Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 5. Enabling Windows container workloads

Before adding Windows workloads to your cluster, you must install the Windows Machine Config Operator (WMCO), which is available in the OpenShift Container Platform OperatorHub. The WMCO orchestrates the process of deploying and managing Windows workloads on a cluster.

Note

Dual NIC is not supported on WMCO-managed Windows instances.

5.1. Prerequisites
Copiar o link

  • You have access to an OpenShift Container Platform cluster using an account with cluster-admin permissions.
  • You have installed the OpenShift CLI (oc).
  • You have installed your cluster using installer-provisioned infrastructure, or using user-provisioned infrastructure with the platform: none field set in your install-config.yaml file.
  • You have configured hybrid networking with OVN-Kubernetes for your cluster. For more information, see Configuring hybrid networking.
  • You are running an OpenShift Container Platform cluster version 4.6.8 or later.
Note

Windows instances deployed by the WMCO are configured with the containerd container runtime. Because WMCO installs and manages the runtime, it is recommended that you do not manually install containerd on nodes.

For the comprehensive prerequisites for the Windows Machine Config Operator, see "Windows Machine Config Operator prerequisites".

5.2. Installing the Windows Machine Config Operator
Copiar o link

You can install the Windows Machine Config Operator using either the web console or OpenShift CLI (oc).

Note

Due to a limitation within the Windows operating system, clusterNetwork CIDR addresses of class E, such as 240.0.0.0, are not compatible with Windows nodes.

5.2.1. Installing the Windows Machine Config Operator using the web console
Copiar o link

You can use the OpenShift Container Platform web console to install the Windows Machine Config Operator (WMCO).

Note

Dual NIC is not supported on WMCO-managed Windows instances.

Procedure

  1. From the Administrator perspective in the OpenShift Container Platform web console, navigate to the Operators OperatorHub page.
  2. Use the Filter by keyword box to search for Windows Machine Config Operator in the catalog. Click the Windows Machine Config Operator tile.
  3. Review the information about the Operator and click Install.

  4. On the Install Operator page:

    1. Select the stable channel as the Update Channel. The stable channel enables the latest stable release of the WMCO to be installed.
    2. The Installation Mode is preconfigured because the WMCO must be available in a single namespace only.
    3. Choose the Installed Namespace for the WMCO. The default Operator recommended namespace is openshift-windows-machine-config-operator.
    4. Click the Enable Operator recommended cluster monitoring on the Namespace checkbox to enable cluster monitoring for the WMCO.

    5. Select an Approval Strategy.

      • The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.

  5. Click Install. The WMCO is now listed on the Installed Operators page.

    Note

    The WMCO is installed automatically into the namespace you defined, like openshift-windows-machine-config-operator.

  6. Verify that the Status shows Succeeded to confirm successful installation of the WMCO.

5.2.2. Installing the Windows Machine Config Operator using the CLI
Copiar o link

You can use the OpenShift CLI (oc) to install the Windows Machine Config Operator (WMCO).

Note

Dual NIC is not supported on WMCO-managed Windows instances.

Procedure

  1. Create a namespace for the WMCO.

    1. Create a Namespace object YAML file for the WMCO. For example, wmco-namespace.yaml: 

      apiVersion: v1
kind: Namespace
metadata:
  name: openshift-windows-machine-config-operator
      1 
      
  labels:
    openshift.io/cluster-monitoring: "true"
      2
      Copy to Clipboard Toggle word wrap
      1
      It is recommended to deploy the WMCO in the openshift-windows-machine-config-operator namespace.
      2
      This label is required for enabling cluster monitoring for the WMCO.

