podman-kube-play(1)        General Commands Manual        podman-kube-play(1)

podman-kube-play - Create containers, pods and volumes based on
Kubernetes YAML

podman kube play [options] file.yml|-|https://website.io/file.yml

podman kube play reads in a structured file of Kubernetes YAML. It
recreates the containers, pods, or volumes described in the YAML.
Containers within a pod are then started, and the ID of the new Pod or
the name of the new Volume is output. If the YAML file is specified as
"-", then podman kube play reads the YAML file from stdin. The input can
also be a URL that points to a YAML file such as
https://podman.io/demo.yml. podman kube play reads the YAML from the URL
and creates pods and containers from it.

Using the --down command line option, it is also capable of tearing
down the pods created by a previous run of podman kube play.

Using the --replace command line option, it tears down the pods (if
any) created by a previous run of podman kube play and recreates the
pods with the Kubernetes YAML file.

Ideally the input file is created by Podman (see
podman-kube-generate(1)). This guarantees a smooth import and expected
results.

Currently, the supported Kubernetes kinds are:

• Pod
• Deployment
• PersistentVolumeClaim
• ConfigMap
• Secret
• DaemonSet

Kubernetes Pods or Deployments

Only three volume types are supported by kube play: the hostPath,
emptyDir, and persistentVolumeClaim volume types.

• When using the hostPath volume type, only the default (empty),
  DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice
  and BlockDevice subtypes are supported. Podman interprets the value of
  hostPath path as a file path when it contains at least one forward
  slash; otherwise Podman treats the value as the name of a named
  volume.

• When using a persistentVolumeClaim, the value for claimName is the
  name for the Podman named volume.

• When using an emptyDir volume, Podman creates an anonymous volume that
  is attached to the containers running inside the pod and is deleted
  once the pod is removed.

Note: The default restart policy for containers is always. You can
change the default by setting the restartPolicy field in the spec.

Note: When playing a kube YAML with init containers, the init container
is created with init type value once. To change the default type, use
the io.podman.annotations.init.container.type annotation to set the
type to always.

Note: hostPath volume types created by kube play are given an SELinux
shared label (z); bind mounts are not relabeled (use
chcon -t container_file_t -R <directory>).

Note: If the :latest tag is used, Podman attempts to pull the image
from a registry. If the image was built locally with Podman or Buildah,
it has localhost as the domain; in that case, Podman uses the image
from the local store even if it has the :latest tag.

Note: The command podman play kube is an alias of podman kube play, and
performs the same function.

Note: The command podman kube down can be used to stop and remove pods
or containers based on the same Kubernetes YAML used by podman kube
play to create them.

Note: To customize the name of the infra container created during
podman kube play, use the io.podman.annotations.infra.name annotation in
the pod definition. This annotation is automatically set when
generating a kube yaml from a pod that was created with the --infra-name
flag set.

Kubernetes PersistentVolumeClaims

A Kubernetes PersistentVolumeClaim represents a Podman named volume.
Only the PersistentVolumeClaim name is required by Podman to create a
volume. Kubernetes annotations can be used to make use of the available
options for Podman volumes.

• volume.podman.io/driver
• volume.podman.io/device
• volume.podman.io/type
• volume.podman.io/uid
• volume.podman.io/gid
• volume.podman.io/mount-options
• volume.podman.io/import-source

Use volume.podman.io/import-source to import the contents of the
tarball (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) specified in the
annotation's value into the created Podman volume.

Kube play is capable of building images on the fly given the correct
directory layout and Containerfiles. This option is not yet available
for remote clients, including Mac and Windows (excluding WSL2) machines.
Consider the following excerpt from a YAML file:

    apiVersion: v1
    kind: Pod
    metadata:
    spec:
      containers:
      - name: container
        image: foobar

If there is a directory named foobar in the current working directory
with a file named Containerfile or Dockerfile, Podman kube play builds
that image and names it foobar. An example directory structure for this
example looks like:

    |- mykubefiles
        |- myplayfile.yaml
        |- foobar
             |- Containerfile

The build considers foobar to be the context directory for the build.
If there is an image in local storage called foobar, the image is not
built unless the --build flag is used. Use --build=false to completely
disable builds.

