podman-kube-play

podman-kube-play(1) General Commands Manual podman-kube-play(1)

NAME

   podman-kube-play - Create containers, pods and volumes based on Kubernetes YAML

SYNOPSIS

   podman kube play [options] file.yml|-|https://website.io/file.yml

DESCRIPTION

   podman  kube  play  reads in a structured file of Kubernetes YAML.  It recreates the containers, pods, or volumes described in the YAML.  Containers within a pod are then started, and
   the ID of the new Pod or the name of the new Volume is output. If the YAML file is specified as "-", then podman kube play reads the YAML file from stdin.  The input can also be a URL
   that points to a YAML file such as https://podman.io/demo.yml. podman kube play reads the YAML from the URL and create pods and containers from it.

   Using the --down command line option, it is also capable of tearing down the pods created by a previous run of podman kube play.

   Using the --replace command line option, it tears down the pods(if any) created by a previous run of podman kube play and recreate the pods with the Kubernetes YAML file.

   Ideally the input file is created by the Podman command (see podman-kube-generate(1)).  This guarantees a smooth import and expected results.

   Currently, the supported Kubernetes kinds are:

          • Pod

          • Deployment

          • PersistentVolumeClaim

          • ConfigMap

          • Secret

          • DaemonSet

          • Job

   Kubernetes Pods or Deployments

   Only four volume types are supported by kube play, the hostPath, emptyDir, persistentVolumeClaim, and image volume types.

          • When using the hostPath volume type, only the  default (empty), DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice and BlockDevice subtypes  are  supported.
            Podman interprets the value of hostPath path as a file path when it contains at least one forward slash, otherwise Podman treats the value as the name of a named volume.

          • When using a persistentVolumeClaim, the value for claimName is the name for the Podman named volume.

          • When using an emptyDir volume, Podman creates an anonymous volume that is attached the containers running inside the pod and is deleted once the pod is removed.

          • When  using an image volume, Podman creates a read-only image volume with an empty subpath (the whole image is mounted). The image must already exist locally. It is supported
            in rootful mode only.

   Note: The default restart policy for containers is always.  You can change the default by setting the restartPolicy field in the spec.

   Note: When playing a kube YAML with init containers, the init container is created with init type value once. To change  the  default  type,  use  the  io.podman.annotations.init.con‐
   tainer.type annotation to set the type to always.

   Note: hostPath volume types created by kube play is given an SELinux shared label (z), bind mounts are not relabeled (use chcon -t container_file_t -R <directory>).

   Note: To set userns of a pod, use the io.podman.annotations.userns annotation in the pod/deployment definition. For example, io.podman.annotations.userns=keep-id annotation tells Pod‐
   man to create a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This can be overridden with the --userns flag.

   Note:  Use  the io.podman.annotations.volumes-from annotation to bind mount volumes of one container to another. You can mount volumes from multiple source containers to a target con‐
   tainer. The source containers that belong to the same pod must be defined before the source container in  the  kube  YAML.  The  annotation  format  is  io.podman.annotations.volumes-
   from/targetContainer: "sourceContainer1:mountOpts1;sourceContainer2:mountOpts2".

   Note:  If  the  :latest  tag is used, Podman attempts to pull the image from a registry. If the image was built locally with Podman or Buildah, it has localhost as the domain, in that
   case, Podman uses the image from the local store even if it has the :latest tag.

   Note: The command podman play kube is an alias of podman kube play, and performs the same function.

   Note: The command podman kube down can be used to stop and remove pods or containers based on the same Kubernetes YAML used by podman kube play to create them.

   Note: To customize the name of the infra container created during podman kube play, use the io.podman.annotations.infra.name annotation in the pod definition. This annotation is auto‐
   matically set when generating a kube yaml from a pod that was created with the --infra-name flag set.

   Kubernetes PersistentVolumeClaims

   A Kubernetes PersistentVolumeClaim represents a Podman named volume. Only the PersistentVolumeClaim name is required by Podman to create a volume. Kubernetes annotations can  be  used
   to make use of the available options for Podman volumes.

