podman-kube-play(1) General Commands Manual podman-kube-play(1)
NAME
podman-kube-play - Create containers, pods and volumes based on Kubernetes YAML
SYNOPSIS
podman kube play [options] file.yml|-|https://website.io/file.yml
DESCRIPTION
podman kube play reads in a structured file of Kubernetes YAML. It
recreates the containers, pods, or volumes described in the YAML.
Containers within a pod are then started, and the ID of the new Pod or
the name of the new Volume is output. If the YAML file is specified as
"-", then podman kube play reads the YAML file from stdin. The input can
also be a URL that points to a YAML file such as
https://podman.io/demo.yml. podman kube play reads the YAML from the URL
and creates pods and containers from it.
Using the --down command line option, it is also capable of tearing down
the pods created by a previous run of podman kube play.
Using the --replace command line option, it tears down the pods (if any)
created by a previous run of podman kube play and recreates the pods
from the Kubernetes YAML file.
Ideally the input file is created by the Podman command (see
podman-kube-generate(1)). This guarantees a smooth import and expected
results.
Currently, the supported Kubernetes kinds are:
• Pod
• Deployment
• PersistentVolumeClaim
• ConfigMap
• Secret
• DaemonSet
• Job
Kubernetes Pods or Deployments
Only four volume types are supported by kube play: the hostPath,
emptyDir, persistentVolumeClaim, and image volume types.
• When using the hostPath volume type, only the default (empty),
DirectoryOrCreate, Directory, FileOrCreate, File, Socket,
CharDevice and BlockDevice subtypes are supported. Podman
interprets the value of hostPath path as a file path when it
contains at least one forward slash; otherwise Podman treats the
value as the name of a named volume.
• When using a persistentVolumeClaim, the value for claimName is
the name for the Podman named volume.
• When using an emptyDir volume, Podman creates an anonymous
volume that is attached to the containers running inside the pod
and is deleted once the pod is removed.
• When using an image volume, Podman creates a read-only image
volume with an empty subpath (the whole image is mounted). The
image must already exist locally. It is supported in rootful
mode only.
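The four rules above decide what a volume entry in a Pod spec turns into on the host, and therefore which host paths a YAML file would bind-mount. The following Python is an added example, not Podman's own code: it applies those rules to a constructed Pod spec (given as the dict a YAML parser would produce, so PyYAML is not needed), reports the host paths that would be exposed, and lists the entries kube play would reject in the given mode. The hostPath subtype list and the rootful-only restriction on image volumes are taken from the text; the record layout is this example's own.

```python
# Added example (not Podman's code): classify Pod volumes per the rules in
# the text and surface the host paths a YAML would bind-mount.

SUPPORTED_HOSTPATH_TYPES = {
    "", "DirectoryOrCreate", "Directory", "FileOrCreate", "File",
    "Socket", "CharDevice", "BlockDevice",
}

# Constructed sample Pod with one volume of each supported type.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [{"name": "app", "image": "localhost/app:latest"}],
        "volumes": [
            {"name": "logs", "hostPath": {"path": "/var/log/app",
                                          "type": "DirectoryOrCreate"}},
            {"name": "data", "hostPath": {"path": "appdata"}},  # no slash
            {"name": "cache", "persistentVolumeClaim": {"claimName": "app-cache"}},
            {"name": "scratch", "emptyDir": {}},
            {"name": "assets", "image": {"reference": "localhost/assets:1"}},
        ],
    },
}


def classify_volume(vol, rootless=True):
    """Describe how kube play realises one volume entry; raise ValueError
    for combinations the text says are unsupported."""
    name = vol["name"]
    base = {"name": name, "read_only": False, "selinux": None, "host_path": False}
    if "hostPath" in vol:
        hp = vol["hostPath"]
        subtype = hp.get("type", "")
        if subtype not in SUPPORTED_HOSTPATH_TYPES:
            raise ValueError(f"{name}: unsupported hostPath type {subtype!r}")
        path = hp["path"]
        if "/" in path:
            # A value with a slash is a host path: bind-mounted and given
            # the shared SELinux label (z); it exposes part of the host.
            return dict(base, kind="bind", source=path, selinux="z", host_path=True)
        # Without a slash the value names a Podman named volume.
        return dict(base, kind="named", source=path)
    if "persistentVolumeClaim" in vol:
        return dict(base, kind="named", source=vol["persistentVolumeClaim"]["claimName"])
    if "emptyDir" in vol:
        # Anonymous volume, removed together with the pod.
        return dict(base, kind="anonymous", source=None)
    if "image" in vol:
        if rootless:
            raise ValueError(f"{name}: image volumes are supported in rootful mode only")
        return dict(base, kind="image", source=vol["image"]["reference"], read_only=True)
    raise ValueError(f"{name}: volume type not supported by kube play")


def classify_pod_volumes(pod, rootless=True):
    return [classify_volume(v, rootless) for v in pod["spec"].get("volumes", [])]


def host_paths_exposed(pod, rootless=True):
    """Host directories/files this YAML would bind-mount into the pod."""
    return [v["source"] for v in classify_pod_volumes(pod, rootless) if v["host_path"]]


def volume_problems(pod, rootless=True):
    """One message per volume kube play would reject in the given mode."""
    problems = []
    for vol in pod["spec"].get("volumes", []):
        try:
            classify_volume(vol, rootless)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for v in classify_pod_volumes(SAMPLE_POD, rootless=False):
        print(f"{v['name']:8} {v['kind']:10} {v['source'] or '-':20} "
              f"ro={v['read_only']} label={v['selinux']}")
    print("host paths:", host_paths_exposed(SAMPLE_POD, rootless=False))
    print("rootless problems:", volume_problems(SAMPLE_POD, rootless=True))
```

Running it over a YAML you did not write yourself is the point: the bind list shows exactly which host locations the pod would see, and the rootless run shows which entries would fail before anything is created.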
Note: The default restart policy for containers is always. You can
change the default by setting the restartPolicy field in the spec.
Note: When playing a kube YAML with init containers, the init container
is created with init type value once. To change the default type, use
the io.podman.annotations.init.container.type annotation to set the type
to always.
Note: hostPath volume types created by kube play are given an SELinux
shared label (z); bind mounts are not relabeled (use chcon -t
container_file_t -R <directory>).
Note: To set userns of a pod, use the io.podman.annotations.userns
annotation in the pod/deployment definition. For example, the
io.podman.annotations.userns=keep-id annotation tells Podman to create a
user namespace where the current rootless user's UID:GID are mapped to
the same values in the container. This can be overridden with the
--userns flag.
Note: Use the io.podman.annotations.volumes-from annotation to bind
mount volumes of one container to another. You can mount volumes from
multiple source containers to a target container. The source containers
that belong to the same pod must be defined before the source container
in the kube YAML. The annotation format is
io.podman.annotations.volumes-from/targetContainer:
"sourceContainer1:mountOpts1;sourceContainer2:mountOpts2".
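The annotation format above is compact enough to get wrong silently (a stray semicolon, a source that is defined after its target, a writable mount nobody intended). The following Python is an added example, not Podman's own code: it parses every volumes-from annotation in a constructed metadata.annotations map, checks the ordering rule (read here as "source defined before target", which is an assumption about the sentence above), and lists sources mounted without ro. The mount option names ro, rw and z in the sample are this example's choice.

```python
# Added example (not Podman's code): parse and sanity-check the
# io.podman.annotations.volumes-from/<target> annotation.

ANNOTATION_PREFIX = "io.podman.annotations.volumes-from/"

# Constructed sample: a pod's annotations and its container order.
SAMPLE_ANNOTATIONS = {
    "io.podman.annotations.volumes-from/app": "db:ro;cache:rw,z",
    "io.podman.annotations.userns": "keep-id",   # unrelated, must be ignored
}
SAMPLE_CONTAINERS = ["db", "cache", "app"]


def parse_volumes_from(annotations):
    """Return {target: [(source, [mount_opts...]), ...]} for every
    volumes-from annotation; an entry without options is allowed."""
    result = {}
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        target = key[len(ANNOTATION_PREFIX):]
        if not target:
            raise ValueError(f"{key}: missing target container name")
        sources = []
        for entry in value.split(";"):
            entry = entry.strip()
            if not entry:
                continue
            source, _, opts = entry.partition(":")
            if not source:
                raise ValueError(f"{key}: empty source container in {entry!r}")
            sources.append((source, [o for o in opts.split(",") if o]))
        result[target] = sources
    return result


def check_ordering(volumes_from, container_names):
    """Messages for targets missing from the pod and for same-pod sources
    that are not defined before their target (assumed reading of the
    ordering rule). Sources outside the pod are not flagged."""
    problems = []
    for target, sources in volumes_from.items():
        if target not in container_names:
            problems.append(f"target {target!r} is not a container in this pod")
            continue
        tpos = container_names.index(target)
        for source, _ in sources:
            if source in container_names and container_names.index(source) >= tpos:
                problems.append(f"{source!r} must be defined before {target!r}")
    return problems


def writable_sources(volumes_from):
    """(target, source) pairs mounted without 'ro': the target can modify
    another container's data, which deserves a second look in review."""
    return [(t, s) for t, srcs in volumes_from.items()
            for s, opts in srcs if "ro" not in opts]


if __name__ == "__main__":
    vf = parse_volumes_from(SAMPLE_ANNOTATIONS)
    print(vf)
    print("ordering problems:", check_ordering(vf, SAMPLE_CONTAINERS))
    print("writable sources:", writable_sources(vf))
```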
Note: If the :latest tag is used, Podman attempts to pull the image from
a registry. If the image was built locally with Podman or Buildah, it
has localhost as the domain; in that case, Podman uses the image from
the local store even if it has the :latest tag.
Note: The command podman play kube is an alias of podman kube play, and
performs the same function.
Note: The command podman kube down can be used to stop and remove pods
or containers based on the same Kubernetes YAML used by podman kube play
to create them.
Note: To customize the name of the infra container created during podman
kube play, use the io.podman.annotations.infra.name annotation in the
pod definition. This annotation is automatically set when generating a
kube yaml from a pod that was created with the --infra-name flag set.
Kubernetes PersistentVolumeClaims
A Kubernetes PersistentVolumeClaim represents a Podman named volume.
Only the PersistentVolumeClaim name is required by Podman to create a
volume. Kubernetes annotations can be used to make use of the available
options for Podman volumes.
• volume.podman.io/driver
• volume.podman.io/device
• volume.podman.io/type
• volume.podman.io/uid
• volume.podman.io/gid
• volume.podman.io/mount-options
• volume.podman.io/import-source
• volume.podman.io/image
Use volume.podman.io/import-source to import the contents of the tarball
(.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) specified in the
annotation's value into the created Podman volume.
Kube play is capable of building images on the fly given the correct
directory layout and Containerfiles. This option is not available for
remote clients, including Mac and Windows (excluding WSL2) machines, yet.
Consider the following excerpt from a YAML file:
apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  containers:
  - name: container
    image: foobar
  ...
If there is a directory named foobar in the current working directory
with a file named Containerfile or Dockerfile, Podman kube play builds
that image and names it foobar. An example directory structure for this
example looks like:
|- mykubefiles
    |- myplayfile.yaml
    |- foobar
         |- Containerfile
The build considers foobar to be the context directory for the build. If
there is an image in local storage called foobar, the image is not built
unless the --build flag is used. Use --build=false to completely disable
builds.
Kube play supports CDI (Container Device Interface) device selectors to
share host devices (e.g. GPUs) with containers. The configuration format
follows Kubernetes extended resource management:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: container
    resources:
      limits:
        nvidia.com/gpu=all: 1
To enable sharing host devices, analogous to using the --device flag,
Podman kube supports a custom CDI selector: podman.io/device=<host
device path>.
Kubernetes ConfigMap
A Kubernetes ConfigMap can be referred to as a source of environment
variables or volumes in Pods or Deployments. ConfigMaps aren't a
standalone object in Podman; instead, when a container uses a ConfigMap,
Podman creates environment variables or volumes as needed.
For example, the following YAML document defines a ConfigMap and then
uses it in a Pod:
apiVersion: v1
kind: ConfigMap
metadata:
  name: foo
data:
  FOO: bar
---
apiVersion: v1
kind: Pod
metadata:
  name: foobar
spec:
  containers:
  - name: container-1
    image: foobar
    envFrom:
    - configMapRef:
        name: foo
        optional: false
and as a result environment variable FOO is set to bar for container
container-1.
Kubernetes Secret
A Kubernetes Secret represents a Podman named secret. The Kubernetes
Secret is saved as a whole and may be referred to as a source of
environment variables or volumes in Pods or Deployments.
For example, the following YAML document defines a Secret and then uses
it in a Pod:
kind: Secret
apiVersion: v1
metadata:
  name: foo
data:
  foo: YmFy # base64 for bar
---
apiVersion: v1
kind: Pod
metadata:
  name: foobar
spec:
  containers:
  - name: container-1
    image: foobar
    env:
    - name: FOO
      valueFrom:
        secretKeyRef:
          name: foo
          key: foo
and as a result environment variable FOO is set to bar for container
container-1.
Automounting Volumes (deprecated)
Note: The automounting annotation is deprecated. Kubernetes has native
support for image volumes and that should be used rather than this
podman-specific annotation.
An image can be automatically mounted into a container if the annotation
io.podman.annotations.kube.image.automount/$ctrname is given. The
following rules apply:
• The image must already exist locally.
• The image must have at least 1 volume directive.
• The path given by the volume directive will be mounted from the
image into the container. For example, an image with a volume
at /test/test_dir will have /test/test_dir in the image mounted
to /test/test_dir in the container.
• Multiple images can be specified. If multiple images have a
volume at a specific path, the last image specified trumps.
• The images are always mounted read-only.
• Images to mount are defined in the annotation
"io.podman.annotations.kube.image.automount/$ctrname" as a
semicolon-separated list. They are mounted into a single container
in the pod, not the whole pod. The annotation can be specified for
additional containers if additional mounts are required.
OPTIONS
--annotation=key=value
Add an annotation to the container or pod. This option can be set
multiple times.
--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
$HOME/.config/containers/auth.json on Windows/macOS. The file is created
by podman login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.
Note: There is also the option to override the default path of the
authentication file by setting the REGISTRY_AUTH_FILE environment
variable. This can be done with export REGISTRY_AUTH_FILE=path.
--build
Build images even if they are found in the local storage. Use
--build=false to completely disable builds. (This option is not
available with the remote Podman client)
Note: You can also override the default isolation type by setting the
BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci.
See podman-build.1.md for more information.
--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the
registry. (Default: /etc/containers/certs.d) For details, see
containers-certs.d(5). (This option is not available with the remote
Podman client, including Mac and Windows (excluding WSL2) machines)
--configmap=path
Use Kubernetes configmap YAML at path to provide a source for
environment variable values within the containers of the pod. (This
option is not available with the remote Podman client)
Note: The --configmap option can be used multiple times, or a
comma-separated list of paths can be used to pass multiple Kubernetes
configmap YAMLs. The YAML file may be in a multi-doc YAML format, but it
must contain only configmaps.
--context-dir=path
Use path as the build context directory for each image. Requires --build
option be true. (This option is not available with the remote Podman
client)
--creds=[username[:password]]
The [username[:password]] to use to authenticate with the registry, if
required. If one or both values are not supplied, a command line prompt
appears and the value can be entered. The password is entered without
echo.
Note that the specified credentials are only used to authenticate
against target registries. They are not used for mirrors or when the
registry gets rewritten (see containers-registries.conf(5)); to
authenticate against those consider using a containers-auth.json(5) file.
--force
Tear down the volumes linked to the PersistentVolumeClaims as part of
--down.
--help, -h
Print usage statement
--ip=IP address
Assign a static ip address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks use the --network name:ip=<ip> syntax.
--log-driver=driver
Set logging driver for all created containers.
--log-opt=name=value
Logging driver specific options.
Set custom logging configuration. The following names are supported:
path: specify a path to the log file
(e.g. --log-opt path=/var/log/container/mycontainer.json);
max-size: specify a max size of the log file
(e.g. --log-opt max-size=10mb);
tag: specify a custom log tag for the container
(e.g. --log-opt tag="{{.ImageName}}"). It supports the same keys as
podman inspect --format. This option is currently supported only by the
journald log driver.
--mac-address=MAC address
Assign a static mac address to the pod. This option can be specified
several times when kube play creates more than one pod. Note: When
joining multiple networks use the --network name:mac=<mac> syntax.
--network=mode, --net
Set the network mode for the pod.
Valid mode values are:
• bridge[:OPTIONS,...]: Create a network stack on the default
bridge. This is the default for rootful containers. It is
possible to specify these additional options:
    • alias=name: Add network-scoped alias for the container.
    • ip=IPv4: Specify a static IPv4 address for this container.
    • ip6=IPv6: Specify a static IPv6 address for this container.
    • mac=MAC: Specify a static MAC address for this container.
    • interface_name=name: Specify a name for the created network
    interface inside the container.
    • host_interface_name=name: Specify a name for the created
    network interface outside the container.
Any other options will be passed through to netavark without
validation. This can be useful to pass arguments to netavark
plugins. For example, to set a static ipv4 address and a static
mac address, use --network
bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.
• <network name or ID>[:OPTIONS,...]: Connect to a user-defined
network; this is the network name or ID from a network created
by podman network create. It is possible to specify the same
options described under the bridge mode above. Use the
--network option multiple times to specify additional networks.
For backwards compatibility it is also possible to specify
comma-separated networks on the first --network argument;
however, this prevents you from using the options described under
the bridge section above.
• none: Create a network namespace for the container but do not
configure network interfaces for it, thus the container has no
network connectivity.
• container:id: Reuse another container's network stack.
• host: Do not create a network namespace, the container uses the
host's network. Note: The host mode gives the container full
access to local system services such as D-bus and is therefore
considered insecure.
• ns:path: Path to a network namespace to join.
• private: Create a new namespace for the container. This uses
the bridge mode for rootful containers and slirp4netns for
rootless ones.
• slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
network stack. It is possible to specify these additional
options; they can also be set with network_cmd_options in
containers.conf:
    • allow_host_loopback=true|false: Allow slirp4netns to reach
    the host loopback IP (default is 10.0.2.2 or the second IP
    from slirp4netns cidr subnet when changed, see the cidr
    option below). The default is false.
    • mtu=MTU: Specify the MTU to use for this network. (Default is
    65520).
    • cidr=CIDR: Specify ip range to use for this network. (Default
    is 10.0.2.0/24).
    • enable_ipv6=true|false: Enable IPv6. Default is true.
    (Required for outbound_addr6).
    • outbound_addr=INTERFACE: Specify the outbound interface slirp
    binds to (ipv4 traffic only).
    • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
    binds to.
    • outbound_addr6=INTERFACE: Specify the outbound interface
    slirp binds to (ipv6 traffic only).
    • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
    binds to.
    • port_handler=rootlesskit: Use rootlesskit for port
    forwarding. Default.
    Note: Rootlesskit changes the source IP address of incoming
    packets to an IP address in the container network namespace,
    usually 10.0.2.100. If the application requires the real
    source IP address, e.g. web server logs, use the slirp4netns
    port handler. The rootlesskit port handler is also used for
    rootless containers when connected to user-defined networks.
    • port_handler=slirp4netns: Use the slirp4netns port
    forwarding; it is slower than rootlesskit but preserves the
    correct source IP address. This port handler cannot be used for
    user-defined networks.
• pasta[:OPTIONS,...]: use pasta(1) to create a user-mode
networking stack.
This is the default for rootless containers and only supported
in rootless mode.
By default, IPv4 and IPv6 addresses and routes, as well as the
pod interface name, are copied from the host. If port
forwarding isn't configured, ports are forwarded dynamically as
services are bound on either side (init namespace or container
namespace). Port forwarding preserves the original source IP
address. Options described in pasta(1) can be specified as
comma-separated arguments.
In terms of pasta(1) options, --config-net is given by default,
in order to configure networking when the container is started,
and --no-map-gw is also assumed by default, to avoid direct
access from container to host using the gateway address. The
latter can be overridden by passing --map-gw in the
pasta-specific options (despite not being an actual pasta(1)
option).
Also, -t none and -u none are passed if, respectively, no TCP
or UDP port forwarding from host to container is configured, to
disable automatic port forwarding based on bound ports.
Similarly, -T none and -U none are given to disable the same
functionality from container to host.
Some examples:
    • pasta:--map-gw: Allow the container to directly reach the
    host using the gateway address.
    • pasta:--mtu,1500: Specify a 1500 bytes MTU for the tap
    interface in the container.
    • pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp,
    equivalent to default slirp4netns(1) options: disable IPv6,
    assign 10.0.2.0/24 to the tap0 interface in the container, with
    gateway 10.0.2.3, enable DNS forwarder reachable at 10.0.2.3,
    set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support.
    • pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp,
    equivalent to default slirp4netns(1) options with Podman
    overrides: same as above, but leave the MTU to 65520 bytes.
    • pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port
    forwarding based on observed bound ports from both host and
    container sides.
    • pasta:-T,5201: enable forwarding of TCP port 5201 from
    container to host, using the loopback interface instead of the
    tap interface for improved performance.
When no network option is specified and host network mode is not
configured in the YAML file, a new network stack is created and pods are
attached to it, making pod to pod communication possible.
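The --network grammar above mixes several shapes: a mode or network name followed by key=value options, raw pasta(1) arguments, container:id and ns:path references, and the backwards-compatible comma-separated list that is only accepted on the first argument. The following Python is an added example, not Podman's own code: it parses the values given on one command line into that structure, separates the documented bridge options from keys that would be passed through to netavark unvalidated, and marks host mode as insecure, as the text states. The record layout and the decision to keep pasta options as a raw list are this example's own.

```python
# Added example (not Podman's code): parse --network values as the option
# list above describes them.

# Options the text documents for bridge and user-defined networks; any
# other key is handed to netavark without validation.
BRIDGE_OPTIONS = {"alias", "ip", "ip6", "mac", "interface_name", "host_interface_name"}


def _parse_one(arg, first):
    """Return [(name, options, passthrough_keys), ...] for one value.
    options is a dict of key=value pairs, except for pasta where it is
    the raw comma-separated argument list handed to pasta(1)."""
    name, sep, rest = arg.partition(":")
    if name in ("container", "ns"):
        # container:id and ns:path carry no further options
        return [(arg, {}, [])]
    if not sep:
        names = name.split(",") if "," in name else [name]
        if len(names) > 1 and not first:
            raise ValueError("comma-separated networks are only accepted on the first --network")
        return [(n, {}, []) for n in names if n]
    if name == "pasta":
        return [(name, [a for a in rest.split(",") if a], [])]
    options, passthrough = {}, []
    for item in rest.split(","):
        if not item:
            continue
        key, _, value = item.partition("=")   # MAC values keep their colons
        options[key] = value
        if name != "slirp4netns" and key not in BRIDGE_OPTIONS:
            passthrough.append(key)
    return [(name, options, passthrough)]


def parse_network_option(values):
    """Parse all --network values of one kube play invocation, in order."""
    networks = []
    for i, arg in enumerate(values):
        for name, options, passthrough in _parse_one(arg, first=(i == 0)):
            networks.append({
                "network": name,
                "options": options,
                "passthrough": passthrough,        # unvalidated netavark keys
                "insecure": name == "host",        # full access to host services
            })
    return networks


if __name__ == "__main__":
    # Constructed command lines, including the example from the text.
    for argv in (["bridge:ip=10.88.0.10,mac=44:33:22:11:00:99"],
                 ["net1:ip=10.89.1.5", "net2:ip=10.89.10.10"],
                 ["net1,net2"], ["host"], ["pasta:--map-gw,-t,auto"]):
        print(argv, "->", parse_network_option(argv))
```

A pre-flight check built on this would refuse a host-mode pod or at least log it, and would warn on passthrough keys, since a typo in ip= silently becomes an unvalidated plugin argument.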
--no-hostname
Do not create the /etc/hostname file in the containers.
By default, Podman manages the /etc/hostname file, adding the
container's own hostname. When the --no-hostname option is set, the
image's /etc/hostname will be preserved unmodified if it exists.
--no-hosts
Do not modify the /etc/hosts file in the pod.
Podman assumes control over the pod's /etc/hosts file by default and
adds entries for the container's name (see --name option) and hostname
(see --hostname option), the internal host.containers.internal and
host.docker.internal hosts, as well as any hostname added using the
--add-host option. Refer to the --add-host option for details. Passing
--no-hosts disables this, so that the image's /etc/hosts file is kept
unmodified. The same can be achieved globally by setting no_hosts=true
in containers.conf.
This option conflicts with host added in the Kubernetes YAML.
--publish=[[ip:][hostPort]:]containerPort[/protocol]
Define or override a port definition in the YAML file.
The lists of ports in the YAML file and the command line are merged.
Matching is done by using the containerPort field. If containerPort ex-
ists in both the YAML file and the option, the latter takes precedence.
--publish-all
Setting this option to true will expose all ports to the host, even if
only specified via containerPort in the K8 YAML. In terms of which port
will be exposed, --publish has higher priority than hostPort, which has
higher priority than containerPort.
If set to false (which is the default), only ports defined via hostPort
or --publish are published on the host.
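The --publish and --publish-all rules above decide which ports end up reachable from the host, so it is worth being able to compute the result before playing a file. The following Python is an added example, not Podman's own code: it parses --publish values in the syntax shown, merges them with a constructed containers[].ports list by containerPort (the matching key the text names, with the command line winning), and applies --publish-all. Two details are this example's assumptions: IPv4 literals only in the ip: position, and --publish-all publishing a containerPort-only entry on the same port number.

```python
# Added example (not Podman's code): merge YAML ports with --publish and
# --publish-all according to the precedence described in the text.

# Constructed sample containers[].ports entries.
SAMPLE_YAML_PORTS = [
    {"containerPort": 80, "hostPort": 8080},
    {"containerPort": 443},                                   # containerPort only
    {"containerPort": 9090, "hostPort": 9090, "protocol": "TCP"},
]


def parse_publish(arg):
    """Parse one --publish value "[[ip:][hostPort]:]containerPort[/protocol]".
    Assumes an IPv4 literal (no brackets handling); empty hostPort means
    Podman picks the host port."""
    spec, _, proto = arg.partition("/")
    proto = (proto or "tcp").lower()
    parts = spec.split(":")
    if len(parts) == 1:
        ip, host_port, container_port = "", "", parts[0]
    elif len(parts) == 2:
        ip, host_port, container_port = "", parts[0], parts[1]
    elif len(parts) == 3:
        ip, host_port, container_port = parts
    else:
        raise ValueError(f"bad --publish value {arg!r}")
    if not container_port.isdigit():
        raise ValueError(f"bad containerPort in {arg!r}")
    if host_port and not host_port.isdigit():
        raise ValueError(f"bad hostPort in {arg!r}")
    return {"hostIP": ip, "hostPort": int(host_port) if host_port else None,
            "containerPort": int(container_port), "protocol": proto}


def merge_ports(yaml_ports, publish_args, publish_all=False):
    """Return the port entries that are published on the host, ordered by
    containerPort. A --publish entry replaces the YAML entry with the same
    containerPort. Without --publish-all, a YAML entry that only has a
    containerPort is not published; with it, hostPort = containerPort
    (assumption)."""
    merged = {}
    for p in yaml_ports:
        merged[p["containerPort"]] = {
            "hostIP": p.get("hostIP", ""), "hostPort": p.get("hostPort"),
            "containerPort": p["containerPort"],
            "protocol": p.get("protocol", "TCP").lower(), "origin": "yaml",
        }
    for arg in publish_args:
        p = parse_publish(arg)
        merged[p["containerPort"]] = dict(p, origin="--publish")   # CLI wins
    published = []
    for cport in sorted(merged):
        p = merged[cport]
        if p["origin"] == "--publish" or p["hostPort"] is not None:
            published.append(p)
        elif publish_all:
            published.append(dict(p, hostPort=cport, origin="--publish-all"))
    return published


if __name__ == "__main__":
    for p in merge_ports(SAMPLE_YAML_PORTS, ["127.0.0.1:8443:443/tcp", "9000:9090"]):
        print(f"{p['hostIP'] or '0.0.0.0'}:{p['hostPort']} -> {p['containerPort']}/{p['protocol']}"
              f"  ({p['origin']})")
    print("publish-all:", [(p["containerPort"], p["hostPort"])
                           for p in merge_ports(SAMPLE_YAML_PORTS, [], publish_all=True)])
```

Note what --publish-all does to the sample: port 443, which the YAML only declares as a containerPort, becomes host-reachable without any explicit hostPort, which is the behaviour to look for when reviewing a unit that sets the flag.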
--quiet, -q
Suppress output information when pulling images
--replace
Tears down the pods created by a previous run of kube play and recreates
the pods. This option is used to keep the existing pods up to date based
upon the Kubernetes YAML.
--seccomp-profile-root=path
Directory path for seccomp profiles (default:
"/var/lib/kubelet/seccomp"). (This option is not available with the
remote Podman client, including Mac and Windows (excluding WSL2)
machines)
--start
Start the pod after creating it, set to false to only create it.
--tls-verify
Require HTTPS and verify certificates when contacting registries
(default: true). If explicitly set to true, TLS verification is used. If
set to false, TLS verification is not used. If not specified, TLS
verification is used unless the target registry is listed as an insecure
registry in containers-registries.conf(5).
--userns=mode
Set the user namespace mode for the container.
If --userns is not set, the default value is determined as follows.
• If --pod is set, --userns is ignored and the user namespace of the
pod is used.
• If the environment variable PODMAN_USERNS is set its value is used.
• If userns is specified in containers.conf this value is used.
• Otherwise, --userns=host is assumed.
--userns="" (i.e., an empty string) is an alias for --userns=host.
This option is incompatible with --gidmap, --uidmap, --subuidname and
--subgidname.
Rootless user --userns=Key mappings:
┌─────────────────────────┬───────────┬──────────────────────┐
│ Key │ Host User │ Container User │
├─────────────────────────┼───────────┼──────────────────────┤
│ auto │ $UID │ nil (Host User UID │
│ │ │ is not mapped into │
│ │ │ container.) │
├─────────────────────────┼───────────┼──────────────────────┤
│ host │ $UID │ 0 (Default User ac- │
│ │ │ count mapped to root │
│ │ │ user in container.) │
├─────────────────────────┼───────────┼──────────────────────┤
│ keep-id │ $UID │ $UID (Map user ac- │
│ │ │ count to same UID │
│ │ │ within container.) │
├─────────────────────────┼───────────┼──────────────────────┤
│ keep-id:uid=200,gid=210 │ $UID │ 200:210 (Map user │
│ │ │ account to specified │
│ │ │ UID, GID value │
│ │ │ within container.) │
├─────────────────────────┼───────────┼──────────────────────┤
│ nomap │ $UID │ nil (Host User UID │
│ │ │ is not mapped into │
│ │ │ container.) │
└─────────────────────────┴───────────┴──────────────────────┘
Valid mode values are:
auto[:OPTIONS,...]: automatically create a unique user namespace.
• rootful mode: The --userns=auto flag requires that the user
name containers be specified in the /etc/subuid and /etc/subgid
files, with an unused range of subordinate user IDs that Podman
containers are allowed to allocate.
Example: containers:2147483647:2147483648.
• rootless mode: The user's range from the /etc/subuid and
/etc/subgid files will be used. Note running a single container
without using --userns=auto will use the entire range of UIDs
and not allow further subdividing. See subuid(5).
Podman allocates unique ranges of UIDs and GIDs from the containers
subordinate user IDs. The size of the ranges is based on the number of
UIDs required in the image. The number of UIDs and GIDs can be
overridden with the size option.
The option --userns=keep-id uses all the subuids and subgids of the
user. The option --userns=nomap uses all the subuids and subgids of the
user except the user's own ID. Using --userns=auto when starting new
containers does not work as long as any containers exist that were
started with --userns=nomap or --userns=keep-id without limiting the
user namespace size.
Valid auto options:
• gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping
to be present in the user namespace.
• size=SIZE: to specify an explicit size for the automatic user
namespace. e.g. --userns=auto:size=8192. If size is not
specified, auto estimates a size for the user namespace.
• uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping
to be present in the user namespace.
The host UID and GID in gidmapping and uidmapping can optionally be
prefixed with the @ symbol. In this case, podman will look up the
intermediate ID corresponding to host ID and it will map the found
intermediate ID to the container id. For details see --uidmap.
container:id: join the user namespace of the specified container.
host or "" (empty string): run in the user namespace of the caller. The
processes running in the container have the same privileges on the host
as any other process launched by the calling user.
keep-id: creates a user namespace where the current user's UID:GID are
mapped to the same values in the container. For containers created by
root, the current mapping is created into a new user namespace.
Valid keep-id options:
• uid=UID: override the UID inside the container that is used to
map the current user to.
• gid=GID: override the GID inside the container that is used to
map the current user to.
• size=SIZE: override the size of the configured user namespace.
It is useful to not saturate all the available IDs. Not
supported when running as root.
nomap: creates a user namespace where the current rootless user's
UID:GID are not mapped into the container. This option is not allowed
for containers created by the root user.
ns:namespace: run the pod in the given existing user namespace.
--wait, -w
Run pods and containers in the foreground. Default is false.
At any time you can run podman pod ps in another shell to view a list
of the running pods and containers.
When attached in the tty mode, you can kill the pods and containers by
pressing Ctrl-C or receiving any other interrupt signals.
All pods, containers, and volumes created with podman kube play are
removed upon exit.
EXAMPLES
Recreate the pod and containers described in the specified host YAML
file.
$ podman kube play demo.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Recreate the pod and containers specified in a YAML file sent to stdin.
$ cat demo.yml | podman kube play -
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Tear down the pod and containers as described in the specified YAML
file.
$ podman kube play --down demo.yml
Pods stopped:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Pods removed:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Provide multiple configmap files as sources for environment variables
within the specified pods and containers.
$ podman kube play demo.yml --configmap configmap-foo.yml,configmap-bar.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
$ podman kube play demo.yml --configmap configmap-foo.yml --configmap configmap-bar.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Create a pod connected to two networks with a static ip on each.
$ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Please take into account that networks must be created first using
podman-network-create(1).
Create and teardown from a URL pointing to a YAML file.
$ podman kube play https://podman.io/demo.yml
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
$ podman kube play --down https://podman.io/demo.yml
Pods stopped:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
Pods removed:
52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6
podman kube play --down does not work with a URL if the YAML file the
URL points to has been changed or altered.
Podman Kube Play Support
This document outlines the kube yaml fields that are currently supported
by the podman kube play command.
Note: N/A means that the option cannot be supported in a single-node
Podman environment.
Pod Fields
┌───────────────────────────────────────────────────┬─────────┐
│ Field │ Support │
├───────────────────────────────────────────────────┼─────────┤
│ containers │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ initContainers │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ imagePullSecrets │ no │
├───────────────────────────────────────────────────┼─────────┤
│ enableServiceLinks │ no │
├───────────────────────────────────────────────────┼─────────┤
│ os.name │ no │
├───────────────────────────────────────────────────┼─────────┤
│ volumes │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ nodeSelector │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ nodeName │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ affinity.nodeAffinity │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ affinity.podAffinity │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ affinity.podAntiAffinity │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ tolerations.key │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ tolerations.operator │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ tolerations.effect │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ tolerations.tolerationSeconds │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ schedulerName │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ runtimeClassName │ no │
├───────────────────────────────────────────────────┼─────────┤
│ priorityClassName │ no │
├───────────────────────────────────────────────────┼─────────┤
│ priority │ no │
├───────────────────────────────────────────────────┼─────────┤
│ topologySpreadConstraints.maxSkew │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ topologySpreadConstraints.topologyKey │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ topologySpreadConstraints.whenUnsatisfiable │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ topologySpreadConstraints.labelSelector │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ topologySpreadConstraints.minDomains │ N/A │
├───────────────────────────────────────────────────┼─────────┤
│ restartPolicy │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ terminationGracePeriodSeconds │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ activeDeadlineSeconds │ no │
├───────────────────────────────────────────────────┼─────────┤
│ readinessGates.conditionType │ no │
├───────────────────────────────────────────────────┼─────────┤
│ hostname │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ setHostnameAsFQDN │ no │
├───────────────────────────────────────────────────┼─────────┤
│ subdomain │ no │
├───────────────────────────────────────────────────┼─────────┤
│ hostAliases.hostnames │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ hostAliases.ip │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ dnsConfig.nameservers │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ dnsConfig.options.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ dnsConfig.options.value │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ dnsConfig.searches │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ dnsPolicy │ no │
├───────────────────────────────────────────────────┼─────────┤
│ hostNetwork │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ hostPID │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ hostIPC │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ shareProcessNamespace │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ serviceAccountName │ no │
├───────────────────────────────────────────────────┼─────────┤
│ automountServiceAccountToken │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsUser │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsNonRoot │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsGroup │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.supplementalGroups │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.fsGroup │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.fsGroupChangePolicy │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seccompProfile.type │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seccompProfile.localhostProfile │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.level │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.role │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.type │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.user │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.sysctls.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.sysctls.value │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.gmsaCredentialSpec │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.hostProcess │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.runAsUserName │ no │
└───────────────────────────────────────────────────┴─────────┘
Container Fields
┌───────────────────────────────────────────────────┬─────────┐
│ Field │ Support │
├───────────────────────────────────────────────────┼─────────┤
│ name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ image │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ imagePullPolicy │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ command │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ args │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ workingDir │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ ports.containerPort │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ ports.hostIP │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ ports.hostPort │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ ports.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ ports.protocol │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.value │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.configMapKeyRef.key │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.configMapKeyRef.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.configMapKeyRef.optional │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.fieldRef │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.resourceFieldRef │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.secretKeyRef.key │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.secretKeyRef.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ env.valueFrom.secretKeyRef.optional │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ envFrom.configMapRef.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ envFrom.configMapRef.optional │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ envFrom.prefix │ no │
├───────────────────────────────────────────────────┼─────────┤
│ envFrom.secretRef.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ envFrom.secretRef.optional │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.mountPath │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.name │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.mountPropagation │ no │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.readOnly │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.subPath │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ volumeMounts.subPathExpr │ no │
├───────────────────────────────────────────────────┼─────────┤
│ volumeDevices.devicePath │ no │
├───────────────────────────────────────────────────┼─────────┤
│ volumeDevices.name │ no │
├───────────────────────────────────────────────────┼─────────┤
│ resources.limits │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ resources.requests │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ lifecycle.postStart │ no │
├───────────────────────────────────────────────────┼─────────┤
│ lifecycle.preStop │ no │
├───────────────────────────────────────────────────┼─────────┤
│ terminationMessagePath │ no │
├───────────────────────────────────────────────────┼─────────┤
│ terminationMessagePolicy │ no │
├───────────────────────────────────────────────────┼─────────┤
│ livenessProbe │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ readinessProbe │ no │
├───────────────────────────────────────────────────┼─────────┤
│ startupProbe │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsUser │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsNonRoot │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.runAsGroup │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.readOnlyRootFilesystem │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.procMount │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.privileged │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.allowPrivilegeEscalation │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.capabilities.add │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.capabilities.drop │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seccompProfile.type │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seccompProfile.localhostProfile │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.level │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.role │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.type │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.seLinuxOptions.user │ ✅ │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.gmsaCredentialSpec │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.hostProcess │ no │
├───────────────────────────────────────────────────┼─────────┤
│ securityContext.windowsOptions.runAsUserName │ no │
├───────────────────────────────────────────────────┼─────────┤
│ stdin │ no │
├───────────────────────────────────────────────────┼─────────┤
│ stdinOnce │ no │
├───────────────────────────────────────────────────┼─────────┤
│ tty │ no │
└───────────────────────────────────────────────────┴─────────┘
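The practical consequence of the Pod Fields and Container Fields tables above is that a manifest may carry hardening settings (runAsNonRoot, a seccompProfile, automountServiceAccountToken: false, readiness and startup probes) that Kubernetes honours but that podman kube play does not support. The following pre-flight check is an added example, not code from the man page or from the podman project: it walks a Pod manifest and reports every field that the two tables mark "no". The unsupported-field sets are transcribed from the tables, limited to the entries a hardening review cares about; the manifest is a constructed sample embedded as a dict (in practice it would come from yaml.safe_load on the file you are about to play), and the function names are this example's own.

```python
"""Pre-flight check for `podman kube play`: report hardening-relevant
Pod/Container fields that the man page's support tables mark "no".

Added example; not part of the podman project. Field names below are
copied from the Pod Fields and Container Fields tables.
"""
from typing import Any, Iterator, Optional

# Pod-level fields the Pod Fields table lists as "no" (hardening subset).
UNSUPPORTED_POD_FIELDS = {
    "securityContext.runAsNonRoot",
    "securityContext.fsGroup",
    "securityContext.fsGroupChangePolicy",
    "securityContext.seccompProfile.type",
    "securityContext.seccompProfile.localhostProfile",
    "serviceAccountName",
    "automountServiceAccountToken",
    "dnsPolicy",
}

# Container-level fields the Container Fields table lists as "no".
UNSUPPORTED_CONTAINER_FIELDS = {
    "securityContext.runAsNonRoot",
    "securityContext.seccompProfile.type",
    "securityContext.seccompProfile.localhostProfile",
    "volumeMounts.mountPropagation",
    "volumeMounts.subPathExpr",
    "readinessProbe",
    "startupProbe",
    "lifecycle.postStart",
    "lifecycle.preStop",
}


def flatten(obj: Any, prefix: str = "") -> Iterator[str]:
    """Yield the dotted path of every leaf in a nested mapping.

    List elements are traversed without an index so that a path such as
    volumeMounts.mountPropagation matches the tables' notation.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix


def unsupported_key(path: str, table: set) -> Optional[str]:
    """Return the table entry that `path` equals or sits beneath, else None.

    A probe such as readinessProbe.httpGet.path is reported under the
    table's coarser entry "readinessProbe".
    """
    for entry in table:
        if path == entry or path.startswith(entry + "."):
            return entry
    return None


def find_dropped(manifest: dict) -> list:
    """Return sorted (scope, field) pairs for fields present in the manifest
    that the support tables mark unsupported; scope is "pod" or
    "container:<name>".
    """
    spec = manifest.get("spec", {})
    dropped = set()

    pod_level = {k: v for k, v in spec.items() if k != "containers"}
    for path in flatten(pod_level):
        entry = unsupported_key(path, UNSUPPORTED_POD_FIELDS)
        if entry:
            dropped.add(("pod", entry))

    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        for path in flatten({k: v for k, v in container.items() if k != "name"}):
            entry = unsupported_key(path, UNSUPPORTED_CONTAINER_FIELDS)
            if entry:
                dropped.add((f"container:{name}", entry))

    return sorted(dropped)


# Constructed sample manifest: a typical hardened Pod spec.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostNetwork": False,
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsUser": 1000,
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app",
            "image": "localhost/demo:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "volumeMounts": [{"name": "data", "mountPath": "/data", "readOnly": True}],
        }],
    },
}

if __name__ == "__main__":
    for scope, field in find_dropped(SAMPLE_POD):
        print(f"{scope}: {field} is not supported by podman kube play")
```

Run against the sample, the check reports runAsNonRoot and the seccompProfile at pod level, runAsNonRoot and the readinessProbe on the container, and the disabled service-account token mount. The supported settings (runAsUser, allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities.drop, readOnly mounts) pass through, which is the point of the exercise: those are the controls to lean on when the same YAML must run under both Kubernetes and podman.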
PersistentVolumeClaim Fields
┌────────────────────┬─────────┐
│ Field │ Support │
├────────────────────┼─────────┤
│ volumeName │ no │
├────────────────────┼─────────┤
│ storageClassName │ ✅ │
├────────────────────┼─────────┤
│ volumeMode │ no │
├────────────────────┼─────────┤
│ accessModes │ ✅ │
├────────────────────┼─────────┤
│ selector │ no │
├────────────────────┼─────────┤
│ resources.limits │ no │
├────────────────────┼─────────┤
│ resources.requests │ ✅ │
└────────────────────┴─────────┘
ConfigMap Fields
┌────────────┬─────────┐
│ Field │ Support │
├────────────┼─────────┤
│ binaryData │ ✅ │
├────────────┼─────────┤
│ data │ ✅ │
├────────────┼─────────┤
│ immutable │ no │
└────────────┴─────────┘
Deployment Fields
┌───────────────────────────────────────┬────────────────────────────┐
│ Field │ Support │
├───────────────────────────────────────┼────────────────────────────┤
│ replicas │ ✅ (the actual replica count is ignored and set to 1) │
├───────────────────────────────────────┼────────────────────────────┤
│ selector │ ✅ │
├───────────────────────────────────────┼────────────────────────────┤
│ template │ ✅ │
├───────────────────────────────────────┼────────────────────────────┤
│ minReadySeconds │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ strategy.type │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ strategy.rollingUpdate.maxSurge │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ strategy.rollingUpdate.maxUnavailable │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ revisionHistoryLimit │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ progressDeadlineSeconds │ no │
├───────────────────────────────────────┼────────────────────────────┤
│ paused │ no │
└───────────────────────────────────────┴────────────────────────────┘
DaemonSet Fields
┌───────────────────────────────────────┬─────────┐
│ Field │ Support │
├───────────────────────────────────────┼─────────┤
│ selector │ ✅ │
├───────────────────────────────────────┼─────────┤
│ template │ ✅ │
├───────────────────────────────────────┼─────────┤
│ minReadySeconds │ no │
├───────────────────────────────────────┼─────────┤
│ strategy.type │ no │
├───────────────────────────────────────┼─────────┤
│ strategy.rollingUpdate.maxSurge │ no │
├───────────────────────────────────────┼─────────┤
│ strategy.rollingUpdate.maxUnavailable │ no │
├───────────────────────────────────────┼─────────┤
│ revisionHistoryLimit │ no │
└───────────────────────────────────────┴─────────┘
Job Fields
┌─────────────────────────┬───────────────────────────────┐
│ Field │ Support │
├─────────────────────────┼───────────────────────────────┤
│ activeDeadlineSeconds │ no │
├─────────────────────────┼───────────────────────────────┤
│ selector │ no (automatically set by k8s) │
├─────────────────────────┼───────────────────────────────┤
│ template │ ✅ │
├─────────────────────────┼───────────────────────────────┤
│ backoffLimit │ no │
├─────────────────────────┼───────────────────────────────┤
│ completionMode │ no │
├─────────────────────────┼───────────────────────────────┤
│ completions │ no (set to 1 with kube generate) │
├─────────────────────────┼───────────────────────────────┤
│ manualSelector │ no │
├─────────────────────────┼───────────────────────────────┤
│ parallelism │ no (set to 1 with kube generate) │
├─────────────────────────┼───────────────────────────────┤
│ podFailurePolicy │ no │
├─────────────────────────┼───────────────────────────────┤
│ suspend │ no │
├─────────────────────────┼───────────────────────────────┤
│ ttlSecondsAfterFinished │ no │
└─────────────────────────┴───────────────────────────────┘
SEE ALSO
podman(1), podman-kube(1), podman-kube-down(1), podman-network-create(1), podman-kube-generate(1), podman-build(1), containers-certs.d(5)