Kubernetes ConfigMap

A Kubernetes ConfigMap can be referenced as a source of environment
variables or volumes in Pods or Deployments. ConfigMaps aren't a
standalone object in Podman; instead, when a container uses a ConfigMap,
Podman creates environment variables or volumes as needed.

For example, the following YAML document defines a ConfigMap and then
uses it in a Pod:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: foo
    data:
      FOO: bar
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: foobar
    spec:
      containers:
      - name: container-1
        image: foobar
        envFrom:
        - configMapRef:
            name: foo
            optional: false

and as a result environment variable FOO is set to bar for container
container-1.

Kubernetes Secret

A Kubernetes Secret represents a Podman named secret. The Kubernetes
Secret is saved as a whole and may be referred to as a source of
environment variables or volumes in Pods or Deployments.

For example, the following YAML document defines a Secret and then uses
it in a Pod:

    kind: Secret
    apiVersion: v1
    metadata:
      name: foo
    data:
      foo: YmFy # base64 for bar
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: foobar
    spec:
      containers:
      - name: container-1
        image: foobar
        env:
        - name: FOO
          valueFrom:
            secretKeyRef:
              name: foo
              key: foo

and as a result environment variable FOO is set to bar for container
container-1.

--annotation=key=value
Add an annotation to the container or pod. This option can be set
multiple times.

--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
$HOME/.config/containers/auth.json on Windows/macOS. The file is created
by podman login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: There is also the option to override the default path of the
authentication file by setting the REGISTRY_AUTH_FILE environment
variable. This can be done with export REGISTRY_AUTH_FILE=path.

--build
Build images even if they are found in the local storage. Use
--build=false to completely disable builds. (This option is not
available with the remote Podman client)

--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the
registry. (Default: /etc/containers/certs.d) For details, see
containers-certs.d(5). (This option is not available with the remote
Podman client, including Mac and Windows (excluding WSL2) machines)

--configmap=path
Use Kubernetes configmap YAML at path to provide a source for
environment variable values within the containers of the pod. (This
option is not available with the remote Podman client)

Note: The --configmap option can be used multiple times or a
comma-separated list of paths can be used to pass multiple Kubernetes
configmap YAMLs. The YAML file may be in a multi-doc YAML format, but it
must contain only configmaps.

--context-dir=path
Use path as the build context directory for each image. Requires the
--build option to be true. (This option is not available with the remote
Podman client)

--creds=[username[:password]]
The [username[:password]] to use to authenticate with the registry, if
required. If one or both values are not supplied, a command line
prompt appears and the value can be entered. The password is entered
without echo.

Note that the specified credentials are only used to authenticate
against target registries. They are not used for mirrors or when the
registry gets rewritten (see containers-registries.conf(5)); to
authenticate against those consider using a containers-auth.json(5)
file.

--force
Tear down the volumes linked to the PersistentVolumeClaims as part of
--down.

--help, -h
Print usage statement.

--ip=IP address
Assign a static ip address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks use the --network name:ip=<ip> syntax.

--log-driver=driver
Set logging driver for all created containers.

--log-opt=name=value
Logging driver specific options.

Set custom logging configuration. The following names are supported:

path: specify a path to the log file
(e.g. --log-opt path=/var/log/container/mycontainer.json);

max-size: specify a max size of the log file
(e.g. --log-opt max-size=10mb);

tag: specify a custom log tag for the container
(e.g. --log-opt tag="{{.ImageName}}"). It supports the same keys as
podman inspect --format. This option is currently supported only by
the journald log driver.

--mac-address=MAC address
Assign a static mac address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks use the --network name:mac=<mac> syntax.

--network=mode, --net
Set the network mode for the pod.

Valid mode values are:

• bridge[:OPTIONS,...]: Create a network stack on the default bridge.
  This is the default for rootful containers. It is possible to specify
  these additional options:

    • alias=name: Add network-scoped alias for the container.

    • ip=IPv4: Specify a static ipv4 address for this container.

    • ip=IPv6: Specify a static ipv6 address for this container.

