Kubernetes Pod Manifest: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(28 intermediate revisions by the same user not shown)
Line 1: Line 1:
=External=
=External=
* https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core
* https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core
* https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#pod-v1-core
* https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#pod-v1-core


=Internal=
=Internal=
Line 10: Line 7:
* [[Kubernetes_Manifests#Common_Elements|Common Manifest Elements]]
* [[Kubernetes_Manifests#Common_Elements|Common Manifest Elements]]
* [[Kubernetes Deployments]]
* [[Kubernetes Deployments]]
* [[Kubernetes Mounting Volumes in Pods|Mounting Volumes in Pods]]


=Overview=
=Overview=
[[Kubernetes Workload Resources#Overview|Workload resource]] controllers create pods from [[#Pod_Template|pod templates]].
=Pod Template=
Pod templates are '''specifications''' for creating pods, and they are included in the manifests of the [[#Kubernetes_Workload_Resources|workload resources]]. Modifying the pod template or switching to a new pod template is detected by the workload resource controller, which usually shuts down the current running pods and replaces them with new pods built based on the new template. Each workload resource has its own rules for handling changes in the pod template.


=Example=
=Example=
 
<font size=-1>
  [[Kubernetes_Manifests#apiVersion|apiVersion]]: v1
  [[Kubernetes_Manifests#apiVersion|apiVersion]]: v1
  [[Kubernetes_Manifests#kind|kind]]: Pod
  [[Kubernetes_Manifests#kind|kind]]: Pod
Line 35: Line 36:
     ...
     ...
   <span id='podSecurityContext_manifest'></span>[[#podSecurityContext|securityContext]]:
   <span id='podSecurityContext_manifest'></span>[[#podSecurityContext|securityContext]]:
     runAsUser: 1000
     runAsUser: 1000 # integer, not quoted
     runAsGroup: 3000
     runAsGroup: 3000 # integer, not quoted
    runAsNonRoot: true
     fsGroup: 2000
     fsGroup: 2000
    fsGroupChangePolicy:
    seLinuxOptions:
    seccompProfile:
    supplementalGroups:
    sysctls:
   [[#containers|containers]]:
   [[#containers|containers]]:
   - [[#name|name]]: loop-container
   - [[#name|name]]: loop-container
Line 66: Line 73:
     - name: A_BOOLEAN_VARIABLE
     - name: A_BOOLEAN_VARIABLE
       value: "true" # must be quoted
       value: "true" # must be quoted
     [[#volumeMounts|volumeMounts]]:
     [[Kubernetes_Mounting_Volumes_in_Pods#volumeMounts_Pod_Manifest_Section|volumeMounts]]:
     - [[#volume_name|name]]: 'mount-0'
     - [[Kubernetes_Mounting_Volumes_in_Pods#volume_name|name]]: 'mount-0'
       [[#mountPath|mountPath]]: '/red'
       [[Kubernetes_Mounting_Volumes_in_Pods#mountPath|mountPath]]: '/red'
      # 'orange' must exist in the root of the volume identified by 'mount-0'; the content of that
       [[Kubernetes_Mounting_Volumes_in_Pods#subPath|subPath]]: 'orange'  
      # directory will be exposed in the container under the '/red' directory.
       [[#subPath|subPath]]: 'orange'  
     [[#readinessProbe|readinessProbe]]:
     [[#readinessProbe|readinessProbe]]:
       # See [[Kubernetes_Container_Probes#Probe_Template|Probe Template]]
       # See [[Kubernetes_Container_Probes#Probe_Template|Probe Template]]
     [[#livenessProbe|livenessProbe]]:
     [[#livenessProbe|livenessProbe]]:
       # See [[Kubernetes_Container_Probes#Probe_Template|Probe Template]]
       # See [[Kubernetes_Container_Probes#Probe_Template|Probe Template]]
     [[#command|command]]: ['sh', '-c', 'while true; do echo .; sleep 2; done;']
     [[#command|command]]: ['sh', '-c', 'while true; do sleep 2; done;']
     <span id='securityContext_manifest'></span>[[#securityContext|securityContext]]:  
     <span id='securityContext_manifest'></span>[[#containerSecurityContext|securityContext]]:  
       runAsGroup: 1001
       runAsGroup: 1001 # integer, not quoted
       runAsUser: 1001  
       runAsUser: 1001 # integer, not quoted
       runAsNonRoot: true  
       runAsNonRoot: true  
       privileged: false
       privileged: false
Line 100: Line 105:
     persistentVolumeClaim:
     persistentVolumeClaim:
       claimName: pvc1
       claimName: pvc1
</font>


