Kubernetes Pod Manifest
External
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#pod-v1-core
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#pod-v1-core
Internal
Overview
Example
apiVersion: v1 kind: Pod metadata: name: loop labels: color: blue annotations: ... generateName spec: restartPolicy: Always schedulerName: default-scheduler terminationGracePeriodSeconds: 120 serviceAccountName: 'testServiceAccount' dnsPolicy: ClusterFirst imagePullSecrets: - name: myPullSecret1 - name: myPullSecret2 ... securityContext: runAsUser: 1000 runAsGroup: 3000 runAsNonRoot: true fsGroup: 2000 fsGroupChangePolicy: seLinuxOptions: seccompProfile: supplementalGroups: sysctls: containers: - name: loop-container image: docker.io/ovidiufeodorov/loop:latest imagePullPolicy: Always lifecycle: [...] resources: requests: memory: '1024Mi' cpu: '500m' limits: memory: '4096Mi' cpu: '1000m' terminationMessagePath: /dev/termination-log terminationMessagePolicy: File command: ... ports: - containerPort: 8080 protocol: TCP name: 'http' - containerPort: 8787 protocol: TCP - containerPort: ... hostPort: .... env: - name: SOMETHING value: "something else" - name: A_BOOLEAN_VARIABLE value: "true" # must be quoted volumeMounts: - name: 'mount-0' mountPath: '/red' # 'orange' must exist in the root of the volume identified by 'mount-0'; the content of that # directory will be exposed in the container under the '/red' directory. subPath: 'orange' readinessProbe: # See Probe Template livenessProbe: # See Probe Template command: ['sh', '-c', 'while true; do echo .; sleep 2; done;'] securityContext: runAsGroup: 1001 runAsUser: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false readOnlyRootFilesystem: false capabilities: seLinuxOptions: procMount: seccompProfile: initContainers: - name: init-container1 image: busybox command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] volumes: - name: mount-0 hostPath: # '/yellow' must contain an 'orange' sub-directory path: '/yellow' - name: mount-1 persistentVolumeClaim: claimName: pvc1
.metadata Elements
labels
A pod can be tagged with labels. This section contains labels applied to the pod created based on this template. If the template is part of a deployment manifest, the section contains the labels applied to pods created by the deployment, and they must match the deployment's spec.selector values.
Also see:
generateName
"generateName" can be used to append random characters at the end of the base name, thus generating a unique pod name.
.spec Elements
hostname
Optional field. If not specified, the hostname exposed to the processes running inside the pod will be the name of the pod.
restartPolicy
Optional field. See:
serviceAccountName
The name of this pod's service account. Note that "serviceAccount" configuration element also exists, but it is deprecated. If not specified, defaults to the pod's namespace default service account.
dnsPolicy
imagePullSecrets
"imagePullSecrets" contains an optional list of secret names in the same namespace to use for pulling any of the images used by this pod. If specified, these secrets will be passed to individual puller implementations for them to use. In the case of docker, only DockerConfig type secrets are honored. Also see:
securityContext
The pod-wide security context, applies to all containers. See:
containers
"containers" contains an array with the pod's container definitions.
name
image
imagePullPolicy
lifecycle
volumeMounts
Specifies how the volumes declared in the volumes section of the manifest are to be mounted (projected) into the container's filesystem.
Also see:
name
The identifier of the volume. Must match the name the volume specification was declared under, in the volumes section of the specification.
If we need to use the same volume for multiple mount points, those mount points should refer the same volume name.
mountPath
Specifies the path within the container where the volume will be mounted. Must not contain ':'.
The mount will succeed even if some or all intermediate path elements of the "mountPath" does not exist as directories in the container's file system - they will be created as necessary.
subPath
Specifies the relative path within the external volume, relative to the root of the external volume, whose content will be mounted as container's volume. If the path does not exist on the external volume, it will be created. If not specified, defaults to "" (external volume's root). subPath value must be a relative, the metadata will cause a deployment error if "/" or a path that starts with "/" is used.
Specifying:
subPath: ''
is a noop - the metadata will be accepted as correct, and the external volume's root will be mounted.
subPathExpr
Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to subPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). subPathExpr and subPath are mutually exclusive.
readOnly
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Use Cases
- Storage
- Secrets projected as files
ports
Contains an array specifying the ports exposed by the containers in this pod.
containerPort
protocol
name
An optional name given to the container port. If declared, it must be a IANA_SVC_NAME and unique within the pod. It can be used in the manifest of the associated service to designate the service's target port.
hostPort
Binds the container port to a host port.
env
Contains a list of name/value pairs representing the list of the environment variables to set in the container. In case of boolean variables, declare the boolean values as Strings ("true"/"false"), otherwise the template won't be processed correctly.
readinessProbe, livenessProbe
command
Optional field. If not present, the docker image's ENTRYPOINT is used. If present, represents the entrypoint array of the container. Not executed within a shell, so if a shell is required, must be specified as below. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.
Example:
...
command: ['sh', '-c', 'while true; do echo .; sleep 1; done']
Each array element is a string, and in the above case, the array element that follows the '-c' element is passed as one string to the shell to be executed.
Alternative syntax:
...
command:
- /bin/sh
- -c
- 'i=0; echo $i'
The single quotes are optional, the content that follows "-" will be interpreted as a single string:
...
command:
- /bin/sh
- -c
- i=0; echo $i
Also see:
args
TODO
Also see:
resources
requests
limits
securityContext
The section contains the security options this specific container should run with. See:
initContainers
The 'initContainers' section has the same schema as the containers section, described above. For more details about init containers, see:
volumes
List of volumes that can be mounted by containers belonging to the pod. Volumes can be of several types: persistent volume claim, host path, etc.