    • mac=MAC: Specify a static mac address for this container.

    • interface_name: Specify a name for the created network interface
      inside the container.

  For example, to set a static ipv4 address and a static mac address,
  use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

• <network name or ID>[:OPTIONS,...]: Connect to a user-defined network;
  this is the network name or ID from a network created by podman
  network create. Using the network name implies the bridge network
  mode. It is possible to specify the same options described under the
  bridge mode above. Use the --network option multiple times to specify
  additional networks. For backwards compatibility it is also possible
  to specify networks comma separated on the first --network argument;
  however, this prevents you from using the options described under the
  bridge section above.

• none: Create a network namespace for the container but do not
  configure network interfaces for it, thus the container has no network
  connectivity.

• container:id: Reuse another container's network stack.

• host: Do not create a network namespace; the container uses the host's
  network. Note: The host mode gives the container full access to local
  system services such as D-bus and is therefore considered insecure.

• ns:path: Path to a network namespace to join.

• private: Create a new namespace for the container. This uses the
  bridge mode for rootful containers and slirp4netns for rootless ones.

• slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network
  stack. This is the default for rootless containers. It is possible to
  specify these additional options; they can also be set with
  network_cmd_options in containers.conf:

    • allow_host_loopback=true|false: Allow slirp4netns to reach the
      host loopback IP (default is 10.0.2.2 or the second IP from
      slirp4netns cidr subnet when changed, see the cidr option below).
      The default is false.

    • mtu=MTU: Specify the MTU to use for this network. (Default is
      65520).

    • cidr=CIDR: Specify ip range to use for this network. (Default is
      10.0.2.0/24).

    • enable_ipv6=true|false: Enable IPv6. Default is true. (Required
      for outbound_addr6).

    • outbound_addr=INTERFACE: Specify the outbound interface slirp
      binds to (ipv4 traffic only).

    • outbound_addr=IPv4: Specify the outbound ipv4 address slirp binds
      to.

    • outbound_addr6=INTERFACE: Specify the outbound interface slirp
      binds to (ipv6 traffic only).

    • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp binds
      to.

    • port_handler=rootlesskit: Use rootlesskit for port forwarding.
      Default. Note: Rootlesskit changes the source IP address of
      incoming packets to an IP address in the container network
      namespace, usually 10.0.2.100. If the application requires the
      real source IP address, e.g. web server logs, use the slirp4netns
      port handler. The rootlesskit port handler is also used for
      rootless containers when connected to user-defined networks.

    • port_handler=slirp4netns: Use the slirp4netns port forwarding; it
      is slower than rootlesskit but preserves the correct source IP
      address. This port handler cannot be used for user-defined
      networks.

• pasta[:OPTIONS,...]: use pasta(1) to create a user-mode networking
  stack.
  This is only supported in rootless mode.
  By default, IPv4 and IPv6 addresses and routes, as well as the pod
  interface name, are copied from the host. If port forwarding isn't
  configured, ports are forwarded dynamically as services are bound on
  either side (init namespace or container namespace). Port forwarding
  preserves the original source IP address. Options described in
  pasta(1) can be specified as comma-separated arguments.
  In terms of pasta(1) options, --config-net is given by default, in
  order to configure networking when the container is started, and
  --no-map-gw is also assumed by default, to avoid direct access from
  container to host using the gateway address. The latter can be
  overridden by passing --map-gw in the pasta-specific options (despite
  not being an actual pasta(1) option).
  Also, -t none and -u none are passed if, respectively, no TCP or UDP
  port forwarding from host to container is configured, to disable
  automatic port forwarding based on bound ports. Similarly, -T none and
  -U none are given to disable the same functionality from container to
  host.
  Some examples:

    • pasta:--map-gw: Allow the container to directly reach the host
      using the gateway address.

    • pasta:--mtu,1500: Specify a 1500 bytes MTU for the tap interface
      in the container.

    • pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp,
      equivalent to default slirp4netns(1) options: disable IPv6, assign
      10.0.2.0/24 to the tap0 interface in the container, with gateway
      10.0.2.3, enable DNS forwarder reachable at 10.0.2.3, set MTU to
      1500 bytes, disable NDP, DHCPv6 and DHCP support.

    • pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp,
      equivalent to default slirp4netns(1) options with Podman
      overrides: same as above, but leave the MTU to 65520 bytes.

    • pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port
      forwarding based on observed bound ports from both host and
      container sides.

    • pasta:-T,5201: enable forwarding of TCP port 5201 from container
      to host, using the loopback interface instead of the tap interface
      for improved performance.

  NOTE: For backward compatibility reasons, if there is an existing
  network named pasta, Podman uses it instead of the pasta mode.

When no network option is specified and host network mode is not
configured in the YAML file, a new network stack is created and pods are
attached to it, making pod-to-pod communication possible.

--no-hosts
Do not create /etc/hosts for the pod. By default, Podman manages
/etc/hosts, adding the container's own IP address and any hosts from
--add-host. --no-hosts disables this, and the image's /etc/hosts is
preserved unmodified.

This option conflicts with host added in the Kubernetes YAML.

--no-trunc
Use annotations that are not truncated to the Kubernetes maximum length
of 63 characters.

--publish=[[ip:][hostPort]:]containerPort[/protocol]
Define or override a port definition in the YAML file.

The lists of ports in the YAML file and the command line are merged.
Matching is done by using the containerPort field. If containerPort
exists in both the YAML file and the option, the latter takes
precedence.

--quiet, -q
Suppress output information when pulling images.

--replace
Tears down the pods created by a previous run of kube play and
recreates the pods. This option is used to keep the existing pods up to
date based upon the Kubernetes YAML.

--seccomp-profile-root=path
Directory path for seccomp profiles (default:
"/var/lib/kubelet/seccomp"). (This option is not available with the
remote Podman client, including Mac and Windows (excluding WSL2)
machines)

--start
Start the pod after creating it; set to false to only create it.

--tls-verify
Require HTTPS and verify certificates when contacting registries
(default: true). If explicitly set to true, TLS verification is used. If
set to false, TLS verification is not used. If not specified, TLS
verification is used unless the target registry is listed as an insecure
registry in containers-registries.conf(5).

--userns=mode
Set the user namespace mode for the container.

If --userns is not set, the default value is determined as follows.

• If --pod is set, --userns is ignored and the user namespace of the pod
  is used.
• If the environment variable PODMAN_USERNS is set, its value is used.
• If userns is specified in containers.conf, this value is used.
• Otherwise, --userns=host is assumed.

--userns="" (i.e., an empty string) is an alias for --userns=host.

This option is incompatible with --gidmap, --uidmap, --subuidname and
--subgidname.

Rootless user --userns=Key mappings:

┌────────────────────────┬───────────┬─────────────────────┐
│Key                     │ Host User │ Container User      │
├────────────────────────┼───────────┼─────────────────────┤
│auto                    │ $UID      │ nil (Host User UID  │
│                        │           │ is not mapped into  │
│                        │           │ container.)         │
├────────────────────────┼───────────┼─────────────────────┤
│host                    │ $UID      │ 0 (Default User     │
│                        │           │ account mapped to   │
│                        │           │ root user in        │
│                        │           │ container.)         │
├────────────────────────┼───────────┼─────────────────────┤
│keep-id                 │ $UID      │ $UID (Map user      │
│                        │           │ account to same UID │
│                        │           │ within container.)  │
├────────────────────────┼───────────┼─────────────────────┤
│keep-id:uid=200,gid=210 │ $UID      │ 200:210 (Map user   │
│                        │           │ account to specified│
│                        │           │ UID, GID value      │
│                        │           │ within container.)  │
├────────────────────────┼───────────┼─────────────────────┤
│nomap                   │ $UID      │ nil (Host User UID  │
│                        │           │ is not mapped into  │
│                        │           │ container.)         │
└────────────────────────┴───────────┴─────────────────────┘

Valid mode values are:

auto[:OPTIONS,...]: automatically create a unique user namespace.

The --userns=auto flag requires that the user name containers be
specified in the /etc/subuid and /etc/subgid files, with an unused range
of subordinate user IDs that Podman containers are allowed to allocate.
See subuid(5).

