OpenShift cluster, pods cannot be rescheduled when cordoning and draining. However, doing so gives the pods, especially your workload pods, time to properly stop and release associated resources.

Procedure

To perform a graceful restart of a node:

  1. Mark the node as unschedulable:

    $ oc adm cordon <node1>
    Copy to Clipboard Toggle word wrap
  2. Drain the node to remove all the running pods:

    $ oc adm drain <node1> --ignore-daemonsets --delete-emptydir-data --force
    Copy to Clipboard Toggle word wrap

    You might receive errors that pods associated with custom pod disruption budgets (PDB) cannot be evicted.

    Example error

    error when evicting pods/"rails-postgresql-example-1-72v2w" -n "rails" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
    Copy to Clipboard Toggle word wrap

    In this case, run the drain command again, adding the disable-eviction flag, which bypasses the PDB checks:

    $ oc adm drain <node1> --ignore-daemonsets --delete-emptydir-data --force --disable-eviction
    Copy to Clipboard Toggle word wrap
  3. SSH into the Windows node and enter PowerShell by running the following command:

    C:\> powershell
    Copy to Clipboard Toggle word wrap
  4. Restart the node by running the following command:

    C:\>  Restart-Computer -Force
    Copy to Clipboard Toggle word wrap
  5. Windows nodes on Amazon Web Services (AWS) do not return to READY state after a graceful reboot due to an inconsistency with the EC2 instance metadata routes and the Host Network Service (HNS) networks.

    After the reboot, SSH into any Windows node on AWS and add the route by running the following command in a shell prompt:

    C:\> route add 169.254.169.254 mask 255.255.255.0 <gateway_ip>
    Copy to Clipboard Toggle word wrap

    where:

    169.254.169.254
    Specifies the address of the EC2 instance metadata endpoint.
    255.255.255.255
    Specifies the network mask of the EC2 instance metadata endpoint.
    <gateway_ip>

    Specifies the corresponding IP address of the gateway in the Windows instance, which you can find by running the following command:

    C:\> ipconfig | findstr /C:"Default Gateway"
    Copy to Clipboard Toggle word wrap
  6. After the reboot is complete, mark the node as schedulable by running the following command:

    $ oc adm uncordon <node1>
    Copy to Clipboard Toggle word wrap
  7. Verify that the node is ready:

    $ oc get node <node1>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME    STATUS  ROLES    AGE     VERSION
    <node1> Ready   worker   6d22h   v1.18.3+b0068a8
    Copy to Clipboard Toggle word wrap

Chapter 6. Creating Windows machine sets

6.1. Creating a Windows machine set on AWS

You can create a Windows MachineSet object to serve a specific purpose in your OpenShift Container Platform cluster on Amazon Web Services (AWS). For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.

6.1.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a supported Windows Server as the operating system image.

    Use one of the following aws commands, as appropriate for your Windows Server release, to query valid AMI images:

    Example Windows Server 2022 command

    $ aws ec2 describe-images --region <aws_region_name> --filters "Name=name,Values=Windows_Server-2022*English*Core*Base*" "Name=is-public,Values=true" --query "reverse(sort_by(Images, &CreationDate))[*].{name: Name, id: ImageId}" --output table
    Copy to Clipboard Toggle word wrap

    Example Windows Server 2019 command

    $ aws ec2 describe-images --region <aws_region_name> --filters "Name=name,Values=Windows_Server-2019*English*Core*Base*" "Name=is-public,Values=true" --query "reverse(sort_by(Images, &CreationDate))[*].{name: Name, id: ImageId}" --output table
    Copy to Clipboard Toggle word wrap

    where:

    <aws_region_name>
    Specifies the name of your AWS region.
  • For disconnected clusters, the Windows AMI must have the EC2LaunchV2 agent version 2.0.2107 or later installed. For more information, see the Install the latest version of EC2Launch v2 in the AWS documentation.

6.1.2. Machine API overview

The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.

For OpenShift Container Platform 4.19 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.19 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.

The two primary resources are:

Machines
A fundamental unit that describes the host for a node. A machine has a providerSpec specification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
Machine sets

MachineSet resources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the replicas field on the MachineSet resource to meet your compute need.

Warning

Control plane machines cannot be managed by compute machine sets.

Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines.

For more information, see “Managing control plane machines".

The following custom resources add more capabilities to your cluster:

Machine autoscaler

The MachineAutoscaler resource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.

The MachineAutoscaler object takes effect after a ClusterAutoscaler object exists. Both ClusterAutoscaler and MachineAutoscaler resources are made available by the ClusterAutoscalerOperator object.

Cluster autoscaler

This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways:

  • Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
  • Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
  • Set the scaling policy so that you can scale up nodes but not scale them down
Machine health check
The MachineHealthCheck resource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.

In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.

This sample YAML defines a Windows MachineSet object running on Amazon Web Services (AWS) that the Windows Machine Config Operator (WMCO) can react upon.

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
1

  name: <infrastructure_id>-windows-worker-<zone> 
2

  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
3

      machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone> 
4

  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
5

        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone> 
6

        machine.openshift.io/os-id: Windows 
7

    spec:
      metadata:
        labels:
          node-role.kubernetes.io/worker: "" 
8

      providerSpec:
        value:
          ami:
            id: <windows_container_ami> 
9

          apiVersion: awsproviderconfig.openshift.io/v1beta1
          blockDevices:
            - ebs:
                iops: 0
                volumeSize: 120
                volumeType: gp2
          credentialsSecret:
            name: aws-cloud-credentials
          deviceIndex: 0
          iamInstanceProfile:
            id: <infrastructure_id>-worker-profile 
10

          instanceType: m5a.large
          kind: AWSMachineProviderConfig
          placement:
            availabilityZone: <zone> 
11

            region: <region> 
12

          securityGroups:
          - filters:
            - name: tag:Name
              values:
              - <infrastructure_id>-node 
13

          - filters:
            - name: tag:Name
              values:
              - <infrastructure_id>-lb 
14

          subnet:
            filters:
            - name: tag:Name
              values:
              - <infrastructure_id>-subnet-private-<zone> 
15

          tags:
            - name: kubernetes.io/cluster/<infrastructure_id> 
16

              value: owned
          userDataSecret:
            name: windows-user-data 
17

            namespace: openshift-machine-api
Copy to Clipboard Toggle word wrap
1 3 5 10 13 14 15 16
Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
Copy to Clipboard Toggle word wrap
2 4 6
Specify the infrastructure ID, worker label, and zone.
7
Configure the compute machine set as a Windows machine.
8
Configure the Windows node as a compute machine.
9
Specify the AMI ID of a supported Windows image with a container runtime installed.
Note

For disconnected clusters, the Windows AMI must have the EC2LaunchV2 agent version 2.0.2107 or later installed. For more information, see the Install the latest version of EC2Launch v2 in the AWS documentation.

11
Specify the AWS zone, like us-east-1a.
12
Specify the AWS region, like us-east-1.
17
Created by the WMCO when it is configuring the first Windows machine. After that, the windows-user-data is available for all subsequent compute machine sets to consume.

6.1.4. Creating a compute machine set

In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.
  • In disconnected environments, the image specified in the MachineSet custom resource (CR) must have the OpenSSH server v0.0.1.0 installed.

Procedure

  1. Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named <file_name>.yaml.

    Ensure that you set the <clusterID> and <role> parameter values.

  2. Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.