          • volume.podman.io/driver

          • volume.podman.io/device

          • volume.podman.io/type

          • volume.podman.io/uid

          • volume.podman.io/gid

          • volume.podman.io/mount-options

          • volume.podman.io/import-source

          • volume.podman.io/image

   Use volume.podman.io/import-source to import the contents of the tarball (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) specified in the annotation's value into the created Podman volume

   Kube  play  is  capable of building images on the fly given the correct directory layout and Containerfiles. This option is not available for remote clients, including Mac and Windows
   (excluding WSL2) machines, yet. Consider the following excerpt from a YAML file:

   apiVersion: v1
   kind: Pod
   metadata:
   ...
   spec:
     containers:
     - name: container
       image: foobar
   ...

   If there is a directory named foobar in the current working directory with a file named Containerfile or Dockerfile, Podman kube play builds that image and name it foobar.  An example
   directory structure for this example looks like:

   |- mykubefiles
       |- myplayfile.yaml
       |- foobar
            |- Containerfile

   The build considers foobar to be the context directory for the build. If there is an image in local storage called foobar, the image is not built unless the --build flag is used.  Use
   --build=false to completely disable builds.

   Kube  play  supports CDI (Container Device Interface) device selectors to share host devices (e.g. GPUs) with containers. The configuration format follows Kubernetes extended resource
   management:

   apiVersion: v1
   kind: Pod
   spec:
     containers:
     - name: container
       resources:
         limits:
           nvidia.com/gpu=all: 1

   To enable sharing host devices, analogous to using the --device flag Podman kube supports a custom CDI selector: podman.io/device=<host device path>.

   Kubernetes ConfigMap

   Kubernetes ConfigMap can be referred as a source of environment variables or volumes in Pods or Deployments.  ConfigMaps aren't a standalone object in Podman;  instead,  when  a  con‐
   tainer uses a ConfigMap, Podman creates environment variables or volumes as needed.

   For example, the following YAML document defines a ConfigMap and then uses it in a Pod:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: foo
   data:
       FOO: bar
   ---
   apiVersion: v1
   kind: Pod
   metadata:
     name: foobar
   spec:
     containers:
     - name: container-1
       image: foobar
       envFrom:
       - configMapRef:
           name: foo
           optional: false

   and as a result environment variable FOO is set to bar for container container-1.

   Kubernetes Secret

   Kubernetes Secret represents a Podman named secret. The Kubernetes Secret is saved as a whole and may be referred to as a source of environment variables or volumes in Pods or Deploy‐
   ments.

   For example, the following YAML document defines a Secret and then uses it in a Pod:

   kind: Secret
   apiVersion: v1
   metadata:
     name: foo
   data:
     foo: YmFy # base64 for bar
   ---
   apiVersion: v1
   kind: Pod
   metadata:
     name: foobar
   spec:
     containers:
     - name: container-1
       image: foobar
       env:
       - name: FOO
         valueFrom:
           secretKeyRef:
             name: foo
             key: foo

   and as a result environment variable FOO is set to bar for container container-1.

   Automounting Volumes (deprecated)

   Note: The automounting annotation is deprecated. Kubernetes has native support for image volumes and that should be used rather than this podman-specific annotation.

   An image can be automatically mounted into a container if the annotation io.podman.annotations.kube.image.automount/$ctrname is given. The following rules apply:

          • The image must already exist locally.

          • The image must have at least 1 volume directive.

          • The  path  given  by the volume directive will be mounted from the image into the container. For example, an image with a volume at /test/test_dir will have /test/test_dir in
            the image mounted to /test/test_dir in the container.

          • Multiple images can be specified. If multiple images have a volume at a specific path, the last image specified trumps.

          • The images are always mounted read-only.

          • Images to mount are defined in the annotation "io.podman.annotations.kube.image.automount/$ctrname" as a semicolon-separated list. They are mounted into a single container in
            the pod, not the whole pod. The annotation can be specified for additional containers if additional mounts are required.

OPTIONS --annotation=key=value

   Add an annotation to the container or pod. This option can be set multiple times.

--authfile=path

   Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and $HOME/.config/containers/auth.json on Windows/macOS.  The file is created  by  podman
   login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.

   Note:  There  is  also  the  option  to  override the default path of the authentication file by setting the REGISTRY_AUTH_FILE environment variable. This can be done with export REG‐
   ISTRY_AUTH_FILE=path.

