1podman-kube-play(1) General Commands Manual podman-kube-play(1)
2
6 podman-kube-play - Create containers, pods and volumes based on Kuber‐
7 netes YAML
8
11 podman kube play [options] file.yml|-|https://website.io/file.yml
12
15 podman kube play will read in a structured file of Kubernetes YAML. It
16 will then recreate the containers, pods or volumes described in the
17 YAML. Containers within a pod are then started and the ID of the new
18 Pod or the name of the new Volume is output. If the yaml file is speci‐
19 fied as "-" then podman kube play will read the YAML file from stdin.
20 Using the --down command line option, it is also capable of tearing
21 down the pods created by a previous run of podman kube play. Using the
22 --replace command line option, it will tear down the pods(if any) cre‐
23 ated by a previous run of podman kube play and recreate the pods with
24 the Kubernetes YAML file. Ideally the input file would be one created
25 by Podman (see podman-kube-generate(1)). This would guarantee a smooth
26 import and expected results. The input can also be a URL that points
27 to a YAML file such as https://podman.io/demo.yml. podman kube play
28 will read the YAML from the URL and create pods and containers from it.
29 Currently, the supported Kubernetes kinds are: - Pod - Deployment -
32 PersistentVolumeClaim - ConfigMap
33 Kubernetes Pods or Deployments
36 Only three volume types are supported by kube play, the hostPath, emp‐
39 tyDir, and persistentVolumeClaim volume types. For the hostPath volume
40 type, only the default (empty), DirectoryOrCreate, Directory, FileOr‐
41 Create, File, Socket, CharDevice and BlockDevice subtypes are sup‐
42 ported. Podman interprets the value of hostPath path as a file path
43 when it contains at least one forward slash, otherwise Podman treats
44 the value as the name of a named volume. When using a persistentVolume‐
45 Claim, the value for claimName is the name for the Podman named volume.
46 When using an emptyDir volume, podman creates an anonymous volume that
47 is attached the containers running inside the pod and is deleted once
48 the pod is removed.
49 Note: When playing a kube YAML with init containers, the init container
52 will be created with init type value once. To change the default type,
53 use the io.podman.annotations.init.container.type annotation to set the
54 type to always.
55 Note: hostPath volume types created by kube play will be given an
58 SELinux shared label (z), bind mounts are not relabeled (use chcon -t
59 container_file_t -R <directory>).
60 Note: If the :latest tag is used, Podman will attempt to pull the image
63 from a registry. If the image was built locally with Podman or Buildah,
64 it will have localhost as the domain, in that case, Podman will use the
65 image from the local store even if it has the :latest tag.
66 Note: The command podman play kube is an alias of podman kube play, and
69 will perform the same function.
70 Note: The command podman kube down can be used to stop and remove pods
73 or containers based on the same Kubernetes YAML used by podman kube
74 play to create them.
75 Kubernetes PersistentVolumeClaims
78 A Kubernetes PersistentVolumeClaim represents a Podman named volume.
81 Only the PersistentVolumeClaim name is required by Podman to create a
82 volume. Kubernetes annotations can be used to make use of the available
83 options for Podman volumes.
84 • volume.podman.io/driver
87 • volume.podman.io/device
89 • volume.podman.io/type
91 • volume.podman.io/uid
93 • volume.podman.io/gid
95 • volume.podman.io/mount-options
97 Kube play is capable of building images on the fly given the correct
101 directory layout and Containerfiles. This option is not available for
102 remote clients, including Mac and Windows (excluding WSL2) machines,
103 yet. Consider the following excerpt from a YAML file:
104 apiVersion: v1
107 kind: Pod
108 metadata:
109 spec:
110 containers:
111 - command:
112 - top
113 - name: container
114 value: podman
115 image: foobar
116 If there is a directory named foobar in the current working directory
120 with a file named Containerfile or Dockerfile, Podman kube play will
121 build that image and name it foobar. An example directory structure
122 for this example would look like:
123 |- mykubefiles
126 |- myplayfile.yaml
127 |- foobar
128 |- Containerfile
129 The build will consider foobar to be the context directory for the
133 build. If there is an image in local storage called foobar, the image
134 will not be built unless the --build flag is used. Use --build=false to
135 completely disable builds.
