Pod

Pod is a collection of containers that can run on a host.

apiVersion: v1

import "k8s.io/api/core/v1"

Pod

Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.

apiVersion: v1
kind: Pod
metadata (
Standard object's metadata. More info:

spec (
Specification of the desired behavior of the pod. More info:

status (
Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info:

PodSpec

PodSpec is a description of a pod.

Containers

containers ([]
Patch strategy: merge on key name

List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.

enableServiceLinks (boolean)

EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.

os (PodOS)

Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.

If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions

If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[].securityContext.seLinuxOptions - spec.containers[].securityContext.seccompProfile - spec.containers[].securityContext.capabilities - spec.containers[].securityContext.readOnlyRootFilesystem - spec.containers[].securityContext.privileged - spec.containers[].securityContext.allowPrivilegeEscalation - spec.containers[].securityContext.procMount - spec.containers[].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup This is an alpha field and requires the IdentifyPodOS feature

PodOS defines the OS parameters of a pod.

os.name (string), required

Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of:

Volumes

volumes ([]
Patch strategies: retainKeys, merge on key name

List of volumes that can be mounted by containers belonging to the pod. More info:

Scheduling

nodeSelector (map[string]string)

NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeName (string)

NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
affinity (Affinity)

If specified, the pod's scheduling constraints

Affinity is a group of affinity scheduling rules.

tolerations ([]Toleration)

If specified, the pod's tolerations.

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator .

tolerations.key (string)

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

tolerations.operator (string)

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

Possible enum values:

"Equal"

"Exists"

tolerations.value (string)

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

tolerations.effect (string)

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

Possible enum values:

"NoExecute" Evict any already-running pods that do not tolerate the taint. Currently enforced by NodeController.

"NoSchedule" Do not allow new pods to schedule onto the node unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running. Enforced by the scheduler.

"PreferNoSchedule" Like TaintEffectNoSchedule, but the scheduler tries not to schedule new pods onto the node, rather than prohibiting new pods from scheduling onto the node entirely. Enforced by the scheduler.

tolerations.tolerationSeconds (int64)

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
schedulerName (string)

If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
runtimeClassName (string)

RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info:

priorityClassName (string)

If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.

priority (int32)

The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.

topologySpreadConstraints ([]TopologySpreadConstraint)

Patch strategy: merge on key topologyKey

Map: unique values on keys topologyKey, whenUnsatisfiable will be kept during a merge

TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.

TopologySpreadConstraint specifies how to spread matching pods among the given topology.

topologySpreadConstraints.maxSkew (int32), required

MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

topologySpreadConstraints.topologyKey (string), required

TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. It's a required field.

topologySpreadConstraints.whenUnsatisfiable (string), required

WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

Possible enum values:

"DoNotSchedule" instructs the scheduler not to schedule the pod when constraints are not satisfied.

"ScheduleAnyway" instructs the scheduler to schedule the pod even if constraints are not satisfied.

topologySpreadConstraints.labelSelector (
LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

Lifecycle

restartPolicy (string)

Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info:
Possible enum values:

"Always"

"Never"

"OnFailure"

terminationGracePeriodSeconds (int64)

Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.

activeDeadlineSeconds (int64)

Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.

readinessGates ([]PodReadinessGate)

If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info:
PodReadinessGate contains the reference to a pod condition

readinessGates.conditionType (string), required

ConditionType refers to a condition in the pod's condition list with matching type.

Possible enum values:

"ContainersReady" indicates whether all containers in the pod are ready.

"Initialized" means that all init containers in the pod have started successfully.

"PodScheduled" represents status of the scheduling process for this pod.

"Ready" means the pod is able to service requests and should be added to the load balancing pools of all matching services.

Hostname and Name resolution

hostname (string)

Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
setHostnameAsFQDN (boolean)

If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.
subdomain (string)

If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>". If not specified, the pod will not have a domainname at all.
hostAliases ([]HostAlias)

Patch strategy: merge on key ip

HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.

HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.
- hostAliases.hostnames ([]string)
  
  Hostnames for the above IP address.
- hostAliases.ip (string)
  
  IP address of the host file entry.
dnsConfig (PodDNSConfig)

Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.

PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
- dnsConfig.nameservers ([]string)
  
  A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.
- dnsConfig.options ([]PodDNSConfigOption)
  
  A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.
  
  PodDNSConfigOption defines DNS resolver options of a pod.
  - dnsConfig.options.name (string)
    
    Required.
  - dnsConfig.options.value (string)
- dnsConfig.searches ([]string)
  
  A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.
dnsPolicy (string)

Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.

Possible enum values:
- "ClusterFirst" indicates that the pod should use cluster DNS first unless hostNetwork is true, if it is available, then fall back on the default (as determined by kubelet) DNS settings.
- "ClusterFirstWithHostNet" indicates that the pod should use cluster DNS first, if it is available, then fall back on the default (as determined by kubelet) DNS settings.
- "Default" indicates that the pod should use the default (as determined by kubelet) DNS settings.
- "None" indicates that the pod should use empty DNS settings. DNS parameters such as nameservers and search paths should be defined via DNSConfig.

Hosts namespaces

hostNetwork (boolean)

Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.
hostPID (boolean)

Use the host's pid namespace. Optional: Default to false.
hostIPC (boolean)

Use the host's ipc namespace. Optional: Default to false.
shareProcessNamespace (boolean)

Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.

Service account

serviceAccountName (string)

ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
automountServiceAccountToken (boolean)

AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.