--build

   Build images even if they are found in the local storage. Use --build=false to completely disable builds. (This option is not available with the remote Podman client)

   Note:  You  can also override the default isolation type by setting the BUILDAH_ISOLATION environment variable.  export BUILDAH_ISOLATION=oci. See podman-build.1.md for more  informa‐
   tion.

--cert-dir=path

   Use  certificates  at path (*.crt, *.cert, *.key) to connect to the registry. (Default: /etc/containers/certs.d) For details, see containers-certs.d(5).  (This option is not available
   with the remote Podman client, including Mac and Windows (excluding WSL2) machines)

--configmap=path

   Use Kubernetes configmap YAML at path to provide a source for environment variable values within the containers of the pod.  (This option is  not  available  with  the  remote  Podman
   client)

   Note:  The  --configmap option can be used multiple times or a comma-separated list of paths can be used to pass multiple Kubernetes configmap YAMLs.  The YAML file may be in a multi-
   doc YAML format. But, it must container only configmaps

--context-dir=path

   Use path as the build context directory for each image. Requires --build option be true. (This option is not available with the remote Podman client)

--creds=[username[:password]]

   The [username[:password]] to use to authenticate with the registry, if required.  If one or both values are not supplied, a command line prompt appears and the value can  be  entered.
   The password is entered without echo.

   Note  that  the  specified credentials are only used to authenticate against target registries.  They are not used for mirrors or when the registry gets rewritten (see containers-reg‐
   istries.conf(5)); to authenticate against those consider using a containers-auth.json(5) file.

--force

   Tear down the volumes linked to the PersistentVolumeClaims as part of --down

--help, -h

   Print usage statement

--ip=IP address

   Assign a static ip address to the pod. This option can be specified several times when kube play creates more than one pod.  Note: When joining multiple  networks  use  the  --network
   name:ip=<ip> syntax.

--log-driver=driver

   Set logging driver for all created containers.

--log-opt=name=value

   Logging driver specific options.

   Set custom logging configuration. The following *name*s are supported:

   path: specify a path to the log file
       (e.g. --log-opt path=/var/log/container/mycontainer.json);

   max-size: specify a max size of the log file
       (e.g. --log-opt max-size=10mb);

   tag: specify a custom log tag for the container
       (e.g. --log-opt tag="{{.ImageName}}".  It supports the same keys as podman inspect --format.  This option is currently supported only by the journald log driver.

--mac-address=MAC address

   Assign  a  static  mac address to the pod. This option can be specified several times when kube play creates more than one pod.  Note: When joining multiple networks use the --network
   name:mac=<mac> syntax.

--network=mode, --net

   Set the network mode for the pod.

   Valid mode values are:

          • bridge[:OPTIONS,...]: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options:

            • alias=name: Add network-scoped alias for the container.

            • ip=IPv4: Specify a static IPv4 address for this container.

            • ip6=IPv6: Specify a static IPv6 address for this container.

            • mac=MAC: Specify a static MAC address for this container.

            • interface_name=name: Specify a name for the created network interface inside the container.

            • host_interface_name=name: Specify a name for the created network interface outside the container.

          Any other options will be passed through to netavark without validation. This can be useful to pass arguments to netavark plugins.For example, to set a static ipv4 address  and
          a static mac address, use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

          • <network name or ID>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by podman network create. It is possible to spec‐
            ify the same options described under the bridge mode above. Use the --network option multiple times to specify additional networks.
            For  backwards  compatibility  it  is  also possible to specify comma-separated networks on the first --network argument, however this prevents you from using the options de‐
            scribed under the bridge section above.

          • none: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity.

          • container:id: Reuse another container's network stack.

          • host: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and
            is therefore considered insecure.

          • ns:path: Path to a network namespace to join.

          • private: Create a new namespace for the container. This uses the bridge mode for rootful containers and slirp4netns for rootless ones.

          • slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network stack. It is possible to specify these additional options, they can also be  set  with  network_cmd_op‐
            tions in containers.conf:

            • allow_host_loopback=true|false:  Allow  slirp4netns  to  reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the
              cidr option below). The default is false.

            • mtu=MTU: Specify the MTU to use for this network. (Default is 65520).

            • cidr=CIDR: Specify ip range to use for this network. (Default is 10.0.2.0/24).

            • enable_ipv6=true|false: Enable IPv6. Default is true. (Required for outbound_addr6).