136 Kubernetes ConfigMap
139 Kubernetes ConfigMap can be referred as a source of environment vari‐
142 ables or volumes in Pods or Deployments. ConfigMaps aren't a stand‐
143 alone object in Podman; instead, when a container uses a ConfigMap,
144 Podman will create environment variables or volumes as needed.
145 For example, the following YAML document defines a ConfigMap and then
148 uses it in a Pod:
149 apiVersion: v1
152 kind: ConfigMap
153 metadata:
154 name: foo
155 data:
156 FOO: bar
157 ---
158 apiVersion: v1
159 kind: Pod
160 metadata:
161 name: foobar
162 spec:
163 containers:
164 - command:
165 - top
166 name: container-1
167 image: foobar
168 envFrom:
169 - configMapRef:
170 name: foo
171 optional: false
172 and as a result environment variable FOO will be set to bar for con‐
176 tainer container-1.
177
180 --annotation=key=value
181 Add an annotation to the container or pod. This option can be set mul‐
182 tiple times.
183 --authfile=path
186 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
187 ers/auth.json, which is set using podman login. If the authorization
188 state is not found there, $HOME/.docker/config.json is checked, which
189 is set using docker login.
190 Note: There is also the option to override the default path of the au‐
193 thentication file by setting the REGISTRY_AUTH_FILE environment vari‐
194 able. This can be done with export REGISTRY_AUTH_FILE=path.
195 --build
198 Build images even if they are found in the local storage. Use
199 --build=false to completely disable builds. (This option is not avail‐
200 able with the remote Podman client)
201 --cert-dir=path
204 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
205 istry. (Default: /etc/containers/certs.d) Please refer to containers-
206 certs.d(5) for details. (This option is not available with the remote
207 Podman client, including Mac and Windows (excluding WSL2) machines)
208 --configmap=path
211 Use Kubernetes configmap YAML at path to provide a source for environ‐
212 ment variable values within the containers of the pod. (This option is
213 not available with the remote Podman client)
214 Note: The --configmap option can be used multiple times or a comma-sep‐
217 arated list of paths can be used to pass multiple Kubernetes configmap
218 YAMLs.
219 --context-dir=path
222 Use path as the build context directory for each image. Requires
223 --build option be true. (This option is not available with the remote
224 Podman client)
225 --creds=[username[:password]]
228 The [username[:password]] to use to authenticate with the registry, if
229 required. If one or both values are not supplied, a command line
230 prompt will appear and the value can be entered. The password is en‐
231 tered without echo.
232 --help, -h
235 Print usage statement
236 --ip=IP address
239 Assign a static ip address to the pod. This option can be specified
240 several times when kube play creates more than one pod. Note: When
241 joining multiple networks you should use the --network name:ip=<ip>
242 syntax.
243 --log-driver=driver
246 Set logging driver for all created containers.
247 --log-opt=name=value
250 Logging driver specific options.
251 Set custom logging configuration. The following *name*s are supported:
254 path: specify a path to the log file
257 (e.g. --log-opt path=/var/log/container/mycontainer.json);
258 max-size: specify a max size of the log file
261 (e.g. --log-opt max-size=10mb);
262 tag: specify a custom log tag for the container
265 (e.g. --log-opt tag="{{.ImageName}}". It supports the same keys as
266 podman inspect --format. This option is currently supported only by
267 the journald log driver.
268 --mac-address=MAC address
271 Assign a static mac address to the pod. This option can be specified
272 several times when kube play creates more than one pod. Note: When
273 joining multiple networks you should use the --network name:mac=<mac>
274 syntax.
275 --network=mode, --net
278 Set the network mode for the pod.
279 Valid mode values are:
282 • bridge[:OPTIONS,...]: Create a network stack on the default
285 bridge. This is the default for rootful containers. It is pos‐
286 sible to specify these additional options:
287 • alias=name: Add network-scoped alias for the container.
289 • ip=IPv4: Specify a static ipv4 address for this container.
291 • ip=IPv6: Specify a static ipv6 address for this container.
293 • mac=MAC: Specify a static mac address for this container.
295 • interface_name: Specify a name for the created network in‐
297 terface inside the container.
298 For example to set a static ipv4 address and a static mac address, use
304 --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99. - <network name
305 or ID>[:OPTIONS,...]: Connect to a user-defined network; this is the
306 network name or ID from a network created by podman network create. Us‐
307 ing the network name implies the bridge network mode. It is possible to
308 specify the same options described under the bridge mode above. You can
309 use the --network option multiple times to specify additional networks.