    2. Create the namespace: 

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create -f wmco-namespace.yaml
      Copy to Clipboard Toggle word wrap

  2. Create the Operator group for the WMCO.

    1. Create an OperatorGroup object YAML file. For example, wmco-og.yaml: 

      apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: windows-machine-config-operator
  namespace: openshift-windows-machine-config-operator
spec:
  targetNamespaces:
  - openshift-windows-machine-config-operator
      Copy to Clipboard Toggle word wrap

    2. Create the Operator group: 

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create -f wmco-og.yaml
      Copy to Clipboard Toggle word wrap

  3. Subscribe the namespace to the WMCO.

    1. Create a Subscription object YAML file. For example, wmco-sub.yaml: 

      apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: windows-machine-config-operator
  namespace: openshift-windows-machine-config-operator
spec:
  channel: "stable"
      1 
      
  installPlanApproval: "Automatic"
      2 
      
  name: "windows-machine-config-operator"
  source: "redhat-operators"
      3 
      
  sourceNamespace: "openshift-marketplace"
      4
      Copy to Clipboard Toggle word wrap
      1
      Specify stable as the channel.
      2
      Set an approval strategy. You can set Automatic or Manual.
      3
      Specify the redhat-operators catalog source, which contains the windows-machine-config-operator package manifests. If your OpenShift Container Platform is installed on a restricted network, also known as a disconnected cluster, specify the name of the CatalogSource object you created when you configured the Operator LifeCycle Manager (OLM).
      4
      Namespace of the catalog source. Use openshift-marketplace for the default OperatorHub catalog sources.

    2. Create the subscription: 

      $ oc create -f <file-name>.yaml
      Copy to Clipboard Toggle word wrap

      For example: 

      $ oc create -f wmco-sub.yaml
      Copy to Clipboard Toggle word wrap

      The WMCO is now installed to the openshift-windows-machine-config-operator.

  4. Verify the WMCO installation: 

    $ oc get csv -n openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                    DISPLAY                           VERSION   REPLACES   PHASE
windows-machine-config-operator.2.0.0   Windows Machine Config Operator   2.0.0                Succeeded
    Copy to Clipboard Toggle word wrap

5.3. Configuring a secret for the Windows Machine Config Operator
Copiar o link

To run the Windows Machine Config Operator (WMCO), you must create a secret in the WMCO namespace containing a private key. This is required to allow the WMCO to communicate with the Windows virtual machine (VM).

Prerequisites

  • You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).

  • You created a PEM-encoded file containing a private key by using a strong algorithm, such as ECDSA.

    If you created the key pair on a Red Hat Enterprise Linux (RHEL) system, before you can use the public key on a Windows system, make sure the public key is saved using ASCII encoding. For example, the following PowerShell command copies a public key, encoding it for the ASCII character set: 

    C:\> echo "ssh-rsa <ssh_pub_key>" | Out-File <ssh_key_path> -Encoding ascii
    Copy to Clipboard Toggle word wrap

    where:

    <ssh_pub_key>
    Specifies the SSH public key used to access the cluster.
    <ssh_key_path>
    Specifies the path to the SSH public key.

Procedure

  • Define the secret required to access the Windows VMs: 

    $ oc create secret generic cloud-private-key --from-file=private-key.pem=${HOME}/.ssh/<key> \
    -n openshift-windows-machine-config-operator
    1
    Copy to Clipboard Toggle word wrap
1
You must create the private key in the WMCO namespace, like openshift-windows-machine-config-operator.

It is recommended to use a different private key than the one used when installing the cluster.

5.4. Configuring debug-level logging for the Windows Machine Config Operator
Copiar o link

By default, the Windows Machine Config Operator (WMCO) is configured to use the info log level. You can change the log level to debug by editing the WMCO Subscription object.

Procedure

  1. Edit the windows-machine-config-operator subscription in the windows-machine-config-operator namespace by using the following command: 

    $ oc edit subscription windows-machine-config-operator -n openshift-windows-machine-config-operator
    Copy to Clipboard Toggle word wrap

  2. Add the follwing parameters to the .spec.config.env stanza: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
# ...
  name: windows-machine-config-operator
  namespace: openshift-windows-machine-config-operator
# ...
spec:
# ...
  config:
    env:
    - name: ARGS
    1 
    
      value: --debugLogging
    2
    Copy to Clipboard Toggle word wrap
    1
    Defines a list of environment variables that must exist in all containers in the pod.
    2
    Specifies the debug level of verbosity for log messages.

You can revert to the default info log level by removing the name and value parameters that you added.

5.5. Using Windows containers in a proxy-enabled cluster
Copiar o link

The Windows Machine Config Operator (WMCO) can consume and use a cluster-wide egress proxy configuration when making external requests outside the cluster’s internal network.