Security context

securityContext (PodSecurityContext)

SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.

PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.
- securityContext.runAsUser (int64)
  
  The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
- securityContext.runAsNonRoot (boolean)
  
  Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
- securityContext.runAsGroup (int64)
  
  The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
- securityContext.supplementalGroups ([]int64)
  
  A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.
- securityContext.fsGroup (int64)
  
  A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----
  If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
- securityContext.fsGroupChangePolicy (string)
  
  fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.
- securityContext.seccompProfile (SeccompProfile)
  
  The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
  
  SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
  - securityContext.seccompProfile.type (string), required
    
    type indicates which kind of seccomp profile will be applied. Valid options are:
    
    Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
    
    Possible enum values:
    - "Localhost" indicates a profile defined in a file on the node should be used. The file's location relative to <kubelet-root-dir>/seccomp.
    - "RuntimeDefault" represents the default container runtime seccomp profile.
    - "Unconfined" indicates no seccomp profile is applied (A.K.A. unconfined).
  - securityContext.seccompProfile.localhostProfile (string)
    
    localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
- securityContext.seLinuxOptions (SELinuxOptions)
  
  The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
  
  SELinuxOptions are the labels to be applied to the container
  - securityContext.seLinuxOptions.level (string)
    
    Level is SELinux level label that applies to the container.
  - securityContext.seLinuxOptions.role (string)
    
    Role is a SELinux role label that applies to the container.
  - securityContext.seLinuxOptions.type (string)
    
    Type is a SELinux type label that applies to the container.
  - securityContext.seLinuxOptions.user (string)
    
    User is a SELinux user label that applies to the container.
- securityContext.sysctls ([]Sysctl)
  
  Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
  
  Sysctl defines a kernel parameter to be set
  - securityContext.sysctls.name (string), required
    
    Name of a property to set
  - securityContext.sysctls.value (string), required
    
    Value of a property to set
- securityContext.windowsOptions (WindowsSecurityContextOptions)
  
  The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
  
  WindowsSecurityContextOptions contain Windows-specific options and credentials.
  - securityContext.windowsOptions.gmsaCredentialSpec (string)
    
    GMSACredentialSpec is where the GMSA admission webhook (

Beta level

ephemeralContainers ([]
Patch strategy: merge on key name

List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is beta-level and available on clusters that haven't disabled the EphemeralContainers feature gate.

preemptionPolicy (string)

PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.

overhead (map[string]
Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info:

Deprecated

serviceAccount (string)

DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.

Container

A single application container that you want to run within a pod.

name (string), required

Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.

Image

image (string)

Docker image name. More info:

imagePullPolicy (string)

Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info:
Possible enum values:

"Always" means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.

"IfNotPresent" means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.

"Never" means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present

Entrypoint

command ([]string)

Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info:

args ([]string)

Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info:

workingDir (string)

Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.

Ports

ports ([]ContainerPort)

Patch strategy: merge on key containerPort

Map: unique values on keys containerPort, protocol will be kept during a merge

List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.

ContainerPort represents a network port in a single container.

ports.containerPort (int32), required

Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.

ports.hostIP (string)

What host IP to bind the external port to.

ports.hostPort (int32)

Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.

ports.name (string)

If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.

ports.protocol (string)

Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".

Possible enum values:

"SCTP" is the SCTP protocol.

"TCP" is the TCP protocol.

"UDP" is the UDP protocol.

Environment variables

env ([]EnvVar)

Patch strategy: merge on key name

List of environment variables to set in the container. Cannot be updated.

EnvVar represents an environment variable present in a Container.
- env.name (string), required
  
  Name of the environment variable. Must be a C_IDENTIFIER.
- env.value (string)
  
  Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".
- env.valueFrom (EnvVarSource)
  
  Source for the environment variable's value. Cannot be used if value is not empty.
  
  EnvVarSource represents a source for the value of an EnvVar.
  - env.valueFrom.configMapKeyRef (ConfigMapKeySelector)
    
    Selects a key of a ConfigMap.
    
    Selects a key from a ConfigMap.
    - env.valueFrom.configMapKeyRef.key (string), required
      
      The key to select.
    - env.valueFrom.configMapKeyRef.name (string)
      
      Name of the referent. More info:
  - env.valueFrom.fieldRef (
    Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['\<KEY>'], metadata.annotations['\<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
  - env.valueFrom.resourceFieldRef (
    Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
  - env.valueFrom.secretKeyRef (SecretKeySelector)
    
    Selects a key of a secret in the pod's namespace
    
    SecretKeySelector selects a key of a Secret.
    
    env.valueFrom.secretKeyRef.key (string), required
    
    The key of the secret to select from. Must be a valid secret key.
    
    env.valueFrom.secretKeyRef.name (string)
    
    Name of the referent. More info:
    
    env.valueFrom.secretKeyRef.optional (boolean)
    
    Specify whether the Secret or its key must be defined

envFrom ([]EnvFromSource)

List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

EnvFromSource represents the source of a set of ConfigMaps

envFrom.configMapRef (ConfigMapEnvSource)

The ConfigMap to select from

*ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.

The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.*

envFrom.configMapRef.name (string)

Name of the referent. More info:

envFrom.configMapRef.optional (boolean)

Specify whether the ConfigMap must be defined

envFrom.prefix (string)

An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.

envFrom.secretRef (SecretEnvSource)

The Secret to select from

*SecretEnvSource selects a Secret to populate the environment variables with.

