NAME

podman-kube-play - Create containers, pods and volumes based on Kubernetes YAML
 

SYNOPSIS

podman kube play [options] file.yml|-|https://website.io/file.yml
 

DESCRIPTION

podman kube play will read in a structured file of Kubernetes YAML. It will then recreate the containers, pods or volumes described in the YAML. Containers within a pod are then started and the ID of the new Pod or the name of the new Volume is output. If the yaml file is specified as "-" then podman kube play will read the YAML file from stdin. Using the --down command line option, it is also capable of tearing down the pods created by a previous run of podman kube play. Using the --replace command line option, it will tear down the pods(if any) created by a previous run of podman kube play and recreate the pods with the Kubernetes YAML file. Ideally the input file would be one created by Podman (see podman-kube-generate(1)). This would guarantee a smooth import and expected results. The input can also be a URL that points to a YAML file such as https://podman.io/demo.yml. podman kube play will read the YAML from the URL and create pods and containers from it.
 
Currently, the supported Kubernetes kinds are: - Pod - Deployment - PersistentVolumeClaim - ConfigMap
 
Kubernetes Pods or Deployments
 
Only three volume types are supported by kube play, the hostPath, emptyDir, and persistentVolumeClaim volume types. For the hostPath volume type, only the default (empty), DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice and BlockDevice subtypes are supported. Podman interprets the value of hostPath path as a file path when it contains at least one forward slash, otherwise Podman treats the value as the name of a named volume. When using a persistentVolumeClaim, the value for claimName is the name for the Podman named volume. When using an emptyDir volume, podman creates an anonymous volume that is attached the containers running inside the pod and is deleted once the pod is removed.
 
Note: When playing a kube YAML with init containers, the init container will be created with init type value once. To change the default type, use the io.podman.annotations.init.container.type annotation to set the type to always.
 
Note: hostPath volume types created by kube play will be given an SELinux shared label (z), bind mounts are not relabeled (use chcon -t container_file_t -R <directory>).
 
Note: If the :latest tag is used, Podman will attempt to pull the image from a registry. If the image was built locally with Podman or Buildah, it will have localhost as the domain, in that case, Podman will use the image from the local store even if it has the :latest tag.
 
Note: The command podman play kube is an alias of podman kube play, and will perform the same function.
 
Note: The command podman kube down can be used to stop and remove pods or containers based on the same Kubernetes YAML used by podman kube play to create them.
 
Kubernetes PersistentVolumeClaims
 
A Kubernetes PersistentVolumeClaim represents a Podman named volume. Only the PersistentVolumeClaim name is required by Podman to create a volume. Kubernetes annotations can be used to make use of the available options for Podman volumes.
 
volume.podman.io/driver
volume.podman.io/device
volume.podman.io/type
volume.podman.io/uid
volume.podman.io/gid
volume.podman.io/mount-options
 
Kube play is capable of building images on the fly given the correct directory layout and Containerfiles. This option is not available for remote clients, including Mac and Windows (excluding WSL2) machines, yet. Consider the following excerpt from a YAML file:
 
 
apiVersion: v1
kind: Pod
metadata:
spec:
  containers:
  - command:
    - top
    - name: container
      value: podman
    image: foobar
 
If there is a directory named foobar in the current working directory with a file named Containerfile or Dockerfile, Podman kube play will build that image and name it foobar. An example directory structure for this example would look like:
 
 
|- mykubefiles
    |- myplayfile.yaml
    |- foobar
         |- Containerfile
 
The build will consider foobar to be the context directory for the build. If there is an image in local storage called foobar, the image will not be built unless the --build flag is used. Use --build=false to completely disable builds.
 
Kubernetes ConfigMap
 
Kubernetes ConfigMap can be referred as a source of environment variables or volumes in Pods or Deployments. ConfigMaps aren't a standalone object in Podman; instead, when a container uses a ConfigMap, Podman will create environment variables or volumes as needed.
 