This allows you to add Windows nodes and run workloads in a proxy-enabled cluster, allowing your Windows nodes to pull images from registries that are secured behind your proxy server or to make requests to off-cluster services and services that use a custom public key infrastructure.

Note

The cluster-wide proxy affects system components only, not user workloads.

In proxy-enabled clusters, the WMCO is aware of the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY values that are set for the cluster. The WMCO periodically checks whether the proxy environment variables have changed. If there is a discrepancy, the WMCO reconciles and updates the proxy environment variables on the Windows instances.

Windows workloads created on Windows nodes in proxy-enabled clusters do not inherit proxy settings from the node by default, the same as with Linux nodes. Also, by default PowerShell sessions do not inherit proxy settings on Windows nodes in proxy-enabled clusters.

5.6. Using Windows containers with a mirror registry
Copiar o link

The Windows Machine Config Operator (WMCO) can pull images from a registry mirror rather than from a public registry by using an ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) object to configure your cluster to pull images from the mirror registry.

A mirror registry has the following benefits:

  • Avoids public registry outages
  • Speeds up node and pod creation
  • Pulls images from behind your organization’s firewall

A mirror registry can also be used with a OpenShift Container Platform cluster in a disconnected, or air-gapped, network. A disconnected network is a restricted network without direct internet connectivity. Because the cluster does not have access to the internet, any external container images cannot be referenced.

Using a mirror registry requires the following general steps:

  • Create the mirror registry, using a tool such as Red Hat Quay.
  • Create a container image registry credentials file.
  • Copy the images from your online image repository to your mirror registry.

For information about these steps, see "About disconnected installation mirroring."

After creating the mirror registry and mirroring the images, you can use an ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) object to configure your cluster to pull images from the mirror registry without needing to update each of your pod specs. The IDMS and ITMS objects redirect requests to pull images from a repository on a source image registry and have it resolved by the mirror repository instead.

If changes are made to the IDMS or ITMS object, the WMCO automatically updates the appropriate hosts.toml file on your Windows nodes with the new information. Note that the WMCO sequentially updates each Windows node when mirror settings are changed. As such, the time required for these updates increases with the number of Windows nodes in the cluster.

Because Windows nodes configured by the WMCO rely on the containerd container runtime, the WMCO ensures that the containerd configuration files are up-to-date with the registry settings. For new nodes, these files are copied to the instances upon creation. For existing nodes, after activating the mirror registry, the registry controller uses SSH to access each node and copy the generated configuration files, replacing any existing files.

You can use a mirror registry with machine set or Bring-Your-Own-Host (BYOH) Windows nodes.

When using an IDMS or ITMS object to mirror container images on Windows nodes, take note of the following behaviors that differ from Linux nodes:

  • Mirroring on Windows nodes works on the registry level, rather than on the image level used by Linux nodes. As such, Windows images mirrored by using IDMS or ITMS objects have specific naming requirements.

    The final portion of the namespace and the image name of the mirror image must match the image being mirrored. For example, when mirroring the mcr.microsoft.com/oss/kubernetes/pause:3.9 image, the mirror must be in the $mirrorRegistry/<organization>/oss/kubernetes/pause:3.9 format, where $org can be any organization name or namespace or excluded entirely. Some valid values are $mirrorRegistry/oss/kubernetes/pause:3.9, $mirrorRegistry/custom/oss/kubernetes/pause:3.9, and $mirrorRegistry/x/y/z/oss/kubernetes/pause:3.9.

  • A Windows node takes the ITMS object and uses it to configure registry-wide mirrors. In the following example, configuring quay.io/remote-org/image to mirror to quay.io/my-org/image results in the Windows node using that mirror for all images from quay.io/remote-org. As such, quay.io/remote-org/image:tag uses the quay.io/my-org/image:tag image, as expected, but another container using quay.io/remote-org/different-image:tag would also try to use the quay.io/remote-org/different-image:tag mirror. This can cause unintended behavior if it is not accounted for.