    1. To list the compute machine sets in your cluster, run the following command:

      $ oc get machinesets -n openshift-machine-api
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
      agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1d   0         0                             55m
      agl030519-vplxk-worker-us-east-1e   0         0                             55m
      agl030519-vplxk-worker-us-east-1f   0         0                             55m
      Copy to Clipboard Toggle word wrap

    2. To view values of a specific compute machine set custom resource (CR), run the following command:

      $ oc get machineset <machineset_name> \
        -n openshift-machine-api -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: machine.openshift.io/v1beta1
      kind: MachineSet
      metadata:
        labels:
          machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
      1
      
        name: <infrastructure_id>-<role> 
      2
      
        namespace: openshift-machine-api
      spec:
        replicas: 1
        selector:
          matchLabels:
            machine.openshift.io/cluster-api-cluster: <infrastructure_id>
            machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
        template:
          metadata:
            labels:
              machine.openshift.io/cluster-api-cluster: <infrastructure_id>
              machine.openshift.io/cluster-api-machine-role: <role>
              machine.openshift.io/cluster-api-machine-type: <role>
              machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
          spec:
            providerSpec: 
      3
      
              ...
      Copy to Clipboard Toggle word wrap

      1
      The cluster infrastructure ID.
      2
      A default node label.
      Note

      For clusters that have user-provisioned infrastructure, a compute machine set can only create worker and infra type machines.

      3
      The values in the <providerSpec> section of the compute machine set CR are platform-specific. For more information about <providerSpec> parameters in the CR, see the sample compute machine set CR configuration for your provider.
  3. Create a MachineSet CR by running the following command:

    $ oc create -f <file_name>.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • View the list of compute machine sets by running the following command:

    $ oc get machineset -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
    agl030519-vplxk-windows-worker-us-east-1a  1         1         1       1           11m
    agl030519-vplxk-worker-us-east-1a          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1b          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1c          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1d          0         0                             55m
    agl030519-vplxk-worker-us-east-1e          0         0                             55m
    agl030519-vplxk-worker-us-east-1f          0         0                             55m
    Copy to Clipboard Toggle word wrap

    When the new compute machine set is available, the DESIRED and CURRENT values match. If the compute machine set is not available, wait a few minutes and run the command again.

6.2. Creating a Windows machine set on Azure

You can create a Windows MachineSet object to serve a specific purpose in your OpenShift Container Platform cluster on Microsoft Azure. For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.

6.2.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a supported Windows Server as the operating system image.

6.2.2. Machine API overview

The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.

For OpenShift Container Platform 4.19 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.19 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.

The two primary resources are:

Machines
A fundamental unit that describes the host for a node. A machine has a providerSpec specification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
Machine sets

MachineSet resources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the replicas field on the MachineSet resource to meet your compute need.

Warning

Control plane machines cannot be managed by compute machine sets.

Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines.

For more information, see “Managing control plane machines".

The following custom resources add more capabilities to your cluster:

Machine autoscaler

The MachineAutoscaler resource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.

The MachineAutoscaler object takes effect after a ClusterAutoscaler object exists. Both ClusterAutoscaler and MachineAutoscaler resources are made available by the ClusterAutoscalerOperator object.

Cluster autoscaler

This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways:

  • Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
  • Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
  • Set the scaling policy so that you can scale up nodes but not scale them down
Machine health check
The MachineHealthCheck resource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.

In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.

This sample YAML defines a Windows MachineSet object running on Microsoft Azure that the Windows Machine Config Operator (WMCO) can react upon.

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
1

  name: <windows_machine_set_name> 
2

  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
3

      machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> 
4

  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
5

        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> 
6

        machine.openshift.io/os-id: Windows 
7

    spec:
      metadata:
        labels:
          node-role.kubernetes.io/worker: "" 
8

      providerSpec:
        value:
          apiVersion: azureproviderconfig.openshift.io/v1beta1
          credentialsSecret:
            name: azure-cloud-credentials
            namespace: openshift-machine-api
          image: 
9

            offer: WindowsServer
            publisher: MicrosoftWindowsServer
            resourceID: ""
            sku: 2019-Datacenter-with-Containers
            version: latest
          kind: AzureMachineProviderSpec
          location: <location> 
10

          networkResourceGroup: <infrastructure_id>-rg 
11

          osDisk:
            diskSizeGB: 128
            managedDisk:
              storageAccountType: Premium_LRS
            osType: Windows
          publicIP: false
          resourceGroup: <infrastructure_id>-rg 
12

          subnet: <infrastructure_id>-worker-subnet
          userDataSecret:
            name: windows-user-data 
13

            namespace: openshift-machine-api
          vmSize: Standard_D2s_v3
          vnet: <infrastructure_id>-vnet 
14

          zone: "<zone>" 
15
Copy to Clipboard Toggle word wrap
1 3 5 11 12 14
Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
Copy to Clipboard Toggle word wrap
2 4 6
Specify the Windows compute machine set name. Windows machine names on Azure cannot be more than 15 characters long. Therefore, the compute machine set name cannot be more than 9 characters long, due to the way machine names are generated from it.
7
Configure the compute machine set as a Windows machine.
8
Configure the Windows node as a compute machine.
9
Specify a WindowsServer image offering that defines the 2019-Datacenter-with-Containers SKU.
10
Specify the Azure region, like centralus.
13
Created by the WMCO when it is configuring the first Windows machine. After that, the windows-user-data is available for all subsequent compute machine sets to consume.
15
Specify the zone within your region to place machines on. Be sure that your region supports the zone that you specify.

6.2.4. Creating a compute machine set

In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.
  • In disconnected environments, the image specified in the MachineSet custom resource (CR) must have the OpenSSH server v0.0.1.0 installed.

Procedure

  1. Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named <file_name>.yaml.

    Ensure that you set the <clusterID> and <role> parameter values.

  2. Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.

    1. To list the compute machine sets in your cluster, run the following command:

      $ oc get machinesets -n openshift-machine-api
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
      agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1d   0         0                             55m
      agl030519-vplxk-worker-us-east-1e   0         0                             55m
      agl030519-vplxk-worker-us-east-1f   0         0                             55m
      Copy to Clipboard Toggle word wrap

    2. To view values of a specific compute machine set custom resource (CR), run the following command:

      $ oc get machineset <machineset_name> \
        -n openshift-machine-api -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: machine.openshift.io/v1beta1
      kind: MachineSet
      metadata:
        labels:
          machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
      1
      
        name: <infrastructure_id>-<role> 
      2
      
        namespace: openshift-machine-api
      spec:
        replicas: 1
        selector:
          matchLabels:
            machine.openshift.io/cluster-api-cluster: <infrastructure_id>
            machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
        template:
          metadata:
            labels:
              machine.openshift.io/cluster-api-cluster: <infrastructure_id>
              machine.openshift.io/cluster-api-machine-role: <role>
              machine.openshift.io/cluster-api-machine-type: <role>
              machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
          spec:
            providerSpec: 
      3
      
              ...
      Copy to Clipboard Toggle word wrap

      1
      The cluster infrastructure ID.
      2
      A default node label.
      Note

      For clusters that have user-provisioned infrastructure, a compute machine set can only create worker and infra type machines.