310 - none: Create a network namespace for the container but do not config‐
311 ure network interfaces for it, thus the container has no network con‐
312 nectivity. - container:id: Reuse another container's network stack. -
313 host: Do not create a network namespace, the container will use the
314 host's network. Note: The host mode gives the container full access to
315 local system services such as D-bus and is therefore considered inse‐
316 cure. - ns:path: Path to a network namespace to join. - private: Cre‐
317 ate a new namespace for the container. This will use the bridge mode
318 for rootful containers and slirp4netns for rootless ones. -
319 slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network
320 stack. This is the default for rootless containers. It is possible to
321 specify these additional options, they can also be set with net‐
322 work_cmd_options in containers.conf:
323 - allow_host_loopback=true|false: Allow slirp4netns to reach the host
324 loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr
325 subnet when changed, see the cidr option below). The default is false.
326 - mtu=MTU: Specify the MTU to use for this network. (Default is
327 65520).
328 - cidr=CIDR: Specify ip range to use for this network. (Default is
329 10.0.2.0/24).
330 - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
331 outbound_addr6).
332 - outbound_addr=INTERFACE: Specify the outbound interface slirp
333 should bind to (ipv4 traffic only).
334 - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should
335 bind to.
336 - outbound_addr6=INTERFACE: Specify the outbound interface slirp
337 should bind to (ipv6 traffic only).
338 - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should
339 bind to.
340 - port_handler=rootlesskit: Use rootlesskit for port forwarding. De‐
341 fault.
342 Note: Rootlesskit changes the source IP address of incoming packets
343 to an IP address in the container network namespace, usually
344 10.0.2.100. If your application requires the real source IP address,
345 e.g. web server logs, use the slirp4netns port handler. The rootlesskit
346 port handler is also used for rootless containers when connected to
347 user-defined networks.
348 - port_handler=slirp4netns: Use the slirp4netns port forwarding, it
349 is slower than rootlesskit but preserves the correct source IP address.
350 This port handler cannot be used for user-defined networks.
351 When no network option is specified and host network mode is not con‐
354 figured in the YAML file, a new network stack is created and pods are
355 attached to it making possible pod to pod communication.
356 --no-hosts
359 Do not create /etc/hosts for the pod. By default, Podman will manage
360 /etc/hosts, adding the container's own IP address and any hosts from
361 --add-host. --no-hosts disables this, and the image's /etc/hosts will
362 be preserved unmodified.
363 This option conflicts with host added in the Kubernetes YAML.
366 --quiet, -q
369 Suppress output information when pulling images
370 --replace
373 Tears down the pods created by a previous run of kube play and recre‐
374 ates the pods. This option is used to keep the existing pods up to date
375 based upon the Kubernetes YAML.
376 --seccomp-profile-root=path
379 Directory path for seccomp profiles (default: "/var/lib/kubelet/sec‐
380 comp"). (This option is not available with the remote Podman client,
381 including Mac and Windows (excluding WSL2) machines)
382 --start
385 Start the pod after creating it, set to false to only create it.
386 --tls-verify
389 Require HTTPS and verify certificates when contacting registries (de‐
390 fault: true). If explicitly set to true, TLS verification will be
391 used. If set to false, TLS verification will not be used. If not
392 specified, TLS verification will be used unless the target registry is
393 listed as an insecure registry in containers-registries.conf(5)
394 --userns=mode
397 Set the user namespace mode for the container. It defaults to the POD‐
398 MAN_USERNS environment variable. An empty value ("") means user name‐
399 spaces are disabled unless an explicit mapping is set with the --uidmap
400 and --gidmap options.
401 This option is incompatible with --gidmap, --uidmap, --subuidname and
404 --subgidname.
405 Rootless user --userns=Key mappings:
408 ┌────────┬───────────┬─────────────────────┐
411 │Key │ Host User │ Container User │
412 ├────────┼───────────┼─────────────────────┤
413 │"" │ $UID │ 0 (Default User ac‐ │
414 │ │ │ count mapped to │
415 │ │ │ root user in con‐ │
416 │ │ │ tainer.) │
417 ├────────┼───────────┼─────────────────────┤
418 │keep-id │ $UID │ $UID (Map user ac‐ │
419 │ │ │ count to same UID │
420 │ │ │ within container.) │
421 ├────────┼───────────┼─────────────────────┤
422 │auto │ $UID │ nil (Host User UID │
423 │ │ │ is not mapped into │
424 │ │ │ container.) │
425 ├────────┼───────────┼─────────────────────┤
426 │nomap │ $UID │ nil (Host User UID │
427 │ │ │ is not mapped into │
428 │ │ │ container.) │
429 └────────┴───────────┴─────────────────────┘
430 Valid mode values are:
432 auto[:OPTIONS,...]: automatically create a unique user namespace.
