
@ponmuthudev ponmuthudev commented Nov 14, 2025

Summary
Adds support for Windows nodes by enabling the controller to detect when a node is running Windows and use a Windows-compatible kubectl image and appropriate security context settings.

Key Changes
Introduces a new environment variable SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE_WINDOWS for specifying the Windows kubectl image to use when performing upgrades targeting Windows nodes.

In the job creation logic (in job.go):

  • Detects whether the node OS label (kubernetes.io/os) equals “windows” and switches to the Windows image accordingly.
  • For Windows nodes, sets SecurityContext.WindowsOptions.HostProcess = true and RunAsUserName = "NT AUTHORITY\SYSTEM" on init-containers (prepare, drain, cordon) and the main upgrade container path.
  • Updates the default manifest (manifests/system-upgrade-controller.yaml) to include the new variable comment and default value for SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE_WINDOWS.

Why this is needed
Up to now the upgrade controller assumed Linux nodes and used a Linux kubectl image and Linux-style security context. Windows nodes have different requirements (e.g., HostProcess containers and Windows security context) which this change enables. Supporting Windows nodes helps extend the controller to heterogeneous clusters.

Impact & Considerations

  • Operators upgrading Windows worker or master nodes will need to set the SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE_WINDOWS env var to a Windows (e.g., Windows-tagged) kubectl image.
  • The logic enforces a fatal error if the env var is not set when targeting a Windows node.
  • Security contexts differ: Windows containers require HostProcess=true and run under NT AUTHORITY\SYSTEM, so this may affect privileges and cluster security; review accordingly.
  • Existing Linux-only flows remain unchanged, so backward compatibility is maintained.

Testing & Validation

  • Verified that for a node labelled kubernetes.io/os=windows, the Windows image is picked and the pod spec has the Windows security settings.
  • Verified Linux nodes continue to use the original image and security context path.
  • Verified that the upgrade workflow successfully triggers on both Linux and Windows nodes.

@ponmuthudev ponmuthudev requested a review from brandond November 19, 2025 04:44
@ponmuthudev ponmuthudev requested a review from brandond November 24, 2025 04:45
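
The selection logic described in the pull request above, as an added Go example that is not code from this pull request or from the project. The struct types are local stand-ins for the Kubernetes API types, and `kubectlJobSettings`, `runsAsHostSystem` and the image names are hypothetical; the second helper shows the property a reviewer or admission check would flag when auditing the resulting pods.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the corev1 fields named in the description (assumption: the
// controller itself uses k8s.io/api/core/v1, which this example does not import).
type WindowsOptions struct {
	HostProcess   *bool
	RunAsUserName *string
}

type SecurityContext struct{ WindowsOptions *WindowsOptions }

const osLabel = "kubernetes.io/os"

// kubectlJobSettings (hypothetical helper) picks the kubectl image and, for Windows
// nodes, the HostProcess context. A nil context means the Linux path is unchanged.
func kubectlJobSettings(nodeLabels map[string]string, linuxImage, windowsImage string) (string, *SecurityContext, error) {
	if nodeLabels[osLabel] != "windows" {
		return linuxImage, nil, nil
	}
	if windowsImage == "" {
		// The PR treats this as fatal; returning an error keeps the example testable.
		return "", nil, errors.New("SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE_WINDOWS is not set for a Windows node")
	}
	hostProcess, user := true, `NT AUTHORITY\SYSTEM`
	return windowsImage, &SecurityContext{WindowsOptions: &WindowsOptions{
		HostProcess: &hostProcess, RunAsUserName: &user,
	}}, nil
}

// runsAsHostSystem reports whether a context grants host-level SYSTEM access.
func runsAsHostSystem(sc *SecurityContext) bool {
	if sc == nil || sc.WindowsOptions == nil {
		return false
	}
	w := sc.WindowsOptions
	return w.HostProcess != nil && *w.HostProcess &&
		w.RunAsUserName != nil && *w.RunAsUserName == `NT AUTHORITY\SYSTEM`
}

func main() {
	// Constructed node labels and image names, for illustration only.
	img, sc, err := kubectlJobSettings(map[string]string{osLabel: "windows"}, "example/kubectl:linux", "example/kubectl:windows")
	fmt.Println(img, runsAsHostSystem(sc), err)
}
```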