=.<tt>metadata</tt> Elements=
=.<tt>metadata</tt> Elements=
Line 118: Line 124:
==<tt>restartPolicy</tt>==
==<tt>restartPolicy</tt>==
Optional field. See: {{Internal|Kubernetes_Pod_and_Container_Concepts#Container_Restart_Policy|Container Restart Policy}}
Optional field. See: {{Internal|Kubernetes_Pod_and_Container_Concepts#Container_Restart_Policy|Container Restart Policy}}
==<tt>serviceAccountName</tt>==
==<tt>serviceAccountName</tt>==
The name of [[Kubernetes_Pod_and_Container_Concepts#Pod_Service_Account|this pod's service account]]. Note that "serviceAccount" configuration element also exists, but it is deprecated. If not specified, defaults to the pod's namespace default service account.
The name of [[Kubernetes_Pod_and_Container_Concepts#Pod_Service_Account|this pod's service account]]. Note that "serviceAccount" configuration element also exists, but it is deprecated. If not specified, defaults to the pod's namespace default service account.
Line 123: Line 130:
{{Internal|Kubernetes_DNS_Concepts#Name_Resolution_inside_a_Pod|Name Resolution inside a Pod}}
{{Internal|Kubernetes_DNS_Concepts#Name_Resolution_inside_a_Pod|Name Resolution inside a Pod}}
==<tt>imagePullSecrets</tt>==
==<tt>imagePullSecrets</tt>==
"imagePullSecrets" contains an optional list of secret names in the same namespace to use for pulling any of the images used by this pod. If specified, these secrets will be passed to individual puller implementations for them to use. In the case of docker, only DockerConfig type secrets are honored. Also see: {{Internal|Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|Kubernetes Cluster Configuration Concepts &#124; imagePullSecrets}}
{{Internal|Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|Kubernetes Configuration Concepts &#124; Secrets Required to Pull Images for Pods}}
 
==<span id='podSecurityContext'></span><tt>securityContext</tt>==
==<span id='podSecurityContext'></span><tt>securityContext</tt>==
See: {{Internal|Kubernetes_Security_Concepts#Pod_Security|Pod Security}}
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core}}
The pod-wide security context, applies to all containers. See: {{Internal|Kubernetes_Security_Concepts#Pod_Security|Pod Security}}
 
==<tt>containers</tt>==
==<tt>containers</tt>==
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#container-v1-core}}
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#container-v1-core}}
Line 131: Line 141:
===<tt>name</tt>===
===<tt>name</tt>===
===<tt>image</tt>===
===<tt>image</tt>===
{{Internal|Kubernetes Container Image Pull Concepts|Kubernetes Container Image Pull Concepts}}
===<tt>imagePullPolicy</tt>===
===<tt>imagePullPolicy</tt>===
{{External|https://kubernetes.io/docs/concepts/containers/images/}}
{{External|https://kubernetes.io/docs/concepts/containers/images/}}
Line 137: Line 149:
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#lifecycle-v1-core}}
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#lifecycle-v1-core}}
===<tt>volumeMounts</tt>===
===<tt>volumeMounts</tt>===
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#volumemount-v1-core}}
{{Internal|Kubernetes Mounting Volumes in Pods|Mounting Volumes in Pods}}
Specifies how the volumes declared in the [[#volumes_manifest|volumes section of the manifest]] are to be mounted (projected) into the container's filesystem.
 
Also see: {{Internal|Kubernetes_Storage_Concepts#Mounting_a_Volume_in_Pod|Mounting a Volume in a Pod}}
====<span id='volume_name'></span><tt>name</tt>====
The identifier of the volume. Must match the name the volume specification was declared under, in the [[#volumes|volumes]] section of the specification.
 
If we need to use the same volume for multiple mount points, those mount points should refer the same volume name.
====<tt>mountPath</tt>====
Specifies the path within the container where the volume will be mounted. Must not contain ':'.
 