435 The --userns=auto flag, requires that the user name containers and a
438 range of subordinate user ids that the Podman container is allowed to
439 use be specified in the /etc/subuid and /etc/subgid files.
440 Example: containers:2147483647:2147483648.
443 Podman allocates unique ranges of UIDs and GIDs from the containers
446 subordinate user ids. The size of the ranges is based on the number of
447 UIDs required in the image. The number of UIDs and GIDs can be overrid‐
448 den with the size option.
449 The rootless option --userns=keep-id uses all the subuids and subgids
452 of the user. Using --userns=auto when starting new containers will not
453 work as long as any containers exist that were started with
454 --userns=keep-id.
455 Valid auto options:
458 • gidmapping=_CONTAINER_GID:HOSTGID:SIZE: to force a GID mapping
461 to be present in the user namespace.
462 • size=SIZE: to specify an explicit size for the automatic user
464 namespace. e.g. --userns=auto:size=8192. If size is not speci‐
465 fied, auto will estimate a size for the user namespace.
466 • uidmapping=_CONTAINER_UID:HOSTUID:SIZE: to force a UID mapping
468 to be present in the user namespace.
469 container:id: join the user namespace of the specified container.
473 host: run in the user namespace of the caller. The processes running in
476 the container will have the same privileges on the host as any other
477 process launched by the calling user (default).
478 keep-id: creates a user namespace where the current rootless user's
481 UID:GID are mapped to the same values in the container. This option is
482 not allowed for containers created by the root user.
483 Valid keep-id options:
486 • uid=UID: override the UID inside the container that will be
489 used to map the current rootless user to.
490 • gid=GID: override the GID inside the container that will be
492 used to map the current rootless user to.
493 nomap: creates a user namespace where the current rootless user's
497 UID:GID are not mapped into the container. This option is not allowed
498 for containers created by the root user.
499 ns:namespace: run the pod in the given existing user namespace.
502
505 Recreate the pod and containers as described in a file called demo.yml
506 $ podman kube play demo.yml
509 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
510 Recreate the pod and containers as described in a file demo.yml sent to
514 stdin
515 $ cat demo.yml | podman kube play -
518 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
519 Teardown the pod and containers as described in a file demo.yml
524 $ podman kube play --down demo.yml
527 Pods stopped:
528 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
529 Pods removed:
530 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
531 Provide configmap-foo.yml and configmap-bar.yml as sources for environ‐
535 ment variables within the containers.
536 $ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
539 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
540 $ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
542 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
543 Create a pod connected to two networks (called net1 and net2) with a
547 static ip
548 $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
551 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
552 Please take into account that networks must be created first using pod‐
556 man-network-create(1).
557 Create and teardown from a URL pointing to a YAML file
560 $ podman kube play https://podman.io/demo.yml
563 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
564 $ podman kube play --down https://podman.io/demo.yml
566 Pods stopped:
567 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
568 Pods removed:
569 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
570 podman kube play --down will not work with a URL if the YAML file the
574 URL points to has been changed or altered.
575
579 This document outlines the kube yaml fields that are currently sup‐
580 ported by the podman kube play command.
