Windows Troubleshooting

In this chapter, we'll delve into methods for troubleshooting anomalies in Windows containers.

RDP Login to Node

When troubleshooting issues with Windows containers, you often need to log into the Windows node using RDP to check the status and logs of kubelet, Docker, HNS, and so forth. When using a cloud platform, you can assign a public IP to the relevant VM. When deploying on a physical machine, access can be obtained through port mapping on the router.

In addition, there's a simpler method: exposing node's port 3389 externally through the Kubernetes Service (be sure to replace with your own node-ip):

# rdp.yaml
apiVersion: v1
kind: Service
metadata:
  name: rdp
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 3389
    targetPort: 3389
---
kind: Endpoints
apiVersion: v1
metadata:
  name: rdp
subsets:
  - addresses:
      - ip: <node-ip>
    ports:
      - port: 3389

Next, you can log into the Node through the external IP of the rdp service, like so: mstsc.exe -v 52.52.52.52.

After you're done, don't forget to delete the RDP service kubectl delete -f rdp.yaml.

Windows Pod Stuck in ContainerCreating State

This typically happens for one of two reasons:

• Incorrect pause image configuration

• Container image version incompatible with Windows system

On Windows Server 1709, images with 1709 labels should be used, like:

• microsoft/aspnet:4.7.2-windowsservercore-1709

• microsoft/windowsservercore:1709

• microsoft/iis:windowsservercore-1709

While on Windows Server 1803, images with 1803 labels should be used, including:

• microsoft/aspnet:4.7.2-windowsservercore-1803

• microsoft/iis:windowsservercore-1803

• microsoft/windowsservercore:1803

DNS Cannot Be Resolved Within Windows Pod

This is a known issue, and there are three temporary solutions:

1. After Windows restarts, clear HNS Policy and reboot KubeProxy service:

1. Directly configure the kube-dns Pod address for the Pod:

1. More simply, run an extra Pod on each Windows Node—meaning at least two Pods are running on each Node. In this case, DNS resolution also works correctly.

If Windows Node is running on Azure, and custom VNET was used when deploying Kubernetes, a route table needs to be added to that VNET:

When the VNET is in a different ResourceGroup, here's the solution:

Remote Endpoint Creation Failed: HNS Failed with Error: The Switch-port Was Not Found

This error occurs when kube-proxy sets up load balancing for a service. To resolve this, install KB4089848:

After rebooting, confirm that the update was successful:

Netx, after updating, if there are still DNS resolution problems, Kubelet and Kube-proxy can be restarted as discussed in the previous section.

ServiceAccount Secret Cannot Be Accessed Within Windows Pod

This is a known issue in older versions of Windows. The problem can be solved by upgrading Windows to 1803, with the upgrade process discussed here.

Kubernetes API Cannot Be Accessed Within Windows Pod

If Hyper-V isolated containers are in use, MAC spoofing needs to be enabled.

Service ClusterIP Cannot Be Accessed Within Windows Node

This is a known problem with the current Windows network protocol stack. Service ClusterIP can only be accessed within the Pod.

Kubelet Can't Start

When using Docker 18.03 and Kubelet v1.12.x, Kubelet can't start and returns an error:

The solution is to set the environment variable for the Docker API version on Windows:

References

• Kubernetes On Windows - Troubleshooting Kubernetes

• Debug Networking issues on Windows