Functions may be written as container images. The container must run a program which:
- Reads a ResourceList from STDIN
- Writes a ResourceList to STDOUT
- Exits non-0 on failure
- Writes error messages to users on STDERR
By default containers are run without network access, and without the ability to write to volumes outside the container.
While container functions may be written in any language so long as they adhere to the io specification (read / write ResourceList), the kpt-functions-sdk provides a solution for writing functions using typescript.
Container functions may be run imperatively using the
--image flag with
kpt fn run. This
will create a container from the image, then write to its STDIN a ResourceList and read from
it’s STDOUT a ResourceList.
Container functions may be run by declaring the function in a resource using the
apiVersion: example.com/v1beta1 kind: ExampleKind metadata: name: function-input annotations: config.kubernetes.io/function: | container: image: gcr.io/a/b:v1
To run the declared function use
kpt fn run DIR/ on the directory containing the example.
By default, container functions cannot access network or volumes. Functions may enable network
access using the
--network flag, and specifying that a network is required in the functionConfig.
apiVersion: example.com/v1beta1 kind: ExampleKind metadata: name: function-input annotations: config.kubernetes.io/function: | container: image: gcr.io/a/b:v1 network: required: true
kpt fn run DIR/ --network