      3
      The values in the <providerSpec> section of the compute machine set CR are platform-specific. For more information about <providerSpec> parameters in the CR, see the sample compute machine set CR configuration for your provider.
  3. Create a MachineSet CR by running the following command:

    $ oc create -f <file_name>.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • View the list of compute machine sets by running the following command:

    $ oc get machineset -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
    agl030519-vplxk-windows-worker-us-east-1a  1         1         1       1           11m
    agl030519-vplxk-worker-us-east-1a          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1b          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1c          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1d          0         0                             55m
    agl030519-vplxk-worker-us-east-1e          0         0                             55m
    agl030519-vplxk-worker-us-east-1f          0         0                             55m
    Copy to Clipboard Toggle word wrap

    When the new compute machine set is available, the DESIRED and CURRENT values match. If the compute machine set is not available, wait a few minutes and run the command again.

6.3. Creating a Windows machine set on GCP

You can create a Windows MachineSet object to serve a specific purpose in your OpenShift Container Platform cluster on Google Cloud Platform (GCP). For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.

6.3.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a supported Windows Server as the operating system image.

6.3.2. Machine API overview

The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.

For OpenShift Container Platform 4.19 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.19 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.

The two primary resources are:

Machines
A fundamental unit that describes the host for a node. A machine has a providerSpec specification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
Machine sets

MachineSet resources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the replicas field on the MachineSet resource to meet your compute need.

Warning

Control plane machines cannot be managed by compute machine sets.

Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines.

For more information, see “Managing control plane machines".

The following custom resources add more capabilities to your cluster:

Machine autoscaler

The MachineAutoscaler resource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.

The MachineAutoscaler object takes effect after a ClusterAutoscaler object exists. Both ClusterAutoscaler and MachineAutoscaler resources are made available by the ClusterAutoscalerOperator object.

Cluster autoscaler

This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways:

  • Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
  • Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
  • Set the scaling policy so that you can scale up nodes but not scale them down
Machine health check
The MachineHealthCheck resource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.

In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.

This sample YAML file defines a Windows MachineSet object running on Google Cloud Platform (GCP) that the Windows Machine Config Operator (WMCO) can use.

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
1

  name: <infrastructure_id>-windows-worker-<zone_suffix> 
2

  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
3

      machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone_suffix> 
4

  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
5

        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone_suffix> 
6

        machine.openshift.io/os-id: Windows 
7

    spec:
      metadata:
        labels:
          node-role.kubernetes.io/worker: "" 
8

      providerSpec:
        value:
          apiVersion: machine.openshift.io/v1beta1
          canIPForward: false
          credentialsSecret:
            name: gcp-cloud-credentials
          deletionProtection: false
          disks:
          - autoDelete: true
            boot: true
            image: <windows_server_image> 
9

            sizeGb: 128
            type: pd-ssd
          kind: GCPMachineProviderSpec
          machineType: n1-standard-4
          networkInterfaces:
          - network: <infrastructure_id>-network 
10

            subnetwork: <infrastructure_id>-worker-subnet
          projectID: <project_id> 
11

          region: <region> 
12

          serviceAccounts:
          - email: <infrastructure_id>-w@<project_id>.iam.gserviceaccount.com
            scopes:
            - https://www.googleapis.com/auth/cloud-platform
          tags:
          - <infrastructure_id>-worker
          userDataSecret:
            name: windows-user-data 
13

          zone: <zone> 
14
Copy to Clipboard Toggle word wrap
1 3 5 10
Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
Copy to Clipboard Toggle word wrap
2 4 6
Specify the infrastructure ID, worker label, and zone suffix (such as a).
7
Configure the machine set as a Windows machine.
8
Configure the Windows node as a compute machine.
9
Specify the full path to an image of a supported version of Windows Server.
11
Specify the GCP project that this cluster was created in.
12
Specify the GCP region, such as us-central1.
13
Created by the WMCO when it configures the first Windows machine. After that, the windows-user-data is available for all subsequent machine sets to consume.
14
Specify the zone within the chosen region, such as us-central1-a.

6.3.4. Creating a compute machine set

In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.

Procedure

  1. Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named <file_name>.yaml.

    Ensure that you set the <clusterID> and <role> parameter values.

  2. Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.

    1. To list the compute machine sets in your cluster, run the following command:

      $ oc get machinesets -n openshift-machine-api
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
      agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1d   0         0                             55m
      agl030519-vplxk-worker-us-east-1e   0         0                             55m
      agl030519-vplxk-worker-us-east-1f   0         0                             55m
      Copy to Clipboard Toggle word wrap

    2. To view values of a specific compute machine set custom resource (CR), run the following command:

      $ oc get machineset <machineset_name> \
        -n openshift-machine-api -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: machine.openshift.io/v1beta1
      kind: MachineSet
      metadata:
        labels:
          machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
      1
      
        name: <infrastructure_id>-<role> 
      2
      
        namespace: openshift-machine-api
      spec:
        replicas: 1
        selector:
          matchLabels:
            machine.openshift.io/cluster-api-cluster: <infrastructure_id>
            machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
        template:
          metadata:
            labels:
              machine.openshift.io/cluster-api-cluster: <infrastructure_id>
              machine.openshift.io/cluster-api-machine-role: <role>
              machine.openshift.io/cluster-api-machine-type: <role>
              machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
          spec:
            providerSpec: 
      3
      
              ...
      Copy to Clipboard Toggle word wrap

      1
      The cluster infrastructure ID.
      2
      A default node label.
      Note

      For clusters that have user-provisioned infrastructure, a compute machine set can only create worker and infra type machines.

      3
      The values in the <providerSpec> section of the compute machine set CR are platform-specific. For more information about <providerSpec> parameters in the CR, see the sample compute machine set CR configuration for your provider.
  3. Create a MachineSet CR by running the following command:

    $ oc create -f <file_name>.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • View the list of compute machine sets by running the following command:

    $ oc get machineset -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    agl030519-vplxk-infra-us-east-1a    1         1         1       1           11m
    agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1d   0         0                             55m
    agl030519-vplxk-worker-us-east-1e   0         0                             55m
    agl030519-vplxk-worker-us-east-1f   0         0                             55m
    Copy to Clipboard Toggle word wrap

    When the new compute machine set is available, the DESIRED and CURRENT values match. If the compute machine set is not available, wait a few minutes and run the command again.

You can create a Windows MachineSet object to serve a specific purpose in your OpenShift Container Platform cluster on Nutanix. For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.

6.4.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a supported Windows Server as the operating system image.
  • You added a new DNS entry for the internal API server URL, api-int.<cluster_name>.<base_domain>, that points to the external API server URL, api.<cluster_name>.<base_domain>. This can be a CNAME or an additional A record.

6.4.2. Machine API overview

The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.

For OpenShift Container Platform 4.19 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.19 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.

The two primary resources are:

Machines
A fundamental unit that describes the host for a node. A machine has a providerSpec specification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
Machine sets

MachineSet resources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the replicas field on the MachineSet resource to meet your compute need.

Warning

Control plane machines cannot be managed by compute machine sets.

Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines.

For more information, see “Managing control plane machines".

The following custom resources add more capabilities to your cluster:

Machine autoscaler

The MachineAutoscaler resource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.

The MachineAutoscaler object takes effect after a ClusterAutoscaler object exists. Both ClusterAutoscaler and MachineAutoscaler resources are made available by the ClusterAutoscalerOperator object.

Cluster autoscaler

This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways:

  • Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
  • Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
  • Set the scaling policy so that you can scale up nodes but not scale them down
Machine health check
The MachineHealthCheck resource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.

In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.

This sample YAML defines a Windows MachineSet object running on Nutanix that the Windows Machine Config Operator (WMCO) can react upon.

