1podman-play-kube(1)() podman-play-kube(1)()
2
6 podman-play-kube - Create containers, pods or volumes based on Kuber‐
7 netes YAML
8
11 podman play kube [options] file.yml|-
12
15 podman play kube will read in a structured file of Kubernetes YAML. It
16 will then recreate the containers, pods or volumes described in the
17 YAML. Containers within a pod are then started and the ID of the new
18 Pod or the name of the new Volume is output. If the yaml file is speci‐
19 fied as "-" then podman play kube will read the YAML file from stdin.
20 Using the --down command line option, it is also capable of tearing
21 down the pods created by a previous run of podman play kube. Ideally
22 the input file would be one created by Podman (see podman-generate-
23 kube(1)). This would guarantee a smooth import and expected results.
24 Currently, the supported Kubernetes kinds are: - Pod - Deployment -
27 PersistentVolumeClaim
28 Kubernetes Pods or Deployments
31 Only two volume types are supported by play kube, the hostPath and per‐
34 sistentVolumeClaim volume types. For the hostPath volume type, only the
35 default (empty), DirectoryOrCreate, Directory, FileOrCreate, File, and
36 Socket subtypes are supported. The CharDevice and BlockDevice subtypes
37 are not supported. Podman interprets the value of hostPath path as a
38 file path when it contains at least one forward slash, otherwise Podman
39 treats the value as the name of a named volume. When using a persis‐
40 tentVolumeClaim, the value for claimName is the name for the Podman
41 named volume.
42 Note: When playing a kube YAML with init containers, the init container
45 will be created with init type value always.
46 Note: hostPath volume types created by play kube will be given an
49 SELinux private label (Z)
50 Note: If the :latest tag is used, Podman will attempt to pull the image
53 from a registry. If the image was built locally with Podman or Buildah,
54 it will have localhost as the domain, in that case, Podman will use the
55 image from the local store even if it has the :latest tag.
56 Kubernetes PersistentVolumeClaims
59 A Kubernetes PersistentVolumeClaim represents a Podman named volume.
62 Only the PersistentVolumeClaim name is required by Podman to create a
63 volume. Kubernetes annotations can be used to make use of the available
64 options for Podman volumes.
65 • volume.podman.io/driver
68 • volume.podman.io/device
70 • volume.podman.io/type
72 • volume.podman.io/uid
74 • volume.podman.io/gid
76 • volume.podman.io/mount-options
78 Play kube is capable of building images on the fly given the correct
82 directory layout and Containerfiles. This option is not available for
83 remote clients yet. Consider the following excerpt from a YAML file:
84 apiVersion: v1
87 kind: Pod
88 metadata:
89 spec:
90 containers:
91 - command:
92 - top
93 - name: container
94 value: podman
95 image: foobar
96 If there is a directory named foobar in the current working directory
100 with a file named Containerfile or Dockerfile, Podman play kube will
101 build that image and name it foobar. An example directory structure
102 for this example would look like:
103 |- mykubefiles
106 |- myplayfile.yaml
107 |- foobar
108 |- Containerfile
109 The build will consider foobar to be the context directory for the
113 build. If there is an image in local storage called foobar, the image
114 will not be built unless the --build flag is used.
115
118 --authfile=path
119 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
120 ers/auth.json, which is set using podman login. If the authorization
121 state is not found there, $HOME/.docker/config.json is checked, which
122 is set using docker login.
123 Note: You can also override the default path of the authentication file
126 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
127 ISTRY_AUTH_FILE=path
128 --build
131 Build images even if they are found in the local storage.
132 --cert-dir=path
135 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
136 istry. Please refer to containers-certs.d(5) for details. (This option
137 is not available with the remote Podman client)
138 --configmap=path
141 Use Kubernetes configmap YAML at path to provide a source for environ‐
142 ment variable values within the containers of the pod.
143 Note: The --configmap option can be used multiple times or a comma-sep‐
146 arated list of paths can be used to pass multiple Kubernetes configmap
147 YAMLs.
148 --creds
151 The [username[:password]] to use to authenticate with the registry if
152 required. If one or both values are not supplied, a command line
153 prompt will appear and the value can be entered. The password is en‐
154 tered without echo.
155 --down
158 Tears down the pods that were created by a previous run of play kube.
159 The pods are stopped and then removed. Any volumes created are left
160 intact.