581 Note: N/A means that the option cannot be supported in a single-node
584 Podman environment.
585
588 ┌──────────────────────────────┬─────────┐
589 │Field │ Support │
590 ├──────────────────────────────┼─────────┤
591 │containers │ ✅ │
592 ├──────────────────────────────┼─────────┤
593 │initContainers │ ✅ │
594 ├──────────────────────────────┼─────────┤
595 │imagePullSecrets │ │
596 ├──────────────────────────────┼─────────┤
597 │enableServiceLinks │ │
598 ├──────────────────────────────┼─────────┤
599 │os.name │ │
600 ├──────────────────────────────┼─────────┤
601 │volumes │ │
602 ├──────────────────────────────┼─────────┤
603 │nodeSelector │ N/A │
604 ├──────────────────────────────┼─────────┤
605 │nodeName │ N/A │
606 ├──────────────────────────────┼─────────┤
607 │affinity.nodeAffinity │ N/A │
608 ├──────────────────────────────┼─────────┤
609 │affinity.podAffinity │ N/A │
610 ├──────────────────────────────┼─────────┤
611 │affinity.podAntiAffinity │ N/A │
612 ├──────────────────────────────┼─────────┤
613 │tolerations.key │ N/A │
614 ├──────────────────────────────┼─────────┤
615 │tolerations.operator │ N/A │
616 ├──────────────────────────────┼─────────┤
617 │tolerations.effect │ N/A │
618 ├──────────────────────────────┼─────────┤
619 │tolerations.tolerationSeconds │ N/A │
620 ├──────────────────────────────┼─────────┤
621 │schedulerName │ N/A │
622 ├──────────────────────────────┼─────────┤
623 │runtimeClassName │ │
624 ├──────────────────────────────┼─────────┤
625 │priorityClassName │ │
626 ├──────────────────────────────┼─────────┤
627 │priority │ │
628 ├──────────────────────────────┼─────────┤
629 │topologySpreadCon‐ │ │
630 │straints.maxSkew │ │
631 ├──────────────────────────────┼─────────┤
632 │ │ N/A │
633 ├──────────────────────────────┼─────────┤
634 │topologySpreadCon‐ │ │
635 │straints.topologyKey │ │
636 ├──────────────────────────────┼─────────┤
637 │ │ N/A │
638 ├──────────────────────────────┼─────────┤
639 │topologySpreadCon‐ │ │
640 │straints.whenUnsatisfiable │ │
641 ├──────────────────────────────┼─────────┤
642 │ │ N/A │
643 ├──────────────────────────────┼─────────┤
644 │topologySpreadConstraints.la‐ │ │
645 │belSelector │ │
646 ├──────────────────────────────┼─────────┤
647 │ │ N/A │
648 ├──────────────────────────────┼─────────┤
649 │topologySpreadCon‐ │ │
650 │straints.minDomains │ │
651 ├──────────────────────────────┼─────────┤
652 │ │ N/A │
653 ├──────────────────────────────┼─────────┤
654 │restartPolicy │ ✅ │
655 ├──────────────────────────────┼─────────┤
656 │terminationGracePeriod │ │
657 ├──────────────────────────────┼─────────┤
658 │activeDeadlineSeconds │ │
659 ├──────────────────────────────┼─────────┤
660 │readinessGates.conditionType │ │
661 ├──────────────────────────────┼─────────┤
662 │hostname │ ✅ │
663 ├──────────────────────────────┼─────────┤
664 │setHostnameAsFQDN │ │
665 ├──────────────────────────────┼─────────┤
666 │subdomain │ │
667 ├──────────────────────────────┼─────────┤
668 │hostAliases.hostnames │ ✅ │
669 ├──────────────────────────────┼─────────┤
670 │hostAliases.ip │ ✅ │
671 ├──────────────────────────────┼─────────┤
672 │dnsConfig.nameservers │ ✅ │
673 ├──────────────────────────────┼─────────┤
674 │dnsConfig.options.name │ ✅ │
675 ├──────────────────────────────┼─────────┤
676 │dnsConfig.options.value │ ✅ │
677 ├──────────────────────────────┼─────────┤
678 │dnsConfig.searches │ ✅ │
679 ├──────────────────────────────┼─────────┤
680 │dnsPolicy │ │
681 ├──────────────────────────────┼─────────┤
682 │hostNetwork │ ✅ │
683 ├──────────────────────────────┼─────────┤
684 │hostPID │ │
685 ├──────────────────────────────┼─────────┤
686 │hostIPC │ │
687 ├──────────────────────────────┼─────────┤