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
1

  name: <infrastructure_id>-windows-worker-<zone> 
2

  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
3

      machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone> 
4

  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
5

        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: <infrastructure_id>-windows-worker-<zone> 
6

        machine.openshift.io/os-id: Windows 
7

    spec:
      metadata:
        labels:
          node-role.kubernetes.io/worker: "" 
8

      providerSpec:
        value:
          apiVersion: machine.openshift.io/v1
          bootType: "" 
9

          categories: null
          cluster: 
10

            type: uuid
            uuid: <cluster_uuid>
          credentialsSecret:
            name: nutanix-credentials 
11

          image: 
12

            name: <image_id>
            type: name
          kind: NutanixMachineProviderConfig 
13

          memorySize: 16Gi 
14

          project:
            type: ""
          subnets: 
15

          - type: uuid
            uuid: <subnet_uuid>
          systemDiskSize: 120Gi 
16

          userDataSecret:
            name: windows-user-data 
17

          vcpuSockets: 4 
18

          vcpusPerSocket: 1 
19
Copy to Clipboard Toggle word wrap
1 3 5
Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
Copy to Clipboard Toggle word wrap
2 4 6
Specify the infrastructure ID, worker label, and zone.
7
Configure the compute machine set as a Windows machine.
8
Configure the Windows node as a compute machine.
9
Specifies the boot type that the compute machines use. For more information about boot types, see Understanding UEFI, Secure Boot, and TPM in the Virtualized Environment. Valid values are Legacy, SecureBoot, or UEFI. The default is Legacy.
Note

You must use the Legacy boot type in OpenShift Container Platform 4.19.

10
Specifies a Nutanix Prism Element cluster configuration. In this example, the cluster type is uuid, so there is a uuid stanza.
11
Specifies the secret name for the cluster. Do not change this value.
12
Specifies the image to use. Use an image from an existing default compute machine set for the cluster.
13
Specifies the cloud provider platform type. Do not change this value.
14
Specifies the amount of memory for the cluster in Gi.
15
Specifies a subnet configuration. In this example, the subnet type is uuid, so there is a uuid stanza.
16
Specifies the size of the system disk in Gi.
17
Specifies the name of the secret in the user data YAML file that is in the openshift-machine-api namespace. Use the value that installation program populates in the default compute machine set.
18
Specifies the number of vCPU sockets.
19
Specifies the number of vCPUs per socket.

6.4.4. Creating a compute machine set

In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.

Procedure

  1. Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named <file_name>.yaml.

    Ensure that you set the <clusterID> and <role> parameter values.

  2. Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.

    1. To list the compute machine sets in your cluster, run the following command:

      $ oc get machinesets -n openshift-machine-api
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
      agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1d   0         0                             55m
      agl030519-vplxk-worker-us-east-1e   0         0                             55m
      agl030519-vplxk-worker-us-east-1f   0         0                             55m
      Copy to Clipboard Toggle word wrap

    2. To view values of a specific compute machine set custom resource (CR), run the following command:

      $ oc get machineset <machineset_name> \
        -n openshift-machine-api -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: machine.openshift.io/v1beta1
      kind: MachineSet
      metadata:
        labels:
          machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
      1
      
        name: <infrastructure_id>-<role> 
      2
      
        namespace: openshift-machine-api
      spec:
        replicas: 1
        selector:
          matchLabels:
            machine.openshift.io/cluster-api-cluster: <infrastructure_id>
            machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
        template:
          metadata:
            labels:
              machine.openshift.io/cluster-api-cluster: <infrastructure_id>
              machine.openshift.io/cluster-api-machine-role: <role>
              machine.openshift.io/cluster-api-machine-type: <role>
              machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
          spec:
            providerSpec: 
      3
      
              ...
      Copy to Clipboard Toggle word wrap

      1
      The cluster infrastructure ID.
      2
      A default node label.
      Note

      For clusters that have user-provisioned infrastructure, a compute machine set can only create worker and infra type machines.

      3
      The values in the <providerSpec> section of the compute machine set CR are platform-specific. For more information about <providerSpec> parameters in the CR, see the sample compute machine set CR configuration for your provider.
  3. Create a MachineSet CR by running the following command:

    $ oc create -f <file_name>.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • View the list of compute machine sets by running the following command:

    $ oc get machineset -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    agl030519-vplxk-infra-us-east-1a    1         1         1       1           11m
    agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1d   0         0                             55m
    agl030519-vplxk-worker-us-east-1e   0         0                             55m
    agl030519-vplxk-worker-us-east-1f   0         0                             55m
    Copy to Clipboard Toggle word wrap

    When the new compute machine set is available, the DESIRED and CURRENT values match. If the compute machine set is not available, wait a few minutes and run the command again.

6.5. Creating a Windows machine set on vSphere

You can create a Windows MachineSet object to serve a specific purpose in your OpenShift Container Platform cluster on VMware vSphere. For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.

6.5.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a supported Windows Server as the operating system image.

6.5.2. Machine API overview

The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.

For OpenShift Container Platform 4.19 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.19 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.

The two primary resources are:

Machines
A fundamental unit that describes the host for a node. A machine has a providerSpec specification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
Machine sets

MachineSet resources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the replicas field on the MachineSet resource to meet your compute need.

Warning

Control plane machines cannot be managed by compute machine sets.

Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines.

For more information, see “Managing control plane machines".

The following custom resources add more capabilities to your cluster:

Machine autoscaler

The MachineAutoscaler resource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.

The MachineAutoscaler object takes effect after a ClusterAutoscaler object exists. Both ClusterAutoscaler and MachineAutoscaler resources are made available by the ClusterAutoscalerOperator object.

Cluster autoscaler

This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways:

  • Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
  • Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
  • Set the scaling policy so that you can scale up nodes but not scale them down
Machine health check
The MachineHealthCheck resource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.

In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.

You must prepare your vSphere environment for Windows container workloads by creating the vSphere Windows VM golden image and enabling communication with the internal API server for the WMCO.

Create a vSphere Windows virtual machine (VM) golden image.

Prerequisites

  • You have created a private/public key pair, which is used to configure key-based authentication in the OpenSSH server. The private key must be configured in the Windows Machine Config Operator (WMCO) namespace so that the WMCO can communicate with the Windows VM.

    If you created the key pair on a Red Hat Enterprise Linux (RHEL) system, before you can use the public key on a Windows system, make sure the public key is saved using ASCII encoding. For example, the following PowerShell command copies a public key, encoding it for the ASCII character set:

    C:\> echo "ssh-rsa <ssh_pub_key>" | Out-File <ssh_key_path> -Encoding ascii
    Copy to Clipboard Toggle word wrap

    where:

    <ssh_pub_key>
    Specifies the SSH public key used to access the cluster.
    <ssh_key_path>
    Specifies the path to the SSH public key.

    See the "Configuring a secret for the Windows Machine Config Operator" section for more details.

Note

You must use Microsoft PowerShell commands in several cases when creating your Windows VM. PowerShell commands in this guide are distinguished by the PS C:\> prefix.

Procedure

  1. Select a compatible Windows Server version. Currently, the Windows Machine Config Operator (WMCO) stable version supports Windows Server 2022 Long-Term Servicing Channel with the OS-level container networking patch KB5012637.
  2. Create a new VM in the vSphere client using the VM golden image with a compatible Windows Server version. For more information about compatible versions, see the "Windows Machine Config Operator prerequisites" section of the "Red Hat OpenShift support for Windows Containers release notes."

    Important

    The virtual hardware version for your VM must meet the infrastructure requirements for OpenShift Container Platform. For more information, see the "VMware vSphere infrastructure requirements" section in the OpenShift Container Platform documentation. Also, you can refer to VMware’s documentation on virtual machine hardware versions.

