Windows Worker Nodes
Purpose: For platform engineers, shows how to add Windows Server nodes using the opencenter-windows Ansible collection.
Windows worker nodes are not part of the GA support boundary for openCenter 2026.01.0. This page is retained for historical and exploratory use only.
Prerequisites
- A running Kubernetes cluster deployed via Kubespray (Linux control plane nodes)
- Windows Server 2022 VMs provisioned and accessible via WinRM from the Ansible control node
- kubeconfig.yaml for the target cluster
- Ansible installed with the opencenter-windows collection
- A valid kubeadm join token (generated from the control plane)
When to Use Windows Workers
Windows worker nodes run Windows container workloads — ASP.NET applications, .NET Framework services, IIS-hosted apps, and Windows-native services. The control plane remains Linux-only; Windows nodes join as workers.
Steps
1. Install the Ansible collection
ansible-galaxy collection install opencenter-cloud.opencenter_windows_workers
2. Prepare the inventory
Create an inventory file listing your Windows nodes:
# windows-inventory.ini
[windows_workers]
win-worker-01 ansible_host=192.168.1.30
win-worker-02 ansible_host=192.168.1.31
[windows_workers:vars]
ansible_user=Administrator
ansible_password={{ vault_windows_password }}
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore
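A pre-flight check for the inventory above, as an added example that is not part of the opencenter-windows collection: it parses the [group:vars] sections and reports WinRM settings that weaken the Ansible control channel, including the ansible_winrm_server_cert_validation=ignore line shown here. The finding names, the hardened variant and the CA bundle path are assumptions made for this example.

```python
import re

# Constructed sample: the [windows_workers:vars] section from step 2.
PAGE_VARS = """\
[windows_workers:vars]
ansible_user=Administrator
ansible_password={{ vault_windows_password }}
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore
"""
# Constructed hardened variant; the CA bundle path is a placeholder.
HARDENED_VARS = PAGE_VARS.replace(
    "ansible_winrm_server_cert_validation=ignore",
    "ansible_winrm_server_cert_validation=validate\n"
    "ansible_winrm_ca_trust_path=/etc/ansible/winrm-ca.pem",
)

def parse_group_vars(text):
    """Return {group: {var: value}} for every [group:vars] section."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]:]+)(:\w+)?\]", line)
        if header:  # only [name:vars] sections carry group variables
            current = header.group(1) if header.group(2) == ":vars" else None
        elif current and "=" in line:
            key, value = line.split("=", 1)
            groups.setdefault(current, {})[key.strip()] = value.strip()
    return groups

def lint_winrm(v):
    """Return finding IDs for WinRM settings that weaken the control channel."""
    findings = []
    if v.get("ansible_connection") != "winrm":
        return findings
    # 'ignore' skips TLS certificate checks, so the endpoint is never authenticated.
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-disabled")
    if v.get("ansible_winrm_scheme") == "http" or v.get("ansible_port") == "5985":
        findings.append("winrm-over-http")
    if v.get("ansible_winrm_transport") == "basic":
        findings.append("basic-auth")
    # A literal password in the inventory instead of a {{ vault }} reference.
    password = v.get("ansible_password")
    if password and not re.fullmatch(r"\{\{.*\}\}", password):
        findings.append("plaintext-password")
    return findings
```

Run it against the real inventory text before step 5 and treat any non-empty result as a reason to stop; the page's inventory yields cert-validation-disabled, the hardened variant yields nothing.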
3. Generate a join token
On a Linux control plane node:
kubeadm token create --print-join-command
Save the output — you need the token and CA cert hash for the playbook variables.
4. Create the playbook
# windows-workers.yml
- name: Setup Windows Kubernetes Workers
  hosts: windows_workers
  vars:
    containerd_version: "1.7.13"
    kube_version: "1.34.3"
    k8s_internal_ip: "192.168.1.20" # Control plane API endpoint
    # join_token is a bootstrap credential: supply it from Ansible Vault rather than committing it
    join_token: "<token-from-step-3>"
    ca_cert_hash: "sha256:<hash-from-step-3>"
    calico_version: "v3.31.3"
  roles:
    - opencenter-cloud.opencenter_windows_workers.win-containerd
    - opencenter-cloud.opencenter_windows_workers.win-kubeadm
5. Run the playbook
ansible-playbook -i windows-inventory.ini windows-workers.yml
The roles execute in order:
- win-containerd: installs the Containers and Hyper-V Windows features, installs containerd, configures Windows Defender exclusions for Kubernetes paths.
- win-kubeadm: installs kubeadm and kubelet, joins the node to the cluster, configures kubelet as a Windows service, sets up Calico BGP networking.
Expect 10–20 minutes per node.
6. Verify the nodes joined
kubectl get nodes -o wide
Windows nodes appear with OS-Image: Windows Server 2022 and status Ready:
NAME            STATUS   ROLES    AGE   VERSION   OS-IMAGE
win-worker-01   Ready    <none>   2m    v1.34.3   Windows Server 2022 Datacenter
win-worker-02   Ready    <none>   2m    v1.34.3   Windows Server 2022 Datacenter
7. Apply a Windows node taint (optional)
To prevent Linux workloads from scheduling on Windows nodes:
kubectl taint nodes win-worker-01 os=windows:NoSchedule
kubectl taint nodes win-worker-02 os=windows:NoSchedule
Windows workloads should include a matching toleration and nodeSelector:
spec:
  nodeSelector:
    kubernetes.io/os: windows
  tolerations:
    - key: os
      value: windows
      effect: NoSchedule
Verification
# Node status
kubectl get nodes -l kubernetes.io/os=windows
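# Run a test Windows pod
# The toleration lets the pod schedule even when the optional taint from step 7 is applied;
# without it the pod stays Pending on tainted nodes.
kubectl run win-test --image=mcr.microsoft.com/windows/nanoserver:ltsc2022 \
  --overrides='{"spec":{"nodeSelector":{"kubernetes.io/os":"windows"},"tolerations":[{"key":"os","value":"windows","effect":"NoSchedule"}]}}' \
  --command -- ping -t localhost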
kubectl get pod win-test -w
# Should reach Running state
# Cleanup
kubectl delete pod win-test
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| kubeadm join fails with timeout | Control plane IP unreachable from Windows node | Verify network connectivity: Test-NetConnection -ComputerName <CP_IP> -Port 6443 |
| Node shows NotReady | containerd service not running | On the Windows node: Get-Service containerd and Start-Service containerd |
| WinRM connection refused | WinRM not enabled | On the Windows node: winrm quickconfig -force |
| Calico pods not running on Windows | BGP configuration mismatch | Verify calico_version matches the Linux cluster's Calico version |
| Windows pod stuck in ContainerCreating | Missing Windows container base image | Pull the base image: crictl pull mcr.microsoft.com/windows/nanoserver:ltsc2022 |