688 │shareProcessNamespace │ ✅ │
689 ├──────────────────────────────┼─────────┤
690 │serviceAccountName │ │
691 ├──────────────────────────────┼─────────┤
692 │automountServiceAccountToken │ │
693 ├──────────────────────────────┼─────────┤
694 │securityContext.runAsUser │ │
695 ├──────────────────────────────┼─────────┤
696 │securityContext.runAsNonRoot │ │
697 ├──────────────────────────────┼─────────┤
698 │securityContext.runAsGroup │ │
699 ├──────────────────────────────┼─────────┤
700 │securityContext.supplemental‐ │ │
701 │Groups │ │
702 ├──────────────────────────────┼─────────┤
703 │ │ │
704 ├──────────────────────────────┼─────────┤
705 │securityContext.fsGroup │ │
706 ├──────────────────────────────┼─────────┤
707 │securityContext.fs‐ │ │
708 │GroupChangePolicy │ │
709 ├──────────────────────────────┼─────────┤
710 │ │ │
711 ├──────────────────────────────┼─────────┤
712 │securityContext.seccompPro‐ │ │
713 │file.type │ │
714 ├──────────────────────────────┼─────────┤
715 │ │ │
716 ├──────────────────────────────┼─────────┤
717 │securityContext.seccompPro‐ │ │
718 │file.localhostProfile │ │
719 ├──────────────────────────────┼─────────┤
720 │ │ │
721 ├──────────────────────────────┼─────────┤
722 │securityContext.seLinuxOp‐ │ │
723 │tions.level │ │
724 ├──────────────────────────────┼─────────┤
725 │ │ │
726 ├──────────────────────────────┼─────────┤
727 │securityContext.seLinuxOp‐ │ │
728 │tions.role │ │
729 ├──────────────────────────────┼─────────┤
730 │ │ │
731 ├──────────────────────────────┼─────────┤
732 │securityContext.seLinuxOp‐ │ │
733 │tions.type │ │
734 ├──────────────────────────────┼─────────┤
735 │ │ │
736 ├──────────────────────────────┼─────────┤
737 │securityContext.seLinuxOp‐ │ │
738 │tions.user │ │
739 ├──────────────────────────────┼─────────┤
740 │ │ │
741 ├──────────────────────────────┼─────────┤
742 │securityContext.sysctls.name │ │
743 ├──────────────────────────────┼─────────┤
744 │securityContext.sysctls.value │ │
745 ├──────────────────────────────┼─────────┤
746 │securityContext.windowsOp‐ │ │
747 │tions.gmsaCredentialSpec │ │
748 ├──────────────────────────────┼─────────┤
749 │ │ │
750 ├──────────────────────────────┼─────────┤
751 │securityContext.windowsOp‐ │ │
752 │tions.hostProcess │ │
753 ├──────────────────────────────┼─────────┤
754 │ │ │
755 ├──────────────────────────────┼─────────┤
756 │securityContext.windowsOp‐ │ │
757 │tions.runAsUserName │ │
758 ├──────────────────────────────┼─────────┤
759 │ │ │
760 └──────────────────────────────┴─────────┘
761
763 ┌───────────────────────────────────┬─────────┐
764 │Field │ Support │
765 ├───────────────────────────────────┼─────────┤
766 │name │ ✅ │
767 ├───────────────────────────────────┼─────────┤
768 │image │ ✅ │
769 ├───────────────────────────────────┼─────────┤
770 │imagePullPolicy │ ✅ │
771 ├───────────────────────────────────┼─────────┤
772 │command │ ✅ │
773 ├───────────────────────────────────┼─────────┤
774 │args │ ✅ │
775 ├───────────────────────────────────┼─────────┤
776 │workingDir │ ✅ │
777 ├───────────────────────────────────┼─────────┤
778 │ports.containerPort │ ✅ │
779 ├───────────────────────────────────┼─────────┤
780 │ports.hostIP │ ✅ │
781 ├───────────────────────────────────┼─────────┤
782 │ports.hostPort │ ✅ │
783 ├───────────────────────────────────┼─────────┤
784 │ports.name │ ✅ │
785 ├───────────────────────────────────┼─────────┤
786 │ports.protocol │ ✅ │
787 ├───────────────────────────────────┼─────────┤
788 │env.name │ ✅ │
789 ├───────────────────────────────────┼─────────┤
790 │env.value │ ✅ │
791 ├───────────────────────────────────┼─────────┤
792 │env.valueFrom.configMapKeyRef.key │ │
793 ├───────────────────────────────────┼─────────┤