            • outbound_addr=INTERFACE: Specify the outbound interface slirp binds to (ipv4 traffic only).

            • outbound_addr=IPv4: Specify the outbound ipv4 address slirp binds to.

            • outbound_addr6=INTERFACE: Specify the outbound interface slirp binds to (ipv6 traffic only).

            • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp binds to.

            • port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
              Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If the application requires the
              real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-de‐
              fined networks.

            • port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot  be  used
              for user-defined networks.

          • pasta[:OPTIONS,...]: use pasta(1) to create a user-mode networking stack.
            This is the default for rootless containers and only supported in rootless mode.
            By  default, IPv4 and IPv6 addresses and routes, as well as the pod interface name, are copied from the host. If port forwarding isn't configured, ports are forwarded dynami‐
            cally as services are bound on either side (init namespace or container namespace). Port forwarding preserves the original source IP address. Options  described  in  pasta(1)
            can be specified as comma-separated arguments.
            In terms of pasta(1) options, --config-net is given by default, in order to configure networking when the container is started, and --no-map-gw is also assumed by default, to
            avoid direct access from container to host using the gateway address. The latter can be overridden by passing --map-gw in the pasta-specific options (despite not being an ac‐
            tual pasta(1) option).
            Also, -t none and -u none are passed if, respectively, no TCP or UDP port forwarding from host to container is configured, to disable automatic port forwarding based on bound
            ports. Similarly, -T none and -U none are given to disable the same functionality from container to host.
            Some examples:

            • pasta:--map-gw: Allow the container to directly reach the host using the gateway address.

            • pasta:--mtu,1500: Specify a 1500 bytes MTU for the tap interface in the container.

            • pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp,  equivalent  to default slirp4netns(1) options: disable IPv6,
              assign 10.0.2.0/24 to the tap0 interface in the container, with gateway 10.0.2.3, enable DNS forwarder reachable at 10.0.2.3, set MTU to 1500 bytes, disable NDP, DHCPv6 and
              DHCP support.

            • pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp, equivalent to  default  slirp4netns(1)  options  with  Podman
              overrides: same as above, but leave the MTU to 65520 bytes

            • pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port forwarding based on observed bound ports from both host and container sides

            • pasta:-T,5201: enable forwarding of TCP port 5201 from container to host, using the loopback interface instead of the tap interface for improved performance

   When  no  network  option  is specified and host network mode is not configured in the YAML file, a new network stack is created and pods are attached to it making possible pod to pod
   communication.

--no-hostname

   Do not create the /etc/hostname file in the containers.

   By default, Podman manages the /etc/hostname file, adding the container's own hostname.  When the --no-hostname option is set, the image's /etc/hostname will be  preserved  unmodified
   if it exists.

--no-hosts

   Do not modify the /etc/hosts file in the pod.

   Podman  assumes  control  over  the  pod's  /etc/hosts file by default and adds entries for the container's name (see --name option) and hostname (see --hostname option), the internal
   host.containers.internal and host.docker.internal hosts, as well as any hostname added using the --add-host option. Refer to the --add-host option for details. Passing --no-hosts dis‐
   ables this, so that the image's /etc/hosts file is kept unmodified. The same can be achieved globally by setting no_hosts=true in containers.conf.

   This option conflicts with host added in the Kubernetes YAML.

--publish=[[ip:][hostPort]:]containerPort[/protocol]

   Define or override a port definition in the YAML file.

   The lists of ports in the YAML file and the command line are merged. Matching is done by using the containerPort field.  If containerPort exists in both the YAML file and the  option,
   the latter takes precedence.

--publish-all

   Setting  this  option to true will expose all ports to the host, even if only specified via containerPort in the K8 YAML.  In terms of which port will be exposed, --publish has higher
   priority than hostPort, has higher priority than containerPort.

   If set to false (which is the default), only ports defined via hostPort or --publish are published on the host.

--quiet, -q

   Suppress output information when pulling images

--replace

   Tears down the pods created by a previous run of kube play and recreates the pods. This option is used to keep the existing pods up to date based upon the Kubernetes YAML.

--seccomp-profile-root=path

   Directory path for seccomp profiles (default: "/var/lib/kubelet/seccomp"). (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2)  ma‐
   chines)

--start

   Start the pod after creating it, set to false to only create it.