  3. Install and configure VMware Tools version 11.0.6 or greater on the Windows VM. See the VMware Tools documentation for more information.
  4. After installing VMware Tools on the Windows VM, verify the following:

    1. The C:\ProgramData\VMware\VMware Tools\tools.conf file exists with the following entry:

      exclude-nics=
      Copy to Clipboard Toggle word wrap

      If the tools.conf file does not exist, create it with the exclude-nics option uncommented and set as an empty value.

      This entry ensures the cloned vNIC generated on the Windows VM by the hybrid-overlay is not ignored.

    2. The Windows VM has a valid IP address in vCenter:

      C:\> ipconfig
      Copy to Clipboard Toggle word wrap
    3. The VMTools Windows service is running:

      PS C:\> Get-Service -Name VMTools | Select Status, StartType
      Copy to Clipboard Toggle word wrap
  5. Install and configure the OpenSSH Server on the Windows VM. See Microsoft’s documentation on installing OpenSSH for more details.
  6. Set up SSH access for an administrative user. See Microsoft’s documentation on the Administrative user to do this.

    Important

    The public key used in the instructions must correspond to the private key you create later in the WMCO namespace that holds your secret. See the "Configuring a secret for the Windows Machine Config Operator" section for more details.

  7. You must create a new firewall rule in the Windows VM that allows incoming connections for container logs. Run the following PowerShell command to create the firewall rule on TCP port 10250:

    PS C:\> New-NetFirewallRule -DisplayName "ContainerLogsPort" -LocalPort 10250 -Enabled True -Direction Inbound -Protocol TCP -Action Allow -EdgeTraversalPolicy Allow
    Copy to Clipboard Toggle word wrap
  8. Clone the Windows VM so it is a reusable image. Follow the VMware documentation on how to clone an existing virtual machine for more details.
  9. In the cloned Windows VM, run the Windows Sysprep tool:

    C:\> C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:<path_to_unattend.xml> 
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the path to your unattend.xml file.
    Note

    There is a limit on how many times you can run the sysprep command on a Windows image. Consult Microsoft’s documentation for more information.

    An example unattend.xml is provided, which maintains all the changes needed for the WMCO. You must modify this example; it cannot be used directly.

    Example 6.1. Example unattend.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
       <settings pass="specialize">
          <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
             <InputLocale>0409:00000409</InputLocale>
             <SystemLocale>en-US</SystemLocale>
             <UILanguage>en-US</UILanguage>
             <UILanguageFallback>en-US</UILanguageFallback>
             <UserLocale>en-US</UserLocale>
          </component>
          <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
             <SkipAutoActivation>true</SkipAutoActivation>
          </component>
          <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
             <CEIPEnabled>0</CEIPEnabled>
          </component>
          <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
             <ComputerName>winhost</ComputerName> 
    1
    
          </component>
       </settings>
       <settings pass="oobeSystem">
          <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
             <AutoLogon>
                <Enabled>false</Enabled> 
    2
    
             </AutoLogon>
             <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
             </OOBE>
             <RegisteredOrganization>Organization</RegisteredOrganization>
             <RegisteredOwner>Owner</RegisteredOwner>
             <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
             <TimeZone>Eastern Standard Time</TimeZone>
             <UserAccounts>
                <AdministratorPassword>
                   <Value>MyPassword</Value> 
    3
    
                   <PlainText>true</PlainText>
                </AdministratorPassword>
             </UserAccounts>
          </component>
       </settings>
    </unattend>
    Copy to Clipboard Toggle word wrap
    1
    Specify the ComputerName, which must follow the Kubernetes' names specification. These specifications also apply to Guest OS customization performed on the resulting template while creating new VMs.
    2
    Disable the automatic logon to avoid the security issue of leaving an open terminal with Administrator privileges at boot. This is the default value and must not be changed.
    3
    Replace the MyPassword placeholder with the password for the Administrator account. This prevents the built-in Administrator account from having a blank password by default. Follow Microsoft’s best practices for choosing a password.

    After the Sysprep tool has completed, the Windows VM will power off. You must not use or power on this VM anymore.

  10. Convert the Windows VM to a template in vCenter.

The Windows Machine Config Operator (WMCO) downloads the Ignition config files from the internal API server endpoint. You must enable communication with the internal API server so that your Windows virtual machine (VM) can download the Ignition config files, and the kubelet on the configured VM can only communicate with the internal API server.

Prerequisites

  • You have installed a cluster on vSphere.

Procedure

  • Add a new DNS entry for api-int.<cluster_name>.<base_domain> that points to the external API server URL api.<cluster_name>.<base_domain>. This can be a CNAME or an additional A record.
Note

The external API endpoint was already created as part of the initial cluster installation on vSphere.

This sample YAML defines a Windows MachineSet object running on VMware vSphere that the Windows Machine Config Operator (WMCO) can react upon.

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
1

  name: <windows_machine_set_name> 
2

  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
3

      machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> 
4

  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
5

        machine.openshift.io/cluster-api-machine-role: worker
        machine.openshift.io/cluster-api-machine-type: worker
        machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> 
6

        machine.openshift.io/os-id: Windows 
7

    spec:
      metadata:
        labels:
          node-role.kubernetes.io/worker: "" 
8

      providerSpec:
        value:
          apiVersion: vsphereprovider.openshift.io/v1beta1
          credentialsSecret:
            name: vsphere-cloud-credentials
          diskGiB: 128 
9

          kind: VSphereMachineProviderSpec
          memoryMiB: 16384
          network:
            devices:
            - networkName: "<vm_network_name>" 
10

          numCPUs: 4
          numCoresPerSocket: 1
          snapshot: ""
          template: <windows_vm_template_name> 
11

          userDataSecret:
            name: windows-user-data 
12

          workspace:
             datacenter: <vcenter_data_center_name> 
13

             datastore: <vcenter_datastore_name> 
14

             folder: <vcenter_vm_folder_path> 
15

             resourcePool: <vsphere_resource_pool> 
16

             server: <vcenter_server_ip> 
17
Copy to Clipboard Toggle word wrap
1 3 5
Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
Copy to Clipboard Toggle word wrap
2 4 6
Specify the Windows compute machine set name. The compute machine set name cannot be more than 9 characters long, due to the way machine names are generated in vSphere.
7
Configure the compute machine set as a Windows machine.
8
Configure the Windows node as a compute machine.
9
Specify the size of the vSphere Virtual Machine Disk (VMDK).
Note

This parameter does not set the size of the Windows partition. You can resize the Windows partition by using the unattend.xml file or by creating the vSphere Windows virtual machine (VM) golden image with the required disk size.

10
Specify the vSphere VM network to deploy the compute machine set to. This VM network must be where other Linux compute machines reside in the cluster.
11
Specify the full path of the Windows vSphere VM template to use, such as golden-images/windows-server-template. The name must be unique.
Important

Do not specify the original VM template. The VM template must remain off and must be cloned for new Windows machines. Starting the VM template configures the VM template as a VM on the platform, which prevents it from being used as a template that compute machine sets can apply configurations to.

12
The windows-user-data is created by the WMCO when the first Windows machine is configured. After that, the windows-user-data is available for all subsequent compute machine sets to consume.
13
Specify the vCenter data center to deploy the compute machine set on.
14
Specify the vCenter datastore to deploy the compute machine set on.
15
Specify the path to the vSphere VM folder in vCenter, such as /dc1/vm/user-inst-5ddjd.
16
Optional: Specify the vSphere resource pool for your Windows VMs.
17
Specify the vCenter server IP or fully qualified domain name.