The contents of the target Secret's Data field will represent the key-value pairs as environment variables.*

envFrom.secretRef.name (string)

Name of the referent. More info:

envFrom.secretRef.optional (boolean)

Specify whether the Secret must be defined

Volumes

volumeMounts ([]VolumeMount)

Patch strategy: merge on key mountPath

Pod volumes to mount into the container's filesystem. Cannot be updated.

VolumeMount describes a mounting of a Volume within a container.

volumeMounts.mountPath (string), required

Path within the container at which the volume should be mounted. Must not contain ':'.

volumeMounts.name (string), required

This must match the Name of a Volume.

volumeMounts.mountPropagation (string)

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

volumeMounts.readOnly (boolean)

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

volumeMounts.subPath (string)

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

volumeMounts.subPathExpr (string)

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.
volumeDevices ([]VolumeDevice)

Patch strategy: merge on key devicePath

volumeDevices is the list of block devices to be used by the container.

volumeDevice describes a mapping of a raw block device within a container.
- volumeDevices.devicePath (string), required
  
  devicePath is the path inside of the container that the device will be mapped to.
- volumeDevices.name (string), required
  
  name must match the name of a persistentVolumeClaim in the pod

Resources

resources (ResourceRequirements)

Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

ResourceRequirements describes the compute resource requirements.
- resources.limits (map[string]
  Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- resources.requests (map[string]
  Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Lifecycle

lifecycle (Lifecycle)

Actions that the management system should take in response to container lifecycle events. Cannot be updated.

Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.
- lifecycle.postStart (
  PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info:
- lifecycle.preStop (
  PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info:

terminationMessagePath (string)

Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.

terminationMessagePolicy (string)

Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

Possible enum values:

"FallbackToLogsOnError" will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.
"File" is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.

livenessProbe (
Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info:

readinessProbe (
Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info:

startupProbe (
StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info:

Security Context

securityContext (SecurityContext)

SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.

securityContext.runAsUser (int64)

The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

securityContext.runAsNonRoot (boolean)

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

securityContext.runAsGroup (int64)

The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

securityContext.readOnlyRootFilesystem (boolean)

Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.

securityContext.procMount (string)

procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.

securityContext.privileged (boolean)

Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.

securityContext.allowPrivilegeEscalation (boolean)

AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.

securityContext.capabilities (Capabilities)

The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.

Adds and removes POSIX capabilities from running containers.

securityContext.capabilities.add ([]string)

Added capabilities

securityContext.capabilities.drop ([]string)

Removed capabilities

securityContext.seccompProfile (SeccompProfile)

The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.

SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.

securityContext.seccompProfile.type (string), required

type indicates which kind of seccomp profile will be applied. Valid options are:

Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

Possible enum values:

"Localhost" indicates a profile defined in a file on the node should be used. The file's location relative to <kubelet-root-dir>/seccomp.

"RuntimeDefault" represents the default container runtime seccomp profile.

"Unconfined" indicates no seccomp profile is applied (A.K.A. unconfined).

securityContext.seccompProfile.localhostProfile (string)

localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".

securityContext.seLinuxOptions (SELinuxOptions)

The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.

SELinuxOptions are the labels to be applied to the container

securityContext.seLinuxOptions.level (string)

Level is SELinux level label that applies to the container.

securityContext.seLinuxOptions.role (string)

Role is a SELinux role label that applies to the container.

securityContext.seLinuxOptions.type (string)

Type is a SELinux type label that applies to the container.

securityContext.seLinuxOptions.user (string)

User is a SELinux user label that applies to the container.

securityContext.windowsOptions (WindowsSecurityContextOptions)

The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.

WindowsSecurityContextOptions contain Windows-specific options and credentials.

securityContext.windowsOptions.gmsaCredentialSpec (string)

GMSACredentialSpec is where the GMSA admission webhook (

securityContext.windowsOptions.gmsaCredentialSpecName (string)

GMSACredentialSpecName is the name of the GMSA credential spec to use.

securityContext.windowsOptions.hostProcess (boolean)

HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.

securityContext.windowsOptions.runAsUserName (string)

The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

Debugging

stdin (boolean)

Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.
stdinOnce (boolean)

Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false
tty (boolean)

Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.

EphemeralContainer

An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation.

To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.

This is a beta feature available on clusters that haven't disabled the EphemeralContainers feature gate.

name (string), required

Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.
targetContainerName (string)

If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec.

The container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined.

Image

image (string)

Docker image name. More info:

imagePullPolicy (string)

Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info:
Possible enum values:

"Always" means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.

"IfNotPresent" means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.

"Never" means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present

Entrypoint

command ([]string)

Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info:

args ([]string)

Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info:

workingDir (string)

Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.

Environment variables

env ([]EnvVar)

Patch strategy: merge on key name

List of environment variables to set in the container. Cannot be updated.

EnvVar represents an environment variable present in a Container.

env.name (string), required

Name of the environment variable. Must be a C_IDENTIFIER.

env.value (string)

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

env.valueFrom (EnvVarSource)

Source for the environment variable's value. Cannot be used if value is not empty.

EnvVarSource represents a source for the value of an EnvVar.

env.valueFrom.configMapKeyRef (ConfigMapKeySelector)

Selects a key of a ConfigMap.