Example: containers:2147483647:2147483648.

Podman allocates unique ranges of UIDs and GIDs from the containers
subordinate user IDs. The size of the ranges is based on the number of
UIDs required in the image. The number of UIDs and GIDs can be
overridden with the size option.

The option --userns=keep-id uses all the subuids and subgids of the
user. The option --userns=nomap uses all the subuids and subgids of
the user except the user's own ID. Using --userns=auto when starting
new containers does not work as long as any containers exist that were
started with --userns=keep-id or --userns=nomap.

Valid auto options:

• gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be
  present in the user namespace.

• size=SIZE: to specify an explicit size for the automatic user
  namespace, e.g. --userns=auto:size=8192. If size is not specified,
  auto estimates a size for the user namespace.

• uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be
  present in the user namespace.

container:id: join the user namespace of the specified container.

host or "" (empty string): run in the user namespace of the caller. The
processes running in the container have the same privileges on the host
as any other process launched by the calling user.

keep-id: creates a user namespace where the current user's UID:GID are
mapped to the same values in the container. For containers created by
root, the current mapping is created into a new user namespace.

Valid keep-id options:

• uid=UID: override the UID inside the container to which the current
  user is mapped.

• gid=GID: override the GID inside the container to which the current
  user is mapped.

nomap: creates a user namespace where the current rootless user's
UID:GID are not mapped into the container. This option is not allowed
for containers created by the root user.

ns:namespace: run the pod in the given existing user namespace.

--wait, -w
Run pods and containers in the foreground. Default is false.

At any time you can run podman pod ps in another shell to view a list
of the running pods and containers.

When attached in the tty mode, you can kill the pods and containers by
pressing Ctrl-C or when any other interrupt signal is received.

All pods, containers, and volumes created with podman kube play are
removed upon exit.

Recreate the pod and containers as described in a file called demo.yml

    $ podman kube play demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Recreate the pod and containers as described in a file demo.yml sent to
stdin

    $ cat demo.yml | podman kube play -
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Tear down the pod and containers as described in a file demo.yml

    $ podman kube play --down demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Provide configmap-foo.yml and configmap-bar.yml as sources for
environment variables within the containers.

    $ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Create a pod connected to two networks (called net1 and net2) with a
static ip

    $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Please take into account that networks must be created first using
podman-network-create(1).

Create and tear down from a URL pointing to a YAML file

    $ podman kube play https://podman.io/demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play --down https://podman.io/demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

podman kube play --down does not work with a URL if the YAML file the
URL points to has been changed or altered.

This document outlines the kube yaml fields that are currently
supported by the podman kube play command.

Note: N/A means that the option cannot be supported in a single-node
Podman environment.

