Injecting Information into Pods Using Pod Presets

    You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see

    A pod preset is an object that injects user-specified information into pods as they are created.

    Using pod preset objects you can inject:

    Developers only need make sure the pod labels match the label selector on the PodPreset in order to add all that information to the pod. The on a pod associates the pod with one or more pod preset objects that have a matching label selectors.

    Using pod presets, a developer can provision pods without needing to know the details about the services the pod will consume. An administrator can keep configuration items of a service invisible from a developer without preventing the developer from deploying pods. For example, an administrator can create a pod preset that provides the name, user name, and password for a database through a secret and the database port through environment variables. The pod developer only needs to know the label to use to include all the information in pods. A developer can also create pod presets and perform all the same tasks. For example, the developer can create a preset that injects environment variable automatically into multiple pods.

    When a pod preset is applied to a pod, OKD modifies the pod specification, adding the injectable data and annotating the pod spec to show that it was modified by a pod preset. The annotation is of the form:

    In order to use pod presets in your cluster:

    • The pod preset author must enable the API type settings.k8s.io/v1alpha1/podpreset through the pod preset and add injectable information to the pod preset.

    If the pod creation encounters an error, the pod is created without any injected resources from the pod preset.

    You can exclude specific pods from being altered by any pod preset mutations using the podpreset.admission.kubernetes.io/exclude: "true" parameter in the pod specification. See the below.

    The Pod Preset feature is available only if the Service Catalog has been installed.

    Sample pod preset object

    1. kind: PodPreset
    2. apiVersion: settings.k8s.io/v1alpha1 (1)
    3. metadata:
    4.   name: allow-database (2)
    5. spec:
    6.   selector:
    7.     matchLabels:
    8.       role: frontend (3)
    9.   env:
    10.     - name: DB_PORT (4)
    11.       value: "6379" (4)
    12.   envFrom:
    13.     - configMapRef: (5)
    14.       name: etcd-env-config
    15.     - secretKeyRef: (6)
    16.       name: test-secret
    17.   volumeMounts: (7)
    18.     - mountPath: /cache
    19.       name: cache-volume
    20.   volumes: (8)
    21.     - name: cache-volume
    22.       emptyDir: {}
    1Specify the settings.k8s.io/v1alpha1 API.
    2Name of the pod preset. This name is used in the pod annotation.
    3A label selector that matches the label in the pod specification.
    4Creates an environment variable to pass to the container.
    5Adds a ConfigMap to the pod specification.
    6Adds a secrets object to the pod specification.
    7Specifies where external storage volumes should be mounted within the container.
    8Defines storage volumes that are available to the container(s).

    Sample pod specification

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4.   name: website
    5.   labels:
    6.     app: website
    7.     role: frontend (1)
    8. spec:
    9.   containers:
    10.     - name: website
    11.       image: ecorp/website
    12.       ports:
    13.         - containerPort: 80

    Sample pod specification after a pod preset

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4.   name: website
    5.   labels:
    6.     app: website
    7.     role: frontend
    8.   annotations:
    9.     podpreset.admission.kubernetes.io/allow-database: "resource version" (1)
    10. spec:
    11.   containers:
    12.     - name: website
    13.       image: ecorp/website
    14.       volumeMounts: (2)
    15.         - mountPath: /cache
    16.           name: cache-volume
    17.       ports:
    18.         - containerPort: 80
    19.       env: (3)
    20.         - name: DB_PORT
    21.           value: "6379"
    22.       envFrom: (4)
    23.         - configMapRef:
    24.           name: etcd-env-config
    25.         - secretKeyRef:
    26.           name: test-secret
    27.   volumes: (5)
    28.     - name: cache-volume
    1The annotation added to show a pod preset was injected, if the pod specification was not configured to prevent the modification.
    2The volume mount is added to the pod.
    3The environment variable is added to the pod.
    4The ConfigMap and secrets object added to the pod.
    5The volume mount is added to the pod.

    Sample pod specification to exclude the pod from pod preset

    2. kind: Pod
    3. metadata:
    4.   name: no-podpreset
    5.   labels:
    6.     app: website
    7.     role: frontend
    8.   annotations:
    9.     podpreset.admission.kubernetes.io/exclude: "true" (1)
    10. spec:
    11.   containers:
    12.     - name: hello-pod
    13.       image: docker.io/ocpqe/hello-pod
    1Add this parameter to prevent this pod from being injected by the pod preset feature.

    The following example demonstrates how to create and use pod presets.