6.5.5. Creating a compute machine set

In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.
  • In disconnected environments, the image specified in the MachineSet custom resource (CR) must have the OpenSSH server v0.0.1.0 installed.

Procedure

  1. Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named <file_name>.yaml.

    Ensure that you set the <clusterID> and <role> parameter values.

  2. Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.

    1. To list the compute machine sets in your cluster, run the following command:

      $ oc get machinesets -n openshift-machine-api
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
      agl030519-vplxk-worker-us-east-1a   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1b   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1c   1         1         1       1           55m
      agl030519-vplxk-worker-us-east-1d   0         0                             55m
      agl030519-vplxk-worker-us-east-1e   0         0                             55m
      agl030519-vplxk-worker-us-east-1f   0         0                             55m
      Copy to Clipboard Toggle word wrap

    2. To view values of a specific compute machine set custom resource (CR), run the following command:

      $ oc get machineset <machineset_name> \
        -n openshift-machine-api -o yaml
      Copy to Clipboard Toggle word wrap

      Example output

      apiVersion: machine.openshift.io/v1beta1
      kind: MachineSet
      metadata:
        labels:
          machine.openshift.io/cluster-api-cluster: <infrastructure_id> 
      1
      
        name: <infrastructure_id>-<role> 
      2
      
        namespace: openshift-machine-api
      spec:
        replicas: 1
        selector:
          matchLabels:
            machine.openshift.io/cluster-api-cluster: <infrastructure_id>
            machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
        template:
          metadata:
            labels:
              machine.openshift.io/cluster-api-cluster: <infrastructure_id>
              machine.openshift.io/cluster-api-machine-role: <role>
              machine.openshift.io/cluster-api-machine-type: <role>
              machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>
          spec:
            providerSpec: 
      3
      
              ...
      Copy to Clipboard Toggle word wrap

      1
      The cluster infrastructure ID.
      2
      A default node label.
      Note

      For clusters that have user-provisioned infrastructure, a compute machine set can only create worker and infra type machines.

      3
      The values in the <providerSpec> section of the compute machine set CR are platform-specific. For more information about <providerSpec> parameters in the CR, see the sample compute machine set CR configuration for your provider.
  3. Create a MachineSet CR by running the following command:

    $ oc create -f <file_name>.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • View the list of compute machine sets by running the following command:

    $ oc get machineset -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
    agl030519-vplxk-windows-worker-us-east-1a  1         1         1       1           11m
    agl030519-vplxk-worker-us-east-1a          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1b          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1c          1         1         1       1           55m
    agl030519-vplxk-worker-us-east-1d          0         0                             55m
    agl030519-vplxk-worker-us-east-1e          0         0                             55m
    agl030519-vplxk-worker-us-east-1f          0         0                             55m
    Copy to Clipboard Toggle word wrap

    When the new compute machine set is available, the DESIRED and CURRENT values match. If the compute machine set is not available, wait a few minutes and run the command again.

Chapter 7. Scheduling Windows container workloads

You can schedule Windows workloads to Windows compute nodes.

7.1. Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
  • You are using a Windows container as the OS image.
  • You have created a Windows compute machine set.

7.2. Windows pod placement

Before deploying your Windows workloads to the cluster, you must configure your Windows node scheduling so pods are assigned correctly. Since you have a machine hosting your Windows node, it is managed the same as a Linux-based node. Likewise, scheduling a Windows pod to the appropriate Windows node is completed similarly, using mechanisms like taints, tolerations, and node selectors.

With multiple operating systems, and the ability to run multiple Windows OS variants in the same cluster, you must map your Windows pods to a base Windows OS variant by using a RuntimeClass object. For example, if you have multiple Windows nodes running on different Windows Server container versions, the cluster could schedule your Windows pods to an incompatible Windows OS variant. You must have RuntimeClass objects configured for each Windows OS variant on your cluster. Using a RuntimeClass object is also recommended if you have only one Windows OS variant available in your cluster.

For more information, see Microsoft’s documentation on Host and container version compatibility.

Also, it is recommended that you set the spec.os.name.windows parameter in your workload pods. The Windows Machine Config Operator (WMCO) uses this field to authoritatively identify the pod operating system for validation and is used to enforce Windows-specific pod security context constraints (SCCs). Currently, this parameter has no effect on pod scheduling. For more information about this parameter, see the Kubernetes Pods documentation.

Important

The container base image must be the same Windows OS version and build number that is running on the node where the conainer is to be scheduled.

Also, if you upgrade the Windows nodes from one version to another, for example going from 20H2 to 2022, you must upgrade your container base image to match the new version. For more information, see Windows container version compatibility.

Using a RuntimeClass object simplifies the use of scheduling mechanisms like taints and tolerations; you deploy a runtime class that encapsulates your taints and tolerations and then apply it to your pods to schedule them to the appropriate node. Creating a runtime class is also necessary in clusters that support multiple operating system variants.

Procedure

  1. Create a RuntimeClass object YAML file. For example, runtime-class.yaml:

    apiVersion: node.k8s.io/v1
    kind: RuntimeClass
    metadata:
      name: windows2019 
    1
    
    handler: 'runhcs-wcow-process'
    scheduling:
      nodeSelector: 
    2
    
        kubernetes.io/os: 'windows'
        kubernetes.io/arch: 'amd64'
        node.kubernetes.io/windows-build: '10.0.17763'
      tolerations: 
    3
    
      - effect: NoSchedule
        key: os
        operator: Equal
        value: "windows"
      - effect: NoSchedule
        key: os
        operator: Equal
        value: "Windows"
    Copy to Clipboard Toggle word wrap
    1
    Specify the RuntimeClass object name, which is defined in the pods you want to be managed by this runtime class.
    2
    Specify labels that must be present on nodes that support this runtime class. Pods using this runtime class can only be scheduled to a node matched by this selector. The node selector of the runtime class is merged with the existing node selector of the pod. Any conflicts prevent the pod from being scheduled to the node.
    • For Windows 2019, specify the node.kubernetes.io/windows-build: '10.0.17763' label.
    • For Windows 2022, specify the node.kubernetes.io/windows-build: '10.0.20348' label.
    3
    Specify tolerations to append to pods, excluding duplicates, running with this runtime class during admission. This combines the set of nodes tolerated by the pod and the runtime class.
  2. Create the RuntimeClass object:

    $ oc create -f <file-name>.yaml
    Copy to Clipboard Toggle word wrap

    For example:

    $ oc create -f runtime-class.yaml
    Copy to Clipboard Toggle word wrap
  3. Apply the RuntimeClass object to your pod to ensure it is scheduled to the appropriate operating system variant:

    apiVersion: v1
    kind: Pod
    metadata:
      name: my-windows-pod
    spec:
      runtimeClassName: windows2019 
    1
    
    # ...
    Copy to Clipboard Toggle word wrap
    1
    Specify the runtime class to manage the scheduling of your pod.

7.4. Sample Windows container workload deployment

You can deploy Windows container workloads to your cluster once you have a Windows compute node available.

Note

This sample deployment is provided for reference only.

