Deploying Antrea on Windows

Overview

Antrea supports Windows worker Node. On Windows Node, Antrea sets up an overlay network to forward packets between Nodes and implements NetworkPolicies. Currently Geneve, VXLAN, and STT tunnels are supported.

This page shows how to install antrea-agent on Windows Nodes and register the Node to an existing Kubernetes cluster.

For the detailed design of how antrea-agent works on Windows, please refer to the design doc.

Components that run on Windows

The following components should be configured and run on the Windows Node. * kubernetes components * OVS daemons * antrea-agent * kube-proxy

antrea-agent and kube-proxy run as processes on host and are managed by management Pods. It is recommended to run OVS daemons as Windows services.

Deploying Antrea on Windows Worker Node

Prerequisites

Installation

Download & Configure Antrea for Linux

Configure the Antrea for Linux on master Node following Getting started document.

  1. # Example:
  2. kubectl apply -f https://github.com/vmware-tanzu/antrea/releases/download/<TAG>/antrea.yml

Add Windows kube-proxy DaemonSet

Add Windows-compatible versions of kube-proxy by applying file kube-proxy.yaml.

Download kube-proxy.yaml from kubernetes official repository and set kube-proxy version.

  1. # Example:
  2. curl -L https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/kube-proxy.yml | sed 's/VERSION/v1.18.0/g'  > kube-proxy.yml

Replace the content of run-script.ps1 in configmap named kube-proxy-windows as following:

  1. apiVersion: v1
  2. data:
  3.   run-script.ps1: |-
  4.     $ErrorActionPreference = "Stop";
  5.     mkdir -force /host/var/lib/kube-proxy/var/run/secrets/kubernetes.io/serviceaccount
  6.     mkdir -force /host/k/kube-proxy
  8.     cp -force /k/kube-proxy/* /host/k/kube-proxy
  9.     cp -force /var/lib/kube-proxy/* /host/var/lib/kube-proxy
  10.     cp -force /var/run/secrets/kubernetes.io/serviceaccount/* /host/var/lib/kube-proxy/var/run/secrets/kubernetes.io/serviceaccount
  12.     wins cli process run --path /k/kube-proxy/kube-proxy.exe --args "--v=4 --config=/var/lib/kube-proxy/config.conf --proxy-mode=userspace --hostname-override=$env:NODE_NAME"
  14. kind: ConfigMap
  15. metadata:
  16.   labels:
  17.     app: kube-proxy
  18.   name: kube-proxy-windows
  19.   namespace: kube-system

Set the hostNetwork option as true in spec of kube-proxy-windows daemonset.

  1. apiVersion: apps/v1
  2. kind: DaemonSet
  3. metadata:
  4.   labels:
  5.     k8s-app: kube-proxy
  6.   name: kube-proxy-windows
  7.   namespace: kube-system
  8. spec:
  9.   selector:
  10.     matchLabels:
  11.       k8s-app: kube-proxy-windows
  12.   template:
  13.     metadata:
  14.       labels:
  15.         k8s-app: kube-proxy-windows
  16.     spec:
  17.       hostNetwork: true

Then apply the kube-proxy.yml.

  1. kubectl apply -f kube-proxy.yml

Add Windows antrea-agent DaemonSet

Now you can deploy antrea-agent Windows DaemonSet by applying file antrea-windows.yml.

Download and apply antrea-windows.yml. ```

Example:

kubectl apply -f https://github.com/vmware-tanzu/antrea/releases/download//antrea-windows.yml ```

Join Windows worker Nodes

  1. (Optional, Test-Only) Install OVS provided by Antrea

Antrea provides a pre-built OVS package which contains test-signed OVS kernel driver. If you don’t have a self-signed OVS package and just want to try the Antrea on windows, this package can be used for testing. We also provide a help script to install the OVS driver and register userspace binaries as services.

Firstly, please make sure to enable test-signed code on Windows Nodes.

  1. Bcdedit.exe -set TESTSIGNING ON
  2. Restart-Computer

Then, install the OVS using the script.