    For this reason, specify container images using a digest by an IDMS object instead of an ITMS object. Using a digest can prevent the wrong container image from being used, by ensuring that the image the container specifies and the image being pulled have the same digest.

5.6.1. Understanding image registry repository mirroring
Copiar o link

Setting up container registry repository mirroring enables you to perform the following tasks:

  • Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
  • Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.

Repository mirroring in OpenShift Container Platform includes the following attributes:

  • Image pulls are resilient to registry downtimes.
  • Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
  • A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
  • The mirror information you enter is added to the appropriate hosts.toml containerd configuration file(s) on every Windows node in the OpenShift Container Platform cluster.
  • When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.

Setting up repository mirroring can be done in the following ways:

  • At OpenShift Container Platform installation:

    By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a data center that is in a disconnected environment.

  • After OpenShift Container Platform installation:

    If you did not configure mirroring during OpenShift Container Platform installation, you can do so postinstallation by using any of the following custom resource (CR) objects:

    • ImageDigestMirrorSet (IDMS). This object allows you to pull images from a mirrored registry by using digest specifications. The IDMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
    • ImageTagMirrorSet (ITMS). This object allows you to pull images from a mirrored registry by using image tags. The ITMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.

Each of these custom resource objects identify the following information:

  • The source of the container image repository you want to mirror.
  • A separate entry for each mirror repository you want to offer the content requested from the source repository.

Note the following actions and how they affect node drain behavior:

  • If you create an IDMS or ICSP CR object, the MCO does not drain or reboot the node.
  • If you create an ITMS CR object, the MCO drains and reboots the node.
  • If you delete an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node.

  • If you modify an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node.

    Important

    • When the MCO detects any of the following changes, it applies the update without draining or rebooting the node:

      • Changes to the SSH key in the spec.config.passwd.users.sshAuthorizedKeys parameter of a machine config.
      • Changes to the global pull secret or pull secret in the openshift-config namespace.
      • Automatic rotation of the /etc/kubernetes/kubelet-ca.crt certificate authority (CA) by the Kubernetes API Server Operator.

    • When the MCO detects changes to the /etc/containers/registries.conf file, such as editing an ImageDigestMirrorSet, ImageTagMirrorSet, or ImageContentSourcePolicy object, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen for the following changes:

      • The addition of a registry with the pull-from-mirror = "digest-only" parameter set for each mirror.
      • The addition of a mirror with the pull-from-mirror = "digest-only" parameter set in a registry.
      • The addition of items to the unqualified-search-registries list.

The Windows Machine Config Operator (WMCO) watches for changes to the IDMS and ITMS resources and generates a set of hosts.toml containerd configuration files, one file for each source registry, with those changes. The WMCO then updates any existing Windows nodes to use the new registry configuration.

Note

The IDMS and ITMS objects must be created before you can add Windows nodes using a mirrored registry.

5.6.2. Configuring image registry repository mirroring
Copiar o link

You can create postinstallation mirror configuration custom resources (CR) to redirect image pull requests from a source image registry to a mirrored image registry.

Important

Windows images mirrored through ImageDigestMirrorSet and ImageTagMirrorSet objects have specific naming requirements as described in "Using Windows containers with a mirror registry".

Prerequisites

  • Access to the cluster as a user with the cluster-admin role.

Procedure

  1. Configure mirrored repositories, by either:

    • Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.

    • Using a tool such as skopeo to copy images manually from the source repository to the mirrored repository.

      For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the skopeo command as shown in this example: 

      $ skopeo copy --all \
docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \
docker://example.io/example/ubi-minimal
      Copy to Clipboard Toggle word wrap

      In this example, you have a container image registry that is named example.io with an image repository named example to which you want to copy the ubi9/ubi-minimal image from registry.access.redhat.com. After you create the mirrored registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.

    Important

    You must mirror the mcr.microsoft.com/oss/kubernetes/pause:3.9 image. For example, you could use the following skopeo command to mirror the image: 

    $ skopeo copy \
docker://mcr.microsoft.com/oss/kubernetes/pause:3.9\
docker://example.io/oss/kubernetes/pause:3.9
    Copy to Clipboard Toggle word wrap
  2. Log in to your OpenShift Container Platform cluster.

