podman-play-kube(1)

podman-play-kube - Create containers, pods or volumes based on
Kubernetes YAML

podman play kube [options] file.yml|-

podman play kube will read in a structured file of Kubernetes YAML. It
will then recreate the containers, pods or volumes described in the
YAML. Containers within a pod are then started and the ID of the new
Pod or the name of the new Volume is output. If the YAML file is
specified as "-", then podman play kube will read the YAML file from
stdin. Using the --down command line option, it is also capable of
tearing down the pods created by a previous run of podman play kube.
Ideally the input file would be one created by Podman (see
podman-generate-kube(1)). This would guarantee a smooth import and
expected results.

Currently, the supported Kubernetes kinds are:

• Pod

• Deployment

• PersistentVolumeClaim

Kubernetes Pods or Deployments

Only two volume types are supported by play kube, the hostPath and
persistentVolumeClaim volume types. For the hostPath volume type, only
the default (empty), DirectoryOrCreate, Directory, FileOrCreate, File,
and Socket subtypes are supported. The CharDevice and BlockDevice
subtypes are not supported. Podman interprets the value of hostPath path
as a file path when it contains at least one forward slash, otherwise
Podman treats the value as the name of a named volume. When using a
persistentVolumeClaim, the value for claimName is the name for the
Podman named volume.

Note: When playing a kube YAML with init containers, the init container
will be created with the init type value "always".

Note: hostPath volume types created by play kube will be given an
SELinux private label (Z).
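
An added example, not part of the Podman documentation: a pre-flight
check that applies the volume rules above to an already-parsed Pod or
Deployment manifest and reports which volumes become host-path mounts
(and so receive the SELinux private label), which become named volumes,
and which play kube does not support. The function names and the sample
manifest are constructed for illustration; parsing the YAML into a dict
is left to the caller.

```python
# Added example: classify the volumes of a parsed Pod/Deployment manifest
# using the play kube rules described above. Names here are illustrative.
SUPPORTED_HOSTPATH_TYPES = {"", "DirectoryOrCreate", "Directory",
                            "FileOrCreate", "File", "Socket"}

def pod_spec(doc):
    """Return the pod spec of a parsed Pod or Deployment document."""
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Deployment":
        spec = (spec.get("template") or {}).get("spec") or {}
    return spec

def audit_volumes(doc):
    """Return a list of (volume name, verdict, detail) tuples."""
    findings = []
    for vol in pod_spec(doc).get("volumes") or []:
        name = vol.get("name", "<unnamed>")
        if "hostPath" in vol:
            host_path = vol["hostPath"] or {}
            path = host_path.get("path") or ""
            subtype = host_path.get("type") or ""
            if subtype not in SUPPORTED_HOSTPATH_TYPES:
                # CharDevice, BlockDevice and anything else not listed
                findings.append((name, "unsupported", f"hostPath type {subtype}"))
            elif "/" in path:
                # Treated as a file path on the host; gets the Z label
                findings.append((name, "host-path", path))
            else:
                # No forward slash: the value names a Podman named volume
                findings.append((name, "named-volume", path))
        elif "persistentVolumeClaim" in vol:
            claim = (vol["persistentVolumeClaim"] or {}).get("claimName") or ""
            findings.append((name, "named-volume", claim))
        else:
            kinds = sorted(key for key in vol if key != "name")
            findings.append((name, "unsupported", ", ".join(kinds)))
    return findings

# Constructed sample: the dict a YAML parser would return for a Deployment.
SAMPLE = {"kind": "Deployment", "spec": {"template": {"spec": {"volumes": [
    {"name": "etc", "hostPath": {"path": "/etc/myapp", "type": "Directory"}},
    {"name": "data", "hostPath": {"path": "appdata"}},
    {"name": "disk", "hostPath": {"path": "/dev/sdb", "type": "BlockDevice"}},
    {"name": "claim", "persistentVolumeClaim": {"claimName": "pgdata"}},
    {"name": "scratch", "emptyDir": {}},
]}}}}

if __name__ == "__main__":
    for name, verdict, detail in audit_volumes(SAMPLE):
        print(f"{name:8} {verdict:13} {detail}")
```

Every "host-path" row is a location on the host that play kube will
relabel, so review those paths before running a manifest that did not
come from podman-generate-kube(1).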

Note: If the :latest tag is used, Podman will attempt to pull the image
from a registry. If the image was built locally with Podman or Buildah,
it will have localhost as the domain; in that case, Podman will use the
image from the local store even if it has the :latest tag.

Kubernetes PersistentVolumeClaims

A Kubernetes PersistentVolumeClaim represents a Podman named volume.
Only the PersistentVolumeClaim name is required by Podman to create a
volume. Kubernetes annotations can be used to make use of the available
options for Podman volumes.

• volume.podman.io/driver

• volume.podman.io/device

• volume.podman.io/type

• volume.podman.io/uid

• volume.podman.io/gid

• volume.podman.io/mount-options

Play kube is capable of building images on the fly given the correct
directory layout and Containerfiles. This option is not available for
remote clients yet. Consider the following excerpt from a YAML file:

    apiVersion: v1
    kind: Pod
    metadata:
    spec:
      containers:
      - command:
        - top
        - name: container
          value: podman
        image: foobar

If there is a directory named foobar in the current working directory
with a file named Containerfile or Dockerfile, Podman play kube will
build that image and name it foobar. An example directory structure
for this example would look like:

    |- mykubefiles
        |- myplayfile.yaml
        |- foobar
             |- Containerfile

The build will consider foobar to be the context directory for the
build. If there is an image in local storage called foobar, the image
will not be built unless the --build flag is used.

--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: You can also override the default path of the authentication file
by setting the REGISTRY_AUTH_FILE environment variable.

    export REGISTRY_AUTH_FILE=path

--build
Build images even if they are found in the local storage.

--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the
registry. Please refer to containers-certs.d(5) for details. (This
option is not available with the remote Podman client)

--configmap=path
Use Kubernetes configmap YAML at path to provide a source for
environment variable values within the containers of the pod.

Note: The --configmap option can be used multiple times or a
comma-separated list of paths can be used to pass multiple Kubernetes
configmap YAMLs.

--creds
The [username[:password]] to use to authenticate with the registry if
required. If one or both values are not supplied, a command line
prompt will appear and the value can be entered. The password is
entered without echo.

--down
Tears down the pods that were created by a previous run of play kube.
The pods are stopped and then removed. Any volumes created are left
intact.

--ip=IP address
Assign a static IP address to the pod. This option can be specified
several times when play kube creates more than one pod.

--log-driver=driver
Set logging driver for all created containers.

--mac-address=MAC address
Assign a static MAC address to the pod. This option can be specified
several times when play kube creates more than one pod.

--network=mode, --net
Change the network mode of the pod. The host and bridge network mode
should be configured in the YAML file. Valid mode values are:

• none: Create a network namespace for the container but do not
  configure network interfaces for it, thus the container has no
  network connectivity.

• container:id: Reuse another container's network stack.

• network: Connect to a user-defined network, multiple networks
  should be comma-separated.

• ns:path: Path to a network namespace to join.

• private: Create a new namespace for the container. This will
  use the bridge mode for rootful containers and slirp4netns
  for rootless ones.

• slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
  network stack. This is the default for rootless containers. It
  is possible to specify these additional options:

    • allow_host_loopback=true|false: Allow the slirp4netns to
      reach the host loopback IP (10.0.2.2, which is added to
      /etc/hosts as host.containers.internal for your
      convenience). Default is false.

    • mtu=MTU: Specify the MTU to use for this network. (Default
      is 65520).

    • cidr=CIDR: Specify IP range to use for this network.
      (Default is 10.0.2.0/24).

    • enable_ipv6=true|false: Enable IPv6. Default is false.
      (Required for outbound_addr6).

    • outbound_addr=INTERFACE: Specify the outbound interface
      slirp should bind to (IPv4 traffic only).

    • outbound_addr=IPv4: Specify the outbound IPv4 address slirp
      should bind to.

    • outbound_addr6=INTERFACE: Specify the outbound interface
      slirp should bind to (IPv6 traffic only).

    • outbound_addr6=IPv6: Specify the outbound IPv6 address slirp
      should bind to.

    • port_handler=rootlesskit: Use rootlesskit for port
      forwarding. Default. Note: Rootlesskit changes the source IP
      address of incoming packets to an IP address in the container
      network namespace, usually 10.0.2.100. If your application
      requires the real source IP address, e.g. web server logs,
      use the slirp4netns port handler. The rootlesskit port
      handler is also used for rootless containers when connected
      to user-defined networks.

    • port_handler=slirp4netns: Use the slirp4netns port
      forwarding; it is slower than rootlesskit but preserves the
      correct source IP address. This port handler cannot be used
      for user-defined networks.

--quiet, -q
Suppress output information when pulling images

--seccomp-profile-root=path
Directory path for seccomp profiles (default:
"/var/lib/kubelet/seccomp"). (This option is not available with the
remote Podman client)

--start=true|false
Start the pod after creating it, set to false to only create it.

--tls-verify=true|false
Require HTTPS and verify certificates when contacting registries
(default: true). If explicitly set to true, then TLS verification will
be used. If set to false, then TLS verification will not be used. If
not specified, TLS verification will be used unless the target registry
is listed as an insecure registry in registries.conf.

--help, -h
Print usage statement

Recreate the pod and containers as described in a file called demo.yml

    $ podman play kube demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Recreate the pod and containers as described in a file demo.yml sent to
stdin

    $ cat demo.yml | podman play kube -
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Tear down the pod and containers as described in a file demo.yml

    $ podman play kube --down demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Provide configmap-foo.yml and configmap-bar.yml as sources for
environment variables within the containers.

    $ podman play kube demo.yml --configmap configmap-foo.yml,configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman play kube demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

CNI network(s) can be specified as a comma-separated list using
--network

    $ podman play kube demo.yml --network cni1,cni2
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Please take into account that CNI networks must be created first using
podman-network-create(1).

podman(1), podman-container(1), podman-pod(1), podman-generate-kube(1),
podman-play(1), podman-network-create(1), containers-certs.d(5)

December 2018, Originally compiled by Brent Baude (bbaude at redhat dot
com)