  1. curl.exe -LO https://raw.githubusercontent.com/vmware-tanzu/antrea/master/hack/windows/Install-OVS.ps1
  2. .\Install-OVS.ps1

Verify the OVS services are installed.

  1. get-service ovsdb-server
  2. get-service ovs-vswitchd
  1. Disable Windows Firewall
  1. Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
  1. Install wins, kubelet, kubeadm and configure kubelet startup params

Firstly, install wins, kubelet, kubeadm using script PrepareNode.ps1 provided by kubernetes. The third component wins is used to run kube-proxy and antrea-agent on Windows host inside the Windows container.

  1. # Example:
  2. curl.exe -LO https://github.com/kubernetes-sigs/sig-windows-tools/releases/latest/download/PrepareNode.ps1
  3. .\PrepareNode.ps1 -KubernetesVersion v1.18.0
  1. Prepare network adapter for kube-proxy

kube-proxy needs a network adapter to configure Kubernetes Service IPs and uses the adapter for proxying connections to Service. Use following script to create the network adapter.

  1. curl.exe -LO https://raw.githubusercontent.com/vmware-tanzu/antrea/master/hack/windows/Prepare-ServiceInterface.ps1
  2. .\Prepare-ServiceInterface.ps1

Note: The interface will be deleted automatically by Windows after Windows Node reboots. So the script needs to be executed after rebooting the Node.

  1. Run kubeadm to join the Node

On Windows Node, run the kubeadm join command to join the cluster. The token is provided by the master Node.

If you forgot the token, or the token has expired, you can run kubeadm token create --print-join-command (on the master Node) to generate a new token and join command.

  1. # Example:
  2. kubeadm join 192.168.101.5:6443 --token tdp0jt.rshv3uobkuoobb4v  --discovery-token-ca-cert-hash sha256:84a163e57bf470f18565e44eaa2a657bed4da9748b441e9643ac856a274a30b9

Then, set the Node IP used by kubelet. Open file /var/lib/kubelet/kubeadm-flags.env:

  1. KUBELET_KUBEADM_ARGS="--cgroup-driver= --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.1"

Append --node-ip=$NODE_IP at the end of params. Replace $NODE_IP with the address for kubelet. It should look like:

  1. KUBELET_KUBEADM_ARGS="--cgroup-driver= --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.1 --node-ip=$NODE_IP"

Restart kubelet service for changes to take effect.

  1. restart-service kubelet

Verify your installation

There will be temporary network interruption on Windows worker Node on the first startup of antrea-agent. It’s because antrea-agent will set the OVS to take over the host network. After that you should be able to view the Windows Nodes and Pods in your cluster by running:

  1. # Show nodes
  2. kubectl get nodes -o wide -nkube-system
  3. NAME                           STATUS   ROLES    AGE    VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                                  KERNEL-VERSION     CONTAINER-RUNTIME
  4. master                         Ready    master   1h   v1.18.3   10.176.27.168   <none>        Ubuntu 18.04.3 LTS                        4.15.0-66-generic   docker://19.3.9
  5. win-5akrf2tpq91                Ready    <none>   1h   v1.18.0   10.176.27.150   <none>        Windows Server 2019 Standard Evaluation   10.0.17763.1158    docker://19.3.5
  6. win-5akrf2tpq92                Ready    <none>   1h   v1.18.0   10.176.27.197   <none>        Windows Server 2019 Standard Evaluation   10.0.17763.1158     docker://19.3.5
  8. # Show antrea-agent and kube-proxy pods
  9. kubectl get pods -o wide -nkube-system | grep windows
  10. antrea-agent-windows-6hvkw                             1/1     Running     0          100s
  11. kube-proxy-windows-2d45w                               1/1     Running     0          102s

Known issues

  1. HNS Network is not persistent on Windows. So after the Windows Node reboots, the HNS Network created by antrea-agent is removed, and the Open vSwitch Extension is disabled by default. In this case, the stale OVS bridge and ports should be removed. A help script Clean-AntreaNetwork.ps1 can be used to clean the OVS bridge.