OpenShift Enterprise leverages the Kubernetes concept of a pod, which is one or
more containers deployed
together on one host, and the smallest compute unit that can be defined,
deployed, and managed.
Pods are the rough equivalent of OpenShift Enterprise v2 gears, with containers
the rough equivalent of v2 cartridge instances. Each pod is allocated
its own internal IP address, therefore owning its entire port space,
and containers within pods can share their local storage and networking.
Pods have a lifecycle; they are defined, then they are assigned to run on
a node, then they run until their container(s) exit or they are removed
for some other reason. Pods, depending on policy and exit code, may be
removed after exiting, or may be retained to enable access to
the logs of their containers.
OpenShift Enterprise treats pods as largely immutable; changes cannot be made to
a pod definition while it is running. OpenShift Enterprise implements changes by
terminating an existing pod and recreating it with modified configuration,
base image(s), or both. Pods are also treated as expendable, and do not
maintain state when recreated. Therefore manage pods with higher-level controllers,
rather than directly by users.
The following example definition of a pod provides a long-running service, which is actually a part of the OpenShift Enterprise infrastructure: the
private Docker registry. It demonstrates many features of pods, most of
which are discussed in other topics and thus only briefly mentioned here.
Pod object definition example
apiVersion: v1
kind: Pod
metadata:
annotations: { ... }
labels: (1)
deployment: docker-registry-1
deploymentconfig: docker-registry
docker-registry: default
generateName: docker-registry-1- (2)
spec:
containers: (3)
- env: (4)
- name: OPENSHIFT_CA_DATA
value: ...
- name: OPENSHIFT_CERT_DATA
value: ...
- name: OPENSHIFT_INSECURE
value: "false"
- name: OPENSHIFT_KEY_DATA
value: ...
- name: OPENSHIFT_MASTER
value: https://master.example.com:8443
image: openshift/origin-docker-registry:v0.6.2 (5)
imagePullPolicy: IfNotPresent
name: registry
ports: (6)
- containerPort: 5000
protocol: TCP
resources: {}
securityContext: { ... } (7)
volumeMounts: (8)
- mountPath: /registry
name: registry-storage
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-br6yz
readOnly: true
dnsPolicy: ClusterFirst
imagePullsecrets:
- name: default-dockercfg-at06w
restartPolicy: Always
serviceAccount: default (9)
volumes: (10)
- emptyDir: {}
name: registry-storage
- name: default-token-br6yz
secret:
secretName: default-token-br6yz
1 |
Pods can be "tagged" with one or more labels, which can then
be used to select and manage groups of pods in a single operation. The labels
are stored in key-value format in the metadata hash. One label in this
example is docker-registry=default. |
2 |
Pods must have a unique name within their
namespace. A pod definition may specify
the basis of a name with the generateName attribute and random characters
will be added automatically to generate a unique name. |
3 |
containers specifies an array of container definitions; in this case (as
with most), just one. |
4 |
Environment variables can be specified to pass necessary values to each
container. |
5 |
Each container in the pod is instantiated from its own
Docker image. |
6 |
The container can bind to ports which will be made available on the pod’s
IP. |
7 |
OpenShift Enterprise defines a
security
context for containers which specifies whether they are allowed to run as
privileged containers, run as a user of their choice, and more. The default
context is very restrictive but administrators can modify this as needed. |
8 |
The container specifies where external storage volumes should be mounted
within the container. In this case, there is a volume for storing the registry’s
data, and one for access to credentials the registry needs for making requests
against the OpenShift Enterprise API. |
9 |
Pods making requests against the OpenShift Enterprise API is a common enough pattern that there is a serviceAccount field for specifying which
service account user the pod should
authenticate as when making the requests. This enables fine-grained access
control for custom infrastructure components. |
10 |
The pod defines storage volumes that are available to its container(s) to
use. In this case, it provides an ephemeral volume for the registry storage and
a secret volume containing the service account credentials. |
|
This pod definition does not include attributes that
are filled by OpenShift Enterprise automatically after the pod is created and
its lifecycle begins. The
Kubernetes API documentation
has complete details of the pod REST API object attributes, and the
Kubernetes pod documentation
has details about the functionality and purpose of pods.
|