This page provides an overview of Windows Server containers in Google Kubernetes Engine (GKE) Standard mode. To learn how to create a cluster, see Creating a cluster using Windows Server node pools. Windows Server node images and containers aren't available in GKE Autopilot mode.
Overview
You can run your Windows Server and Linux containers side by side in the same cluster, which allows for a central management plane for both container platforms. Microsoft Hyper-V containers are not supported.
Node images
You can build your Windows Server container node images using Windows Server Long-Term Servicing Channel (LTSC). A single cluster can have multiple Windows Server node pools using different Windows Server versions, but each individual node pool can only use one Windows Server version. To learn more about the differences between these versions, see Choosing your Windows Server node images.
Storage
Your Windows Server containers can take advantage of many of the storage options that GKE provides. For an example of using GKE storage options with Windows, see Local SSDs.
When working with Windows Server containers, you must create a StorageClass object, and specify the name of that object in the storageClassName field of the PersistentVolumeClaim object because the ext4 file storage type is not supported with Windows. If you are using a Compute Engine persistent disk, you must use NTFS as the file storage type.
The Compute Engine persistent disk CSI Driver is also available for Windows Server containers. For more details, see Using the Compute Engine persistent disk CSI Driver.
Security
Like Linux containers, Windows containers provide a process and resource isolation boundary. Windows Server containers can be used for enterprise multi-tenancy. However, because Microsoft does not intend to service Windows container escape vulnerabilities, the use of Windows nodes is not recommended in hostile multi-tenancy scenarios or those where differing risk levels are needed. Instead, give each application or development team a separate cluster and Google Cloud project to achieve isolation.
Limitations
The following features aren't supported with Windows Server node pools:
Compute and node features:
- Autopilot mode
- Node auto-provisioning
- Machine series above the third generation
- Z3 machine series
- Image streaming
- Alpha clusters
- Accelerators, including GPUs and TPUs
Networking features:
- Configuring the maximum Pods per node greater than the default limit of 110
- Intranode visibility
- Node Local DNS cache
- Network policy logging
- IP masquerade agent. Windows nodes perform IP masquerading for external destinations, but the agent is not supported.
- IPv4/IPv6 dual-stack networking. IPv6 networking is not supported on Windows nodes.
- Private use of Class E IP addresses
- Private use of public IP addresses
- Full GKE Dataplane V2 support. Windows nodes with GKE Dataplane V2 are limited to network policy enforcement, in addition to the limitations described in the referenced document.
Security features:
- Confidential GKE Nodes
- Linux-specific security features (for example, seccomp, AppArmor, and SELinux)
Kubernetes features:
- Host namespaces (for example, hostNetwork, hostPID, and hostIPC). These aren't supported by the Windows operating system.
- Kubernetes service.spec.sessionAffinity
- Features listed in the Compatibility and limitations section of the "Windows containers in Kubernetes" document
Storage features:
- The default fstype (ext4), which is used with the balanced persistent disk type. For more information, see StorageClasses.
- Filestore CSI driver
- Local SSD with NVMe interfaces for Ephemeral Storage
Microsoft features:
Miscellaneous:
- Docker-based CloudSQL Auth proxy
- You can't create a cluster with only Windows Server node pools; at least one Linux node pool is required.
For specific limitations with other Google Cloud products that you might want to use with GKE clusters, refer to the respective documentation for that product.
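The storage requirement and several of the limitations above can be checked before deployment. The following is an added example, not code from Google's documentation: it lints manifests for Pods that select Windows nodes and flags host namespaces, Linux-only security settings, and PersistentVolumeClaims whose StorageClass does not set NTFS. The names `lint`, `by_kind`, and `SAMPLE` are hypothetical, the manifests are constructed, and all objects are assumed to be in one namespace.

```python
# Added example: lint manifest dicts (e.g. parsed `kubectl get -o json` items).
HOST_NS = ("hostNetwork", "hostPID", "hostIPC")
LINUX_ONLY = ("seccompProfile", "seLinuxOptions", "appArmorProfile")
FSTYPE_KEYS = ("csi.storage.k8s.io/fstype", "fstype")

def by_kind(manifests, kind):
    return {m["metadata"]["name"]: m for m in manifests if m["kind"] == kind}

def lint(manifests):
    """Return sorted findings for Pods whose nodeSelector targets Windows."""
    classes = by_kind(manifests, "StorageClass")
    claims = by_kind(manifests, "PersistentVolumeClaim")
    findings = []
    for name, pod in by_kind(manifests, "Pod").items():
        spec = pod["spec"]
        if spec.get("nodeSelector", {}).get("kubernetes.io/os") != "windows":
            continue
        for field in HOST_NS:  # host namespaces are listed as unsupported
            if spec.get(field):
                findings.append(f"{name}: {field} is not supported on Windows")
        contexts = [spec.get("securityContext", {})]
        contexts += [c.get("securityContext", {}) for c in spec.get("containers", [])]
        for field in LINUX_ONLY:  # seccomp, SELinux, AppArmor are Linux-specific
            if any(field in ctx for ctx in contexts):
                findings.append(f"{name}: {field} is a Linux-only setting")
        for vol in spec.get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim is None:
                continue
            sc = claims.get(claim, {}).get("spec", {}).get("storageClassName")
            params = classes.get(sc, {}).get("parameters", {})
            fstype = next((params[k] for k in FSTYPE_KEYS if k in params), "")
            if fstype.upper() != "NTFS":  # ext4 is not supported with Windows
                findings.append(f"{name}: PVC {claim} needs a StorageClass with fstype NTFS")
    return sorted(findings)

# Constructed sample manifests (not from the page).
SAMPLE = [
    {"kind": "StorageClass", "metadata": {"name": "win-ntfs"},
     "parameters": {"type": "pd-ssd", "fstype": "NTFS"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "data-ok"},
     "spec": {"storageClassName": "win-ntfs"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "data-default"}, "spec": {}},
    {"kind": "Pod", "metadata": {"name": "iis"}, "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"}, "hostPID": True,
        "containers": [{"name": "web", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}],
        "volumes": [{"persistentVolumeClaim": {"claimName": "data-ok"}},
                    {"persistentVolumeClaim": {"claimName": "data-default"}}]}},
]
```

Calling `lint(SAMPLE)` reports the hostPID setting, the seccomp profile, and the claim that names no StorageClass. Windows HostProcess Pods set hostNetwork by design and are not modeled by this check.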
Resources
The following sections provide links to relevant resources for Windows Server containers on GKE.
Discover
Review these resources to discover information about Windows on GKE:
- Read the Run Windows Server containers on GKE blog.
- Read the Windows Server containers on GKE now GA blog.
- Read the Windows Server support comes to Google Distributed Cloud blog.
- Read the Migrating Legacy OSes to Google Cloud case study.
Get started
Consider these resources for getting started:
- Watch the How to modernize and run Windows apps in GKE Enterprise GKE video.
- Watch the Migrate, Manage & Modernize: Windows Workloads Powered by GKE and GKE Enterprise webinar.
- Try out the New Microsoft and Windows on Google Cloud Demo Center demos.
- Learn how to Create a cluster using Windows Server node pools.
Create & deploy
For guidance on creating and deploying your applications, see these pages:
- Deploying a Windows Server application
- Deploying a stateful application
- Building Windows Server multi-arch images
- Using the Compute Engine persistent disk CSI Driver
Integrate with Active Directory
For guidance on Active Directory integration, see these pages:
- Best practices for running Active Directory on Google Cloud
- Configure Windows Server nodes to automatically join an Active Directory domain
- Deploy ASP.NET apps with Windows Authentication in GKE Windows containers
Troubleshoot
For help with troubleshooting, see Collecting diagnostic information.
Explore
To explore and learn about using GKE Enterprise for Windows, see these resources:
- Learn about Migrate to Containers for migrating Windows workloads.
- Learn about using Windows node pools in Google Distributed Cloud.
Partner solutions
When you modernize your applications, you also want to incorporate them into an end-to-end DevOps management experience that works with your existing tooling and workflows. To that end, Google has worked with several partners to make sure that your build, test, deploy, config and monitoring applications work well with Windows containers. Here are some use cases and partner solutions that we've tested to support Windows containers in GKE:
| Use case | Description | Partner |
|---|---|---|
| CI/CD | Partner's CI/CD solution can build, test and deploy applications running on Windows containers. | |
| Observability | Partner's ITOps and application performance management (APM) solution can collect telemetry and provide visibility (dashboards, reports, insights) for infrastructure and applications managed on Windows containers. | |
| Config management and policy | Partner's solution provides secrets management or provisioning capabilities for Windows applications on Google Cloud. | |
| Security | Partner's solution can secure the development and configuration of an application that runs on Windows containers. | |