The mount will succeed even if some or all intermediate path elements of the "mountPath" does not exist as directories in the container's file system - they will be created as necessary.
====<tt>subPath</tt>====
Specifies the relative path '''within the external volume''', relative to the root of the external volume, whose content will be mounted as container's volume. If the path does not exist on the external volume, it will be created. If not specified, defaults to "" (external volume's root). <code>subPath</code> value must be a relative, the metadata will cause a deployment error if "/" or a path that starts with "/" is used.
 
Specifying:
<syntaxhighlight lang='yaml'>
  subPath: ''
</syntaxhighlight>
is a noop - the metadata will be accepted as correct, and the external volume's root will be mounted.
 
====<tt>subPathExpr</tt>====
Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to [[#subPath|subPath]] but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). subPathExpr and subPath are mutually exclusive.
 
====<tt>readOnly</tt>====
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
 
====Use Cases====
* Storage
* [[Kubernetes_Secrets_Operations#Consume_a_Secret_as_a_File|Secrets projected as files]]


===<tt>ports</tt>===
===<tt>ports</tt>===
Line 222: Line 205:
Also see: {{Internal|Dockerfile#ENTRYPOINT_and_CMD|Dockerfile ENTRYPOINT and CMD}}
Also see: {{Internal|Dockerfile#ENTRYPOINT_and_CMD|Dockerfile ENTRYPOINT and CMD}}


===resources===
===<tt>resources</tt>===
====requests====
====<tt>requests</tt>====
====limits====
====<tt>limits</tt>====
===securityContext===
===<span id='containerSecurityContext'></span><tt>securityContext</tt>===
{{External|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core}}
The section contains the security options this specific container should run with. See: {{Internal|Kubernetes_Security_Concepts#Pod_Security|Pod Security}}
The section contains the security options this specific container should run with. See: {{Internal|Kubernetes_Security_Concepts#Pod_Security|Pod Security}}


==initContainers==
==<tt>initContainers</tt>==
The 'initContainers' section has the same schema as the [[#containers|containers]] section, described above. For more details about init containers, see: {{Internal|Kubernetes_Init_Containers#Overview|init Containers}}
The 'initContainers' section has the same schema as the [[#containers|containers]] section, described above. For more details about init containers, see: {{Internal|Kubernetes_Init_Containers#Overview|init Containers}}


==volumes==
==<tt>volumes</tt>==
 
List of [[#volumes_manifest|volumes]] that can be mounted by containers belonging to the pod. Volumes can be of several types: [[Kubernetes Pod and Container Concepts#Persistent_Volume_Claim|persistent volume claim]], [[Kubernetes Pod and Container Concepts#Host_Path|host path]], etc.
List of [[#volumes_manifest|volumes]] that can be mounted by containers belonging to the pod. Volumes can be of several types: [[Kubernetes Pod and Container Concepts#Persistent_Volume_Claim|persistent volume claim]], [[Kubernetes Pod and Container Concepts#Host_Path|host path]], etc.

Latest revision as of 23:32, 1 August 2024

External

Internal

Overview

Workload resource controllers create pods from pod templates.

Pod Template

Pod templates are specifications for creating pods, and they are included in the manifests of the workload resources. Modifying the pod template or switching to a new pod template is detected by the workload resource controller, which usually shuts down the current running pods and replaces them with new pods built based on the new template. Each workload resource has its own rules for handling changes in the pod template.