Example Service object

apiVersion: v1
kind: Service
metadata:
  name: win-webserver
  labels:
    app: win-webserver
spec:
  ports:
    # the port that this service should serve on
  - port: 80
    targetPort: 80
  selector:
    app: win-webserver
  type: LoadBalancer
Copy to Clipboard Toggle word wrap

Example Deployment object

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: win-webserver
  name: win-webserver
spec:
  selector:
    matchLabels:
      app: win-webserver
  replicas: 1
  template:
    metadata:
      labels:
        app: win-webserver
      name: win-webserver
    spec:
      containers:
      - name: windowswebserver
        image: mcr.microsoft.com/windows/servercore:ltsc2019 
1

        imagePullPolicy: IfNotPresent
        command:
        - powershell.exe 
2

        - -command
        - $listener = New-Object System.Net.HttpListener; $listener.Prefixes.Add('http://*:80/'); $listener.Start();Write-Host('Listening at http://*:80/'); while ($listener.IsListening) { $context = $listener.GetContext(); $response = $context.Response; $content='<html><body><H1>Red Hat OpenShift + Windows Container Workloads</H1></body></html>'; $buffer = [System.Text.Encoding]::UTF8.GetBytes($content); $response.ContentLength64 = $buffer.Length; $response.OutputStream.Write($buffer, 0, $buffer.Length); $response.Close(); };
        securityContext:
          runAsNonRoot: false
          windowsOptions:
            runAsUserName: "ContainerAdministrator"
      os:
        name: "windows"
      runtimeClassName: windows2019 
3
Copy to Clipboard Toggle word wrap

1
Specify the container image to use: mcr.microsoft.com/powershell:<tag> or mcr.microsoft.com/windows/servercore:<tag>. The container image must match the Windows version running on the node.
  • For Windows 2019, use the ltsc2019 tag.
  • For Windows 2022, use the ltsc2022 tag.
2
Specify the commands to execute on the container.
  • For the mcr.microsoft.com/powershell:<tag> container image, you must define the command as pwsh.exe.
  • For the mcr.microsoft.com/windows/servercore:<tag> container image, you must define the command as powershell.exe.
3
Specify the runtime class you created for the Windows operating system variant on your cluster.

7.5. Support for Windows CSI drivers

Red Hat OpenShift support for Windows Containers installs CSI Proxy on all Windows nodes in the cluster. CSI Proxy is a plug-in that enables CSI drivers to perform storage operations on the node.

To use persistent storage with Windows workloads, you must deploy a specific Windows CSI driver daemon set, as described in your storage provider’s documentation. By default, the WMCO does not automatically create the Windows CSI driver daemon set. See the list of production drivers in the Kubernetes CSI Developer Documentation.

Note

Red Hat does not provide support for the third-party production drivers listed in the Kubernetes CSI Developer Documentation.

7.6. Scaling a compute machine set manually

To add or remove an instance of a machine in a compute machine set, you can manually scale the compute machine set.

This guidance is relevant to fully automated, installer-provisioned infrastructure installations. Customized, user-provisioned infrastructure installations do not have compute machine sets.

Prerequisites

  • Install an OpenShift Container Platform cluster and the oc command line.
  • Log in to oc as a user with cluster-admin permission.

Procedure

  1. View the compute machine sets that are in the cluster by running the following command:

    $ oc get machinesets.machine.openshift.io -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    The compute machine sets are listed in the form of <clusterid>-worker-<aws-region-az>.

  2. View the compute machines that are in the cluster by running the following command:

    $ oc get machines.machine.openshift.io -n openshift-machine-api
    Copy to Clipboard Toggle word wrap
  3. Set the annotation on the compute machine that you want to delete by running the following command:

    $ oc annotate machines.machine.openshift.io/<machine_name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
    Copy to Clipboard Toggle word wrap
  4. Scale the compute machine set by running one of the following commands:

    $ oc scale --replicas=2 machinesets.machine.openshift.io <machineset> -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    Or:

    $ oc edit machinesets.machine.openshift.io <machineset> -n openshift-machine-api
    Copy to Clipboard Toggle word wrap
    Tip

    You can alternatively apply the following YAML to scale the compute machine set:

    apiVersion: machine.openshift.io/v1beta1
    kind: MachineSet
    metadata:
      name: <machineset>
      namespace: openshift-machine-api
    spec:
      replicas: 2
    Copy to Clipboard Toggle word wrap

    You can scale the compute machine set up or down. It takes several minutes for the new machines to be available.

    Important

    By default, the machine controller tries to drain the node that is backed by the machine until it succeeds. In some situations, such as with a misconfigured pod disruption budget, the drain operation might not be able to succeed. If the drain operation fails, the machine controller cannot proceed removing the machine.

    You can skip draining the node by annotating machine.openshift.io/exclude-node-draining in a specific machine.

Verification

  • Verify the deletion of the intended machine by running the following command:

    $ oc get machines.machine.openshift.io
    Copy to Clipboard Toggle word wrap

Chapter 8. Windows node updates

You can ensure your Windows nodes have the latest updates by updating the Windows Machine Config Operator (WMCO).

You can update the WMCO in any of the following scenarios:

  • Within the current version. for example, from <10.y.z> to <10.y.z+1>.
  • To a new, contiguous version. For example, from <10.y> to <10.y+1>.
  • From an EUS version to another EUS version by using a Control Plane Only update. For example, from <10.y> to <10.y+2>.

8.1. Windows Machine Config Operator updates

When a new version of the Windows Machine Config Operator (WMCO) is released that is compatible with the current cluster version, the Operator is updated based on the update channel and subscription approval strategy it was installed with when using the Operator Lifecycle Manager (OLM). The WMCO update results in the Kubernetes components in the Windows machine being updated.

Note

If you are updating to a new version of the WMCO and want to use cluster monitoring, you must have the openshift.io/cluster-monitoring=true label present in the WMCO namespace. If you add the label to a pre-existing WMCO namespace, and there are already Windows nodes configured, restart the WMCO pod to allow monitoring graphs to display.

For a non-disruptive update, the WMCO terminates the Windows machines configured by the previous version of the WMCO and recreates them using the current version. This is done by deleting the Machine object, which results in the drain and deletion of the Windows node. To facilitate an update, the WMCO adds a version annotation to all the configured nodes. During an update, a mismatch in version annotation results in the deletion and recreation of a Windows machine. To have minimal service disruptions during an update, the WMCO only updates one Windows machine at a time.

After the update, it is recommended that you set the spec.os.name.windows parameter in your workload pods. The WMCO uses this field to authoritatively identify the pod operating system for validation and is used to enforce Windows-specific pod security context constraints (SCCs).

Important

The WMCO is only responsible for updating Kubernetes components, not for Windows operating system updates. You provide the Windows image when creating the VMs; therefore, you are responsible for providing an updated image. You can provide an updated Windows image by changing the image configuration in the MachineSet spec.

OpenShift Container Platform and Windows Machine Config Operator (WMCO) support updating from one EUS version to another EUS version of OpenShift Container Platform, in a process called a Control Plane Only update. After upgrading the cluster, the Windows nodes are updated from the starting EUS version to the new EUS version while keeping the Windows workloads in a healthy state with no disruptions.

Important

This update was previously known as an EUS-to-EUS update and is now referred to as a Control Plane Only update. These updates are only viable between even-numbered minor versions of OpenShift Container Platform.

You can use the OpenShift Container Platform web console to perform a Control Plane Only update of the Windows Machine Config Operator (WMCO).

Prerequisites

  • The cluster must be running on a supported EUS version of OpenShift Container Platform.
  • All Windows nodes must be in a healthy state.
  • All Windows nodes must be running on the same version of the WMCO.
  • All the of the prerequisites of the Control Plane Only update are met, as described in "Performing a Control Plane Only update."