  3. Create an ImageDigestMirrorSet or ImageTagMirrorSet CR, as needed, replacing the source and mirrors with your own registry and repository pairs and images: 

    apiVersion: config.openshift.io/v1
    1 
    
kind: ImageDigestMirrorSet
    2 
    
metadata:
  name: ubi9repo
spec:
  imageDigestMirrors:
    3 
    
  - mirrors:
    - example.io/example/ubi-minimal
    4 
    
    - example.com/example2/ubi-minimal
    5 
    
    source: registry.access.redhat.com/ubi9/ubi-minimal
    6 
    
    mirrorSourcePolicy: AllowContactingSource
    7 
    
  - mirrors:
    - mirror.example.com
    source: registry.redhat.io
    mirrorSourcePolicy: NeverContactSource
  - mirrors:
    - docker.io
    source: docker-mirror.internal
    mirrorSourcePolicy: AllowContactingSource
    Copy to Clipboard Toggle word wrap
    1
    Indicates the API to use with this CR. This must be config.openshift.io/v1.
    2
    Indicates the kind of object according to the pull type:
    • ImageDigestMirrorSet: Pulls a digest reference image.
    • ImageTagMirrorSet: Pulls a tag reference image.
    3
    Indicates the type of image pull method, either:
    • imageDigestMirrors: Use for an ImageDigestMirrorSet CR.
    • imageTagMirrors: Use for an ImageTagMirrorSet CR.
    4
    Indicates the name of the mirrored image registry and repository.
    5
    Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use another mirror.
    6
    Indicates the registry and repository source, which is the repository that is referred to in image pull specifications.
    7
    Optional: Indicates the fallback policy if the image pull fails:
    • AllowContactingSource: Allows continued attempts to pull the image from the source repository. This is the default.
    • NeverContactSource: Prevents continued attempts to pull the image from the source repository.

  4. Create the new object: 

    $ oc create -f registryrepomirror.yaml
    Copy to Clipboard Toggle word wrap

  5. To check that the mirrored configuration settings are applied, do the following on one of the nodes.

    1. List your nodes: 

      $ oc get node
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                           STATUS                     ROLES    AGE  VERSION
ip-10-0-137-44.ec2.internal    Ready                      worker   7m   v1.30.3
ip-10-0-138-148.ec2.internal   Ready                      master   11m  v1.30.3
ip-10-0-139-122.ec2.internal   Ready                      master   11m  v1.30.3
ip-10-0-147-35.ec2.internal    Ready                      worker   7m   v1.30.3
ip-10-0-153-12.ec2.internal    Ready                      worker   7m   v1.30.3
ip-10-0-154-10.ec2.internal    Ready                      master   11m  v1.30.3
      Copy to Clipboard Toggle word wrap

    2. Start the debugging process to access the node: 

      $ oc debug node/ip-10-0-147-35.ec2.internal
      Copy to Clipboard Toggle word wrap

      Example output

      Starting pod/ip-10-0-147-35ec2internal-debug ...
To use host binaries, run `chroot /host`
      Copy to Clipboard Toggle word wrap

    3. Change your root directory to /host: 

      sh-4.2# chroot /host
      Copy to Clipboard Toggle word wrap

    4. Check that the WMCO generated a hosts.toml file for each registry on each Windows instance. For the previous example IDMS object, there should be three files in the following file structure: 

      $ tree $config_path
      Copy to Clipboard Toggle word wrap

      Example output

      C:/k/containerd/registries/
|── registry.access.redhat.com
|   └── hosts.toml
|── mirror.example.com
|   └── hosts.toml
└── docker.io
    └── hosts.toml:
      Copy to Clipboard Toggle word wrap

      The following output represents a hosts.toml containerd configuration file where the previous example IDMS object was applied.