Selects a key from a ConfigMap.

env.valueFrom.configMapKeyRef.key (string), required

The key to select.

env.valueFrom.configMapKeyRef.name (string)

Name of the referent. More info:

env.valueFrom.configMapKeyRef.optional (boolean)

Specify whether the ConfigMap or its key must be defined

env.valueFrom.fieldRef (
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['\<KEY>'], metadata.annotations['\<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

env.valueFrom.resourceFieldRef (
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

env.valueFrom.secretKeyRef (SecretKeySelector)

Selects a key of a secret in the pod's namespace

SecretKeySelector selects a key of a Secret.

env.valueFrom.secretKeyRef.key (string), required

The key of the secret to select from. Must be a valid secret key.

env.valueFrom.secretKeyRef.name (string)

Name of the referent. More info:

env.valueFrom.secretKeyRef.optional (boolean)

Specify whether the Secret or its key must be defined

envFrom ([]EnvFromSource)

List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.

EnvFromSource represents the source of a set of ConfigMaps

envFrom.configMapRef (ConfigMapEnvSource)

The ConfigMap to select from

*ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.

The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.*

envFrom.configMapRef.name (string)

Name of the referent. More info:

envFrom.configMapRef.optional (boolean)

Specify whether the ConfigMap must be defined

envFrom.prefix (string)

An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.

envFrom.secretRef (SecretEnvSource)

The Secret to select from

*SecretEnvSource selects a Secret to populate the environment variables with.

The contents of the target Secret's Data field will represent the key-value pairs as environment variables.*

envFrom.secretRef.name (string)

Name of the referent. More info:

envFrom.secretRef.optional (boolean)

Specify whether the Secret must be defined

Volumes

volumeMounts ([]VolumeMount)

Patch strategy: merge on key mountPath

Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. Cannot be updated.

VolumeMount describes a mounting of a Volume within a container.

volumeMounts.mountPath (string), required

Path within the container at which the volume should be mounted. Must not contain ':'.

volumeMounts.name (string), required

This must match the Name of a Volume.

volumeMounts.mountPropagation (string)

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

volumeMounts.readOnly (boolean)

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

volumeMounts.subPath (string)

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

volumeMounts.subPathExpr (string)

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.
volumeDevices ([]VolumeDevice)

Patch strategy: merge on key devicePath

volumeDevices is the list of block devices to be used by the container.

volumeDevice describes a mapping of a raw block device within a container.
- volumeDevices.devicePath (string), required
  
  devicePath is the path inside of the container that the device will be mapped to.
- volumeDevices.name (string), required
  
  name must match the name of a persistentVolumeClaim in the pod

Lifecycle

terminationMessagePath (string)

Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.
terminationMessagePolicy (string)

Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.

Possible enum values:
- "FallbackToLogsOnError" will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.
- "File" is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.

Debugging

stdin (boolean)

Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.
stdinOnce (boolean)

Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false
tty (boolean)

Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.

Security context

securityContext (SecurityContext)

Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.

SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.
- securityContext.runAsUser (int64)
  
  The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
- securityContext.runAsNonRoot (boolean)
  
  Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
- securityContext.runAsGroup (int64)
  
  The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
- securityContext.readOnlyRootFilesystem (boolean)
  
  Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
- securityContext.procMount (string)
  
  procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
- securityContext.privileged (boolean)
  
  Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
- securityContext.allowPrivilegeEscalation (boolean)
  
  AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
- securityContext.capabilities (Capabilities)
  
  The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
  
  Adds and removes POSIX capabilities from running containers.
  - securityContext.capabilities.add ([]string)
    
    Added capabilities
  - securityContext.capabilities.drop ([]string)
    
    Removed capabilities
- securityContext.seccompProfile (SeccompProfile)
  
  The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
  
  SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
  - securityContext.seccompProfile.type (string), required
    
    type indicates which kind of seccomp profile will be applied. Valid options are:
    
    Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
    
    Possible enum values:
    - "Localhost" indicates a profile defined in a file on the node should be used. The file's location relative to <kubelet-root-dir>/seccomp.
    - "RuntimeDefault" represents the default container runtime seccomp profile.
    - "Unconfined" indicates no seccomp profile is applied (A.K.A. unconfined).
  - securityContext.seccompProfile.localhostProfile (string)
    
    localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
- securityContext.seLinuxOptions (SELinuxOptions)
  
  The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
  
  SELinuxOptions are the labels to be applied to the container
  - securityContext.seLinuxOptions.level (string)
    
    Level is SELinux level label that applies to the container.
  - securityContext.seLinuxOptions.role (string)
    
    Role is a SELinux role label that applies to the container.
  - securityContext.seLinuxOptions.type (string)
    
    Type is a SELinux type label that applies to the container.
  - securityContext.seLinuxOptions.user (string)
    
    User is a SELinux user label that applies to the container.
- securityContext.windowsOptions (WindowsSecurityContextOptions)
  
  The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
  
  WindowsSecurityContextOptions contain Windows-specific options and credentials.
  - securityContext.windowsOptions.gmsaCredentialSpec (string)
    
    GMSACredentialSpec is where the GMSA admission webhook (

Not allowed

ports ([]ContainerPort)

Patch strategy: merge on key containerPort

Map: unique values on keys containerPort, protocol will be kept during a merge

Ports are not allowed for ephemeral containers.

ContainerPort represents a network port in a single container.

ports.containerPort (int32), required

Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.

ports.hostIP (string)

What host IP to bind the external port to.

ports.hostPort (int32)

Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.

ports.name (string)

If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.

ports.protocol (string)

Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".

Possible enum values:

"SCTP" is the SCTP protocol.

