Add support of hyperv isolation for windows containers

[feiskyer]

What this PR does / why we need it:

Add support of hyperv isolation for windows containers.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #58750

Special notes for your reviewer:

Only one container per pod is supported yet.

Release note:

Windows containers now support experimental Hyper-V isolation by setting annotation `experimental.windows.kubernetes.io/isolation-type=hyperv` and feature gates HyperVContainer. Only one container per pod is supported yet.

[feiskyer]

/sig windows

[feiskyer]

/cc @PatrickLang @JiangtianLi @michmike

[k8s-ci-robot]

@feiskyer: GitHub didn't allow me to request PR reviews from the following users: PatrickLang, JiangtianLi.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @PatrickLang @JiangtianLi @michmike

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[feiskyer]

/sig node

/cc @yujuhong

[JiangtianLi]

Do we need apply the isolation specific config to sandbox? For Windows Hyper-V container, the POD infra container is not used and needs to be minimal, and therefore process container is sufficient.

[feiskyer]

It is not used now, but not future. I think we'd better keep sandbox same with containers, WDYT?

[JiangtianLi]

That's fine with me. We can reserve it as place holder.

[JiangtianLi]

For Hyper-V container, no need to call modifyHostNetworkOptionForContainer.

[feiskyer]

Ack, will fix

[JiangtianLi]

Can we add a comment here saying "Return the first non-sandbox container IP as POD IP for Hyper-V container"?

[feiskyer]

ack

[JiangtianLi]

/cc @madhanrm

[k8s-ci-robot]

@JiangtianLi: GitHub didn't allow me to request PR reviews from the following users: madhanrm.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @madhanrm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JiangtianLi]

Refer to const in https://github.com/moby/moby/blob/master/api/types/container/host_config.go or add a comment with link to where this string comes from?

[feiskyer]

ack, will add a refer link

[JiangtianLi]

lgtm

[tallclair]

nit: prefer

v, ok := annotations[hypervIsolationAnnotationKey]
return ok && v == hypervIsolation

[feiskyer]

ack

[tallclair]

Please include experimental in the key. I want to make it clear that this is not an official API, and won't be supported long term -- eventually we will have a native secure container concept that this should move to.

[feiskyer]

ack

[tallclair]

Does this mean that hyperV isolated containers will not have any networking by default?

[feiskyer]

no, hyperV container's network will be set by CNI plugins

[tallclair]

Can you explain this to me?

[feiskyer]

As noticed here, HyperV only support one container per Pod yet. And container will receive a different IP from sandbox. So we need to get the real container's IP.

[yujuhong]

Could you include information that in the comment?

[feiskyer]

added

[feiskyer]

@tallclair Addressed comments. PTAL

[feiskyer]

@yujuhong Addressed comments and squashed. PTAL

[tallclair]

Should this be behind a feature gate? I'm on the fence...

[feiskyer]

Should this be behind a feature gate? I'm on the fence...

@tallclair I'm thinking only API changes requires feature gates, while the PR doesn't change any API. WDYT?

[feiskyer]

/retest

[tallclair]

I'm thinking only API changes requires feature gates, while the PR doesn't change any API. WDYT?

No, we require feature gates for changed functionality too. Besides, you are changing the API by adding the annotation (just not the "official" API).

What is the status of windows support? Are there users using it in production? If the answer is yes, this should be feature gated. Otherwise, I'm OK leaving it ungated.

[feiskyer]

What is the status of windows support? Are there users using it in production? If the answer is yes, this should be feature gated. Otherwise, I'm OK leaving it ungated.

Yep, there are. OK, let me add a feature gate in kubelet.

[feiskyer]

@tallclair Feature gates added. PTAL

[michmike]

/lgtm

[tallclair]

/lgtm

[feiskyer]

/assign @brendandburns

[feiskyer]

@brendandburns could you help to take a look?

[brendandburns]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, feiskyer, michmike, tallclair

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• pkg/OWNERS [brendandburns]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

[yuwei1chen]

@feiskyer Hi, we wanted to use this feature gate in v1.20 k8s, met the same issue in https://stackoverflow.com/questions/51634469/kubernetes-windows-hyper-v-no-network-in-pod.
Hyperv containers started do not have network configured. It even do not have a pod ip. Do you have any clues?