┌──────────────────────────────────────────────────┬─────────┐
│Field                                             │ Support │
├──────────────────────────────────────────────────┼─────────┤
│containers                                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│initContainers                                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│imagePullSecrets                                  │ no      │
├──────────────────────────────────────────────────┼─────────┤
│enableServiceLinks                                │ no      │
├──────────────────────────────────────────────────┼─────────┤
│os.name                                           │ no      │
├──────────────────────────────────────────────────┼─────────┤
│volumes                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│nodeSelector                                      │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│nodeName                                          │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│affinity.nodeAffinity                             │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│affinity.podAffinity                              │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│affinity.podAntiAffinity                          │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│tolerations.key                                   │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│tolerations.operator                              │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│tolerations.effect                                │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│tolerations.tolerationSeconds                     │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│schedulerName                                     │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│runtimeClassName                                  │ no      │
├──────────────────────────────────────────────────┼─────────┤
│priorityClassName                                 │ no      │
├──────────────────────────────────────────────────┼─────────┤
│priority                                          │ no      │
├──────────────────────────────────────────────────┼─────────┤
│topologySpreadConstraints.maxSkew                 │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│topologySpreadConstraints.topologyKey             │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│topologySpreadConstraints.whenUnsatisfiable       │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│topologySpreadConstraints.labelSelector           │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│topologySpreadConstraints.minDomains              │ N/A     │
├──────────────────────────────────────────────────┼─────────┤
│restartPolicy                                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│terminationGracePeriodSeconds                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│activeDeadlineSeconds                             │ no      │
├──────────────────────────────────────────────────┼─────────┤
│readinessGates.conditionType                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostname                                          │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│setHostnameAsFQDN                                 │ no      │
├──────────────────────────────────────────────────┼─────────┤
│subdomain                                         │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostAliases.hostnames                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostAliases.ip                                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.nameservers                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.options.name                            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.options.value                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.searches                                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsPolicy                                         │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostNetwork                                       │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostPID                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostIPC                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│shareProcessNamespace                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│serviceAccountName                                │ no      │
├──────────────────────────────────────────────────┼─────────┤
