Frequently asked questions about Windows Server on AKS

This article provides answers to some of the most common questions about using Windows Server containers on Azure Kubernetes Service (AKS).

What kind of disks are supported for Windows?

Azure Disks and Azure Files are the supported volume types, and are accessed as New Technology File System (NTFS) volumes in the Windows Server container.

Does Windows support generation 2 virtual machines (VMs)?

Generation 2 VMs are supported on Windows for WS2022 only.

For more information, see Support for generation 2 VMs on Azure.

How do I patch my Windows nodes?

To get the latest patches for Windows nodes, you can either upgrade the node pool or upgrade the node image.

Is preserving the client source IP supported?

At this time, client source IP preservation isn't supported with Windows nodes.

Can I change the maximum number of pods per node?

Yes. For more information, see Maximum number of pods.

What is the default Transmission Control Protocol (TCP) timeout in Windows OS?

The default TCP timeout in Windows OS is four minutes. This value isn't configurable. When an application uses a longer timeout, the TCP connections between different containers in the same node close after four minutes.

Why am I seeing an error when I try to create a new Windows agent pool?

If you created your cluster before February 2020 and didn't perform any upgrade operations, the cluster still uses an old Windows image. You might see an error that resembles the following example:

"The following list of images referenced from the deployment template isn't found: Publisher: MicrosoftWindowsServer, Offer: WindowsServer, Sku: 2019-datacenter-core-smalldisk-2004, Version: latest. Refer to Find and use Azure Marketplace Virtual Machine images with Azure PowerShell for instructions on finding available images."

To fix this issue, you need to perform the following steps:

  1. Upgrade the cluster control plane, which updates the image offer and publisher.
  2. Create new Windows agent pools.
  3. Move Windows pods from existing Windows agent pools to new Windows agent pools.
  4. Delete old Windows agent pools.

Why am I seeing an error when I try to deploy Windows pods?

If you specify a value in --max-pods less than the number of pods you want to create, you might see the No available addresses error.

To fix this error, use the az aks nodepool add command with a high enough --max-pods value. For example:

az aks nodepool add \
    --cluster-name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP \
    --name $NODEPOOL_NAME \
    --os-type Windows \
    --max-pods 3

For more details, see the --max-pods documentation.
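The following is an added example, not code from the Microsoft page: it compares the pods bound to each Windows node with the node's allocatable pod count (the value --max-pods sets), so a "No available addresses" error can be traced to a node that is already full. The function takes the JSON that `kubectl get nodes -o json` and `kubectl get pods -A -o json` return; the node names, pool name and pod names in the sample are constructed so the script runs without a cluster.

```powershell
# Added example (not from the page): per-node pod capacity for Windows nodes.
function Get-WindowsNodePodCapacity {
    param(
        [Parameter(Mandatory)] [string] $NodesJson,
        [Parameter(Mandatory)] [string] $PodsJson
    )
    $nodes = @(($NodesJson | ConvertFrom-Json).items)
    $pods  = @(($PodsJson  | ConvertFrom-Json).items)

    foreach ($node in $nodes) {
        # kubelet labels every node with its OS; Linux nodes are not relevant here.
        if ($node.metadata.labels.'kubernetes.io/os' -ne 'windows') { continue }
        $name        = $node.metadata.name
        $allocatable = [int] $node.status.allocatable.pods   # what --max-pods produced
        # Completed pods release their address, so only pods that are still
        # pending or running count against the limit.
        $bound = @($pods | Where-Object {
            $_.spec.nodeName -eq $name -and $_.status.phase -notin @('Succeeded', 'Failed')
        }).Count
        [pscustomobject]@{
            Node      = $name
            MaxPods   = $allocatable
            BoundPods = $bound
            Free      = $allocatable - $bound
            Full      = ($bound -ge $allocatable)
        }
    }
}

# Constructed sample: one Windows node created with --max-pods 3 that is full,
# one Windows node with room, and one Linux node that is skipped.
$sampleNodes = @'
{ "items": [
  { "metadata": { "name": "aksnpwin000000", "labels": { "kubernetes.io/os": "windows", "agentpool": "npwin" } },
    "status": { "allocatable": { "pods": "3" } } },
  { "metadata": { "name": "aksnpwin000001", "labels": { "kubernetes.io/os": "windows", "agentpool": "npwin" } },
    "status": { "allocatable": { "pods": "30" } } },
  { "metadata": { "name": "aks-nodepool1-00000000-vmss000000", "labels": { "kubernetes.io/os": "linux" } },
    "status": { "allocatable": { "pods": "110" } } }
] }
'@
$samplePods = @'
{ "items": [
  { "metadata": { "name": "web-1" }, "spec": { "nodeName": "aksnpwin000000" }, "status": { "phase": "Running" } },
  { "metadata": { "name": "web-2" }, "spec": { "nodeName": "aksnpwin000000" }, "status": { "phase": "Running" } },
  { "metadata": { "name": "web-3" }, "spec": { "nodeName": "aksnpwin000000" }, "status": { "phase": "Pending" } },
  { "metadata": { "name": "job-1" }, "spec": { "nodeName": "aksnpwin000000" }, "status": { "phase": "Succeeded" } },
  { "metadata": { "name": "web-4" }, "spec": { "nodeName": "aksnpwin000001" }, "status": { "phase": "Running" } }
] }
'@

# With the sample, aksnpwin000000 reports 3 of 3 bound (Full = True), aksnpwin000001 1 of 30.
Get-WindowsNodePodCapacity -NodesJson $sampleNodes -PodsJson $samplePods | Format-Table

# Against a live cluster, feed the function the real output instead:
#   Get-WindowsNodePodCapacity -NodesJson (kubectl get nodes -o json | Out-String) `
#                              -PodsJson  (kubectl get pods -A -o json | Out-String)
```

A node whose Full column reads True is where new pods will fail with the error above; the fix is the larger --max-pods value on a new node pool, since the setting is fixed per pool.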

Why is there an unexpected user named "sshd" on my virtual machine node?

AKS adds a user named "sshd" when installing the OpenSSH service. This user isn't malicious. We recommend that customers update their alerts to ignore this unexpected user account.

How do I rotate the service principal for my Windows node pool?

Windows node pools don't support service principal rotation. To update the service principal, create a new Windows node pool and migrate your pods from the older pool to the new one. After your pods are migrated to the new pool, delete the older node pool.

Instead of service principals, you can use managed identities. For more information, see Use managed identities in AKS.
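Both the four-step fix for the old Windows image above and the service-principal rotation described here come down to the same operation: bring up a replacement Windows node pool, move the pods, and delete the old pool. The following added example, which is not from the Microsoft page, writes that procedure as a pwsh script driving the Azure CLI and kubectl. The resource group, cluster and pool names are assumptions, and step 1 applies only to the old-image case.

```powershell
# Added example (not from the page): replace a Windows node pool end to end.
$ResourceGroup = 'myResourceGroup'   # assumed
$ClusterName   = 'myAKSCluster'      # assumed
$OldPool       = 'npwin1'            # assumed: Windows pool to retire
$NewPool       = 'npwin2'            # assumed: replacement (Windows pool names are at most 6 characters)

# Step 1 (old-image case): upgrade the control plane only, which refreshes the image
# offer and publisher. az aks upgrade makes no change when the target equals the current
# version, so take the newest version that get-upgrades offers; skip if there is none.
$target = az aks get-upgrades --resource-group $ResourceGroup --name $ClusterName `
    --query 'controlPlaneProfile.upgrades[-1].kubernetesVersion' --output tsv
if ($target) {
    az aks upgrade --resource-group $ResourceGroup --name $ClusterName `
        --kubernetes-version $target --control-plane-only --yes
}

# Step 2: create the replacement Windows pool. A pool is provisioned with the cluster's
# credentials as they are at creation time, which is why a new pool is the rotation path.
az aks nodepool add --resource-group $ResourceGroup --cluster-name $ClusterName `
    --name $NewPool --os-type Windows --node-count 2

# Step 3: move the pods. Cordon every old node first so evicted pods cannot land on a
# sibling old node, then drain them; the scheduler places the pods on the new pool.
az aks get-credentials --resource-group $ResourceGroup --name $ClusterName --overwrite-existing
$oldNodes = (kubectl get nodes -l "agentpool=$OldPool" -o jsonpath='{.items[*].metadata.name}') -split '\s+' |
    Where-Object { $_ }
foreach ($n in $oldNodes) { kubectl cordon $n }
foreach ($n in $oldNodes) {
    kubectl drain $n --ignore-daemonsets --delete-emptydir-data --timeout=5m
}

# Check before deleting: after a drain only DaemonSet pods should remain on the old nodes.
foreach ($n in $oldNodes) {
    $left = kubectl get pods --all-namespaces --field-selector "spec.nodeName=$n" `
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {end}'
    Write-Host "Pods still on ${n} (DaemonSet pods are expected): $left"
}

# Step 4: delete the old pool once the workloads are running on the new one.
az aks nodepool delete --resource-group $ResourceGroup --cluster-name $ClusterName --name $OldPool
```

Draining is disruptive for pods without a PodDisruptionBudget or more than one replica, so run step 3 in a maintenance window and check the new pool has enough capacity (node count and --max-pods) for everything that is evicted.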

How do I change the administrator password for Windows Server nodes on my cluster?

To change the administrator password using the Azure CLI, use the az aks update command with the --windows-admin-password parameter. For example:

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --windows-admin-password <new-password>

To change the password using Azure PowerShell, use the Set-AzAksCluster cmdlet with the -WindowsProfileAdminUserPassword parameter, which takes a SecureString. For example:

Set-AzAksCluster `
    -ResourceGroupName $RESOURCE_GROUP `
    -Name $CLUSTER_NAME `
    -WindowsProfileAdminUserPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force)

Keep in mind that performing a cluster update causes a restart and only updates the Windows Server node pools. For information about Windows Server password requirements, see Windows Server password requirements.

How many node pools can I create?

AKS clusters with Windows node pools have the same resource limits as the default limits specified for the AKS service. For more information, see Quotas, virtual machine size restrictions, and region availability in Azure Kubernetes Service (AKS).

Can I run ingress controllers on Windows nodes?

Yes, you can run ingress controllers that support Windows Server containers.

Can my Windows Server containers use gMSA?

Yes. Group-managed service account (gMSA) support is generally available (GA) for Windows on AKS. For more information, see Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster.

Are there any limitations on the number of services on a cluster with Windows nodes?

A cluster with Windows nodes can have approximately 500 services (sometimes fewer) before it encounters port exhaustion. This limitation applies to Kubernetes Services with External Traffic Policy set to "Cluster".

When the external traffic policy on a Service is configured as Cluster, the traffic undergoes an extra Source NAT on the node. This process also reserves a port from the TCP/IP dynamic port pool. That pool is a limited resource (~16K ports by default), and many active connections to a Service can exhaust it, resulting in connection drops.

If the Kubernetes Service is configured with External Traffic Policy set to "Local", port exhaustion problems aren't likely to occur at 500 services.
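The following added example, not code from the Microsoft page, counts the Services that take the extra SNAT on Windows nodes, that is, NodePort and LoadBalancer Services whose externalTrafficPolicy is Cluster (the default when the field is absent), and flags when they approach the ~500 figure given above. Input is the JSON that `kubectl get svc -A -o json` returns; the namespaces and Service names in the sample are constructed so the script runs without a cluster, and the 400 warning threshold is an assumption.

```powershell
# Added example (not from the page): inventory of Cluster-policy Services.
function Get-SnatServiceCount {
    param(
        [Parameter(Mandatory)] [string] $ServicesJson,
        [int] $WarnAt = 400   # assumed headroom below the ~500 ceiling
    )
    $services = @(($ServicesJson | ConvertFrom-Json).items)
    # Only NodePort and LoadBalancer Services carry externalTrafficPolicy.
    $external = @($services | Where-Object { $_.spec.type -in @('NodePort', 'LoadBalancer') })
    $cluster  = @($external | Where-Object {
        (-not $_.spec.externalTrafficPolicy) -or ($_.spec.externalTrafficPolicy -eq 'Cluster')
    })
    $local    = @($external | Where-Object { $_.spec.externalTrafficPolicy -eq 'Local' })

    [pscustomobject]@{
        TotalServices      = $services.Count
        ExternalServices   = $external.Count
        ClusterPolicy      = $cluster.Count   # each adds SNAT and dynamic-port use on the node
        LocalPolicy        = $local.Count
        NearPortExhaustion = ($cluster.Count -ge $WarnAt)
        ClusterPolicyNames = @($cluster | ForEach-Object { "$($_.metadata.namespace)/$($_.metadata.name)" })
    }
}

# Constructed sample: a ClusterIP Service (no policy field), two Cluster-policy
# Services (one explicit, one defaulted) and one Local-policy Service.
$sampleServices = @'
{ "items": [
  { "metadata": { "namespace": "default", "name": "kubernetes" },
    "spec": { "type": "ClusterIP" } },
  { "metadata": { "namespace": "shop", "name": "web" },
    "spec": { "type": "LoadBalancer", "externalTrafficPolicy": "Cluster" } },
  { "metadata": { "namespace": "shop", "name": "api" },
    "spec": { "type": "NodePort" } },
  { "metadata": { "namespace": "shop", "name": "admin" },
    "spec": { "type": "LoadBalancer", "externalTrafficPolicy": "Local" } }
] }
'@

# -WarnAt 2 so the small sample trips the flag: 4 total, 3 external, 2 Cluster, 1 Local.
$report = Get-SnatServiceCount -ServicesJson $sampleServices -WarnAt 2
$report | Format-List

# Live cluster:
#   Get-SnatServiceCount -ServicesJson (kubectl get svc -A -o json | Out-String)
# Moving one Service to the Local policy named above:
#   kubectl patch svc web -n shop -p '{"spec":{"externalTrafficPolicy":"Local"}}'
```

Switching a Service to Local removes the extra SNAT, but it also changes where traffic goes: the load balancer only sends to nodes that host a ready endpoint of that Service, so check replica placement before changing a production Service.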

How do I change the time zone of a running container?

To change the time zone of a running Windows Server container, open a PowerShell session in the pod's container. For example:

kubectl exec -it POD-NAME -- powershell

In the running container, use Set-TimeZone to set the time zone of the running container. For example:

Set-TimeZone -Id "Russian Standard Time"

To see the current time zone of the running container or an available list of time zones, use Get-TimeZone.
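As an added example, not from the Microsoft page, the wrapper below combines the two cmdlets for use inside the container's PowerShell session: it validates the requested ID against the list Windows knows before changing anything, and returns the before and after state so the change can be checked. The target zone ID is an assumption.

```powershell
# Added example (not from the page): validated time-zone change inside a Windows container.
function Set-ContainerTimeZone {
    param([Parameter(Mandatory)] [string] $Id)

    $before = Get-TimeZone
    # -ListAvailable enumerates every zone the container's OS image knows.
    $match = Get-TimeZone -ListAvailable | Where-Object { $_.Id -eq $Id }
    if (-not $match) {
        # Offer near matches rather than failing with a bare error.
        $hint = Get-TimeZone -ListAvailable |
            Where-Object { $_.Id -like "*$Id*" -or $_.DisplayName -like "*$Id*" } |
            Select-Object -ExpandProperty Id -First 5
        throw "Unknown time zone id '$Id'. Close matches: $($hint -join ', ')"
    }

    Set-TimeZone -Id $match.Id
    $after = Get-TimeZone
    [pscustomobject]@{
        Before    = $before.Id
        After     = $after.Id
        UtcOffset = $after.BaseUtcOffset
        Changed   = ($before.Id -ne $after.Id)
    }
}

Set-ContainerTimeZone -Id 'W. Europe Standard Time'   # assumed target zone
```

Set-TimeZone needs administrator rights, which the default ContainerAdministrator user in a Windows Server container has. The change lives in the container's writable layer and is lost when the pod is recreated, so for a permanent setting bake the zone into the image or set it at container start.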