161 --ip=IP address
164 Assign a static ip address to the pod. This option can be specified
165 several times when play kube creates more than one pod.
166 --log-driver=driver
169 Set logging driver for all created containers.
170 --mac-address=MAC address
173 Assign a static mac address to the pod. This option can be specified
174 several times when play kube creates more than one pod.
175 --network=mode, --net
178 Change the network mode of the pod. The host and bridge network mode
179 should be configured in the yaml file. Valid mode values are:
180 • none: Create a network namespace for the container but do not
183 configure network interfaces for it, thus the container has no
184 network connectivity.
185 • container:id: Reuse another container's network stack.
187 • network: Connect to a user-defined network, multiple networks
189 should be comma-separated.
190 • ns:path: Path to a network namespace to join.
192 • private: Create a new namespace for the container. This will
194 use the bridge mode for rootfull containers and slirp4netns
195 for rootless ones.
196 • slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
198 network stack. This is the default for rootless containers. It
199 is possible to specify these additional options:
200 • allow_host_loopback=true|false: Allow the slirp4netns to
202 reach the host loopback IP (10.0.2.2, which is added to
203 /etc/hosts as host.containers.internal for your conve‐
204 nience). Default is false.
205 • mtu=MTU: Specify the MTU to use for this network. (Default
207 is 65520).
208 • cidr=CIDR: Specify ip range to use for this network. (De‐
210 fault is 10.0.2.0/24).
211 • enable_ipv6=true|false: Enable IPv6. Default is false. (Re‐
213 quired for outbound_addr6).
214 • outbound_addr=INTERFACE: Specify the outbound interface
216 slirp should bind to (ipv4 traffic only).
217 • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
219 should bind to.
220 • outbound_addr6=INTERFACE: Specify the outbound interface
222 slirp should bind to (ipv6 traffic only).
223 • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
225 should bind to.
226 • port_handler=rootlesskit: Use rootlesskit for port forward‐
228 ing. Default. Note: Rootlesskit changes the source IP ad‐
229 dress of incoming packets to a IP address in the container
230 network namespace, usually 10.0.2.100. If your application
231 requires the real source IP address, e.g. web server logs,
232 use the slirp4netns port handler. The rootlesskit port han‐
233 dler is also used for rootless containers when connected to
234 user-defined networks.
235 • port_handler=slirp4netns: Use the slirp4netns port forward‐
237 ing, it is slower than rootlesskit but preserves the correct
238 source IP address. This port handler cannot be used for
239 user-defined networks.
240 --quiet, -q
246 Suppress output information when pulling images
247 --seccomp-profile-root=path
250 Directory path for seccomp profiles (default: "/var/lib/kubelet/sec‐
251 comp"). (This option is not available with the remote Podman client)
252 --start=true|false
255 Start the pod after creating it, set to false to only create it.
256 --tls-verify=true|false
259 Require HTTPS and verify certificates when contacting registries (de‐
260 fault: true). If explicitly set to true, then TLS verification will be
261 used. If set to false, then TLS verification will not be used. If not
262 specified, TLS verification will be used unless the target registry is
263 listed as an insecure registry in registries.conf.
264 --help, -h
267 Print usage statement
268
271 Recreate the pod and containers as described in a file called demo.yml
272 $ podman play kube demo.yml
275 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
276 Recreate the pod and containers as described in a file demo.yml sent to
280 stdin
281 $ cat demo.yml | podman play kube -
284 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
285 Teardown the pod and containers as described in a file demo.yml
290 $ podman play kube --down demo.yml
293 Pods stopped:
294 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
295 Pods removed:
296 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
297 Provide configmap-foo.yml and configmap-bar.yml as sources for environ‐
301 ment variables within the containers.
302 $ podman play kube demo.yml --configmap configmap-foo.yml,configmap-bar.yml
305 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
306 $ podman play kube demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
308 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
309 CNI network(s) can be specified as comma-separated list using --network
313 $ podman play kube demo.yml --network cni1,cni2
316 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
317 Please take into account that CNI networks must be created first using
321 podman-network-create(1).
322
325 podman(1), podman-container(1), podman-pod(1), podman-generate-kube(1),
326 podman-play(1), podman-network-create(1), containers-certs.d(5)
327
330 December 2018, Originally compiled by Brent Baude (bbaude at redhat dot
331 com)
332 podman-play-kube(1)()