--tls-verify

   Require HTTPS and verify certificates when contacting registries (default: true).  If explicitly set to true, TLS verification is used.  If set to false, TLS verification is not used.
   If not specified, TLS verification is used unless the target registry is listed as an insecure registry in containers-registries.conf(5)

--userns=mode

   Set the user namespace mode for the container.

   If  --userns  is not set, the default value is determined as follows.  - If --pod is set, --userns is ignored and the user namespace of the pod is used.  - If the environment variable
   PODMAN_USERNS is set its value is used.  - If userns is specified in containers.conf this value is used.  - Otherwise, --userns=host is assumed.

   --userns="" (i.e., an empty string) is an alias for --userns=host.

   This option is incompatible with --gidmap, --uidmap, --subuidname and --subgidname.

   Rootless user --userns=Key mappings:

   ┌─────────────────────────┬───────────┬─────────────────────────────────────────────────┐
   │ Key                     │ Host User │ Container User                                  │
   ├─────────────────────────┼───────────┼─────────────────────────────────────────────────┤
   │ auto                    │ $UID      │ nil (Host User UID  is  not  mapped  into  con‐ │
   │                         │           │ tainer.)                                        │
   ├─────────────────────────┼───────────┼─────────────────────────────────────────────────┤
   │ host                    │ $UID      │ 0  (Default User account mapped to root user in │
   │                         │           │ container.)                                     │
   ├─────────────────────────┼───────────┼─────────────────────────────────────────────────┤
   │ keep-id                 │ $UID      │ $UID (Map user account to same UID within  con‐ │
   │                         │           │ tainer.)                                        │
   ├─────────────────────────┼───────────┼─────────────────────────────────────────────────┤
   │ keep-id:uid=200,gid=210 │ $UID      │ 200:210 (Map user account to specified UID, GID │
   │                         │           │ value within container.)                        │
   ├─────────────────────────┼───────────┼─────────────────────────────────────────────────┤
   │ nomap                   │ $UID      │ nil  (Host  User  UID  is  not mapped into con‐ │
   │                         │           │ tainer.)                                        │
   └─────────────────────────┴───────────┴─────────────────────────────────────────────────┘

   Valid mode values are:

   auto[:OPTIONS,...]: automatically create a unique user namespace.

          • rootful mode: The --userns=auto flag requires that the user name containers be specified in the /etc/subuid and /etc/subgid files, with an unused range  of  subordinate  user
            IDs that Podman containers are allowed to allocate.

           Example: containers:2147483647:2147483648.

          • rootless  mode: The users range from the /etc/subuid and /etc/subgid files will be used. Note running a single container without using --userns=auto will use the entire range
            of UIDs and not allow further subdividing. See subuid(5).

   Podman allocates unique ranges of UIDs and GIDs from the containers subordinate user IDs. The size of the ranges is based on the number of UIDs required in the image.  The  number  of
   UIDs and GIDs can be overridden with the size option.

   The  option  --userns=keep-id  uses  all  the subuids and subgids of the user.  The option --userns=nomap uses all the subuids and subgids of the user except the user's own ID.  Using
   --userns=auto when starting new containers does not work as long as any containers exist that were started with --userns=nomap or --userns=keep-id without limiting the user  namespace
   size.

   Valid auto options:

          • gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present in the user namespace.

          • size=SIZE: to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto estimates a size for the user namespace.

          • uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present in the user namespace.

   The  host UID and GID in gidmapping and uidmapping can optionally be prefixed with the @ symbol.  In this case, podman will look up the intermediate ID corresponding to host ID and it
   will map the found intermediate ID to the container id.  For details see --uidmap.

   container:id: join the user namespace of the specified container.

   host or "" (empty string): run in the user namespace of the caller. The processes running in the container have the same privileges on the host as any other process  launched  by  the
   calling user.

   keep-id:  creates a user namespace where the current user's UID:GID are mapped to the same values in the container. For containers created by root, the current mapping is created into
   a new user namespace.

   Valid keep-id options:

          • uid=UID: override the UID inside the container that is used to map the current user to.

          • gid=GID: override the GID inside the container that is used to map the current user to.

          • size=SIZE: override the size of the configured user namespace.  It is useful to not saturate all the available IDs.  Not supported when running as root.

   nomap: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.

   ns:namespace: run the pod in the given existing user namespace.