For example, the following YAML document defines a ConfigMap and then uses it in a Pod:
 
 
apiVersion: v1
kind: ConfigMap
metadata:
  name: foo
data:
    FOO: bar
---
apiVersion: v1
kind: Pod
metadata:
  name: foobar
spec:
  containers:
  - command:
    - top
    name: container-1
    image: foobar
    envFrom:
    - configMapRef:
        name: foo
        optional: false
 
and as a result environment variable FOO will be set to bar for container container-1.
 

OPTIONS

--annotation=key=value

Add an annotation to the container or pod. This option can be set multiple times.
 

--authfile=path

Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.
 
Note: There is also the option to override the default path of the authentication file by setting the REGISTRY_AUTH_FILE environment variable. This can be done with export REGISTRY_AUTH_FILE=path.
 

--build

Build images even if they are found in the local storage. Use --build=false to completely disable builds. (This option is not available with the remote Podman client)
 

--cert-dir=path

Use certificates at path (*.crt, *.cert, *.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 

--configmap=path

Use Kubernetes configmap YAML at path to provide a source for environment variable values within the containers of the pod. (This option is not available with the remote Podman client)
 
Note: The --configmap option can be used multiple times or a comma-separated list of paths can be used to pass multiple Kubernetes configmap YAMLs.
 

--context-dir=path

Use path as the build context directory for each image. Requires --build option be true. (This option is not available with the remote Podman client)
 

--creds=[username[:password]]

The [username[:password]] to use to authenticate with the registry, if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo.
 

--help, -h

Print usage statement
 

--ip=IP address

Assign a static ip address to the pod. This option can be specified several times when kube play creates more than one pod. Note: When joining multiple networks you should use the --network name:ip=<ip> syntax.
 

--log-driver=driver

Set logging driver for all created containers.
 

--log-opt=name=value

Logging driver specific options.
 
Set custom logging configuration. The following *name*s are supported:
 
path: specify a path to the log file
(e.g. --log-opt path=/var/log/container/mycontainer.json);
 
max-size: specify a max size of the log file
(e.g. --log-opt max-size=10mb);
 
tag: specify a custom log tag for the container
(e.g. --log-opt tag="{{.ImageName}}". It supports the same keys as podman inspect --format. This option is currently supported only by the journald log driver.
 

--mac-address=MAC address

Assign a static mac address to the pod. This option can be specified several times when kube play creates more than one pod. Note: When joining multiple networks you should use the --network name:mac=<mac> syntax.
 

--network=mode, --net

Set the network mode for the pod.
 
Valid mode values are:
 
bridge[:OPTIONS,...]: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options:
alias=name: Add network-scoped alias for the container.
ip=IPv4: Specify a static ipv4 address for this container.
ip=IPv6: Specify a static ipv6 address for this container.
mac=MAC: Specify a static mac address for this container.
interface_name: Specify a name for the created network interface inside the container.
 
 
 
For example to set a static ipv4 address and a static mac address, use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99. - <network name or ID>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by podman network create. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. You can use the --network option multiple times to specify additional networks. - none: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. - container:id: Reuse another container's network stack. - host: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - ns: path: Path to a network namespace to join. - private: Create a new namespace for the container. This will use the bridge mode for rootful containers and slirp4netns for rootless ones. - slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options, they can also be set with network_cmd_options in containers.conf:
- allow_host_loopback=true|false: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false.
- mtu=MTU: Specify the MTU to use for this network. (Default is 65520).
- cidr=CIDR: Specify ip range to use for this network. (Default is 10.0.2.0/24).
- enable_ipv6=true|false: Enable IPv6. Default is true. (Required for outbound_addr6).
- outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
- outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
- outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
- outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
- port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
- port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
 
When no network option is specified and host network mode is not configured in the YAML file, a new network stack is created and pods are attached to it making possible pod to pod communication.
 