794 │ │ ✅ │
795 ├───────────────────────────────────┼─────────┤
796 │env.valueFrom.configMapKeyRef.name │ ✅ │
797 ├───────────────────────────────────┼─────────┤
798 │env.valueFrom.configMapKeyRef.op‐ │ │
799 │tional │ │
800 ├───────────────────────────────────┼─────────┤
801 │ │ ✅ │
802 ├───────────────────────────────────┼─────────┤
803 │env.valueFrom.fieldRef │ ✅ │
804 ├───────────────────────────────────┼─────────┤
805 │env.valueFrom.resourceFieldRef │ ✅ │
806 ├───────────────────────────────────┼─────────┤
807 │env.valueFrom.secretKeyRef.key │ ✅ │
808 ├───────────────────────────────────┼─────────┤
809 │env.valueFrom.secretKeyRef.name │ ✅ │
810 ├───────────────────────────────────┼─────────┤
811 │env.valueFrom.secretKeyRef.op‐ │ │
812 │tional │ │
813 ├───────────────────────────────────┼─────────┤
814 │ │ ✅ │
815 ├───────────────────────────────────┼─────────┤
816 │envFrom.configMapRef.name │ ✅ │
817 ├───────────────────────────────────┼─────────┤
818 │envFrom.configMapRef.optional │ ✅ │
819 ├───────────────────────────────────┼─────────┤
820 │envFrom.prefix │ │
821 ├───────────────────────────────────┼─────────┤
822 │envFrom.secretRef.name │ ✅ │
823 ├───────────────────────────────────┼─────────┤
824 │envFrom.secretRef.optional │ ✅ │
825 ├───────────────────────────────────┼─────────┤
826 │volumeMounts.mountPath │ ✅ │
827 ├───────────────────────────────────┼─────────┤
828 │volumeMounts.name │ ✅ │
829 ├───────────────────────────────────┼─────────┤
830 │volumeMounts.mountPropagation │ │
831 ├───────────────────────────────────┼─────────┤
832 │volumeMounts.readOnly │ ✅ │
833 ├───────────────────────────────────┼─────────┤
834 │volumeMounts.subPath │ │
835 ├───────────────────────────────────┼─────────┤
836 │volumeMounts.subPathExpr │ │
837 ├───────────────────────────────────┼─────────┤
838 │volumeDevices.devicePath │ │
839 ├───────────────────────────────────┼─────────┤
840 │volumeDevices.name │ │
841 ├───────────────────────────────────┼─────────┤
842 │resources.limits │ ✅ │
843 ├───────────────────────────────────┼─────────┤
844 │resources.requests │ ✅ │
845 ├───────────────────────────────────┼─────────┤
846 │lifecycle.postStart │ │
847 ├───────────────────────────────────┼─────────┤
848 │lifecycle.preStop │ │
849 ├───────────────────────────────────┼─────────┤
850 │terminationMessagePath │ │
851 ├───────────────────────────────────┼─────────┤
852 │terminationMessagePolicy │ │
853 ├───────────────────────────────────┼─────────┤
854 │livenessProbe │ ✅ │
855 ├───────────────────────────────────┼─────────┤
856 │readinessProbe │ │
857 ├───────────────────────────────────┼─────────┤
858 │startupProbe │ │
859 ├───────────────────────────────────┼─────────┤
860 │securityContext.runAsUser │ ✅ │
861 ├───────────────────────────────────┼─────────┤
862 │securityContext.runAsNonRoot │ │
863 ├───────────────────────────────────┼─────────┤
864 │securityContext.runAsGroup │ ✅ │
865 ├───────────────────────────────────┼─────────┤
866 │securityContext.readOnlyRoot‐ │ │
867 │Filesystem │ │
868 ├───────────────────────────────────┼─────────┤
869 │ │ ✅ │
870 ├───────────────────────────────────┼─────────┤
871 │securityContext.procMount │ │
872 ├───────────────────────────────────┼─────────┤
873 │securityContext.privileged │ ✅ │
874 ├───────────────────────────────────┼─────────┤
875 │securityContext.allowPrivi‐ │ │
876 │legeEscalation │ │
877 ├───────────────────────────────────┼─────────┤
878 │ │ ✅ │
879 ├───────────────────────────────────┼─────────┤
880 │securityContext.capabilities.add │ │
881 ├───────────────────────────────────┼─────────┤
882 │ │ ✅ │
883 ├───────────────────────────────────┼─────────┤
884 │securityContext.capabilities.drop │ │
