Pod
Pods are immutable: you cannot run `k apply` or `k replace` on them. You have to delete them first.
A pod is ready if its readiness probe is passing. It can be running before it is ready.
Editing a pod
Use the `kubectl edit pod <pod-name>` command. Please note that only the properties listed below are editable.
spec.containers[*].image
spec.initContainers[*].image
spec.activeDeadlineSeconds
spec.tolerations
spec.terminationGracePeriodSeconds
Docker Tip
The Docker ENTRYPOINT always runs, unless it is overridden with --entrypoint.
CMD is appended to the ENTRYPOINT if one exists, and can be replaced by the trailing arguments of the docker command.
Pod Manifest
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper-pod
  labels:
    app:
    function:
spec:
  securityContext: # There are no capabilities at pod level
    runAsUser: 1000
    runAsGroup: 3000
  nodeSelector:
    app: ubuntu-sleeper-app # any label on the node
    kubernetes.io/hostname: controlplane # node01 etc...
  containers:
    - name: ubuntu-sleeper
      image: ubuntu-sleeper
      command: ["sleep", "3600"] # Corresponds to Entrypoint
      # OR
      # command:
      #   - sleep
      #   - "3600"
      # OR
      # command: ["sleep"]
      # args: ["3600"] # Passed onto command
      # OR
      # command: ["sh", "-c", "sleep 3600"]
      # OR
      # command:
      #   - sh
      #   - -c
      #   - sleep 3600
      env:
        - name: APP_COLOR
          value: "blue"
        - name: DB_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DB_HOST
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: DB_PASSWORD
      securityContext: # Container level! Important.
        runAsUser: 1000
        runAsGroup: 3000
        allowPrivilegeEscalation: false # Prevents privilege escalation
        privileged: false # Ensures the container is not privileged
        readOnlyRootFilesystem: true # Makes the root filesystem read-only
        capabilities: # Only container level!
          add: ["SYS_TIME"]
          drop:
            - ALL # Drops all Linux capabilities
        runAsNonRoot: true # Ensures the container does not run as root
      readinessProbe:
        httpGet: # or tcpSocket.port: | exec.command:
          path: /health
          port: 8080
        initialDelaySeconds: 10
        periodSeconds: 5
        failureThreshold: 8
      # livenessProbe:
      #   ...similar to readiness...
  restartPolicy: Never
  initContainers:
    - name: init-myservice # Multiple init containers run sequentially
      image: busybox
      command: ['sh', '-c', 'git clone <some-repository-that-will-be-used-by-application> ;']
```
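An added example, not part of the original notes: a small Python audit that checks every container and init container of a Pod for the container-level hardening fields used in the manifest above. The function name `audit_pod` and the sample dict are constructed for illustration; the only inheritance assumed is that container-level `runAsUser` and `runAsNonRoot` override the pod-level values.

```python
# Added example: audit a Pod (as a dict) for container-level hardening.
CONTAINER_ONLY = ("allowPrivilegeEscalation", "privileged",
                  "readOnlyRootFilesystem", "capabilities")

def audit_pod(pod):
    """Return a sorted list of 'container: finding' strings."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # These fields do not exist in the pod-level securityContext.
    for field in CONTAINER_ONLY:
        if field in pod_sc:
            findings.append(f"<pod>: {field} is container-level only")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # runAsUser / runAsNonRoot fall back to the pod level when unset.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        caps = sc.get("capabilities") or {}
        checks = [
            (non_root is not True, "runAsNonRoot is not true"),
            (uid == 0, "runAsUser is 0 (root)"),
            (sc.get("allowPrivilegeEscalation") is not False,
             "allowPrivilegeEscalation is not false"),
            (sc.get("privileged") is True, "privileged is true"),
            (sc.get("readOnlyRootFilesystem") is not True,
             "readOnlyRootFilesystem is not true"),
            ("ALL" not in caps.get("drop", []), "capabilities.drop lacks ALL"),
        ]
        findings += [f"{c['name']}: {msg}" for bad, msg in checks if bad]
        for cap in caps.get("add", []):
            findings.append(f"{c['name']}: adds capability {cap}")
    return sorted(findings)

# Constructed sample: the security-relevant fields of the manifest above.
HARDENED = {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True,
            "allowPrivilegeEscalation": False, "privileged": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"add": ["SYS_TIME"], "drop": ["ALL"]}}
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000},
    "containers": [{"name": "ubuntu-sleeper", "securityContext": HARDENED}],
    "initContainers": [{"name": "init-myservice"}],  # no securityContext
}}

if __name__ == "__main__":
    print("\n".join(audit_pod(SAMPLE_POD)))
```

On the sample, the init container is flagged because it has no securityContext of its own, so it picks up only the pod-level runAsUser and runAsGroup and none of the container-level hardening.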
Pod Conditions
- PodScheduled
- Initialized
- ContainersReady
- Ready
Dockerfile → K8s Cmd & Args Mapping
🔄 Mapping Summary
| Dockerfile Directive | Kubernetes Field |
| -------------------- | ---------------- |
| `ENTRYPOINT` | `command` |
| `CMD` | `args` |