"TCP" is the TCP protocol.

"UDP" is the UDP protocol.
resources (ResourceRequirements)

Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.

ResourceRequirements describes the compute resource requirements.
- resources.limits (map[string]
  Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- resources.requests (map[string]
  Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
lifecycle (Lifecycle)

Lifecycle is not allowed for ephemeral containers.

Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.
- lifecycle.postStart (
  PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info:
- lifecycle.preStop (
  PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info:

livenessProbe (
Probes are not allowed for ephemeral containers.

readinessProbe (
Probes are not allowed for ephemeral containers.

startupProbe (
Probes are not allowed for ephemeral containers.

LifecycleHandler

LifecycleHandler defines a specific action that should be taken in a lifecycle hook. One and only one of the fields, except TCPSocket must be specified.

exec (ExecAction)

Exec specifies the action to take.

ExecAction describes a "run in container" action.

exec.command ([]string)

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
httpGet (HTTPGetAction)

HTTPGet specifies the http request to perform.

HTTPGetAction describes an action based on HTTP Get requests.
- httpGet.port (IntOrString), required
  
  Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
  
  IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
- httpGet.host (string)
  
  Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
- httpGet.httpHeaders ([]HTTPHeader)
  
  Custom headers to set in the request. HTTP allows repeated headers.
  
  HTTPHeader describes a custom header to be used in HTTP probes
  - httpGet.httpHeaders.name (string), required
    
    The header field name
  - httpGet.httpHeaders.value (string), required
    
    The header field value
- httpGet.path (string)
  
  Path to access on the HTTP server.
- httpGet.scheme (string)
  
  Scheme to use for connecting to the host. Defaults to HTTP.
  
  Possible enum values:
  - "HTTP" means that the scheme used will be http://
  - "HTTPS" means that the scheme used will be https://
tcpSocket (TCPSocketAction)

Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.

TCPSocketAction describes an action based on opening a socket
- tcpSocket.port (IntOrString), required
  
  Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
  
  IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
- tcpSocket.host (string)
  
  Optional: Host name to connect to, defaults to the pod IP.

NodeAffinity

Node affinity is a group of node affinity scheduling rules.

preferredDuringSchedulingIgnoredDuringExecution ([]PreferredSchedulingTerm)

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.

An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
- preferredDuringSchedulingIgnoredDuringExecution.preference (NodeSelectorTerm), required
  
  A node selector term, associated with the corresponding weight.
  
  A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  - preferredDuringSchedulingIgnoredDuringExecution.preference.matchExpressions ([]
    A list of node selector requirements by node's labels.
  - preferredDuringSchedulingIgnoredDuringExecution.preference.matchFields ([]
    A list of node selector requirements by node's fields.

requiredDuringSchedulingIgnoredDuringExecution (NodeSelector)

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.

requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms ([]NodeSelectorTerm), required

Required. A list of node selector terms. The terms are ORed.

A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.

requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms.matchExpressions ([]
A list of node selector requirements by node's labels.

requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms.matchFields ([]
A list of node selector requirements by node's fields.

PodAffinity

Pod affinity is a group of inter pod affinity scheduling rules.

preferredDuringSchedulingIgnoredDuringExecution ([]WeightedPodAffinityTerm)

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm (PodAffinityTerm), required

Required. A pod affinity term, associated with the corresponding weight.

Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.topologyKey (string), required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.labelSelector (
A label query over a set of resources, in this case pods.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaceSelector (
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaces ([]string)

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"

preferredDuringSchedulingIgnoredDuringExecution.weight (int32), required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution ([]PodAffinityTerm)

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

requiredDuringSchedulingIgnoredDuringExecution.topologyKey (string), required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

requiredDuringSchedulingIgnoredDuringExecution.labelSelector (
A label query over a set of resources, in this case pods.

requiredDuringSchedulingIgnoredDuringExecution.namespaceSelector (
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.

requiredDuringSchedulingIgnoredDuringExecution.namespaces ([]string)

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"

PodAntiAffinity

Pod anti affinity is a group of inter pod anti affinity scheduling rules.

preferredDuringSchedulingIgnoredDuringExecution ([]WeightedPodAffinityTerm)

The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm (PodAffinityTerm), required

Required. A pod affinity term, associated with the corresponding weight.

Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.topologyKey (string), required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.labelSelector (
A label query over a set of resources, in this case pods.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaceSelector (
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.

preferredDuringSchedulingIgnoredDuringExecution.podAffinityTerm.namespaces ([]string)

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"

preferredDuringSchedulingIgnoredDuringExecution.weight (int32), required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

requiredDuringSchedulingIgnoredDuringExecution ([]PodAffinityTerm)

If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running

requiredDuringSchedulingIgnoredDuringExecution.topologyKey (string), required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

requiredDuringSchedulingIgnoredDuringExecution.labelSelector (
A label query over a set of resources, in this case pods.

requiredDuringSchedulingIgnoredDuringExecution.namespaceSelector (
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.

requiredDuringSchedulingIgnoredDuringExecution.namespaces ([]string)

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"

Probe

Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.

exec (ExecAction)

Exec specifies the action to take.

ExecAction describes a "run in container" action.

exec.command ([]string)

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
httpGet (HTTPGetAction)

HTTPGet specifies the http request to perform.

HTTPGetAction describes an action based on HTTP Get requests.
- httpGet.port (IntOrString), required
  
  Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
  
  IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
- httpGet.host (string)
  
  Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.
- httpGet.httpHeaders ([]HTTPHeader)
  
  Custom headers to set in the request. HTTP allows repeated headers.
  
  HTTPHeader describes a custom header to be used in HTTP probes
  - httpGet.httpHeaders.name (string), required
    
    The header field name
  - httpGet.httpHeaders.value (string), required
    
    The header field value
- httpGet.path (string)
  
  Path to access on the HTTP server.
- httpGet.scheme (string)
  
  Scheme to use for connecting to the host. Defaults to HTTP.
  
  Possible enum values:
  - "HTTP" means that the scheme used will be http://
  - "HTTPS" means that the scheme used will be https://
tcpSocket (TCPSocketAction)

TCPSocket specifies an action involving a TCP port.

TCPSocketAction describes an action based on opening a socket
- tcpSocket.port (IntOrString), required
  
  Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
  
  IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
- tcpSocket.host (string)
  
  Optional: Host name to connect to, defaults to the pod IP.
initialDelaySeconds (int32)

Number of seconds after the container has started before liveness probes are initiated. More info:

terminationGracePeriodSeconds (int64)

Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.

periodSeconds (int32)

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

timeoutSeconds (int32)

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info:

failureThreshold (int32)

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

successThreshold (int32)

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

grpc (GRPCAction)

GRPC specifies an action involving a GRPC port. This is an alpha field and requires enabling GRPCContainerProbe feature gate.

**

grpc.port (int32), required

Port number of the gRPC service. Number must be in the range 1 to 65535.

grpc.service (string)

Service is the name of the service to place in the gRPC HealthCheckRequest (see
If this is not specified, the default behavior is defined by gRPC.

PodStatus

PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.

nominatedNodeName (string)

nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.

hostIP (string)

IP address of the host to which the pod is assigned. Empty if not yet scheduled.

startTime (Time)

RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
phase (string)

The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:

Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.

More info:
Possible enum values:
- "Failed" means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).
- "Pending" means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.
- "Running" means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.
- "Succeeded" means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.
- "Unknown" means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)

message (string)

A human readable message indicating details about why the pod is in this condition.

reason (string)

A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'

podIP (string)

IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.

podIPs ([]PodIP)

Patch strategy: merge on key ip

podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.

IP address information for entries in the (plural) PodIPs field. Each entry includes: IP: An IP address allocated to the pod. Routable at least within the cluster.

podIPs.ip (string)

ip is an IP address (IPv4 or IPv6) assigned to the pod
conditions ([]PodCondition)

Patch strategy: merge on key type

Current service state of pod. More info:
PodCondition contains details for the current condition of this pod.
- conditions.status (string), required
  
  Status is the status of the condition. Can be True, False, Unknown. More info:
- conditions.type (string), required
  
  Type is the type of the condition. More info:
  Possible enum values:
  
  "ContainersReady" indicates whether all containers in the pod are ready.
  
  "Initialized" means that all init containers in the pod have started successfully.
  
  "PodScheduled" represents status of the scheduling process for this pod.
  
  "Ready" means the pod is able to service requests and should be added to the load balancing pools of all matching services.
- conditions.lastProbeTime (Time)
  
  Last time we probed the condition.
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
- conditions.lastTransitionTime (Time)
  
  Last time the condition transitioned from one status to another.
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
- conditions.message (string)
  
  Human-readable message indicating details about last transition.
- conditions.reason (string)
  
  Unique, one-word, CamelCase reason for the condition's last transition.
qosClass (string)

The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info:
Possible enum values:
- "BestEffort" is the BestEffort qos class.
- "Burstable" is the Burstable qos class.
- "Guaranteed" is the Guaranteed qos class.

initContainerStatuses ([]ContainerStatus)

The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info:
ContainerStatus contains details for the current status of this container.

initContainerStatuses.name (string), required

This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.

initContainerStatuses.image (string), required

The image the container is running. More info:

initContainerStatuses.imageID (string), required

ImageID of the container's image.

initContainerStatuses.containerID (string)

Container's ID in the format 'docker://<container_id>'.

initContainerStatuses.state (ContainerState)

Details about the container's current condition.

ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

initContainerStatuses.state.running (ContainerStateRunning)

Details about a running container

ContainerStateRunning is a running state of a container.

initContainerStatuses.state.running.startedAt (Time)

Time at which the container was last (re-)started

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.state.terminated (ContainerStateTerminated)

Details about a terminated container

ContainerStateTerminated is a terminated state of a container.

initContainerStatuses.state.terminated.containerID (string)

Container's ID in the format 'docker://<container_id>'

initContainerStatuses.state.terminated.exitCode (int32), required

Exit status from the last termination of the container

initContainerStatuses.state.terminated.startedAt (Time)

Time at which previous execution of the container started

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.state.terminated.finishedAt (Time)

Time at which the container last terminated

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.state.terminated.message (string)

Message regarding the last termination of the container

initContainerStatuses.state.terminated.reason (string)

(brief) reason from the last termination of the container

initContainerStatuses.state.terminated.signal (int32)

Signal from the last termination of the container

initContainerStatuses.state.waiting (ContainerStateWaiting)

Details about a waiting container

ContainerStateWaiting is a waiting state of a container.

initContainerStatuses.state.waiting.message (string)

Message regarding why the container is not yet running.

initContainerStatuses.state.waiting.reason (string)

(brief) reason the container is not yet running.

initContainerStatuses.lastState (ContainerState)

Details about the container's last termination condition.

ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.

initContainerStatuses.lastState.running (ContainerStateRunning)

Details about a running container

ContainerStateRunning is a running state of a container.

initContainerStatuses.lastState.running.startedAt (Time)

Time at which the container was last (re-)started

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.lastState.terminated (ContainerStateTerminated)

Details about a terminated container

ContainerStateTerminated is a terminated state of a container.

initContainerStatuses.lastState.terminated.containerID (string)

Container's ID in the format 'docker://<container_id>'

initContainerStatuses.lastState.terminated.exitCode (int32), required

Exit status from the last termination of the container

initContainerStatuses.lastState.terminated.startedAt (Time)

Time at which previous execution of the container started

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.lastState.terminated.finishedAt (Time)

Time at which the container last terminated

Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

initContainerStatuses.lastState.terminated.message (string)

Message regarding the last termination of the container

initContainerStatuses.lastState.terminated.reason (string)

(brief) reason from the last termination of the container

initContainerStatuses.lastState.terminated.signal (int32)

Signal from the last termination of the container

initContainerStatuses.lastState.waiting (ContainerStateWaiting)

Details about a waiting container

ContainerStateWaiting is a waiting state of a container.

initContainerStatuses.lastState.waiting.message (string)

Message regarding why the container is not yet running.

initContainerStatuses.lastState.waiting.reason (string)

(brief) reason the container is not yet running.

initContainerStatuses.ready (boolean), required

Specifies whether the container has passed its readiness probe.

initContainerStatuses.restartCount (int32), required

The number of times the container has been restarted.

initContainerStatuses.started (boolean)

Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.
containerStatuses ([]ContainerStatus)

The list has one entry per container in the manifest. Each entry is currently the output of docker inspect. More info:
ContainerStatus contains details for the current status of this container.
- containerStatuses.name (string), required
  
  This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.
- containerStatuses.image (string), required
  
  The image the container is running. More info:
- containerStatuses.state (ContainerState)
  
  Details about the container's current condition.
  
  ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.
  
  containerStatuses.state.running (ContainerStateRunning)
  
  Details about a running container
  
  ContainerStateRunning is a running state of a container.
  
  containerStatuses.state.running.startedAt (Time)
  
  Time at which the container was last (re-)started
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  containerStatuses.state.terminated (ContainerStateTerminated)
  
  Details about a terminated container
  
  ContainerStateTerminated is a terminated state of a container.
  
  containerStatuses.state.terminated.containerID (string)
  
  Container's ID in the format 'docker://<container_id>'
  
  containerStatuses.state.terminated.exitCode (int32), required
  
  Exit status from the last termination of the container
  
  containerStatuses.state.terminated.startedAt (Time)
  
  Time at which previous execution of the container started
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  containerStatuses.state.terminated.finishedAt (Time)
  
  Time at which the container last terminated
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  containerStatuses.state.terminated.message (string)
  
  Message regarding the last termination of the container
  
  containerStatuses.state.terminated.reason (string)
  
  (brief) reason from the last termination of the container
  
  containerStatuses.state.terminated.signal (int32)
  
  Signal from the last termination of the container
  
  containerStatuses.state.waiting (ContainerStateWaiting)
  
  Details about a waiting container
  
  ContainerStateWaiting is a waiting state of a container.
  
  containerStatuses.state.waiting.message (string)
  
  Message regarding why the container is not yet running.
  
  containerStatuses.state.waiting.reason (string)
  
  (brief) reason the container is not yet running.
- containerStatuses.lastState (ContainerState)
  
  Details about the container's last termination condition.
  
  ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.
  - containerStatuses.lastState.running (ContainerStateRunning)
    
    Details about a running container
    
    ContainerStateRunning is a running state of a container.
    - containerStatuses.lastState.running.startedAt (Time)
      
      Time at which the container was last (re-)started
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  - containerStatuses.lastState.terminated (ContainerStateTerminated)
    
    Details about a terminated container
    
    ContainerStateTerminated is a terminated state of a container.
    - containerStatuses.lastState.terminated.containerID (string)
      
      Container's ID in the format 'docker://<container_id>'
    - containerStatuses.lastState.terminated.exitCode (int32), required
      
      Exit status from the last termination of the container
    - containerStatuses.lastState.terminated.startedAt (Time)
      
      Time at which previous execution of the container started
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
    - containerStatuses.lastState.terminated.finishedAt (Time)
      
      Time at which the container last terminated
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
    - containerStatuses.lastState.terminated.message (string)
      
      Message regarding the last termination of the container
    - containerStatuses.lastState.terminated.reason (string)
      
      (brief) reason from the last termination of the container
    - containerStatuses.lastState.terminated.signal (int32)
      
      Signal from the last termination of the container
  - containerStatuses.lastState.waiting (ContainerStateWaiting)
    
    Details about a waiting container
    
    ContainerStateWaiting is a waiting state of a container.
    - containerStatuses.lastState.waiting.message (string)
      
      Message regarding why the container is not yet running.
    - containerStatuses.lastState.waiting.reason (string)
      
      (brief) reason the container is not yet running.
- containerStatuses.ready (boolean), required
  
  Specifies whether the container has passed its readiness probe.
- containerStatuses.restartCount (int32), required
  
  The number of times the container has been restarted.
- containerStatuses.started (boolean)
  
  Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.
ephemeralContainerStatuses ([]ContainerStatus)

Status for any ephemeral containers that have run in this pod. This field is beta-level and available on clusters that haven't disabled the EphemeralContainers feature gate.