885 ├───────────────────────────────────┼─────────┤
886 │ │ ✅ │
887 ├───────────────────────────────────┼─────────┤
888 │securityContext.seccompPro‐ │ │
889 │file.type │ │
890 ├───────────────────────────────────┼─────────┤
891 │ │ │
892 ├───────────────────────────────────┼─────────┤
893 │securityContext.seccompProfile.lo‐ │ │
894 │calhostProfile │ │
895 ├───────────────────────────────────┼─────────┤
896 │ │ │
897 ├───────────────────────────────────┼─────────┤
898 │securityContext.seLinuxOp‐ │ │
899 │tions.level │ │
900 ├───────────────────────────────────┼─────────┤
901 │ │ ✅ │
902 ├───────────────────────────────────┼─────────┤
903 │securityContext.seLinuxOp‐ │ │
904 │tions.role │ │
905 ├───────────────────────────────────┼─────────┤
906 │ │ ✅ │
907 ├───────────────────────────────────┼─────────┤
908 │securityContext.seLinuxOp‐ │ │
909 │tions.type │ │
910 ├───────────────────────────────────┼─────────┤
911 │ │ ✅ │
912 ├───────────────────────────────────┼─────────┤
913 │securityContext.seLinuxOp‐ │ │
914 │tions.user │ │
915 ├───────────────────────────────────┼─────────┤
916 │ │ ✅ │
917 ├───────────────────────────────────┼─────────┤
918 │securityContext.windowsOptions.gm‐ │ │
919 │saCredentialSpec │ │
920 ├───────────────────────────────────┼─────────┤
921 │ │ │
922 ├───────────────────────────────────┼─────────┤
923 │securityContext.windowsOp‐ │ │
924 │tions.hostProcess │ │
925 ├───────────────────────────────────┼─────────┤
926 │ │ │
927 ├───────────────────────────────────┼─────────┤
928 │securityContext.windowsOp‐ │ │
929 │tions.runAsUserName │ │
930 ├───────────────────────────────────┼─────────┤
931 │ │ │
932 ├───────────────────────────────────┼─────────┤
933 │stdin │ │
934 ├───────────────────────────────────┼─────────┤
935 │stdinOnce │ │
936 ├───────────────────────────────────┼─────────┤
937 │tty │ │
938 └───────────────────────────────────┴─────────┘
939
941 ┌───────────────────┬─────────┐
942 │Field │ Support │
943 ├───────────────────┼─────────┤
944 │volumeName │ │
945 ├───────────────────┼─────────┤
946 │storageClassName │ ✅ │
947 ├───────────────────┼─────────┤
948 │volumeMode │ │
949 ├───────────────────┼─────────┤
950 │accessModes │ ✅ │
951 ├───────────────────┼─────────┤
952 │selector │ │
953 ├───────────────────┼─────────┤
954 │resources.limits │ │
955 ├───────────────────┼─────────┤
956 │resources.requests │ ✅ │
957 └───────────────────┴─────────┘
958
960 ┌───────────┬─────────┐
961 │Field │ Support │
962 ├───────────┼─────────┤
963 │binaryData │ ✅ │
964 ├───────────┼─────────┤
965 │data │ ✅ │
966 ├───────────┼─────────┤
967 │immutable │ │
968 └───────────┴─────────┘
969
971 ┌────────────────────────┬─────────┐
972 │Field │ Support │
973 ├────────────────────────┼─────────┤
974 │replicas │ ✅ │
975 ├────────────────────────┼─────────┤
976 │selector │ ✅ │
977 ├────────────────────────┼─────────┤
978 │template │ ✅ │
979 ├────────────────────────┼─────────┤
980 │minReadySeconds │ │
981 ├────────────────────────┼─────────┤
982 │strategy.type │ │
983 ├────────────────────────┼─────────┤
984 │strategy.rollingUp‐ │ │
985 │date.maxSurge │ │
986 ├────────────────────────┼─────────┤
987 │ │ │
988 ├────────────────────────┼─────────┤
989 │strategy.rollingUp‐ │ │
990 │date.maxUnavailable │ │
991 ├────────────────────────┼─────────┤
992 │ │ │
993 ├────────────────────────┼─────────┤
994 │revisionHistoryLimit │ │
995 ├────────────────────────┼─────────┤
996 │progressDeadlineSeconds │ │
997 ├────────────────────────┼─────────┤
998 │paused │ │
999 └────────────────────────┴─────────┘
1000
1002 podman(1), podman-kube(1), podman-kube-down(1), podman-network-cre‐
1003 ate(1), podman-kube-generate(1), containers-certs.d(5)
1004 podman-kube-play(1)