--no-hosts

Do not create /etc/hosts for the pod. By default, Podman will manage /etc/hosts, adding the container's own IP address and any hosts from --add-host. --no-hosts disables this, and the image's /etc/hosts will be preserved unmodified.
 
This option conflicts with host added in the Kubernetes YAML.
 

--quiet, -q

Suppress output information when pulling images
 

--replace

Tears down the pods created by a previous run of kube play and recreates the pods. This option is used to keep the existing pods up to date based upon the Kubernetes YAML.
 

--seccomp-profile-root=path

Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp"). (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 

--start

Start the pod after creating it, set to false to only create it.
 

--tls-verify

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, TLS verification will be used. If set to false, TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in containers-registries.conf(5)
 

--userns=mode

Set the user namespace mode for the container. It defaults to the PODMAN_USERNS environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the --uidmap and --gidmap options.
 
This option is incompatible with --gidmap, --uidmap, --subuidname and --subgidname.
 
Rootless user --userns=Key mappings:
 
Key Host User Container User
"" $UID 0 (Default User account mapped to root user in container.)
keep-id $UID $UID (Map user account to same UID within container.)
auto $UID nil (Host User UID is not mapped into container.)
nomap $UID nil (Host User UID is not mapped into container.)
 
Valid mode values are:
 
auto[:OPTIONS,...]: automatically create a unique user namespace.
 
The --userns=auto flag, requires that the user name containers and a range of subordinate user ids that the Podman container is allowed to use be specified in the /etc/subuid and /etc/subgid files.
 
Example: containers:2147483647:2147483648.
 
Podman allocates unique ranges of UIDs and GIDs from the containers subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the size option.
 
The rootless option --userns=keep-id uses all the subuids and subgids of the user. Using --userns=auto when starting new containers will not work as long as any containers exist that were started with --userns=keep-id.
 
Valid auto options:
 
gidmapping=_CONTAINER_GID:HOSTGID:SIZE: to force a GID mapping to be present in the user namespace.
size=SIZE: to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto will estimate a size for the user namespace.
uidmapping=_CONTAINER_UID:HOSTUID:SIZE: to force a UID mapping to be present in the user namespace.
 
container:id: join the user namespace of the specified container.
 
host: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
 
keep-id: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
 
Valid keep-id options:
 
uid=UID: override the UID inside the container that will be used to map the current rootless user to.
gid=GID: override the GID inside the container that will be used to map the current rootless user to.
 
nomap: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
 
ns:namespace: run the pod in the given existing user namespace.
 

EXAMPLES

Recreate the pod and containers as described in a file called demo.yml
 
 
$ podman kube play demo.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
Recreate the pod and containers as described in a file demo.yml sent to stdin
 
 
$ cat demo.yml | podman kube play -
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
Teardown the pod and containers as described in a file demo.yml
 
 
$  podman kube play --down demo.yml
Pods stopped:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Pods removed:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
Provide configmap-foo.yml and configmap-bar.yml as sources for environment variables within the containers.
 
 
$ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6


$ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
Create a pod connected to two networks (called net1 and net2) with a static ip
 
 
$ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
Please take into account that networks must be created first using podman-network-create(1).
 
Create and teardown from a URL pointing to a YAML file
 
 
$ podman kube play https://podman.io/demo.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6


$ podman kube play --down https://podman.io/demo.yml
Pods stopped:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Pods removed:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
 
podman kube play --down will not work with a URL if the YAML file the URL points to has been changed or altered.
 
 

Podman Kube Play Support

This document outlines the kube yaml fields that are currently supported by the podman kube play command.
 
Note: N/A means that the option cannot be supported in a single-node Podman environment.
 