Procedure

  1. Uninstall WMCO operator by using the following the steps:

    Important

    Delete the Operator only. Do not delete the Windows namespace or any Windows workloads.

    1. Log in to the OpenShift Container Platform web console.
    2. Navigate to Operators → OperatorHub.
    3. Use the Filter by keyword box to search for Red Hat Windows Machine Config Operator.
    4. Click the Red Hat Windows Machine Config Operator tile. The Operator tile indicates it is installed.
    5. In the Windows Machine Config Operator descriptor page, click Uninstall.
  2. Update OpenShift Container Platform by following the steps in "Performing a Control Plane Only update."
  3. Install the new WMCO version by following the steps in "Installing the Windows Machine Config Operator using the web console."

You can use the OpenShift CLI (oc) to perform a Control Plane Only update of the Windows Machine Config Operator (WMCO).

Prerequisites

  • The cluster must be running on a supported EUS version of OpenShift Container Platform.
  • All Windows nodes must be in a healthy state.
  • All Windows nodes must be running on the same version of the WMCO.
  • All the of the prerequisites of the Control Plane Only update are met, as described in "Performing a Control Plane Only update."

Procedure

  1. Uninstall the WMCO Operator from the cluster by following the steps in "Deleting Operators from a cluster using the CLI."

    Important

    Delete the Operator only. Do not delete the Windows namespace or any Windows workloads.

  2. Update OpenShift Container Platform by following the steps in "Performing a Control Plane Only update."
  3. Install the new WMCO version by following the steps in "Installing the Windows Machine Config Operator using the CLI."

Verification

  • On the Verify that the Status shows Succeeded to confirm successful installation of the WMCO.

Bring-Your-Own-Host (BYOH) allows for users to repurpose Windows Server VMs and bring them to OpenShift Container Platform. BYOH Windows instances benefit users looking to mitigate major disruptions in the event that a Windows server goes offline.

9.1. Configuring a BYOH Windows instance

Creating a BYOH Windows instance requires creating a config map in the Windows Machine Config Operator (WMCO) namespace.

Prerequisites

Any Windows instances that are to be attached to the cluster as a node must fulfill the following requirements:

  • The instance must be on the same network as the Linux worker nodes in the cluster.
  • Port 22 must be open and running an SSH server.
  • The default shell for the SSH server must be the Windows Command shell, or cmd.exe.
  • Port 10250 must be open for log collection.
  • An administrator user is present with the private key used in the secret set as an authorized SSH key.
  • If you are creating a BYOH Windows instance for an installer-provisioned infrastructure (IPI) AWS cluster, you must add a tag to the AWS instance that matches the spec.template.spec.value.tag value in the compute machine set for your worker nodes. For example, kubernetes.io/cluster/<cluster_id>: owned or kubernetes.io/cluster/<cluster_id>: shared.
  • If you are creating a BYOH Windows instance on vSphere, communication with the internal API server must be enabled.
  • The hostname of the instance must follow the RFC 1123 DNS label requirements, which include the following standards:

    • Contains only lowercase alphanumeric characters or '-'.
    • Starts with an alphanumeric character.
    • Ends with an alphanumeric character.
Note

Windows instances deployed by the WMCO are configured with the containerd container runtime. Because the WMCO installs and manages the runtime, it is recommended that you not manually install containerd on nodes.

Procedure

  1. Create a ConfigMap named windows-instances in the WMCO namespace that describes the Windows instances to be added.

    Note

    Format each entry in the config map’s data section by using the address as the key while formatting the value as username=<username>.

    Example config map

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: windows-instances
      namespace: openshift-windows-machine-config-operator
    data:
      10.1.42.1: |- 
    1
    
        username=Administrator 
    2
    
      instance.example.com: |-
        username=core
    Copy to Clipboard Toggle word wrap

    1
    The address that the WMCO uses to reach the instance over SSH, either a DNS name or an IPv4 address. A DNS PTR record must exist for this address. It is recommended that you use a DNS name with your BYOH instance if your organization uses DHCP to assign IP addresses. If not, you need to update the windows-instances ConfigMap whenever the instance is assigned a new IP address.
    2
    The name of the administrator user created in the prerequisites.

9.2. Removing BYOH Windows instances

You can remove BYOH instances attached to the cluster by deleting the instance’s entry in the config map. Deleting an instance reverts that instance back to its state prior to adding to the cluster. Any logs and container runtime artifacts are not added to these instances.

For an instance to be cleanly removed, it must be accessible with the current private key provided to WMCO. For example, to remove the 10.1.42.1 instance from the previous example, the config map would be changed to the following:

kind: ConfigMap
apiVersion: v1
metadata:
  name: windows-instances
  namespace: openshift-windows-machine-config-operator
data:
  instance.example.com: |-
    username=core
Copy to Clipboard Toggle word wrap

Deleting windows-instances is viewed as a request to deconstruct all Windows instances added as nodes.

Chapter 10. Removing Windows nodes

You can remove a Windows node by deleting its host Windows machine.

10.1. Deleting a specific machine

You can delete a specific machine.

Important

Do not delete a control plane machine unless your cluster uses a control plane machine set.

Prerequisites

  • Install an OpenShift Container Platform cluster.
  • Install the OpenShift CLI (oc).
  • Log in to oc as a user with cluster-admin permission.

Procedure

  1. View the machines that are in the cluster by running the following command:

    $ oc get machine -n openshift-machine-api
    Copy to Clipboard Toggle word wrap

    The command output contains a list of machines in the <clusterid>-<role>-<cloud_region> format.

  2. Identify the machine that you want to delete.
  3. Delete the machine by running the following command:

    $ oc delete machine <machine> -n openshift-machine-api
    Copy to Clipboard Toggle word wrap
    Important

    By default, the machine controller tries to drain the node that is backed by the machine until it succeeds. In some situations, such as with a misconfigured pod disruption budget, the drain operation might not be able to succeed. If the drain operation fails, the machine controller cannot proceed removing the machine.

    You can skip draining the node by annotating machine.openshift.io/exclude-node-draining in a specific machine.

    If the machine that you delete belongs to a machine set, a new machine is immediately created to satisfy the specified number of replicas.

Chapter 11. Disabling Windows container workloads

You can disable the capability to run Windows container workloads by uninstalling the Windows Machine Config Operator (WMCO) and deleting the namespace that was added by default when you installed the WMCO.

You can uninstall the Windows Machine Config Operator (WMCO) from your cluster.

Prerequisites

  • Delete the Windows Machine objects hosting your Windows workloads.

Procedure

  1. From the Operators → OperatorHub page, use the Filter by keyword box to search for Red Hat Windows Machine Config Operator.
  2. Click the Red Hat Windows Machine Config Operator tile. The Operator tile indicates it is installed.
  3. In the Windows Machine Config Operator descriptor page, click Uninstall.

You can delete the namespace that was generated for the Windows Machine Config Operator (WMCO) by default.

Prerequisites

  • The WMCO is removed from your cluster.

Procedure

  1. Remove all Windows workloads that were created in the openshift-windows-machine-config-operator namespace:

    $ oc delete --all pods --namespace=openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap
  2. Verify that all pods in the openshift-windows-machine-config-operator namespace are deleted or are reporting a terminating state:

    $ oc get pods --namespace openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap
  3. Delete the openshift-windows-machine-config-operator namespace:

    $ oc delete namespace openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap

Legal Notice

Copyright © 2025 Red Hat

OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Modified versions must remove all Red Hat trademarks.

Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat