podman-kube-play(1)         General Commands Manual        podman-kube-play(1)

NAME

       podman-kube-play - Create containers, pods and volumes based on
       Kubernetes YAML

SYNOPSIS

       podman kube play [options] file.yml|-|https://website.io/file.yml

DESCRIPTION

       podman kube play reads a structured file of Kubernetes YAML and then
       recreates the containers, pods or volumes described in the YAML.
       Containers within a pod are then started, and the ID of the new Pod or
       the name of the new Volume is output. If the YAML file is specified as
       "-", podman kube play reads the YAML from stdin. With the --down
       command line option, it tears down the pods created by a previous run
       of podman kube play. With the --replace command line option, it tears
       down the pods (if any) created by a previous run of podman kube play
       and recreates the pods from the Kubernetes YAML file. Ideally the
       input file is one created by Podman (see podman-kube-generate(1)),
       which guarantees a smooth import and expected results. The input can
       also be a URL that points to a YAML file, such as
       https://podman.io/demo.yml; podman kube play reads the YAML from the
       URL and creates pods and containers from it.

       Currently, the supported Kubernetes kinds are:

              • Pod

              • Deployment

              • PersistentVolumeClaim

              • ConfigMap

       Kubernetes Pods or Deployments

       Only three volume types are supported by kube play: hostPath,
       emptyDir, and persistentVolumeClaim. For the hostPath volume type,
       only the default (empty), DirectoryOrCreate, Directory, FileOrCreate,
       File, Socket, CharDevice and BlockDevice subtypes are supported.
       Podman interprets the value of hostPath path as a file path when it
       contains at least one forward slash; otherwise Podman treats the value
       as the name of a named volume. When using a persistentVolumeClaim, the
       value for claimName is the name of the Podman named volume. When using
       an emptyDir volume, Podman creates an anonymous volume that is
       attached to the containers running inside the pod and is deleted once
       the pod is removed.

       Note: When playing a kube YAML with init containers, the init
       container is created with init type value once. To change the default
       type, use the io.podman.annotations.init.container.type annotation to
       set the type to always.

       Note: hostPath volume types created by kube play are given an SELinux
       shared label (z); bind mounts are not relabeled (use chcon -t
       container_file_t -R <directory>).

       Note: If the :latest tag is used, Podman attempts to pull the image
       from a registry. If the image was built locally with Podman or
       Buildah, it has localhost as the domain; in that case, Podman uses the
       image from the local store even if it has the :latest tag.

       Note: The command podman play kube is an alias of podman kube play and
       performs the same function.

       Note: The command podman kube down can be used to stop and remove pods
       or containers based on the same Kubernetes YAML used by podman kube
       play to create them.
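
       The hostPath rule, the :latest note and host networking can be
       reviewed before a file is played. The script below is an added
       example, not part of the Podman documentation; the function name, the
       finding labels and the sample manifest (including
       registry.example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Podman project): pre-flight audit of a kube
# YAML file before handing it to `podman kube play`.
# Assumption: block-style YAML with one key per line, as written by
# `podman kube generate`; this is a line scanner, not a YAML parser.

# audit_kube_yaml FILE prints one finding per line:
#   HOSTNET        pod uses the host network (hostNetwork: true)
#   PULL image     :latest tag, Podman attempts a registry pull
#   LOCAL image    :latest tag on a localhost/ image, local store is used
#   BIND path      hostPath value contains "/", treated as a host file path
#   VOLUME name    hostPath value without "/", treated as a named volume
audit_kube_yaml() {
    awk -v sq="'" '
    function value(line) {
        sub(/^[^:]*:[ \t]*/, "", line)              # drop the "key:" part
        sub(/[ \t]+#.*$/, "", line)                 # drop a trailing comment
        gsub("^[\"" sq "]|[\"" sq "]$", "", line)   # drop surrounding quotes
        return line
    }
    function indent(line) { match(line, /^[ -]*/); return RLENGTH }

    /^[ \t]*(#|$)/ { next }                         # blank or comment line
    in_hp && indent($0) <= hp_indent { in_hp = 0 }  # hostPath block ended
    /^[ -]*hostPath:/ { in_hp = 1; hp_indent = indent($0); next }
    in_hp && /^[ ]*path:/ {
        p = value($0)
        kind = index(p, "/") ? "BIND" : "VOLUME"
        print kind, p
        in_hp = 0; next
    }
    /^[ ]*hostNetwork:[ ]*true[ ]*$/ { print "HOSTNET"; next }
    /^[ -]*image:/ {
        img = value($0)
        if (img ~ /:latest$/) {
            kind = (img ~ /^localhost\//) ? "LOCAL" : "PULL"
            print kind, img
        }
    }
    ' "$1"
}

# Constructed sample manifest (not taken from the man page).
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: true
  containers:
  - name: web
    image: registry.example.com/web:latest
    volumeMounts:
    - name: data
      mountPath: /data
  - name: tool
    image: localhost/tool:latest
  volumes:
  - name: data
    hostPath:
      path: /srv/web-data
      type: Directory
  - name: cache
    hostPath:
      path: webcache
EOF
}

manifest=$(mktemp)
sample_manifest > "$manifest"
audit_kube_yaml "$manifest"
rm -f "$manifest"
```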

       Kubernetes PersistentVolumeClaims

       A Kubernetes PersistentVolumeClaim represents a Podman named volume.
       Only the PersistentVolumeClaim name is required by Podman to create a
       volume. Kubernetes annotations can be used to make use of the
       available options for Podman volumes.

              • volume.podman.io/driver

              • volume.podman.io/device

              • volume.podman.io/type

              • volume.podman.io/uid

              • volume.podman.io/gid

              • volume.podman.io/mount-options

       Kube play is capable of building images on the fly given the correct
       directory layout and Containerfiles. This option is not yet available
       for remote clients, including Mac and Windows (excluding WSL2)
       machines. Consider the following excerpt from a YAML file:

              apiVersion: v1
              kind: Pod
              metadata:
              spec:
                containers:
                - command:
                  - top
                  - name: container
                    value: podman
                  image: foobar

       If there is a directory named foobar in the current working directory
       with a file named Containerfile or Dockerfile, Podman kube play builds
       that image and names it foobar. An example directory structure for
       this example would look like:

              |- mykubefiles
                  |- myplayfile.yaml
                  |- foobar
                       |- Containerfile

       The build considers foobar to be the context directory for the build.
       If there is an image in local storage called foobar, the image is not
       built unless the --build flag is used. Use --build=false to completely
       disable builds.

       Kubernetes ConfigMap

       A Kubernetes ConfigMap can be referenced as a source of environment
       variables or volumes in Pods or Deployments. ConfigMaps aren't a
       standalone object in Podman; instead, when a container uses a
       ConfigMap, Podman creates environment variables or volumes as needed.

       For example, the following YAML document defines a ConfigMap and then
       uses it in a Pod:

              apiVersion: v1
              kind: ConfigMap
              metadata:
                name: foo
              data:
                  FOO: bar
              ---
              apiVersion: v1
              kind: Pod
              metadata:
                name: foobar
              spec:
                containers:
                - command:
                  - top
                  name: container-1
                  image: foobar
                  envFrom:
                  - configMapRef:
                      name: foo
                      optional: false

       As a result, the environment variable FOO is set to bar for container
       container-1.

OPTIONS

   --annotation=key=value
       Add an annotation to the container or pod. This option can be set
       multiple times.

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --build
       Build images even if they are found in the local storage. Use
       --build=false to completely disable builds. (This option is not
       available with the remote Podman client)

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. (Default: /etc/containers/certs.d) Please refer to
       containers-certs.d(5) for details. (This option is not available with
       the remote Podman client, including Mac and Windows (excluding WSL2)
       machines)

   --configmap=path
       Use Kubernetes configmap YAML at path to provide a source for
       environment variable values within the containers of the pod. (This
       option is not available with the remote Podman client)

       Note: The --configmap option can be used multiple times, or a
       comma-separated list of paths can be used, to pass multiple Kubernetes
       configmap YAMLs.

   --context-dir=path
       Use path as the build context directory for each image. Requires the
       --build option to be true. (This option is not available with the
       remote Podman client)

   --creds=[username[:password]]
       The [username[:password]] to use to authenticate with the registry, if
       required. If one or both values are not supplied, a command line
       prompt appears and the value can be entered. The password is entered
       without echo.

   --help, -h
       Print usage statement

   --ip=IP address
       Assign a static IP address to the pod. This option can be specified
       several times when kube play creates more than one pod. Note: When
       joining multiple networks, use the --network name:ip=<ip> syntax.

   --log-driver=driver
       Set logging driver for all created containers.

   --log-opt=name=value
       Logging driver specific options.

       Set custom logging configuration. The following names are supported:

       path: specify a path to the log file
           (e.g. --log-opt path=/var/log/container/mycontainer.json);

       max-size: specify a max size of the log file
           (e.g. --log-opt max-size=10mb);

       tag: specify a custom log tag for the container
           (e.g. --log-opt tag="{{.ImageName}}"). It supports the same keys as
           podman inspect --format. This option is currently supported only
           by the journald log driver.

   --mac-address=MAC address
       Assign a static MAC address to the pod. This option can be specified
       several times when kube play creates more than one pod. Note: When
       joining multiple networks, use the --network name:mac=<mac> syntax.

   --network=mode, --net
       Set the network mode for the pod.

       Valid mode values are:

       • bridge[:OPTIONS,...]: Create a network stack on the default bridge.
         This is the default for rootful containers. It is possible to
         specify these additional options:

           • alias=name: Add network-scoped alias for the container.

           • ip=IPv4: Specify a static ipv4 address for this container.

           • ip=IPv6: Specify a static ipv6 address for this container.

           • mac=MAC: Specify a static mac address for this container.

           • interface_name: Specify a name for the created network
             interface inside the container.

         For example, to set a static ipv4 address and a static mac address,
         use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

       • <network name or ID>[:OPTIONS,...]: Connect to a user-defined
         network; this is the network name or ID from a network created by
         podman network create. Using the network name implies the bridge
         network mode. It is possible to specify the same options described
         under the bridge mode above. The --network option can be used
         multiple times to specify additional networks.

       • none: Create a network namespace for the container but do not
         configure network interfaces for it, thus the container has no
         network connectivity.

       • container:id: Reuse another container's network stack.

       • host: Do not create a network namespace; the container uses the
         host's network. Note: The host mode gives the container full access
         to local system services such as D-bus and is therefore considered
         insecure.

       • ns:path: Path to a network namespace to join.

       • private: Create a new namespace for the container. This uses the
         bridge mode for rootful containers and slirp4netns for rootless
         ones.

       • slirp4netns[:OPTIONS,...]: Use slirp4netns(1) to create a user
         network stack. This is the default for rootless containers. It is
         possible to specify these additional options; they can also be set
         with network_cmd_options in containers.conf:

           • allow_host_loopback=true|false: Allow slirp4netns to reach the
             host loopback IP (default is 10.0.2.2 or the second IP from the
             slirp4netns cidr subnet when changed, see the cidr option
             below). The default is false.

           • mtu=MTU: Specify the MTU to use for this network. (Default is
             65520).

           • cidr=CIDR: Specify the IP range to use for this network.
             (Default is 10.0.2.0/24).

           • enable_ipv6=true|false: Enable IPv6. Default is true. (Required
             for outbound_addr6).

           • outbound_addr=INTERFACE: Specify the outbound interface slirp
             should bind to (ipv4 traffic only).

           • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
             should bind to.

           • outbound_addr6=INTERFACE: Specify the outbound interface slirp
             should bind to (ipv6 traffic only).

           • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
             should bind to.

           • port_handler=rootlesskit: Use rootlesskit for port forwarding.
             Default.
             Note: Rootlesskit changes the source IP address of incoming
             packets to an IP address in the container network namespace,
             usually 10.0.2.100. If your application requires the real
             source IP address, e.g. web server logs, use the slirp4netns
             port handler. The rootlesskit port handler is also used for
             rootless containers when connected to user-defined networks.

           • port_handler=slirp4netns: Use the slirp4netns port forwarding;
             it is slower than rootlesskit but preserves the correct source
             IP address. This port handler cannot be used for user-defined
             networks.

       When no network option is specified and host network mode is not
       configured in the YAML file, a new network stack is created and pods
       are attached to it, making pod to pod communication possible.

   --no-hosts
       Do not create /etc/hosts for the pod. By default, Podman manages
       /etc/hosts, adding the container's own IP address and any hosts from
       --add-host. --no-hosts disables this, and the image's /etc/hosts is
       preserved unmodified.

       This option conflicts with host added in the Kubernetes YAML.

   --quiet, -q
       Suppress output information when pulling images

   --replace
       Tears down the pods created by a previous run of kube play and
       recreates the pods. This option is used to keep the existing pods up
       to date based upon the Kubernetes YAML.

   --seccomp-profile-root=path
       Directory path for seccomp profiles (default:
       "/var/lib/kubelet/seccomp"). (This option is not available with the
       remote Podman client, including Mac and Windows (excluding WSL2)
       machines)

   --start
       Start the pod after creating it, set to false to only create it.

   --tls-verify
       Require HTTPS and verify certificates when contacting registries
       (default: true). If explicitly set to true, TLS verification is used.
       If set to false, TLS verification is not used. If not specified, TLS
       verification is used unless the target registry is listed as an
       insecure registry in containers-registries.conf(5).

   --userns=mode
       Set the user namespace mode for the container. It defaults to the
       PODMAN_USERNS environment variable. An empty value ("") means user
       namespaces are disabled unless an explicit mapping is set with the
       --uidmap and --gidmap options.

       This option is incompatible with --gidmap, --uidmap, --subuidname and
       --subgidname.

       Rootless user --userns=Key mappings:

       ┌────────┬───────────┬────────────────────────────────────────────────────────────┐
       │Key     │ Host User │ Container User                                             │
       ├────────┼───────────┼────────────────────────────────────────────────────────────┤
       │""      │ $UID      │ 0 (Default User account mapped to root user in container.) │
       ├────────┼───────────┼────────────────────────────────────────────────────────────┤
       │keep-id │ $UID      │ $UID (Map user account to same UID within container.)      │
       ├────────┼───────────┼────────────────────────────────────────────────────────────┤
       │auto    │ $UID      │ nil (Host User UID is not mapped into container.)          │
       ├────────┼───────────┼────────────────────────────────────────────────────────────┤
       │nomap   │ $UID      │ nil (Host User UID is not mapped into container.)          │
       └────────┴───────────┴────────────────────────────────────────────────────────────┘

       Valid mode values are:

       auto[:OPTIONS,...]: automatically create a unique user namespace.

       The --userns=auto flag requires that the user name containers and a
       range of subordinate user ids that the Podman container is allowed to
       use be specified in the /etc/subuid and /etc/subgid files.

       Example: containers:2147483647:2147483648.

       Podman allocates unique ranges of UIDs and GIDs from the containers
       subordinate user ids. The size of the ranges is based on the number of
       UIDs required in the image. The number of UIDs and GIDs can be
       overridden with the size option.
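
       The subordinate ID requirement for --userns=auto can be checked before
       relying on it. The function below is an added example, not part of the
       Podman documentation; its name, verdict strings and sample file
       contents are constructed, and the overlap test is an extra hardening
       check that the text above does not require.

```shell
#!/bin/sh
# Added example (not from the Podman project): check that a subordinate ID
# file can back --userns=auto. Pass /etc/subuid or /etc/subgid as FILE.

# check_auto_subids FILE SIZE
#   prints one or more verdict lines and returns 0 only for "OK":
#     MISSING        no "containers" entry in FILE
#     TOO_SMALL n    the "containers" range holds only n IDs, fewer than SIZE
#     OVERLAP name   the range intersects the range owned by "name"
#     OK
check_auto_subids() {
    awk -F: -v need="$2" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    NF == 3 {
        n++; owner[n] = $1
        first[n] = $2 + 0; last[n] = $2 + $3 - 1
        if ($1 == "containers") c = n        # entry used by --userns=auto
    }
    END {
        if (!c) { print "MISSING"; exit 1 }
        count = last[c] - first[c] + 1
        if (count < need + 0) { printf "TOO_SMALL %.0f\n", count; exit 1 }
        # Two ranges intersect when each one starts before the other ends.
        for (i = 1; i <= n; i++)
            if (i != c && first[i] <= last[c] && first[c] <= last[i]) {
                print "OVERLAP " owner[i]; bad = 1
            }
        if (bad) exit 1
        print "OK"
    }' "$1"
}

# Constructed sample: the "containers" line is the example from the text,
# the "alice" line is invented.
sample_subuid() {
    cat <<'EOF'
alice:100000:65536
containers:2147483647:2147483648
EOF
}

subid_file=$(mktemp)
sample_subuid > "$subid_file"
check_auto_subids "$subid_file" 8192    # size as in --userns=auto:size=8192
rm -f "$subid_file"
```

       Run it once against /etc/subuid and once against /etc/subgid, since
       both files need the containers entry.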

       The rootless option --userns=keep-id uses all the subuids and subgids
       of the user. Using --userns=auto when starting new containers does not
       work as long as any containers exist that were started with
       --userns=keep-id.

       Valid auto options:

              • gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID
                mapping to be present in the user namespace.

              • size=SIZE: to specify an explicit size for the automatic user
                namespace, e.g. --userns=auto:size=8192. If size is not
                specified, auto estimates a size for the user namespace.

              • uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID
                mapping to be present in the user namespace.

       container:id: join the user namespace of the specified container.

       host: run in the user namespace of the caller. The processes running
       in the container have the same privileges on the host as any other
       process launched by the calling user (default).

       keep-id: creates a user namespace where the current rootless user's
       UID:GID are mapped to the same values in the container. This option is
       not allowed for containers created by the root user.

       Valid keep-id options:

              • uid=UID: override the UID inside the container that is used
                to map the current rootless user to.

              • gid=GID: override the GID inside the container that is used
                to map the current rootless user to.

       nomap: creates a user namespace where the current rootless user's
       UID:GID are not mapped into the container. This option is not allowed
       for containers created by the root user.

       ns:namespace: run the pod in the given existing user namespace.

EXAMPLES

       Recreate the pod and containers as described in a file called demo.yml

              $ podman kube play demo.yml
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       Recreate the pod and containers as described in a file demo.yml sent
       to stdin

              $ cat demo.yml | podman kube play -
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       Tear down the pod and containers as described in a file demo.yml

              $ podman kube play --down demo.yml
              Pods stopped:
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
              Pods removed:
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       Provide configmap-foo.yml and configmap-bar.yml as sources for
       environment variables within the containers.

              $ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

              $ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       Create a pod connected to two networks (called net1 and net2) with a
       static IP

              $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       Please take into account that networks must be created first using
       podman-network-create(1).

       Create and tear down from a URL pointing to a YAML file

              $ podman kube play https://podman.io/demo.yml
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

              $ podman kube play --down https://podman.io/demo.yml
              Pods stopped:
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
              Pods removed:
              52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

       podman kube play --down will not work with a URL if the YAML file the
       URL points to has been changed or altered.

Podman Kube Play Support

       This document outlines the kube YAML fields that are currently
       supported by the podman kube play command.

       Note: N/A means that the option cannot be supported in a single-node
       Podman environment.

Pod Fields

588       ┌──────────────────────────────┬─────────┐
589Field                         Support 
590       ├──────────────────────────────┼─────────┤
591       │containers                    │ ✅      │
592       ├──────────────────────────────┼─────────┤
593       │initContainers                │ ✅      │
594       ├──────────────────────────────┼─────────┤
595       │imagePullSecrets              │         │
596       ├──────────────────────────────┼─────────┤
597       │enableServiceLinks            │         │
598       ├──────────────────────────────┼─────────┤
599       │os.name                       │         │
600       ├──────────────────────────────┼─────────┤
601       │volumes                       │         │
602       ├──────────────────────────────┼─────────┤
603       │nodeSelector                  │ N/A     │
604       ├──────────────────────────────┼─────────┤
605       │nodeName                      │ N/A     │
606       ├──────────────────────────────┼─────────┤
607       │affinity.nodeAffinity         │ N/A     │
608       ├──────────────────────────────┼─────────┤
609       │affinity.podAffinity          │ N/A     │
610       ├──────────────────────────────┼─────────┤
611       │affinity.podAntiAffinity      │ N/A     │
612       ├──────────────────────────────┼─────────┤
613       │tolerations.key               │ N/A     │
614       ├──────────────────────────────┼─────────┤
615       │tolerations.operator          │ N/A     │
616       ├──────────────────────────────┼─────────┤
617       │tolerations.effect            │ N/A     │
618       ├──────────────────────────────┼─────────┤
619       │tolerations.tolerationSeconds │ N/A     │
620       ├──────────────────────────────┼─────────┤
621       │schedulerName                 │ N/A     │
622       ├──────────────────────────────┼─────────┤
623       │runtimeClassName              │         │
624       ├──────────────────────────────┼─────────┤
625       │priorityClassName             │         │
626       ├──────────────────────────────┼─────────┤
627       │priority                      │         │
628       ├──────────────────────────────┼─────────┤
629       │topologySpreadCon‐            │         │
630       │straints.maxSkew              │         │
631       ├──────────────────────────────┼─────────┤
632       │                              │ N/A     │
633       ├──────────────────────────────┼─────────┤
634       │topologySpreadCon‐            │         │
635       │straints.topologyKey          │         │
636       ├──────────────────────────────┼─────────┤
637       │                              │ N/A     │
638       ├──────────────────────────────┼─────────┤
639       │topologySpreadCon‐            │         │
640       │straints.whenUnsatisfiable    │         │
641       ├──────────────────────────────┼─────────┤
642       │                              │ N/A     │
643       ├──────────────────────────────┼─────────┤
644       │topologySpreadConstraints.la‐ │         │
645       │belSelector                   │         │
646       ├──────────────────────────────┼─────────┤
647       │                              │ N/A     │
648       ├──────────────────────────────┼─────────┤
649       │topologySpreadCon‐            │         │
650       │straints.minDomains           │         │
651       ├──────────────────────────────┼─────────┤
652       │                              │ N/A     │
653       ├──────────────────────────────┼─────────┤
654       │restartPolicy                 │ ✅      │
655       ├──────────────────────────────┼─────────┤
656       │terminationGracePeriod        │         │
657       ├──────────────────────────────┼─────────┤
658       │activeDeadlineSeconds         │         │
659       ├──────────────────────────────┼─────────┤
660       │readinessGates.conditionType  │         │
661       ├──────────────────────────────┼─────────┤
662       │hostname                      │ ✅      │
663       ├──────────────────────────────┼─────────┤
664       │setHostnameAsFQDN             │         │
665       ├──────────────────────────────┼─────────┤
666       │subdomain                     │         │
667       ├──────────────────────────────┼─────────┤
668       │hostAliases.hostnames         │ ✅      │
669       ├──────────────────────────────┼─────────┤
670       │hostAliases.ip                │ ✅      │
671       ├──────────────────────────────┼─────────┤
672       │dnsConfig.nameservers         │ ✅      │
673       ├──────────────────────────────┼─────────┤
674       │dnsConfig.options.name        │ ✅      │
675       ├──────────────────────────────┼─────────┤
676       │dnsConfig.options.value       │ ✅      │
677       ├──────────────────────────────┼─────────┤
678       │dnsConfig.searches            │ ✅      │
679       ├──────────────────────────────┼─────────┤
680       │dnsPolicy                     │         │
681       ├──────────────────────────────┼─────────┤
682       │hostNetwork                   │ ✅      │
683       ├──────────────────────────────┼─────────┤
684       │hostPID                       │         │
685       ├──────────────────────────────┼─────────┤
686       │hostIPC                       │         │
687       ├──────────────────────────────┼─────────┤
688       │shareProcessNamespace         │ ✅      │
689       ├──────────────────────────────┼─────────┤
690       │serviceAccountName            │         │
691       ├──────────────────────────────┼─────────┤
692       │automountServiceAccountToken  │         │
693       ├──────────────────────────────┼─────────┤
694       │securityContext.runAsUser     │         │
695       ├──────────────────────────────┼─────────┤
696       │securityContext.runAsNonRoot  │         │
697       ├──────────────────────────────┼─────────┤
698       │securityContext.runAsGroup    │         │
699       ├──────────────────────────────┼─────────┤
700       │securityContext.supplemental‐ │         │
701       │Groups                        │         │
702       ├──────────────────────────────┼─────────┤
703       │                              │         │
704       ├──────────────────────────────┼─────────┤
705       │securityContext.fsGroup       │         │
706       ├──────────────────────────────┼─────────┤
707       │securityContext.fs‐           │         │
708       │GroupChangePolicy             │         │
709       ├──────────────────────────────┼─────────┤
710       │                              │         │
711       ├──────────────────────────────┼─────────┤
       │securityContext.seccompProfile.type               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seccompProfile.localhostProfile   │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.level              │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.role               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.type               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.user               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.sysctls.name                      │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.sysctls.value                     │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.gmsaCredentialSpec │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.hostProcess        │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.runAsUserName      │         │
       └──────────────────────────────────────────────────┴─────────┘

Container Fields

       ┌──────────────────────────────────────────────────┬─────────┐
       │Field                                             │ Support │
       ├──────────────────────────────────────────────────┼─────────┤
       │name                                              │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │image                                             │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │imagePullPolicy                                   │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │command                                           │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │args                                              │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │workingDir                                        │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │ports.containerPort                               │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │ports.hostIP                                      │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │ports.hostPort                                    │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │ports.name                                        │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │ports.protocol                                    │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.name                                          │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.value                                         │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.configMapKeyRef.key                 │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.configMapKeyRef.name                │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.configMapKeyRef.optional            │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.fieldRef                            │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.resourceFieldRef                    │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.secretKeyRef.key                    │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.secretKeyRef.name                   │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │env.valueFrom.secretKeyRef.optional               │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │envFrom.configMapRef.name                         │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │envFrom.configMapRef.optional                     │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │envFrom.prefix                                    │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │envFrom.secretRef.name                            │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │envFrom.secretRef.optional                        │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.mountPath                            │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.name                                 │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.mountPropagation                     │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.readOnly                             │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.subPath                              │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeMounts.subPathExpr                          │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeDevices.devicePath                          │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │volumeDevices.name                                │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │resources.limits                                  │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │resources.requests                                │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │lifecycle.postStart                               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │lifecycle.preStop                                 │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │terminationMessagePath                            │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │terminationMessagePolicy                          │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │livenessProbe                                     │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │readinessProbe                                    │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │startupProbe                                      │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.runAsUser                         │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.runAsNonRoot                      │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.runAsGroup                        │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.readOnlyRootFilesystem            │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.procMount                         │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.privileged                        │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.allowPrivilegeEscalation          │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.capabilities.add                  │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.capabilities.drop                 │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seccompProfile.type               │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seccompProfile.localhostProfile   │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.level              │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.role               │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.type               │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.seLinuxOptions.user               │ ✅      │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.gmsaCredentialSpec │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.hostProcess        │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │securityContext.windowsOptions.runAsUserName      │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │stdin                                             │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │stdinOnce                                         │         │
       ├──────────────────────────────────────────────────┼─────────┤
       │tty                                               │         │
       └──────────────────────────────────────────────────┴─────────┘

PersistentVolumeClaim Fields

       ┌───────────────────┬─────────┐
       │Field              │ Support │
       ├───────────────────┼─────────┤
       │volumeName         │         │
       ├───────────────────┼─────────┤
       │storageClassName   │ ✅      │
       ├───────────────────┼─────────┤
       │volumeMode         │         │
       ├───────────────────┼─────────┤
       │accessModes        │ ✅      │
       ├───────────────────┼─────────┤
       │selector           │         │
       ├───────────────────┼─────────┤
       │resources.limits   │         │
       ├───────────────────┼─────────┤
       │resources.requests │ ✅      │
       └───────────────────┴─────────┘

ConfigMap Fields

       ┌───────────┬─────────┐
       │Field      │ Support │
       ├───────────┼─────────┤
       │binaryData │ ✅      │
       ├───────────┼─────────┤
       │data       │ ✅      │
       ├───────────┼─────────┤
       │immutable  │         │
       └───────────┴─────────┘

Deployment Fields

       ┌────────────────────────────────────────┬─────────┐
       │Field                                   │ Support │
       ├────────────────────────────────────────┼─────────┤
       │replicas                                │ ✅      │
       ├────────────────────────────────────────┼─────────┤
       │selector                                │ ✅      │
       ├────────────────────────────────────────┼─────────┤
       │template                                │ ✅      │
       ├────────────────────────────────────────┼─────────┤
       │minReadySeconds                         │         │
       ├────────────────────────────────────────┼─────────┤
       │strategy.type                           │         │
       ├────────────────────────────────────────┼─────────┤
       │strategy.rollingUpdate.maxSurge         │         │
       ├────────────────────────────────────────┼─────────┤
       │strategy.rollingUpdate.maxUnavailable   │         │
       ├────────────────────────────────────────┼─────────┤
       │revisionHistoryLimit                    │         │
       ├────────────────────────────────────────┼─────────┤
       │progressDeadlineSeconds                 │         │
       ├────────────────────────────────────────┼─────────┤
       │paused                                  │         │
       └────────────────────────────────────────┴─────────┘

SEE ALSO

       podman(1), podman-kube(1), podman-kube-down(1), podman-network-create(1),
       podman-kube-generate(1), containers-certs.d(5)