Pod Fields

Field Support
containers
initContainers
imagePullSecrets
enableServiceLinks
os.name
volumes
nodeSelector N/A
nodeName N/A
affinity.nodeAffinity N/A
affinity.podAffinity N/A
affinity.podAntiAffinity N/A
tolerations.key N/A
tolerations.operator N/A
tolerations.effect N/A
tolerations.tolerationSeconds N/A
schedulerName N/A
runtimeClassName
priorityClassName
priority
topologySpreadConstraints.maxSkew
N/A
topologySpreadConstraints.topologyKey
N/A
topologySpreadConstraints.whenUnsatisfiable
N/A
topologySpreadConstraints.labelSelector
N/A
topologySpreadConstraints.minDomains
N/A
restartPolicy
terminationGracePeriod
activeDeadlineSeconds
readinessGates.conditionType
hostname
setHostnameAsFQDN
subdomain
hostAliases.hostnames
hostAliases.ip
dnsConfig.nameservers
dnsConfig.options.name
dnsConfig.options.value
dnsConfig.searches
dnsPolicy
hostNetwork
hostPID
hostIPC
shareProcessNamespace
serviceAccountName
automountServiceAccountToken
securityContext.runAsUser
securityContext.runAsNonRoot
securityContext.runAsGroup
securityContext.supplementalGroups
securityContext.fsGroup
securityContext.fsGroupChangePolicy
securityContext.seccompProfile.type
securityContext.seccompProfile.localhostProfile
securityContext.seLinuxOptions.level
securityContext.seLinuxOptions.role
securityContext.seLinuxOptions.type
securityContext.seLinuxOptions.user
securityContext.sysctls.name
securityContext.sysctls.value
securityContext.windowsOptions.gmsaCredentialSpec
securityContext.windowsOptions.hostProcess
securityContext.windowsOptions.runAsUserName
 

Container Fields

Field Support
name
image
imagePullPolicy
command
args
workingDir
ports.containerPort
ports.hostIP
ports.hostPort
ports.name
ports.protocol
env.name
env.value
env.valueFrom.configMapKeyRef.key
env.valueFrom.configMapKeyRef.name
env.valueFrom.configMapKeyRef.optional
env.valueFrom.fieldRef
env.valueFrom.resourceFieldRef
env.valueFrom.secretKeyRef.key
env.valueFrom.secretKeyRef.name
env.valueFrom.secretKeyRef.optional
envFrom.configMapRef.name
envFrom.configMapRef.optional
envFrom.prefix
envFrom.secretRef.name
envFrom.secretRef.optional
volumeMounts.mountPath
volumeMounts.name
volumeMounts.mountPropagation
volumeMounts.readOnly
volumeMounts.subPath
volumeMounts.subPathExpr
volumeDevices.devicePath
volumeDevices.name
resources.limits
resources.requests
lifecycle.postStart
lifecycle.preStop
terminationMessagePath
terminationMessagePolicy
livenessProbe
readinessProbe
startupProbe
securityContext.runAsUser
securityContext.runAsNonRoot
securityContext.runAsGroup
securityContext.readOnlyRootFilesystem
securityContext.procMount
securityContext.privileged
securityContext.allowPrivilegeEscalation
securityContext.capabilities.add
securityContext.capabilities.drop
securityContext.seccompProfile.type
securityContext.seccompProfile.localhostProfile
securityContext.seLinuxOptions.level
securityContext.seLinuxOptions.role
securityContext.seLinuxOptions.type
securityContext.seLinuxOptions.user
securityContext.windowsOptions.gmsaCredentialSpec
securityContext.windowsOptions.hostProcess
securityContext.windowsOptions.runAsUserName
stdin
stdinOnce
tty
 

PersistentVolumeClaim Fields

Field Support
volumeName
storageClassName
volumeMode
accessModes
selector
resources.limits
resources.requests
 

ConfigMap Fields

Field Support
binaryData
data
immutable
 

Deployment Fields

Field Support
replicas
selector
template
minReadySeconds
strategy.type
strategy.rollingUpdate.maxSurge
strategy.rollingUpdate.maxUnavailable
revisionHistoryLimit
progressDeadlineSeconds
paused
 

SEE ALSO

podman(1), podman-kube(1), podman-kube-down(1), podman-network-create(1), podman-kube-generate(1), containers-certs.d(5)