ContainerStatus contains details for the current status of this container.
- ephemeralContainerStatuses.name (string), required
  
  This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.
- ephemeralContainerStatuses.image (string), required
  
  The image the container is running. More info:
- ephemeralContainerStatuses.state (ContainerState)
  
  Details about the container's current condition.
  
  ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.
  
  ephemeralContainerStatuses.state.running (ContainerStateRunning)
  
  Details about a running container
  
  ContainerStateRunning is a running state of a container.
  
  ephemeralContainerStatuses.state.running.startedAt (Time)
  
  Time at which the container was last (re-)started
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  ephemeralContainerStatuses.state.terminated (ContainerStateTerminated)
  
  Details about a terminated container
  
  ContainerStateTerminated is a terminated state of a container.
  
  ephemeralContainerStatuses.state.terminated.containerID (string)
  
  Container's ID in the format 'docker://<container_id>'
  
  ephemeralContainerStatuses.state.terminated.exitCode (int32), required
  
  Exit status from the last termination of the container
  
  ephemeralContainerStatuses.state.terminated.startedAt (Time)
  
  Time at which previous execution of the container started
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  ephemeralContainerStatuses.state.terminated.finishedAt (Time)
  
  Time at which the container last terminated
  
  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  
  ephemeralContainerStatuses.state.terminated.message (string)
  
  Message regarding the last termination of the container
  
  ephemeralContainerStatuses.state.terminated.reason (string)
  
  (brief) reason from the last termination of the container
  
  ephemeralContainerStatuses.state.terminated.signal (int32)
  
  Signal from the last termination of the container
  
  ephemeralContainerStatuses.state.waiting (ContainerStateWaiting)
  
  Details about a waiting container
  
  ContainerStateWaiting is a waiting state of a container.
  
  ephemeralContainerStatuses.state.waiting.message (string)
  
  Message regarding why the container is not yet running.
  
  ephemeralContainerStatuses.state.waiting.reason (string)
  
  (brief) reason the container is not yet running.
- ephemeralContainerStatuses.lastState (ContainerState)
  
  Details about the container's last termination condition.
  
  ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.
  - ephemeralContainerStatuses.lastState.running (ContainerStateRunning)
    
    Details about a running container
    
    ContainerStateRunning is a running state of a container.
    - ephemeralContainerStatuses.lastState.running.startedAt (Time)
      
      Time at which the container was last (re-)started
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
  - ephemeralContainerStatuses.lastState.terminated (ContainerStateTerminated)
    
    Details about a terminated container
    
    ContainerStateTerminated is a terminated state of a container.
    - ephemeralContainerStatuses.lastState.terminated.containerID (string)
      
      Container's ID in the format 'docker://<container_id>'
    - ephemeralContainerStatuses.lastState.terminated.exitCode (int32), required
      
      Exit status from the last termination of the container
    - ephemeralContainerStatuses.lastState.terminated.startedAt (Time)
      
      Time at which previous execution of the container started
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
    - ephemeralContainerStatuses.lastState.terminated.finishedAt (Time)
      
      Time at which the container last terminated
      
      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
    - ephemeralContainerStatuses.lastState.terminated.message (string)
      
      Message regarding the last termination of the container
    - ephemeralContainerStatuses.lastState.terminated.reason (string)
      
      (brief) reason from the last termination of the container
    - ephemeralContainerStatuses.lastState.terminated.signal (int32)
      
      Signal from the last termination of the container
  - ephemeralContainerStatuses.lastState.waiting (ContainerStateWaiting)
    
    Details about a waiting container
    
    ContainerStateWaiting is a waiting state of a container.
    - ephemeralContainerStatuses.lastState.waiting.message (string)
      
      Message regarding why the container is not yet running.
    - ephemeralContainerStatuses.lastState.waiting.reason (string)
      
      (brief) reason the container is not yet running.
- ephemeralContainerStatuses.ready (boolean), required
  
  Specifies whether the container has passed its readiness probe.
- ephemeralContainerStatuses.restartCount (int32), required
  
  The number of times the container has been restarted.
- ephemeralContainerStatuses.started (boolean)
  
  Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.

PodList

PodList is a list of Pods.

items ([]
List of pods. More info:

apiVersion (string)

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:

kind (string)

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:

metadata (
Standard list metadata. More info:

Operations

`get` read the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}

Parameters

name (in path): string, required

name of the Pod

namespace (in path): string, required

pretty (in query): string

Response

200 (

401: Unauthorized

`get` read ephemeralcontainers of the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}/ephemeralcontainers

Parameters

name (in path): string, required

name of the Pod

namespace (in path): string, required

pretty (in query): string

Response

200 (

401: Unauthorized

`get` read log of the specified Pod

HTTP Request

GET /api/v1/namespaces/{namespace}/pods/{name}/log

Parameters

name (in path): string, required

name of the Pod

namespace (in path): string, required

container (in query): string

The container for which to stream logs. Defaults to only container if there is one container in the pod.

follow (in query): boolean

Follow the log stream of the pod. Defaults to false.

insecureSkipTLSVerifyBackend (in query): boolean

insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet).

limitBytes (in query): integer

If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit.

pretty (in query): string

previous (in query): boolean

Return previous terminated container logs. Defaults to false.

sinceSeconds (in query): integer

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.

tailLines (in query): integer

If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime