podman-kube-play(1)          General Commands Manual          podman-kube-play(1)

podman-kube-play - Create containers, pods and volumes based on Kubernetes YAML

podman kube play [options] file.yml|-|https://website.io/file.yml

podman kube play will read in a structured file of Kubernetes YAML. It
will then recreate the containers, pods or volumes described in the
YAML. Containers within a pod are then started and the ID of the new
Pod or the name of the new Volume is output. If the YAML file is
specified as "-" then podman kube play will read the YAML file from
stdin. Using the --down command line option, it is also capable of
tearing down the pods created by a previous run of podman kube play.
Using the --replace command line option, it will tear down the pods (if
any) created by a previous run of podman kube play and recreate the
pods with the Kubernetes YAML file. Ideally the input file would be one
created by Podman (see podman-kube-generate(1)). This would guarantee a
smooth import and expected results. The input can also be a URL that
points to a YAML file such as https://podman.io/demo.yml. podman kube
play will read the YAML from the URL and create pods and containers
from it.

Currently, the supported Kubernetes kinds are:

• Pod
• Deployment
• PersistentVolumeClaim
• ConfigMap

Kubernetes Pods or Deployments

Only three volume types are supported by kube play: the hostPath,
emptyDir, and persistentVolumeClaim volume types. For the hostPath
volume type, only the default (empty), DirectoryOrCreate, Directory,
FileOrCreate, File, Socket, CharDevice and BlockDevice subtypes are
supported. Podman interprets the value of hostPath path as a file path
when it contains at least one forward slash, otherwise Podman treats
the value as the name of a named volume. When using a
persistentVolumeClaim, the value for claimName is the name for the
Podman named volume. When using an emptyDir volume, Podman creates an
anonymous volume that is attached to the containers running inside the
pod and is deleted once the pod is removed.

Note: When playing a kube YAML with init containers, the init container
will be created with init type value once. To change the default type,
use the io.podman.annotations.init.container.type annotation to set the
type to always.

Note: hostPath volume types created by kube play will be given an
SELinux shared label (z); bind mounts are not relabeled (use chcon -t
container_file_t -R <directory>).

Note: If the :latest tag is used, Podman will attempt to pull the image
from a registry. If the image was built locally with Podman or Buildah,
it will have localhost as the domain; in that case, Podman will use the
image from the local store even if it has the :latest tag.

Note: The command podman play kube is an alias of podman kube play, and
will perform the same function.

Note: The command podman kube down can be used to stop and remove pods
or containers based on the same Kubernetes YAML used by podman kube
play to create them.

Kubernetes PersistentVolumeClaims

A Kubernetes PersistentVolumeClaim represents a Podman named volume.
Only the PersistentVolumeClaim name is required by Podman to create a
volume. Kubernetes annotations can be used to make use of the available
options for Podman volumes.

• volume.podman.io/driver
• volume.podman.io/device
• volume.podman.io/type
• volume.podman.io/uid
• volume.podman.io/gid
• volume.podman.io/mount-options

Kube play is capable of building images on the fly given the correct
directory layout and Containerfiles. This option is not yet available
for remote clients, including Mac and Windows (excluding WSL2)
machines. Consider the following excerpt from a YAML file:

    apiVersion: v1
    kind: Pod
    metadata:
    spec:
      containers:
      - command:
        - top
        env:
        - name: container
          value: podman
        image: foobar

If there is a directory named foobar in the current working directory
with a file named Containerfile or Dockerfile, Podman kube play will
build that image and name it foobar. An example directory structure
for this example would look like:

    |- mykubefiles
        |- myplayfile.yaml
        |- foobar
            |- Containerfile

The build will consider foobar to be the context directory for the
build. If there is an image in local storage called foobar, the image
will not be built unless the --build flag is used. Use --build=false to
completely disable builds.

Kubernetes ConfigMap

A Kubernetes ConfigMap can be referred to as a source of environment
variables or volumes in Pods or Deployments. ConfigMaps aren't a
standalone object in Podman; instead, when a container uses a
ConfigMap, Podman will create environment variables or volumes as
needed.

For example, the following YAML document defines a ConfigMap and then
uses it in a Pod:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: foo
    data:
      FOO: bar
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: foobar
    spec:
      containers:
      - command:
        - top
        name: container-1
        image: foobar
        envFrom:
        - configMapRef:
            name: foo
            optional: false

and as a result environment variable FOO will be set to bar for
container container-1.

--annotation=key=value
Add an annotation to the container or pod. This option can be set
multiple times.

--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: There is also the option to override the default path of the
authentication file by setting the REGISTRY_AUTH_FILE environment
variable. This can be done with export REGISTRY_AUTH_FILE=path.

--build
Build images even if they are found in the local storage. Use
--build=false to completely disable builds. (This option is not
available with the remote Podman client)

--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the
registry. (Default: /etc/containers/certs.d) Please refer to
containers-certs.d(5) for details. (This option is not available with
the remote Podman client, including Mac and Windows (excluding WSL2)
machines)

--configmap=path
Use Kubernetes configmap YAML at path to provide a source for
environment variable values within the containers of the pod. (This
option is not available with the remote Podman client)

Note: The --configmap option can be used multiple times or a
comma-separated list of paths can be used to pass multiple Kubernetes
configmap YAMLs.

--context-dir=path
Use path as the build context directory for each image. Requires the
--build option to be true. (This option is not available with the
remote Podman client)

--creds=[username[:password]]
The [username[:password]] to use to authenticate with the registry, if
required. If one or both values are not supplied, a command line prompt
will appear and the value can be entered. The password is entered
without echo.

--help, -h
Print usage statement

--ip=IP address
Assign a static IP address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks you should use the --network name:ip=<ip>
syntax.

--log-driver=driver
Set logging driver for all created containers.

--log-opt=name=value
Logging driver specific options.

Set custom logging configuration. The following names are supported:

path: specify a path to the log file
(e.g. --log-opt path=/var/log/container/mycontainer.json);

max-size: specify a max size of the log file
(e.g. --log-opt max-size=10mb);

tag: specify a custom log tag for the container
(e.g. --log-opt tag="{{.ImageName}}"). It supports the same keys as
podman inspect --format. This option is currently supported only by
the journald log driver.

--mac-address=MAC address
Assign a static MAC address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks you should use the --network name:mac=<mac>
syntax.

--network=mode, --net
Set the network mode for the pod.

Valid mode values are:

• bridge[:OPTIONS,...]: Create a network stack on the default bridge.
  This is the default for rootful containers. It is possible to specify
  these additional options:

    • alias=name: Add network-scoped alias for the container.
    • ip=IPv4: Specify a static ipv4 address for this container.
    • ip=IPv6: Specify a static ipv6 address for this container.
    • mac=MAC: Specify a static mac address for this container.
    • interface_name: Specify a name for the created network interface
      inside the container.

  For example to set a static ipv4 address and a static mac address,
  use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

• <network name or ID>[:OPTIONS,...]: Connect to a user-defined
  network; this is the network name or ID from a network created by
  podman network create. Using the network name implies the bridge
  network mode. It is possible to specify the same options described
  under the bridge mode above. You can use the --network option
  multiple times to specify additional networks.

• none: Create a network namespace for the container but do not
  configure network interfaces for it, thus the container has no
  network connectivity.

• container:id: Reuse another container's network stack.

• host: Do not create a network namespace, the container will use the
  host's network. Note: The host mode gives the container full access
  to local system services such as D-bus and is therefore considered
  insecure.

• ns:path: Path to a network namespace to join.

• private: Create a new namespace for the container. This will use the
  bridge mode for rootful containers and slirp4netns for rootless ones.

• slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
  network stack. This is the default for rootless containers. It is
  possible to specify these additional options, they can also be set
  with network_cmd_options in containers.conf:

    • allow_host_loopback=true|false: Allow slirp4netns to reach the
      host loopback IP (default is 10.0.2.2 or the second IP from
      slirp4netns cidr subnet when changed, see the cidr option below).
      The default is false.
    • mtu=MTU: Specify the MTU to use for this network. (Default is
      65520).
    • cidr=CIDR: Specify ip range to use for this network. (Default is
      10.0.2.0/24).
    • enable_ipv6=true|false: Enable IPv6. Default is true. (Required
      for outbound_addr6).
    • outbound_addr=INTERFACE: Specify the outbound interface slirp
      should bind to (ipv4 traffic only).
    • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
      should bind to.
    • outbound_addr6=INTERFACE: Specify the outbound interface slirp
      should bind to (ipv6 traffic only).
    • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
      should bind to.
    • port_handler=rootlesskit: Use rootlesskit for port forwarding.
      Default. Note: Rootlesskit changes the source IP address of
      incoming packets to an IP address in the container network
      namespace, usually 10.0.2.100. If your application requires the
      real source IP address, e.g. web server logs, use the slirp4netns
      port handler. The rootlesskit port handler is also used for
      rootless containers when connected to user-defined networks.
    • port_handler=slirp4netns: Use the slirp4netns port forwarding, it
      is slower than rootlesskit but preserves the correct source IP
      address. This port handler cannot be used for user-defined
      networks.

When no network option is specified and host network mode is not
configured in the YAML file, a new network stack is created and pods
are attached to it, making pod to pod communication possible.

--no-hosts
Do not create /etc/hosts for the pod. By default, Podman will manage
/etc/hosts, adding the container's own IP address and any hosts from
--add-host. --no-hosts disables this, and the image's /etc/hosts will
be preserved unmodified.

This option conflicts with host added in the Kubernetes YAML.

--quiet, -q
Suppress output information when pulling images

--replace
Tears down the pods created by a previous run of kube play and
recreates the pods. This option is used to keep the existing pods up to
date based upon the Kubernetes YAML.

--seccomp-profile-root=path
Directory path for seccomp profiles (default:
"/var/lib/kubelet/seccomp"). (This option is not available with the
remote Podman client, including Mac and Windows (excluding WSL2)
machines)

--start
Start the pod after creating it, set to false to only create it.

--tls-verify
Require HTTPS and verify certificates when contacting registries
(default: true). If explicitly set to true, TLS verification will be
used. If set to false, TLS verification will not be used. If not
specified, TLS verification will be used unless the target registry is
listed as an insecure registry in containers-registries.conf(5).

--userns=mode
Set the user namespace mode for the container. It defaults to the
PODMAN_USERNS environment variable. An empty value ("") means user
namespaces are disabled unless an explicit mapping is set with the
--uidmap and --gidmap options.

This option is incompatible with --gidmap, --uidmap, --subuidname and
--subgidname.

Rootless user --userns=Key mappings:

┌────────┬───────────┬────────────────────────────────────────────────────────────┐
│Key     │ Host User │ Container User                                             │
├────────┼───────────┼────────────────────────────────────────────────────────────┤
│""      │ $UID      │ 0 (Default User account mapped to root user in container.) │
│keep-id │ $UID      │ $UID (Map user account to same UID within container.)      │
│auto    │ $UID      │ nil (Host User UID is not mapped into container.)          │
│nomap   │ $UID      │ nil (Host User UID is not mapped into container.)          │
└────────┴───────────┴────────────────────────────────────────────────────────────┘

Valid mode values are:

auto[:OPTIONS,...]: automatically create a unique user namespace.

The --userns=auto flag requires that the user name containers and a
range of subordinate user IDs that the Podman container is allowed to
use be specified in the /etc/subuid and /etc/subgid files.

Example: containers:2147483647:2147483648.

Podman allocates unique ranges of UIDs and GIDs from the containers
subordinate user IDs. The size of the ranges is based on the number of
UIDs required in the image. The number of UIDs and GIDs can be
overridden with the size option.

The rootless option --userns=keep-id uses all the subuids and subgids
of the user. Using --userns=auto when starting new containers will not
work as long as any containers exist that were started with
--userns=keep-id.

Valid auto options:

• gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be
  present in the user namespace.
• size=SIZE: to specify an explicit size for the automatic user
  namespace, e.g. --userns=auto:size=8192. If size is not specified,
  auto will estimate a size for the user namespace.
• uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be
  present in the user namespace.

container:id: join the user namespace of the specified container.

host: run in the user namespace of the caller. The processes running in
the container will have the same privileges on the host as any other
process launched by the calling user (default).

keep-id: creates a user namespace where the current rootless user's
UID:GID are mapped to the same values in the container. This option is
not allowed for containers created by the root user.

Valid keep-id options:

• uid=UID: override the UID inside the container that will be used to
  map the current rootless user to.
• gid=GID: override the GID inside the container that will be used to
  map the current rootless user to.

nomap: creates a user namespace where the current rootless user's
UID:GID are not mapped into the container. This option is not allowed
for containers created by the root user.

ns:namespace: run the pod in the given existing user namespace.

Recreate the pod and containers as described in a file called demo.yml

    $ podman kube play demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Recreate the pod and containers as described in a file demo.yml sent to
stdin

    $ cat demo.yml | podman kube play -
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Tear down the pod and containers as described in a file demo.yml

    $ podman kube play --down demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Provide configmap-foo.yml and configmap-bar.yml as sources for
environment variables within the containers.

    $ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Create a pod connected to two networks (called net1 and net2) with a
static ip

    $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Please take into account that networks must be created first using
podman-network-create(1).

Create and tear down from a URL pointing to a YAML file

    $ podman kube play https://podman.io/demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play --down https://podman.io/demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

podman kube play --down will not work with a URL if the YAML file the
URL points to has been changed or altered.
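
The hostPath slash rule and the on-the-fly build rule from the
description, together with the host network note under --network, can
be checked before a manifest is handed to podman kube play. The
following is an added example, not part of the Podman documentation or
code base: the function names and the sample manifest are constructed,
and the documents are assumed to be already parsed (for instance with
PyYAML's yaml.safe_load_all).

```python
"""Pre-flight audit of parsed Kubernetes YAML before `podman kube play`.

Added example, not Podman code. Input is a list of already-parsed YAML
documents; nothing is pulled, built or started.
"""
import os
import tempfile

BUILD_FILES = ("Containerfile", "Dockerfile")


def classify_hostpath(path):
    """Documented rule: a value with a forward slash is a host file path,
    anything else is the name of a Podman named volume."""
    return "bind-mount" if "/" in path else "named-volume"


def pod_spec(doc):
    """Return the pod spec of a Pod or Deployment document, else None."""
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Pod":
        return spec
    if doc.get("kind") == "Deployment":
        return (spec.get("template") or {}).get("spec") or {}
    return None  # ConfigMap, PersistentVolumeClaim: nothing to audit here


def audit(docs, workdir):
    """Return (object name, rule, detail) tuples for settings that widen
    host access. workdir is the directory kube play would be run from; it
    is only inspected for build contexts."""
    findings = []
    for doc in docs:
        spec = pod_spec(doc)
        if spec is None:
            continue
        pod = (doc.get("metadata") or {}).get("name", "<unnamed>")
        if spec.get("hostNetwork"):
            findings.append((pod, "hostNetwork", "uses the host's network"))
        for vol in spec.get("volumes") or []:
            path = (vol.get("hostPath") or {}).get("path", "")
            if path and classify_hostpath(path) == "bind-mount":
                findings.append((pod, "hostPath", "mounts host path " + path))
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for ctr in containers:
            cname = ctr.get("name", "<unnamed>")
            sc = ctr.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((pod, "privileged", cname + " is privileged"))
            added = (sc.get("capabilities") or {}).get("add") or []
            if added:
                findings.append((pod, "capabilities.add", cname + " adds " + ",".join(added)))
            # A directory named after the image that holds a Containerfile or
            # Dockerfile is a build context that kube play may build from.
            image = ctr.get("image", "")
            context = os.path.join(workdir, image)
            if image and any(os.path.isfile(os.path.join(context, f)) for f in BUILD_FILES):
                findings.append((pod, "build", "image " + image + " has a build context at " + context))
    return findings


# Constructed sample: the ConfigMap/Pod pair from the page, extended with
# settings the audit should flag.
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "foo"},
     "data": {"FOO": "bar"}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "foobar"},
     "spec": {
         "hostNetwork": True,
         "volumes": [
             {"name": "sock", "hostPath": {"path": "/run/example.sock", "type": "Socket"}},
             {"name": "data", "hostPath": {"path": "appdata"}},  # named volume
         ],
         "containers": [
             {"name": "container-1", "image": "foobar", "command": ["top"],
              "securityContext": {"privileged": True,
                                  "capabilities": {"add": ["NET_ADMIN"]}}},
         ]}},
]


def demo():
    """Audit the sample from a scratch directory that contains foobar/Containerfile."""
    with tempfile.TemporaryDirectory() as workdir:
        os.mkdir(os.path.join(workdir, "foobar"))
        open(os.path.join(workdir, "foobar", "Containerfile"), "w").close()
        return audit(SAMPLE_DOCS, workdir)


if __name__ == "__main__":
    for pod, rule, detail in demo():
        print(pod + ": " + rule + ": " + detail)
```

A build finding is addressed by passing --build=false, which disables
builds completely.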

This document outlines the kube YAML fields that are currently
supported by the podman kube play command.

Note: N/A means that the option cannot be supported in a single-node
Podman environment.

┌──────────────────────────────────────────────────┬─────────┐
│Field                                             │ Support │
├──────────────────────────────────────────────────┼─────────┤
│containers                                        │ ✅      │
│initContainers                                    │ ✅      │
│imagePullSecrets                                  │         │
│enableServiceLinks                                │         │
│os.name                                           │         │
│volumes                                           │         │
│nodeSelector                                      │ N/A     │
│nodeName                                          │ N/A     │
│affinity.nodeAffinity                             │ N/A     │
│affinity.podAffinity                              │ N/A     │
│affinity.podAntiAffinity                          │ N/A     │
│tolerations.key                                   │ N/A     │
│tolerations.operator                              │ N/A     │
│tolerations.effect                                │ N/A     │
│tolerations.tolerationSeconds                     │ N/A     │
│schedulerName                                     │ N/A     │
│runtimeClassName                                  │         │
│priorityClassName                                 │         │
│priority                                          │         │
│topologySpreadConstraints.maxSkew                 │ N/A     │
│topologySpreadConstraints.topologyKey             │ N/A     │
│topologySpreadConstraints.whenUnsatisfiable       │ N/A     │
│topologySpreadConstraints.labelSelector           │ N/A     │
│topologySpreadConstraints.minDomains              │ N/A     │
│restartPolicy                                     │ ✅      │
│terminationGracePeriod                            │         │
│activeDeadlineSeconds                             │         │
│readinessGates.conditionType                      │         │
│hostname                                          │ ✅      │
│setHostnameAsFQDN                                 │         │
│subdomain                                         │         │
│hostAliases.hostnames                             │ ✅      │
│hostAliases.ip                                    │ ✅      │
│dnsConfig.nameservers                             │ ✅      │
│dnsConfig.options.name                            │ ✅      │
│dnsConfig.options.value                           │ ✅      │
│dnsConfig.searches                                │ ✅      │
│dnsPolicy                                         │         │
│hostNetwork                                       │ ✅      │
│hostPID                                           │         │
│hostIPC                                           │         │
│shareProcessNamespace                             │ ✅      │
│serviceAccountName                                │         │
│automountServiceAccountToken                      │         │
│securityContext.runAsUser                         │         │
│securityContext.runAsNonRoot                      │         │
│securityContext.runAsGroup                        │         │
│securityContext.supplementalGroups                │         │
│securityContext.fsGroup                           │         │
│securityContext.fsGroupChangePolicy               │         │
│securityContext.seccompProfile.type               │         │
│securityContext.seccompProfile.localhostProfile   │         │
│securityContext.seLinuxOptions.level              │         │
│securityContext.seLinuxOptions.role               │         │
│securityContext.seLinuxOptions.type               │         │
│securityContext.seLinuxOptions.user               │         │
│securityContext.sysctls.name                      │         │
│securityContext.sysctls.value                     │         │
│securityContext.windowsOptions.gmsaCredentialSpec │         │
│securityContext.windowsOptions.hostProcess        │         │
│securityContext.windowsOptions.runAsUserName      │         │
└──────────────────────────────────────────────────┴─────────┘

┌──────────────────────────────────────────────────┬─────────┐
│Field                                             │ Support │
├──────────────────────────────────────────────────┼─────────┤
│name                                              │ ✅      │
│image                                             │ ✅      │
│imagePullPolicy                                   │ ✅      │
│command                                           │ ✅      │
│args                                              │ ✅      │
│workingDir                                        │ ✅      │
│ports.containerPort                               │ ✅      │
│ports.hostIP                                      │ ✅      │
│ports.hostPort                                    │ ✅      │
│ports.name                                        │ ✅      │
│ports.protocol                                    │ ✅      │
│env.name                                          │ ✅      │
│env.value                                         │ ✅      │
│env.valueFrom.configMapKeyRef.key                 │ ✅      │
│env.valueFrom.configMapKeyRef.name                │ ✅      │
│env.valueFrom.configMapKeyRef.optional            │ ✅      │
│env.valueFrom.fieldRef                            │ ✅      │
│env.valueFrom.resourceFieldRef                    │ ✅      │
│env.valueFrom.secretKeyRef.key                    │ ✅      │
│env.valueFrom.secretKeyRef.name                   │ ✅      │
│env.valueFrom.secretKeyRef.optional               │ ✅      │
│envFrom.configMapRef.name                         │ ✅      │
│envFrom.configMapRef.optional                     │ ✅      │
│envFrom.prefix                                    │         │
│envFrom.secretRef.name                            │ ✅      │
│envFrom.secretRef.optional                        │ ✅      │
│volumeMounts.mountPath                            │ ✅      │
│volumeMounts.name                                 │ ✅      │
│volumeMounts.mountPropagation                     │         │
│volumeMounts.readOnly                             │ ✅      │
│volumeMounts.subPath                              │         │
│volumeMounts.subPathExpr                          │         │
│volumeDevices.devicePath                          │         │
│volumeDevices.name                                │         │
│resources.limits                                  │ ✅      │
│resources.requests                                │ ✅      │
│lifecycle.postStart                               │         │
│lifecycle.preStop                                 │         │
│terminationMessagePath                            │         │
│terminationMessagePolicy                          │         │
│livenessProbe                                     │ ✅      │
│readinessProbe                                    │         │
│startupProbe                                      │         │
│securityContext.runAsUser                         │ ✅      │
│securityContext.runAsNonRoot                      │         │
│securityContext.runAsGroup                        │ ✅      │
│securityContext.readOnlyRootFilesystem            │ ✅      │
│securityContext.procMount                         │         │
│securityContext.privileged                        │ ✅      │
│securityContext.allowPrivilegeEscalation          │ ✅      │
│securityContext.capabilities.add                  │ ✅      │
│securityContext.capabilities.drop                 │ ✅      │
│securityContext.seccompProfile.type               │         │
│securityContext.seccompProfile.localhostProfile   │         │
│securityContext.seLinuxOptions.level              │ ✅      │
│securityContext.seLinuxOptions.role               │ ✅      │
│securityContext.seLinuxOptions.type               │ ✅      │
│securityContext.seLinuxOptions.user               │ ✅      │
│securityContext.windowsOptions.gmsaCredentialSpec │         │
│securityContext.windowsOptions.hostProcess        │         │
│securityContext.windowsOptions.runAsUserName      │         │
│stdin                                             │         │
│stdinOnce                                         │         │
│tty                                               │         │
└──────────────────────────────────────────────────┴─────────┘

┌───────────────────┬─────────┐
│Field              │ Support │
├───────────────────┼─────────┤
│volumeName         │         │
│storageClassName   │ ✅      │
│volumeMode         │         │
│accessModes        │ ✅      │
│selector           │         │
│resources.limits   │         │
│resources.requests │ ✅      │
└───────────────────┴─────────┘

┌───────────┬─────────┐
│Field      │ Support │
├───────────┼─────────┤
│binaryData │ ✅      │
│data       │ ✅      │
│immutable  │         │
└───────────┴─────────┘

┌──────────────────────────────────────┬─────────┐
│Field                                 │ Support │
├──────────────────────────────────────┼─────────┤
│replicas                              │ ✅      │
│selector                              │ ✅      │
│template                              │ ✅      │
│minReadySeconds                       │         │
│strategy.type                         │         │
│strategy.rollingUpdate.maxSurge       │         │
│strategy.rollingUpdate.maxUnavailable │         │
│revisionHistoryLimit                  │         │
│progressDeadlineSeconds               │         │
│paused                                │         │
└──────────────────────────────────────┴─────────┘

podman(1), podman-kube(1), podman-kube-down(1),
podman-network-create(1), podman-kube-generate(1), containers-certs.d(5)