      Example host.toml files

      $ cat "$config_path"/registry.access.redhat.com/host.toml
server = "https://registry.access.redhat.com" # default fallback server since "AllowContactingSource" mirrorSourcePolicy is set

[host."https://example.io/example/ubi-minimal"]
 capabilities = ["pull"]

[host."https://example.com/example2/ubi-minimal"] # secondary mirror
 capabilities = ["pull"]


$ cat "$config_path"/registry.redhat.io/host.toml
# "server" omitted since "NeverContactSource" mirrorSourcePolicy is set

[host."https://mirror.example.com"]
 capabilities = ["pull"]


$ cat "$config_path"/docker.io/host.toml
server = "https://docker.io"

[host."https://docker-mirror.internal"]
 capabilities = ["pull", "resolve"] # resolve tags
      Copy to Clipboard Toggle word wrap

    5. Pull an image to the node from the source and check if it is resolved by the mirror. 

      sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf...
      Copy to Clipboard Toggle word wrap

Troubleshooting repository mirroring

If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.

  • The first working mirror is used to supply the pulled image.
  • The main registry is only used if no other mirror works.
  • From the system context, the Insecure flags are used as fallback.

5.7. Rebooting a node gracefully
Copiar o link

The Windows Machine Config Operator (WMCO) minimizes node reboots whenever possible. However, certain operations and updates require a reboot to ensure that changes are applied correctly and securely. To safely reboot your Windows nodes, use the graceful reboot process. For information on gracefully rebooting a standard OpenShift Container Platform node, see "Rebooting a node gracefully" in the Nodes documentation.

Before rebooting a node, it is recommended to backup etcd data to avoid any data loss on the node.

Note

For single-node OpenShift clusters that require users to perform the oc login command rather than having the certificates in kubeconfig file to manage the cluster, the oc adm commands might not be available after cordoning and draining the node. This is because the openshift-oauth-apiserver pod is not running due to the cordon. You can use SSH to access the nodes as indicated in the following procedure.

In a single-node OpenShift cluster, pods cannot be rescheduled when cordoning and draining. However, doing so gives the pods, especially your workload pods, time to properly stop and release associated resources.

Procedure

To perform a graceful restart of a node:

  1. Mark the node as unschedulable: 

    $ oc adm cordon <node1>
    Copy to Clipboard Toggle word wrap

  2. Drain the node to remove all the running pods: 

    $ oc adm drain <node1> --ignore-daemonsets --delete-emptydir-data --force
    Copy to Clipboard Toggle word wrap

    You might receive errors that pods associated with custom pod disruption budgets (PDB) cannot be evicted.

    Example error

    error when evicting pods/"rails-postgresql-example-1-72v2w" -n "rails" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
    Copy to Clipboard Toggle word wrap

    In this case, run the drain command again, adding the disable-eviction flag, which bypasses the PDB checks: 

    $ oc adm drain <node1> --ignore-daemonsets --delete-emptydir-data --force --disable-eviction
    Copy to Clipboard Toggle word wrap

  3. SSH into the Windows node and enter PowerShell by running the following command: 

    C:\> powershell
    Copy to Clipboard Toggle word wrap

  4. Restart the node by running the following command: 

    C:\>  Restart-Computer -Force
    Copy to Clipboard Toggle word wrap

  5. Windows nodes on Amazon Web Services (AWS) do not return to READY state after a graceful reboot due to an inconsistency with the EC2 instance metadata routes and the Host Network Service (HNS) networks.

    After the reboot, SSH into any Windows node on AWS and add the route by running the following command in a shell prompt: 

    C:\> route add 169.254.169.254 mask 255.255.255.0 <gateway_ip>
    Copy to Clipboard Toggle word wrap

    where:

    169.254.169.254
    Specifies the address of the EC2 instance metadata endpoint.
    255.255.255.255
    Specifies the network mask of the EC2 instance metadata endpoint.
    <gateway_ip>

    Specifies the corresponding IP address of the gateway in the Windows instance, which you can find by running the following command: 

    C:\> ipconfig | findstr /C:"Default Gateway"
    Copy to Clipboard Toggle word wrap

  6. After the reboot is complete, mark the node as schedulable by running the following command: 

    $ oc adm uncordon <node1>
    Copy to Clipboard Toggle word wrap

  7. Verify that the node is ready: 

    $ oc get node <node1>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME    STATUS  ROLES    AGE     VERSION
<node1> Ready   worker   6d22h   v1.18.3+b0068a8
    Copy to Clipboard Toggle word wrap

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat