OKD leverages the Kubernetes concept of a pod, which is one or more containers deployed
together on one host, and the smallest compute unit that can be defined,
deployed, and managed.
Pods are the rough equivalent of a machine instance (physical or virtual) to a container. Each pod is allocated its own internal IP address, therefore owning its entire port space, and containers within pods can share their local storage and networking.
Pods have a lifecycle; they are defined, then they are assigned to run on
a node, then they run until their container(s) exit or they are removed
for some other reason. Pods, depending on policy and exit code, may be
removed after exiting, or may be retained in order to enable access to
the logs of their containers.
OKD treats pods as largely immutable; changes cannot be made to
a pod definition while it is running. OKD implements changes by
terminating an existing pod and recreating it with modified configuration,
base image(s), or both. Pods are also treated as expendable, and do not
maintain state when recreated. Therefore pods should usually be managed by
higher-level controllers,
rather than directly by users.
|
The recommended maximum number of pods per OKD node host is 110.
|
Below is an example definition of a pod that provides a long-running
service, which is actually a part of the OKD infrastructure: the
integrated container registry. It demonstrates many features of pods, most of
which are discussed in other topics and thus only briefly mentioned here:
Example 1. Pod Object Definition (YAML)
apiVersion: v1
kind: Pod
metadata:
annotations: { ... }
labels: (1)
deployment: docker-registry-1
deploymentconfig: docker-registry
docker-registry: default
generateName: docker-registry-1- (2)
spec:
containers: (3)
- env: (4)
- name: OPENSHIFT_CA_DATA
value: ...
- name: OPENSHIFT_CERT_DATA
value: ...
- name: OPENSHIFT_INSECURE
value: "false"
- name: OPENSHIFT_KEY_DATA
value: ...
- name: OPENSHIFT_MASTER
value: https://master.example.com:8443
image: openshift/origin-docker-registry:v0.6.2 (5)
imagePullPolicy: IfNotPresent
name: registry
ports: (6)
- containerPort: 5000
protocol: TCP
resources: {}
securityContext: { ... } (7)
volumeMounts: (8)
- mountPath: /registry
name: registry-storage
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-br6yz
readOnly: true
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: default-dockercfg-at06w
restartPolicy: Always (9)
serviceAccount: default (10)
volumes: (11)
- emptyDir: {}
name: registry-storage
- name: default-token-br6yz
secret:
secretName: default-token-br6yz
1 |
Pods can be "tagged" with one or more labels, which can then
be used to select and manage groups of pods in a single operation. The labels
are stored in key/value format in the metadata hash. One label in this
example is docker-registry=default. |
2 |
Pods must have a unique name within their
namespace. A pod definition may specify
the basis of a name with the generateName attribute, and random characters
will be added automatically to generate a unique name. |
3 |
containers specifies an array of container definitions; in this case (as
with most), just one. |
4 |
Environment variables can be specified to pass necessary values to each
container. |
5 |
Each container in the pod is instantiated from its own
Docker-formatted container image. |
6 |
The container can bind to ports which will be made available on the pod’s
IP. |
7 |
OKD defines a
security
context
for containers which specifies whether they are allowed to run as
privileged containers, run as a user of their choice, and more. The default
context is very restrictive but administrators can modify this as needed. |
8 |
The container specifies where external storage volumes should be mounted
within the container. In this case, there is a volume for storing the registry’s
data, and one for access to credentials the registry needs for making requests
against the OKD API. |
9 |
The pod restart policy with possible values Always , OnFailure , and Never . The default value is Always . |
10 |
Pods making requests against the OKD API is a common enough pattern
that there is a serviceAccount field for specifying which
service account user the pod should
authenticate as when making the requests. This enables fine-grained access
control for custom infrastructure components. |
11 |
The pod defines storage volumes that are available to its container(s) to
use. In this case, it provides an ephemeral volume for the registry storage and
a secret volume containing the service account credentials. |
|
This pod definition does not include attributes that
are filled by OKD automatically after the pod is created and
its lifecycle begins. The
Kubernetes API documentation
has complete details of the pod REST API object attributes, and the
Kubernetes pod documentation
has details about the functionality and purpose of pods.
|
Pod Restart Policy
A pod restart policy determines how OKD responds when containers in that pod exit.
The policy applies to all containers in that pod.
-
Always
- Tries restarting a successfully exited container on the pod continuously, with an exponential back-off delay (10s, 20s, 40s) until the pod is restarted. The default is Always
.
-
OnFailure
- Tries restarting a failed container on the pod with an exponential back-off delay (10s, 20s, 40s) capped at 5 minutes.
-
Never
- Does not try to restart exited or failed containers on the pod. Pods immediately fail and exit.
Once bound to a node, a pod will never be bound to another node. This means that a controller is necessary in order for a pod to survive node failure:
Condition |
Controller Type |
Restart Policy |
Pods that are expected to terminate (such as batch computations) |
Job |
OnFailure or Never
|
Pods that are expected to not terminate (such as web servers) |
Replication Controller |
Always .
|
Pods that need to run one-per-machine |
Daemonset |
Any |
If a container on a pod fails and the restart policy is set to OnFailure
, the pod stays on the node and the container is restarted. If you do not want the container to
restart, use a restart policy of Never
.
If an entire pod fails, OKD starts a new pod. Developers need to address the possibility that applications might be restarted in a new pod. In particular,
applications need to handle temporary files, locks, incomplete output, and so forth caused by previous runs.
For details on how OKD uses restart policy with failed containers, see
the Example States in the Kubernetes documentation.