Windows container considerations with Azure Kubernetes Service

When you create deployments that use Windows Server containers on Azure Kubernetes Service (AKS), there are a few differences relative to Linux deployments you should keep in mind. For a detailed comparison of the differences between Windows and Linux in upstream Kubernetes, see Windows containers in Kubernetes.

Some of the major differences include:

  • Identity: Windows Server uses a larger binary security identifier (SID) that's stored in the Windows Security Access Manager (SAM) database. This database isn't shared between the host and containers or between containers.
  • File permissions: Windows Server uses an access control list based on SIDs rather than a bitmask of permissions and UID+GID.
  • File paths: The convention on Windows Server is to use \ instead of /. In pod specs that mount volumes, specify the path correctly for Windows Server containers. For example, rather than a mount point of /mnt/volume in a Linux container, specify a drive letter and location such as /K/Volume to mount as the K: drive.

Note

For Kubernetes versions 1.25 and higher, Windows Server 2022 is the default OS. Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end-of-life (EOL) and won't be supported in future releases. For more information, see the AKS release notes.

This article covers important considerations to keep in mind when using Windows containers instead of Linux containers in Kubernetes. For an in-depth comparison of Windows and Linux containers, see Comparison with Linux.

Considerations

Feature: Windows considerations

Cluster creation:
  • The first system node pool must be Linux.
  • The maximum number of nodes per cluster is 5000.
  • The Windows Server node pool name has a limit of six characters.

Privileged containers: Not supported. The equivalent is HostProcess containers (HPC).

HPC containers: HostProcess containers are the Windows alternative to Linux privileged containers. For more information, see Create a Windows HostProcess pod.

Azure Network Policy Manager (Azure): Azure Network Policy Manager doesn't support:
  • Named ports
  • SCTP protocol
  • Negative match labels or namespace selectors (all labels except "debug=true")
  • "except" CIDR blocks (a CIDR with exceptions)
  • Windows Server 2019

Node upgrade: Windows Server nodes on AKS don't automatically apply Windows updates. Instead, you perform a node pool upgrade or node image upgrade. These upgrades deploy new nodes with the latest Windows Server 2019 and Windows Server 2022 base node images and security patches.

AKS Image Cleaner: Not supported.

BYOCNI: Not supported.

Open Service Mesh: Not supported.

GPU: Supported in preview.

Multi-instance GPU: Not supported.

Generation 2 VMs (preview): Supported but not by default.

Custom node config: Custom node config has two configurations:
  • kubelet: Supported in preview.
  • OS config: Not supported.
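As an added example (not part of this article or of AKS itself), the following script checks a pod manifest against two of the points above: the drive-letter mount path convention for Windows pods and the lack of privileged container support, plus the six-character Windows node pool name limit. The manifests, the image name and the lowercase-alphanumeric name rule are constructed assumptions, and manifests are plain dicts so no YAML library is needed.

```python
# Added example, not from the AKS docs: lint a pod manifest for Windows pitfalls.
import copy
import re

# A Windows mountPath needs a drive letter, e.g. /K/Volume or K:\Volume.
DRIVE_PATH = re.compile(r"^(/[A-Za-z](/|$)|[A-Za-z]:\\)")


def is_windows_pod(spec: dict) -> bool:
    """True when the pod is pinned to Windows nodes via nodeSelector."""
    return spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"


def lint_windows_pod(manifest: dict) -> list[str]:
    """Return findings for a Windows pod; an empty list means it is clean."""
    spec = manifest.get("spec", {})
    findings: list[str] = []
    if not is_windows_pod(spec):
        return findings  # Linux pods are out of scope for these checks
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{c['name']}: privileged is not supported on "
                            "Windows; use a HostProcess pod instead")
        for vm in c.get("volumeMounts", []):
            if not DRIVE_PATH.match(vm["mountPath"]):
                findings.append(f"{c['name']}: mountPath {vm['mountPath']!r} "
                                "has no drive letter (expected e.g. /K/Volume)")
    return findings


def valid_windows_nodepool_name(name: str) -> bool:
    """Six-character limit is from the table above; lowercase alphanumeric
    with a leading letter is the general AKS node pool rule (assumption)."""
    return re.fullmatch(r"[a-z][a-z0-9]{0,5}", name) is not None


# Constructed: a Linux pod spec moved to Windows nodes without changes.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "win-demo"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "containers": [{
            "name": "app", "image": "example.azurecr.io/app:1.0",  # placeholder
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "data", "mountPath": "/mnt/volume"}],
        }],
    },
}
# The same workload corrected: drive-letter mount and no privileged flag.
GOOD_POD = copy.deepcopy(BAD_POD)
GOOD_POD["spec"]["containers"][0].pop("securityContext")
GOOD_POD["spec"]["containers"][0]["volumeMounts"][0]["mountPath"] = "/K/Volume"
```

Running `lint_windows_pod(BAD_POD)` reports both the privileged flag and the Linux-style mount path, while `GOOD_POD` comes back clean.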

Next steps

For more information on Windows containers, see the Windows Server containers FAQ.