Example

apiVersion: v1
kind: Pod
metadata:
  name: loop
  labels:
    color: blue
  annotations:
    ...
  generateName
spec:  
  restartPolicy: Always
  schedulerName: default-scheduler
  terminationGracePeriodSeconds: 120
  serviceAccountName: 'testServiceAccount'
  dnsPolicy: ClusterFirst
  imagePullSecrets:
    - name: myPullSecret1
    - name: myPullSecret2
    ...
  securityContext:
    runAsUser: 1000 # integer, not quoted
    runAsGroup: 3000 # integer, not quoted
    runAsNonRoot: true
    fsGroup: 2000
    fsGroupChangePolicy:
    seLinuxOptions:
    seccompProfile:
    supplementalGroups:
    sysctls:
  containers:
  - name: loop-container
    image: docker.io/ovidiufeodorov/loop:latest
    imagePullPolicy: Always
    lifecycle: [...]
    resources:
      requests:
        memory: '1024Mi'
        cpu: '500m'
      limits:
        memory: '4096Mi'
        cpu: '1000m'
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    command: ...
    ports:
    - containerPort: 8080
      protocol: TCP
      name: 'http'
    - containerPort: 8787
      protocol: TCP
    - containerPort: ...
      hostPort: ....
    env:
    - name: SOMETHING
      value: "something else"
    - name: A_BOOLEAN_VARIABLE
      value: "true" # must be quoted
    volumeMounts:
    - name: 'mount-0'
      mountPath: '/red'
      subPath: 'orange' 
    readinessProbe:
      # See Probe Template
    livenessProbe:
      # See Probe Template
    command: ['sh', '-c', 'while true; do sleep 2; done;']
    securityContext: 
      runAsGroup: 1001 # integer, not quoted
      runAsUser: 1001 # integer, not quoted
      runAsNonRoot: true 
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
      capabilities:
      seLinuxOptions:
      procMount:
      seccompProfile:
  initContainers:
  - name: init-container1
    image: busybox
    command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
  volumes:
  - name: mount-0
    hostPath:
      # '/yellow' must contain an 'orange' sub-directory
      path: '/yellow'
  - name: mount-1
    persistentVolumeClaim:
     claimName: pvc1

.metadata Elements

labels

A pod can be tagged with labels. This section contains labels applied to the pod created based on this template. If the template is part of a deployment manifest, the section contains the labels applied to pods created by the deployment, and they must match the deployment's spec.selector values.

Also see:

Kubernetes Manifest Metadata | labels

generateName

"generateName" can be used to append random characters at the end of the base name, thus generating a unique pod name.

.spec Elements

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#podspec-v1-core

hostname

Optional field. If not specified, the hostname exposed to the processes running inside the pod will be the name of the pod.

restartPolicy

Optional field. See:

Container Restart Policy

serviceAccountName

The name of this pod's service account. Note that "serviceAccount" configuration element also exists, but it is deprecated. If not specified, defaults to the pod's namespace default service account.

dnsPolicy

Name Resolution inside a Pod

imagePullSecrets

Kubernetes Configuration Concepts | Secrets Required to Pull Images for Pods

securityContext

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core

The pod-wide security context, applies to all containers. See:

Pod Security

containers

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#container-v1-core

"containers" contains an array with the pod's container definitions.

name

image

Kubernetes Container Image Pull Concepts

imagePullPolicy

https://kubernetes.io/docs/concepts/containers/images/
Kubernetes Container Image Pull Concepts

lifecycle

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#lifecycle-v1-core

volumeMounts

Mounting Volumes in Pods

ports

Contains an array specifying the ports exposed by the containers in this pod.

containerPort

protocol

name

An optional name given to the container port. If declared, it must be a IANA_SVC_NAME and unique within the pod. It can be used in the manifest of the associated service to designate the service's target port.

hostPort

Binds the container port to a host port.

env

Contains a list of name/value pairs representing the list of the environment variables to set in the container. In case of boolean variables, declare the boolean values as Strings ("true"/"false"), otherwise the template won't be processed correctly.

readinessProbe, livenessProbe

Probe Template

command

https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

Optional field. If not present, the docker image's ENTRYPOINT is used. If present, represents the entrypoint array of the container. Not executed within a shell, so if a shell is required, must be specified as below. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.

Example:

  ...
  command: ['sh', '-c', 'while true; do echo .; sleep 1; done']

Each array element is a string, and in the above case, the array element that follows the '-c' element is passed as one string to the shell to be executed.

Alternative syntax:

  ...
  command:
  - /bin/sh
  - -c
  - 'i=0; echo $i'

The single quotes are optional, the content that follows "-" will be interpreted as a single string:

  ...
  command:
  - /bin/sh
  - -c
  - i=0; echo $i

Also see:

Dockerfile ENTRYPOINT and CMD

args

TODO

Also see:

Dockerfile ENTRYPOINT and CMD

resources

requests

limits

securityContext

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core

The section contains the security options this specific container should run with. See:

Pod Security

initContainers

The 'initContainers' section has the same schema as the containers section, described above. For more details about init containers, see:

init Containers

volumes

List of volumes that can be mounted by containers belonging to the pod. Volumes can be of several types: persistent volume claim, host path, etc.