│automountServiceAccountToken                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsUser                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsNonRoot                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsGroup                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.supplementalGroups                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.fsGroup                           │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.fsGroupChangePolicy               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.type               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.localhostProfile   │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.level              │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.role               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.type               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.user               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.sysctls.name                      │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.sysctls.value                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.gmsaCredentialSpec │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.hostProcess        │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.runAsUserName      │ no      │
└──────────────────────────────────────────────────┴─────────┘
930
932 ┌──────────────────────────────────────────────────┬─────────┐
933 │Field │ Support │
934 ├──────────────────────────────────────────────────┼─────────┤
935 │name │ ✅ │
936 ├──────────────────────────────────────────────────┼─────────┤
937 │image │ ✅ │
938 ├──────────────────────────────────────────────────┼─────────┤
939 │imagePullPolicy │ ✅ │
940 ├──────────────────────────────────────────────────┼─────────┤
941 │command │ ✅ │
942 ├──────────────────────────────────────────────────┼─────────┤
943 │args │ ✅ │
944 ├──────────────────────────────────────────────────┼─────────┤
945 │workingDir │ ✅ │
946 ├──────────────────────────────────────────────────┼─────────┤
947 │ports.containerPort │ ✅ │
948 ├──────────────────────────────────────────────────┼─────────┤
949 │ports.hostIP │ ✅ │
950 ├──────────────────────────────────────────────────┼─────────┤
951 │ports.hostPort │ ✅ │
952 ├──────────────────────────────────────────────────┼─────────┤
953 │ports.name │ ✅ │
954 ├──────────────────────────────────────────────────┼─────────┤
955 │ports.protocol │ ✅ │
956 ├──────────────────────────────────────────────────┼─────────┤
957 │env.name │ ✅ │
958 ├──────────────────────────────────────────────────┼─────────┤
959 │env.value │ ✅ │
960 ├──────────────────────────────────────────────────┼─────────┤
961 │env.valueFrom.configMapKeyRef.key │ ✅ │
962 ├──────────────────────────────────────────────────┼─────────┤
963 │env.valueFrom.configMapKeyRef.name │ ✅ │
964 ├──────────────────────────────────────────────────┼─────────┤
965 │env.valueFrom.configMapKeyRef.optional │ ✅ │
966 ├──────────────────────────────────────────────────┼─────────┤
967 │env.valueFrom.fieldRef │ ✅ │
968 ├──────────────────────────────────────────────────┼─────────┤
969 │env.valueFrom.resourceFieldRef │ ✅ │
970 ├──────────────────────────────────────────────────┼─────────┤
971 │env.valueFrom.secretKeyRef.key │ ✅ │
972 ├──────────────────────────────────────────────────┼─────────┤
973 │env.valueFrom.secretKeyRef.name │ ✅ │
974 ├──────────────────────────────────────────────────┼─────────┤
975 │env.valueFrom.secretKeyRef.optional │ ✅ │
976 ├──────────────────────────────────────────────────┼─────────┤
977 │envFrom.configMapRef.name │ ✅ │
978 ├──────────────────────────────────────────────────┼─────────┤
979 │envFrom.configMapRef.optional │ ✅ │
980 ├──────────────────────────────────────────────────┼─────────┤
981 │envFrom.prefix │ no │
982 ├──────────────────────────────────────────────────┼─────────┤
983 │envFrom.secretRef.name │ ✅ │
984 ├──────────────────────────────────────────────────┼─────────┤
985 │envFrom.secretRef.optional │ ✅ │
986 ├──────────────────────────────────────────────────┼─────────┤
987 │volumeMounts.mountPath │ ✅ │
988 ├──────────────────────────────────────────────────┼─────────┤
989 │volumeMounts.name │ ✅ │
990 ├──────────────────────────────────────────────────┼─────────┤
991 │volumeMounts.mountPropagation │ no │
992 ├──────────────────────────────────────────────────┼─────────┤
993 │volumeMounts.readOnly │ ✅ │
994 ├──────────────────────────────────────────────────┼─────────┤
995 │volumeMounts.subPath │ no │
996 ├──────────────────────────────────────────────────┼─────────┤
997 │volumeMounts.subPathExpr │ no │
998 ├──────────────────────────────────────────────────┼─────────┤
999 │volumeDevices.devicePath │ no │
1000 ├──────────────────────────────────────────────────┼─────────┤
1001 │volumeDevices.name │ no │
1002 ├──────────────────────────────────────────────────┼─────────┤
1003 │resources.limits │ ✅ │
1004 ├──────────────────────────────────────────────────┼─────────┤
1005 │resources.requests │ ✅ │
1006 ├──────────────────────────────────────────────────┼─────────┤
1007 │lifecycle.postStart │ no │
1008 ├──────────────────────────────────────────────────┼─────────┤
1009 │lifecycle.preStop │ no │
1010 ├──────────────────────────────────────────────────┼─────────┤
1011 │terminationMessagePath │ no │
1012 ├──────────────────────────────────────────────────┼─────────┤
1013 │terminationMessagePolicy │ no │
1014 ├──────────────────────────────────────────────────┼─────────┤
1015 │livenessProbe │ ✅ │
1016 ├──────────────────────────────────────────────────┼─────────┤
1017 │readinessProbe │ no │
1018 ├──────────────────────────────────────────────────┼─────────┤
1019 │startupProbe │ no │
1020 ├──────────────────────────────────────────────────┼─────────┤
1021 │securityContext.runAsUser │ ✅ │
1022 ├──────────────────────────────────────────────────┼─────────┤
1023 │securityContext.runAsNonRoot │ no │
1024 ├──────────────────────────────────────────────────┼─────────┤
1025 │securityContext.runAsGroup │ ✅ │
1026 ├──────────────────────────────────────────────────┼─────────┤
1027 │securityContext.readOnlyRootFilesystem │ ✅ │
1028 ├──────────────────────────────────────────────────┼─────────┤
1029 │securityContext.procMount │ ✅ │
1030 ├──────────────────────────────────────────────────┼─────────┤
1031 │securityContext.privileged │ ✅ │
1032 ├──────────────────────────────────────────────────┼─────────┤
1033 │securityContext.allowPrivilegeEscalation │ ✅ │
1034 ├──────────────────────────────────────────────────┼─────────┤
1035 │securityContext.capabilities.add │ ✅ │
1036 ├──────────────────────────────────────────────────┼─────────┤
1037 │securityContext.capabilities.drop │ ✅ │
1038 ├──────────────────────────────────────────────────┼─────────┤
1039 │securityContext.seccompProfile.type │ no │
1040 ├──────────────────────────────────────────────────┼─────────┤
1041 │securityContext.seccompProfile.localhostProfile │ no │
1042 ├──────────────────────────────────────────────────┼─────────┤
1043 │securityContext.seLinuxOptions.level │ ✅ │
1044 ├──────────────────────────────────────────────────┼─────────┤
1045 │securityContext.seLinuxOptions.role │ ✅ │
1046 ├──────────────────────────────────────────────────┼─────────┤
1047 │securityContext.seLinuxOptions.type │ ✅ │
1048 ├──────────────────────────────────────────────────┼─────────┤
1049 │securityContext.seLinuxOptions.user │ ✅ │
1050 ├──────────────────────────────────────────────────┼─────────┤
1051 │securityContext.windowsOptions.gmsaCredentialSpec │ no │
1052 ├──────────────────────────────────────────────────┼─────────┤
1053 │securityContext.windowsOptions.hostProcess │ no │
1054 ├──────────────────────────────────────────────────┼─────────┤
1055 │securityContext.windowsOptions.runAsUserName │ no │
1056 ├──────────────────────────────────────────────────┼─────────┤
1057 │stdin │ no │
1058 ├──────────────────────────────────────────────────┼─────────┤
1059 │stdinOnce │ no │
1060 ├──────────────────────────────────────────────────┼─────────┤
1061 │tty │ no │
1062 └──────────────────────────────────────────────────┴─────────┘
1063
1065 ┌───────────────────┬─────────┐
1066 │Field │ Support │
1067 ├───────────────────┼─────────┤
1068 │volumeName │ no │
1069 ├───────────────────┼─────────┤
1070 │storageClassName │ ✅ │
1071 ├───────────────────┼─────────┤
1072 │volumeMode │ no │
1073 ├───────────────────┼─────────┤
1074 │accessModes │ ✅ │
1075 ├───────────────────┼─────────┤
1076 │selector │ no │
1077 ├───────────────────┼─────────┤
1078 │resources.limits │ no │
1079 ├───────────────────┼─────────┤
1080 │resources.requests │ ✅ │
1081 └───────────────────┴─────────┘
1082
1084 ┌───────────┬─────────┐
1085 │Field │ Support │
1086 ├───────────┼─────────┤
1087 │binaryData │ ✅ │
1088 ├───────────┼─────────┤
1089 │data │ ✅ │
1090 ├───────────┼─────────┤
1091 │immutable │ no │
1092 └───────────┴─────────┘
1093
1095 ┌──────────────────────────────────────┬────────────────────────────┐
1096 │Field │ Support │
1097 ├──────────────────────────────────────┼────────────────────────────┤
1098 │replicas │ ✅ (the actual replica │
1099 │ │ count is ignored and set │
1100 │ │ to 1) │
1101 ├──────────────────────────────────────┼────────────────────────────┤
1102 │selector │ ✅ │
1103 ├──────────────────────────────────────┼────────────────────────────┤
1104 │template │ ✅ │
1105 ├──────────────────────────────────────┼────────────────────────────┤
1106 │minReadySeconds │ no │
1107 ├──────────────────────────────────────┼────────────────────────────┤
1108 │strategy.type │ no │
1109 ├──────────────────────────────────────┼────────────────────────────┤
1110 │strategy.rollingUpdate.maxSurge │ no │
1111 ├──────────────────────────────────────┼────────────────────────────┤
1112 │strategy.rollingUpdate.maxUnavailable │ no │
1113 ├──────────────────────────────────────┼────────────────────────────┤
1114 │revisionHistoryLimit │ no │
1115 ├──────────────────────────────────────┼────────────────────────────┤
1116 │progressDeadlineSeconds │ no │
1117 ├──────────────────────────────────────┼────────────────────────────┤
1118 │paused │ no │
1119 └──────────────────────────────────────┴────────────────────────────┘
1120
1122 ┌──────────────────────────────────────┬─────────┐
1123 │Field │ Support │
1124 ├──────────────────────────────────────┼─────────┤
1125 │selector │ ✅ │
1126 ├──────────────────────────────────────┼─────────┤
1127 │template │ ✅ │
1128 ├──────────────────────────────────────┼─────────┤
1129 │minReadySeconds │ no │
1130 ├──────────────────────────────────────┼─────────┤
1131 │strategy.type │ no │
1132 ├──────────────────────────────────────┼─────────┤
1133 │strategy.rollingUpdate.maxSurge │ no │
1134 ├──────────────────────────────────────┼─────────┤
1135 │strategy.rollingUpdate.maxUnavailable │ no │
1136 ├──────────────────────────────────────┼─────────┤
1137 │revisionHistoryLimit │ no │
1138 └──────────────────────────────────────┴─────────┘
1139
1141 podman(1), podman-kube(1), podman-kube-down(1), podman-network-cre‐
1142 ate(1), podman-kube-generate(1), containers-certs.d(5)