podman-kube-play(1)          General Commands Manual          podman-kube-play(1)

podman-kube-play - Create containers, pods and volumes based on Kubernetes YAML

podman kube play [options] file.yml|-|https://website.io/file.yml

podman kube play reads in a structured file of Kubernetes YAML. It recreates
the containers, pods, or volumes described in the YAML. Containers within a
pod are then started, and the ID of the new Pod or the name of the new Volume
is output. If the YAML file is specified as "-", then podman kube play reads
the YAML file from stdin. The input can also be a URL that points to a YAML
file such as https://podman.io/demo.yml. podman kube play reads the YAML from
the URL and creates pods and containers from it.

Using the --down command line option, it is also capable of tearing down the
pods created by a previous run of podman kube play.

Using the --replace command line option, it tears down the pods (if any)
created by a previous run of podman kube play and recreates the pods with the
Kubernetes YAML file.

Ideally the input file is created by Podman (see podman-kube-generate(1)).
This guarantees a smooth import and expected results.

Currently, the supported Kubernetes kinds are:

• Pod
• Deployment
• PersistentVolumeClaim
• ConfigMap
• Secret
• DaemonSet


Kubernetes Pods or Deployments

Only three volume types are supported by kube play, the hostPath, emptyDir,
and persistentVolumeClaim volume types.

• When using the hostPath volume type, only the default (empty),
  DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice and
  BlockDevice subtypes are supported. Podman interprets the value of hostPath
  path as a file path when it contains at least one forward slash, otherwise
  Podman treats the value as the name of a named volume.

• When using a persistentVolumeClaim, the value for claimName is the name for
  the Podman named volume.

• When using an emptyDir volume, Podman creates an anonymous volume that is
  attached to the containers running inside the pod and is deleted once the
  pod is removed.

Note: The default restart policy for containers is always. You can change the
default by setting the restartPolicy field in the spec.

Note: When playing a kube YAML with init containers, the init container is
created with init type value once. To change the default type, use the
io.podman.annotations.init.container.type annotation to set the type to
always.

Note: hostPath volume types created by kube play are given an SELinux shared
label (z); bind mounts are not relabeled
(use chcon -t container_file_t -R <directory>).

Note: If the :latest tag is used, Podman attempts to pull the image from a
registry. If the image was built locally with Podman or Buildah, it has
localhost as the domain; in that case, Podman uses the image from the local
store even if it has the :latest tag.

Note: The command podman play kube is an alias of podman kube play, and
performs the same function.

Note: The command podman kube down can be used to stop and remove pods or
containers based on the same Kubernetes YAML used by podman kube play to
create them.

Note: To customize the name of the infra container created during podman kube
play, use the io.podman.annotations.infra.name annotation in the pod
definition. This annotation is automatically set when generating a kube yaml
from a pod that was created with the --infra-name flag set.


Kubernetes PersistentVolumeClaims

A Kubernetes PersistentVolumeClaim represents a Podman named volume. Only the
PersistentVolumeClaim name is required by Podman to create a volume.
Kubernetes annotations can be used to make use of the available options for
Podman volumes.

• volume.podman.io/driver
• volume.podman.io/device
• volume.podman.io/type
• volume.podman.io/uid
• volume.podman.io/gid
• volume.podman.io/mount-options
• volume.podman.io/import-source

Use volume.podman.io/import-source to import the contents of the tarball
(.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) specified in the annotation's
value into the created Podman volume.

Kube play is capable of building images on the fly given the correct
directory layout and Containerfiles. This option is not available for remote
clients, including Mac and Windows (excluding WSL2) machines, yet. Consider
the following excerpt from a YAML file:

    apiVersion: v1
    kind: Pod
    metadata:
    spec:
      containers:
      - name: container
        image: foobar

If there is a directory named foobar in the current working directory with a
file named Containerfile or Dockerfile, Podman kube play builds that image
and names it foobar. An example directory structure for this example looks
like:

    |- mykubefiles
        |- myplayfile.yaml
        |- foobar
             |- Containerfile

The build considers foobar to be the context directory for the build. If
there is an image in local storage called foobar, the image is not built
unless the --build flag is used. Use --build=false to completely disable
builds.


Kubernetes ConfigMap

A Kubernetes ConfigMap can be referred to as a source of environment
variables or volumes in Pods or Deployments. ConfigMaps aren't a standalone
object in Podman; instead, when a container uses a ConfigMap, Podman creates
environment variables or volumes as needed.

For example, the following YAML document defines a ConfigMap and then uses it
in a Pod:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: foo
    data:
      FOO: bar
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: foobar
    spec:
      containers:
      - name: container-1
        image: foobar
        envFrom:
        - configMapRef:
            name: foo
            optional: false

and as a result environment variable FOO is set to bar for container
container-1.

Kubernetes Secret

A Kubernetes Secret represents a Podman named secret. The Kubernetes Secret
is saved as a whole and may be referred to as a source of environment
variables or volumes in Pods or Deployments.

For example, the following YAML document defines a Secret and then uses it in
a Pod:

    kind: Secret
    apiVersion: v1
    metadata:
      name: foo
    data:
      foo: YmFy # base64 for bar
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: foobar
    spec:
      containers:
      - name: container-1
        image: foobar
        env:
        - name: FOO
          valueFrom:
            secretKeyRef:
              name: foo
              key: foo

and as a result environment variable FOO is set to bar for container
container-1.


--annotation=key=value
Add an annotation to the container or pod. This option can be set multiple
times.

--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
$HOME/.config/containers/auth.json on Windows/macOS. The file is created by
podman login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: There is also the option to override the default path of the
authentication file by setting the REGISTRY_AUTH_FILE environment variable.
This can be done with export REGISTRY_AUTH_FILE=path.

--build
Build images even if they are found in the local storage. Use --build=false
to completely disable builds. (This option is not available with the remote
Podman client)

Note: You can also override the default isolation type by setting the
BUILDAH_ISOLATION environment variable: export BUILDAH_ISOLATION=oci. See
podman-build.1.md for more information.

--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the registry.
(Default: /etc/containers/certs.d) For details, see containers-certs.d(5).
(This option is not available with the remote Podman client, including Mac
and Windows (excluding WSL2) machines)

--configmap=path
Use Kubernetes configmap YAML at path to provide a source for environment
variable values within the containers of the pod. (This option is not
available with the remote Podman client)

Note: The --configmap option can be used multiple times or a comma-separated
list of paths can be used to pass multiple Kubernetes configmap YAMLs. The
YAML file may be in a multi-doc YAML format. However, it must contain only
configmaps.

--context-dir=path
Use path as the build context directory for each image. Requires --build
option be true. (This option is not available with the remote Podman client)

--creds=[username[:password]]
The [username[:password]] to use to authenticate with the registry, if
required. If one or both values are not supplied, a command line prompt
appears and the value can be entered. The password is entered without echo.

Note that the specified credentials are only used to authenticate against
target registries. They are not used for mirrors or when the registry gets
rewritten (see containers-registries.conf(5)); to authenticate against those
consider using a containers-auth.json(5) file.

--force
Tear down the volumes linked to the PersistentVolumeClaims as part of --down.

--help, -h
Print usage statement.

--ip=IP address
Assign a static ip address to the pod. This option can be specified several
times when kube play creates more than one pod. Note: When joining multiple
networks use the --network name:ip=<ip> syntax.

--log-driver=driver
Set logging driver for all created containers.

--log-opt=name=value
Logging driver specific options.

Set custom logging configuration. The following names are supported:

path: specify a path to the log file
(e.g. --log-opt path=/var/log/container/mycontainer.json);

max-size: specify a max size of the log file
(e.g. --log-opt max-size=10mb);

tag: specify a custom log tag for the container
(e.g. --log-opt tag="{{.ImageName}}"). It supports the same keys as podman
inspect --format. This option is currently supported only by the journald log
driver.

--mac-address=MAC address
Assign a static mac address to the pod. This option can be specified several
times when kube play creates more than one pod. Note: When joining multiple
networks use the --network name:mac=<mac> syntax.


--network=mode, --net
Set the network mode for the pod.

Valid mode values are:

• bridge[:OPTIONS,...]: Create a network stack on the default bridge. This is
  the default for rootful containers. It is possible to specify these
  additional options:

  • alias=name: Add network-scoped alias for the container.
  • ip=IPv4: Specify a static ipv4 address for this container.
  • ip=IPv6: Specify a static ipv6 address for this container.
  • mac=MAC: Specify a static mac address for this container.
  • interface_name: Specify a name for the created network interface inside
    the container.

  For example to set a static ipv4 address and a static mac address, use
  --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

• <network name or ID>[:OPTIONS,...]: Connect to a user-defined network; this
  is the network name or ID from a network created by podman network create.
  Using the network name implies the bridge network mode. It is possible to
  specify the same options described under the bridge mode above. Use the
  --network option multiple times to specify additional networks. For
  backwards compatibility it is also possible to specify networks comma
  separated on the first --network argument, however this prevents you from
  using the options described under the bridge section above.

• none: Create a network namespace for the container but do not configure
  network interfaces for it, thus the container has no network connectivity.

• container:id: Reuse another container's network stack.

• host: Do not create a network namespace, the container uses the host's
  network. Note: The host mode gives the container full access to local
  system services such as D-bus and is therefore considered insecure.

• ns:path: Path to a network namespace to join.

• private: Create a new namespace for the container. This uses the bridge
  mode for rootful containers and slirp4netns for rootless ones.

• slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network
  stack. This is the default for rootless containers. It is possible to
  specify these additional options, they can also be set with
  network_cmd_options in containers.conf:

  • allow_host_loopback=true|false: Allow slirp4netns to reach the host
    loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr
    subnet when changed, see the cidr option below). The default is false.
  • mtu=MTU: Specify the MTU to use for this network. (Default is 65520).
  • cidr=CIDR: Specify ip range to use for this network. (Default is
    10.0.2.0/24).
  • enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
    outbound_addr6).
  • outbound_addr=INTERFACE: Specify the outbound interface slirp binds to
    (ipv4 traffic only).
  • outbound_addr=IPv4: Specify the outbound ipv4 address slirp binds to.
  • outbound_addr6=INTERFACE: Specify the outbound interface slirp binds to
    (ipv6 traffic only).
  • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp binds to.
  • port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
    Note: Rootlesskit changes the source IP address of incoming packets to an
    IP address in the container network namespace, usually 10.0.2.100. If the
    application requires the real source IP address, e.g. web server logs,
    use the slirp4netns port handler. The rootlesskit port handler is also
    used for rootless containers when connected to user-defined networks.
  • port_handler=slirp4netns: Use the slirp4netns port forwarding, it is
    slower than rootlesskit but preserves the correct source IP address. This
    port handler cannot be used for user-defined networks.

• pasta[:OPTIONS,...]: use pasta(1) to create a user-mode networking stack.
  This is only supported in rootless mode.
  By default, IPv4 and IPv6 addresses and routes, as well as the pod
  interface name, are copied from the host. If port forwarding isn't
  configured, ports are forwarded dynamically as services are bound on either
  side (init namespace or container namespace). Port forwarding preserves the
  original source IP address. Options described in pasta(1) can be specified
  as comma-separated arguments.
  In terms of pasta(1) options, --config-net is given by default, in order to
  configure networking when the container is started, and --no-map-gw is also
  assumed by default, to avoid direct access from container to host using the
  gateway address. The latter can be overridden by passing --map-gw in the
  pasta-specific options (despite not being an actual pasta(1) option).
  Also, -t none and -u none are passed if, respectively, no TCP or UDP port
  forwarding from host to container is configured, to disable automatic port
  forwarding based on bound ports. Similarly, -T none and -U none are given
  to disable the same functionality from container to host.
  Some examples:

  • pasta:--map-gw: Allow the container to directly reach the host using the
    gateway address.
  • pasta:--mtu,1500: Specify a 1500 bytes MTU for the tap interface in the
    container.
  • pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp,
    equivalent to default slirp4netns(1) options: disable IPv6, assign
    10.0.2.0/24 to the tap0 interface in the container, with gateway
    10.0.2.3, enable DNS forwarder reachable at 10.0.2.3, set MTU to 1500
    bytes, disable NDP, DHCPv6 and DHCP support.
  • pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp,
    equivalent to default slirp4netns(1) options with Podman overrides: same
    as above, but leave the MTU at 65520 bytes.
  • pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port forwarding
    based on observed bound ports from both host and container sides.
  • pasta:-T,5201: enable forwarding of TCP port 5201 from container to host,
    using the loopback interface instead of the tap interface for improved
    performance.

  NOTE: For backward compatibility reasons, if there is an existing network
  named pasta, Podman uses it instead of the pasta mode.

When no network option is specified and host network mode is not configured
in the YAML file, a new network stack is created and pods are attached to it,
making pod-to-pod communication possible.

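The hostPath rule described earlier (a value with a forward slash is a host file path, anything else is a named volume) and the host network note above can be checked before a file is played. The script below is an added example, not part of Podman; the function names and the sample pod are constructed here, and it assumes block-style YAML with one key per line.

```shell
#!/bin/sh
# Added example, not part of Podman: pre-flight audit of a kube YAML file.
# Assumes block-style YAML (one key per line); all names here are illustrative.

# kube_audit [FILE]: print one finding per line (reads stdin without FILE):
#   hostpath-bind PATH     hostPath value contains "/": a host file path is mounted
#   named-volume NAME      hostPath value has no "/": Podman uses a named volume
#   host-namespace FIELD   hostNetwork, hostPID or hostIPC is set to true
kube_audit() {
    awk '
    BEGIN { q = sprintf("%c", 39); trim = "^[ \t\"" q "]+|[ \t\"" q "]+$" }
    function value(line,    v) {
        v = line
        sub(/^[^:]*:/, "", v)       # keep what follows the first colon
        sub(/[ \t]+#.*$/, "", v)    # drop a trailing comment
        gsub(trim, "", v)           # trim blanks and surrounding quotes
        return v
    }
    /^[ \t]*#/ { next }
    /^[ \t-]*hostPath:[ \t]*$/ { in_hostpath = 1; next }
    in_hostpath && /^[ \t]*type:/ { next }
    in_hostpath && /^[ \t]*path:/ {
        p = value($0)
        kind = index(p, "/") ? "hostpath-bind" : "named-volume"
        print kind, p
        in_hostpath = 0
        next
    }
    { in_hostpath = 0 }
    /^[ \t]*host(Network|PID|IPC):/ {
        if (value($0) == "true") { f = $1; sub(/:.*/, "", f); print "host-namespace", f }
    }
    ' "$@"
}

# kube_gate [FILE]: fail when the YAML mounts a host path or shares a host namespace.
kube_gate() {
    findings=$(kube_audit "$@" | grep -v '^named-volume ' || true)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample input (not taken from the man page).
sample_pod_yaml() {
    cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: true
  hostPID: false
  containers:
  - name: web
    image: foobar
    volumeMounts:
    - name: logs
      mountPath: /var/log/app
  volumes:
  - name: logs
    hostPath:
      path: /var/log/demo   # has a slash: host directory
      type: DirectoryOrCreate
  - name: cache
    hostPath:
      path: demo-cache
  - name: scratch
    emptyDir: {}
EOF
}

# Run as a script: gate the file given as the first argument.
if [ "$#" -gt 0 ]; then kube_gate "$@"; fi
```

Run it as `sh audit.sh demo.yml` ahead of `podman kube play demo.yml`; a non-zero exit means the file asks for a host path mount or a host namespace.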

--no-hosts
Do not create /etc/hosts for the pod. By default, Podman manages /etc/hosts,
adding the container's own IP address and any hosts from --add-host.
--no-hosts disables this, and the image's /etc/hosts is preserved unmodified.

This option conflicts with host added in the Kubernetes YAML.

--no-trunc
Use annotations that are not truncated to the Kubernetes maximum length of 63
characters.

--publish=[[ip:][hostPort]:]containerPort[/protocol]
Define or override a port definition in the YAML file.

The lists of ports in the YAML file and the command line are merged. Matching
is done by using the containerPort field. If containerPort exists in both the
YAML file and the option, the latter takes precedence.

--publish-all
Setting this option to true will expose all ports to the host, even if only
specified via containerPort in the K8 YAML. In terms of which port will be
exposed, --publish has higher priority than hostPort, which has higher
priority than containerPort.

If set to false (which is the default), only ports defined via hostPort or
--publish are published on the host.

--quiet, -q
Suppress output information when pulling images.

--replace
Tears down the pods created by a previous run of kube play and recreates the
pods. This option is used to keep the existing pods up to date based upon the
Kubernetes YAML.

--seccomp-profile-root=path
Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp").
(This option is not available with the remote Podman client, including Mac
and Windows (excluding WSL2) machines)

--start
Start the pod after creating it, set to false to only create it.

--tls-verify
Require HTTPS and verify certificates when contacting registries (default:
true). If explicitly set to true, TLS verification is used. If set to false,
TLS verification is not used. If not specified, TLS verification is used
unless the target registry is listed as an insecure registry in
containers-registries.conf(5).

--userns=mode
Set the user namespace mode for the container.

If --userns is not set, the default value is determined as follows.

• If --pod is set, --userns is ignored and the user namespace of the pod is
  used.
• If the environment variable PODMAN_USERNS is set its value is used.
• If userns is specified in containers.conf this value is used.
• Otherwise, --userns=host is assumed.

--userns="" (i.e., an empty string) is an alias for --userns=host.

This option is incompatible with --gidmap, --uidmap, --subuidname and
--subgidname.

Rootless user --userns=Key mappings:

┌────────────────────────┬───────────┬─────────────────────┐
│Key                     │ Host User │ Container User      │
├────────────────────────┼───────────┼─────────────────────┤
│auto                    │ $UID      │ nil (Host User UID  │
│                        │           │ is not mapped into  │
│                        │           │ container.)         │
├────────────────────────┼───────────┼─────────────────────┤
│host                    │ $UID      │ 0 (Default User     │
│                        │           │ account mapped to   │
│                        │           │ root user in        │
│                        │           │ container.)         │
├────────────────────────┼───────────┼─────────────────────┤
│keep-id                 │ $UID      │ $UID (Map user      │
│                        │           │ account to same UID │
│                        │           │ within container.)  │
├────────────────────────┼───────────┼─────────────────────┤
│keep-id:uid=200,gid=210 │ $UID      │ 200:210 (Map user   │
│                        │           │ account to specified│
│                        │           │ UID, GID value      │
│                        │           │ within container.)  │
├────────────────────────┼───────────┼─────────────────────┤
│nomap                   │ $UID      │ nil (Host User UID  │
│                        │           │ is not mapped into  │
│                        │           │ container.)         │
└────────────────────────┴───────────┴─────────────────────┘


Valid mode values are:

auto[:OPTIONS,...]: automatically create a unique user namespace.

• rootful mode: The --userns=auto flag requires that the user name containers
  be specified in the /etc/subuid and /etc/subgid files, with an unused range
  of subordinate user IDs that Podman containers are allowed to allocate.

  Example: containers:2147483647:2147483648.

• rootless mode: The users range from the /etc/subuid and /etc/subgid files
  will be used. Note running a single container without using --userns=auto
  will use the entire range of UIDs and not allow further subdividing. See
  subuid(5).

Podman allocates unique ranges of UIDs and GIDs from the containers
subordinate user IDs. The size of the ranges is based on the number of UIDs
required in the image. The number of UIDs and GIDs can be overridden with the
size option.

The option --userns=keep-id uses all the subuids and subgids of the user. The
option --userns=nomap uses all the subuids and subgids of the user except the
user's own ID. Using --userns=auto when starting new containers does not work
as long as any containers exist that were started with --userns=keep-id or
--userns=nomap.

Valid auto options:

• gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present
  in the user namespace.
• size=SIZE: to specify an explicit size for the automatic user namespace.
  e.g. --userns=auto:size=8192. If size is not specified, auto estimates a
  size for the user namespace.
• uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present
  in the user namespace.

container:id: join the user namespace of the specified container.

host or "" (empty string): run in the user namespace of the caller. The
processes running in the container have the same privileges on the host as
any other process launched by the calling user.

keep-id: creates a user namespace where the current user's UID:GID are mapped
to the same values in the container. For containers created by root, the
current mapping is created into a new user namespace.

Valid keep-id options:

• uid=UID: override the UID inside the container that is used to map the
  current user to.
• gid=GID: override the GID inside the container that is used to map the
  current user to.

nomap: creates a user namespace where the current rootless user's UID:GID are
not mapped into the container. This option is not allowed for containers
created by the root user.

ns:namespace: run the pod in the given existing user namespace.

--wait, -w
Run pods and containers in the foreground. Default is false.

At any time you can run podman pod ps in another shell to view a list of the
running pods and containers.

When attached in the tty mode, you can kill the pods and containers by
pressing Ctrl-C or receiving any other interrupt signals.

All pods, containers, and volumes created with podman kube play are removed
upon exit.


Recreate the pod and containers as described in a file called demo.yml

    $ podman kube play demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Recreate the pod and containers as described in a file demo.yml sent to stdin

    $ cat demo.yml | podman kube play -
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Tear down the pod and containers as described in a file demo.yml

    $ podman kube play --down demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Provide configmap-foo.yml and configmap-bar.yml as sources for environment
variables within the containers.

    $ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Create a pod connected to two networks (called net1 and net2) with a static
ip

    $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

Please take into account that networks must be created first using
podman-network-create(1).

Create and tear down from a URL pointing to a YAML file

    $ podman kube play https://podman.io/demo.yml
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

    $ podman kube play --down https://podman.io/demo.yml
    Pods stopped:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
    Pods removed:
    52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6

podman kube play --down does not work with a URL if the YAML file the URL
points to has been changed or altered.

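Because a remote YAML file can change between the play and the later --down, one way to keep both operations on the same content is to download the file once, record its SHA-256, and run every later command against the verified local copy. The script below is an added example, not part of Podman; the function names are made up here, and it assumes curl and sha256sum are installed.

```shell
#!/bin/sh
# Added example, not part of Podman: play a remote kube YAML from a pinned copy.
# Assumes curl and sha256sum are available; function names are illustrative.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# pin_fetch URL DEST: download URL over HTTPS only (redirects included) to DEST
# and print the digest to record next to the file.
pin_fetch() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1" || return 1
    sha256_of "$2"
}

# pin_verify FILE SHA256: succeed only if FILE still has the recorded digest.
pin_verify() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# play_pinned FILE SHA256 [options]: run podman kube play on the local copy,
# refusing if it no longer matches the recorded digest. Passing --down as an
# option tears down with exactly the YAML that was used to create the pods.
play_pinned() {
    file=$1
    digest=$2
    shift 2
    if ! pin_verify "$file" "$digest"; then
        echo "refusing to use $file: digest does not match $digest" >&2
        return 1
    fi
    podman kube play "$@" "$file"
}

# Typical session (the URL is the one used in the examples above):
#   digest=$(pin_fetch https://podman.io/demo.yml ./demo.yml)
#   play_pinned ./demo.yml "$digest"
#   play_pinned ./demo.yml "$digest" --down
```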
807
808
810 This document outlines the kube yaml fields that are currently sup‐
811 ported by the podman kube play command.
812
813
814 Note: N/A means that the option cannot be supported in a single-node
815 Podman environment.
816
817
819 ┌──────────────────────────────────────────────────┬─────────┐
820 │Field │ Support │
821 ├──────────────────────────────────────────────────┼─────────┤
822 │containers │ ✅ │
823 ├──────────────────────────────────────────────────┼─────────┤
824 │initContainers │ ✅ │
825 ├──────────────────────────────────────────────────┼─────────┤
826 │imagePullSecrets │ no │
827 ├──────────────────────────────────────────────────┼─────────┤
828 │enableServiceLinks │ no │
829 ├──────────────────────────────────────────────────┼─────────┤
830 │os.name │ no │
831 ├──────────────────────────────────────────────────┼─────────┤
832 │volumes │ ✅ │
833 ├──────────────────────────────────────────────────┼─────────┤
834 │nodeSelector │ N/A │
835 ├──────────────────────────────────────────────────┼─────────┤
836 │nodeName │ N/A │
837 ├──────────────────────────────────────────────────┼─────────┤
838 │affinity.nodeAffinity │ N/A │
839 ├──────────────────────────────────────────────────┼─────────┤
840 │affinity.podAffinity │ N/A │
841 ├──────────────────────────────────────────────────┼─────────┤
842 │affinity.podAntiAffinity │ N/A │
843 ├──────────────────────────────────────────────────┼─────────┤
844 │tolerations.key │ N/A │
845 ├──────────────────────────────────────────────────┼─────────┤
846 │tolerations.operator │ N/A │
847 ├──────────────────────────────────────────────────┼─────────┤
848 │tolerations.effect │ N/A │
849 ├──────────────────────────────────────────────────┼─────────┤
850 │tolerations.tolerationSeconds │ N/A │
851 ├──────────────────────────────────────────────────┼─────────┤
852 │schedulerName │ N/A │
853 ├──────────────────────────────────────────────────┼─────────┤
854 │runtimeClassName │ no │
855 ├──────────────────────────────────────────────────┼─────────┤
856 │priorityClassName │ no │
857 ├──────────────────────────────────────────────────┼─────────┤
858 │priority │ no │
859 ├──────────────────────────────────────────────────┼─────────┤
860 │topologySpreadConstraints.maxSkew │ N/A │
861 ├──────────────────────────────────────────────────┼─────────┤
862 │topologySpreadConstraints.topologyKey │ N/A │
863 ├──────────────────────────────────────────────────┼─────────┤
864 │topologySpreadConstraints.whenUnsatisfiable │ N/A │
865 ├──────────────────────────────────────────────────┼─────────┤
866 │topologySpreadConstraints.labelSelector │ N/A │
867 ├──────────────────────────────────────────────────┼─────────┤
868 │topologySpreadConstraints.minDomains │ N/A │
869 ├──────────────────────────────────────────────────┼─────────┤
870 │restartPolicy │ ✅ │
├──────────────────────────────────────────────────┼─────────┤
│terminationGracePeriodSeconds                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│activeDeadlineSeconds                             │ no      │
├──────────────────────────────────────────────────┼─────────┤
│readinessGates.conditionType                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostname                                          │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│setHostnameAsFQDN                                 │ no      │
├──────────────────────────────────────────────────┼─────────┤
│subdomain                                         │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostAliases.hostnames                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostAliases.ip                                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.nameservers                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.options.name                            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.options.value                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsConfig.searches                                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│dnsPolicy                                         │ no      │
├──────────────────────────────────────────────────┼─────────┤
│hostNetwork                                       │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostPID                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│hostIPC                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│shareProcessNamespace                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│serviceAccountName                                │ no      │
├──────────────────────────────────────────────────┼─────────┤
│automountServiceAccountToken                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsUser                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsNonRoot                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsGroup                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.supplementalGroups                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.fsGroup                           │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.fsGroupChangePolicy               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.type               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.localhostProfile   │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.level              │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.role               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.type               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.user               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.sysctls.name                      │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.sysctls.value                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.gmsaCredentialSpec │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.hostProcess        │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.runAsUserName      │ no      │
└──────────────────────────────────────────────────┴─────────┘

┌──────────────────────────────────────────────────┬─────────┐
│Field                                             │ Support │
├──────────────────────────────────────────────────┼─────────┤
│name                                              │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│image                                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│imagePullPolicy                                   │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│command                                           │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│args                                              │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│workingDir                                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│ports.containerPort                               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│ports.hostIP                                      │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│ports.hostPort                                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│ports.name                                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│ports.protocol                                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.name                                          │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.value                                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.configMapKeyRef.key                 │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.configMapKeyRef.name                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.configMapKeyRef.optional            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.fieldRef                            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.resourceFieldRef                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.secretKeyRef.key                    │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.secretKeyRef.name                   │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│env.valueFrom.secretKeyRef.optional               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│envFrom.configMapRef.name                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│envFrom.configMapRef.optional                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│envFrom.prefix                                    │ no      │
├──────────────────────────────────────────────────┼─────────┤
│envFrom.secretRef.name                            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│envFrom.secretRef.optional                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.mountPath                            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.name                                 │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.mountPropagation                     │ no      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.readOnly                             │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.subPath                              │ no      │
├──────────────────────────────────────────────────┼─────────┤
│volumeMounts.subPathExpr                          │ no      │
├──────────────────────────────────────────────────┼─────────┤
│volumeDevices.devicePath                          │ no      │
├──────────────────────────────────────────────────┼─────────┤
│volumeDevices.name                                │ no      │
├──────────────────────────────────────────────────┼─────────┤
│resources.limits                                  │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│resources.requests                                │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│lifecycle.postStart                               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│lifecycle.preStop                                 │ no      │
├──────────────────────────────────────────────────┼─────────┤
│terminationMessagePath                            │ no      │
├──────────────────────────────────────────────────┼─────────┤
│terminationMessagePolicy                          │ no      │
├──────────────────────────────────────────────────┼─────────┤
│livenessProbe                                     │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│readinessProbe                                    │ no      │
├──────────────────────────────────────────────────┼─────────┤
│startupProbe                                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsUser                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsNonRoot                      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.runAsGroup                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.readOnlyRootFilesystem            │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.procMount                         │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.privileged                        │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.allowPrivilegeEscalation          │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.capabilities.add                  │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.capabilities.drop                 │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.type               │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seccompProfile.localhostProfile   │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.level              │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.role               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.type               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.seLinuxOptions.user               │ ✅      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.gmsaCredentialSpec │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.hostProcess        │ no      │
├──────────────────────────────────────────────────┼─────────┤
│securityContext.windowsOptions.runAsUserName      │ no      │
├──────────────────────────────────────────────────┼─────────┤
│stdin                                             │ no      │
├──────────────────────────────────────────────────┼─────────┤
│stdinOnce                                         │ no      │
├──────────────────────────────────────────────────┼─────────┤
│tty                                               │ no      │
└──────────────────────────────────────────────────┴─────────┘

┌───────────────────┬─────────┐
│Field              │ Support │
├───────────────────┼─────────┤
│volumeName         │ no      │
├───────────────────┼─────────┤
│storageClassName   │ ✅      │
├───────────────────┼─────────┤
│volumeMode         │ no      │
├───────────────────┼─────────┤
│accessModes        │ ✅      │
├───────────────────┼─────────┤
│selector           │ no      │
├───────────────────┼─────────┤
│resources.limits   │ no      │
├───────────────────┼─────────┤
│resources.requests │ ✅      │
└───────────────────┴─────────┘

┌───────────┬─────────┐
│Field      │ Support │
├───────────┼─────────┤
│binaryData │ ✅      │
├───────────┼─────────┤
│data       │ ✅      │
├───────────┼─────────┤
│immutable  │ no      │
└───────────┴─────────┘

┌──────────────────────────────────────┬────────────────────────────┐
│Field                                 │ Support                    │
├──────────────────────────────────────┼────────────────────────────┤
│replicas                              │ ✅ (the actual replica     │
│                                      │ count is ignored and set   │
│                                      │ to 1)                      │
├──────────────────────────────────────┼────────────────────────────┤
│selector                              │ ✅                         │
├──────────────────────────────────────┼────────────────────────────┤
│template                              │ ✅                         │
├──────────────────────────────────────┼────────────────────────────┤
│minReadySeconds                       │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│strategy.type                         │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│strategy.rollingUpdate.maxSurge       │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│strategy.rollingUpdate.maxUnavailable │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│revisionHistoryLimit                  │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│progressDeadlineSeconds               │ no                         │
├──────────────────────────────────────┼────────────────────────────┤
│paused                                │ no                         │
└──────────────────────────────────────┴────────────────────────────┘

┌──────────────────────────────────────┬─────────┐
│Field                                 │ Support │
├──────────────────────────────────────┼─────────┤
│selector                              │ ✅      │
├──────────────────────────────────────┼─────────┤
│template                              │ ✅      │
├──────────────────────────────────────┼─────────┤
│minReadySeconds                       │ no      │
├──────────────────────────────────────┼─────────┤
│strategy.type                         │ no      │
├──────────────────────────────────────┼─────────┤
│strategy.rollingUpdate.maxSurge       │ no      │
├──────────────────────────────────────┼─────────┤
│strategy.rollingUpdate.maxUnavailable │ no      │
├──────────────────────────────────────┼─────────┤
│revisionHistoryLimit                  │ no      │
└──────────────────────────────────────┴─────────┘

podman(1), podman-kube(1), podman-kube-down(1), podman-network-create(1),
podman-kube-generate(1), podman-build(1), containers-certs.d(5)