    Add the Admission Controller

    An administrator can check the /etc/origin/master/master-config.yaml file to make sure the pod preset admission controller plug-in is present. If the admission controller is not present, add the plug-in using the following:

    1. admissionConfig:
    2.   pluginConfig:
    3.     PodPreset:
    4.       configuration:
    5.         kind: DefaultAdmissionConfig
    6.         apiVersion: v1
    7.         disable: false

    Then, restart the OKD services:

    Create the Pod Preset

    1. kind: PodPreset
    2. apiVersion: settings.k8s.io/v1alpha1
    3. metadata:
    4.   name: allow-database
    5. spec:
    6.   selector:
    7.     matchLabels:
    8.       role: frontend
    9.   env:
    10.     - name: DB_PORT
    11.       value: "6379"
    12.   volumeMounts:
    13.     - mountPath: /cache
    14.       name: cache-volume
    15.   volumes:
    16.     - name: cache-volume
    17.       emptyDir: {}

    Create the Pod

    The developer creates the pod with a label that matches the label selector in the pod preset:

    1. Create a standard pod specification with a label that matches the label selector in the pod preset:

      1. apiVersion: v1
      2. kind: Pod
      3. metadata:
      4.   name: website
      5.   labels:
      6.     app: website
      7.     role: frontend
      8. spec:
      9.   containers:
      10.     - name: website
      11.       image: ecorp/website
      12.       ports:
      13.         - containerPort: 80

    2. Create the pod:

      1. $ oc create -f pod.yaml

    3. Check the pod spec after creation:

      1. $ oc get pod website -o yaml
      3. apiVersion: v1
      4. kind: Pod
      5. metadata:
      6.   name: website
      7.   labels:
      8.     app: website
      9.     role: frontend
      10.   annotations:
      11.     podpreset.admission.kubernetes.io/allow-database: "resource version" (1)
      12. spec:
      13.   containers:
      14.     - name: website
      15.       image: ecorp/website
      16.       volumeMounts: (1)
      17.         - mountPath: /cache
      18.           name: cache-volume
      20.         - containerPort: 80
      21.         - name: DB_PORT
      22.           value: "6379"
      23.   volumes:
      24.     - name: cache-volume
      25.       emptyDir: {}

    You can use multiple pod presets to inject multiple pod injection policies.

    • Make sure the is enabled.

    • Create a pod preset, similar to the following, with environment variables, mount points, and/or storage volumes:

      1. kind: PodPreset
      2. apiVersion: settings.k8s.io/v1alpha1
      3. metadata:
      4.   name: allow-database
      5. spec:
      6.   selector:
      7.     matchLabels:
      8.       role: frontend (1)
      9.   env:
      10.     - name: DB_PORT
      11.       value: "6379"
      12.   volumeMounts:
      13.     - mountPath: /cache
      14.       name: cache-volume
      15.   volumes:
      16.     - name: cache-volume
      17.       emptyDir: {}
      1Label selector to match the pod labels.

    • Create a second pod preset, similar to the following:

      1Label selector to match the pod labels.

    • Create a standard pod specification:

      1. apiVersion: v1
      2. kind: Pod
      3. metadata:
      4.   name: website
      5.   labels:
      6.     app: website
      7.     role: frontend (1)
      8. spec:
      9.   containers:
      10.     - name: website
      11.       image: ecorp/website
      12.       ports:
      13.         - containerPort: 80

    • Create the pod:

      1. $ oc create -f pod.yaml

    • Check the pod spec after creation:

      1. apiVersion: v1
      2. kind: Pod
      3. metadata:
      4.   name: website
      5.   labels:
      6.     app: website
      7.     role: frontend
      8.   annotations:
      9.     podpreset.admission.kubernetes.io/allow-database: "resource version" (1)
      10.     podpreset.admission.kubernetes.io/proxy: "resource version" (1)
      11. spec:
      12.   containers:
      13.     - name: website
      14.       image: ecorp/website
      15.       volumeMounts:
      16.         - mountPath: /cache
      17.           name: cache-volume
      18.         - mountPath: /etc/proxy/configs
      19.           name: proxy-volume
      20.       ports:
      21.         - containerPort: 80
      22.       env:
      23.         - name: DB_PORT
      24.           value: "6379"
      25.   volumes:
      26.     - name: cache-volume
      27.       emptyDir: {}
      28.     - name: proxy-volume
      29.       emptyDir: {}
      1Annotation indicating that multiple pod presets were injected.

    You can delete a pod preset using the following command:

    1. $ oc delete podpreset <name>
    1. $ oc delete podpreset allow-database