You are viewing documentation for Kubernetes version: v1.30

Kubernetes v1.30 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date information, see the latest version.

Declarative Management of Kubernetes Objects Using Kustomize

Kustomize is a standalone tool to customize Kubernetes objects through a kustomization file.

Since 1.14, Kubectl also supports the management of Kubernetes objects using a kustomization file. To view Resources found in a directory containing a kustomization file, run the following command:

kubectl kustomize <kustomization_directory>

To apply those Resources, run kubectl apply with --kustomize or -k flag:

kubectl apply -k <kustomization_directory>

Before you begin

Install kubectl.

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

To check the version, enter kubectl version.

Overview of Kustomize

Kustomize is a tool for customizing Kubernetes configurations. It has the following features to manage application configuration files:

  • generating resources from other sources
  • setting cross-cutting fields for resources
  • composing and customizing collections of resources

Generating Resources

ConfigMaps and Secrets hold configuration or sensitive data that are used by other Kubernetes objects, such as Pods. The source of truth of ConfigMaps or Secrets are usually external to a cluster, such as a .properties file or an SSH keyfile. Kustomize has secretGenerator and configMapGenerator, which generate Secret and ConfigMap from files or literals.

configMapGenerator

To generate a ConfigMap from a file, add an entry to the files list in configMapGenerator. Here is an example of generating a ConfigMap with a data item from a .properties file:

# Create a application.properties filecat <<EOF >application.properties FOO=Bar EOFcat <<EOF >./kustomization.yaml configMapGenerator: - name: example-configmap-1  files:  - application.properties EOF

The generated ConfigMap can be examined with the following command:

kubectl kustomize ./

The generated ConfigMap is:

apiVersion:v1data:application.properties:| FOO=Barkind:ConfigMapmetadata:name:example-configmap-1-8mbdf7882g

To generate a ConfigMap from an env file, add an entry to the envs list in configMapGenerator. Here is an example of generating a ConfigMap with a data item from a .env file:

# Create a .env filecat <<EOF >.env FOO=Bar EOFcat <<EOF >./kustomization.yaml configMapGenerator: - name: example-configmap-1  envs:  - .env EOF

The generated ConfigMap can be examined with the following command:

kubectl kustomize ./

The generated ConfigMap is:

apiVersion:v1data:FOO:Barkind:ConfigMapmetadata:name:example-configmap-1-42cfbf598f

ConfigMaps can also be generated from literal key-value pairs. To generate a ConfigMap from a literal key-value pair, add an entry to the literals list in configMapGenerator. Here is an example of generating a ConfigMap with a data item from a key-value pair:

cat <<EOF >./kustomization.yaml configMapGenerator: - name: example-configmap-2  literals:  - FOO=Bar EOF

The generated ConfigMap can be checked by the following command:

kubectl kustomize ./

The generated ConfigMap is:

apiVersion:v1data:FOO:Barkind:ConfigMapmetadata:name:example-configmap-2-g2hdhfc6tk

To use a generated ConfigMap in a Deployment, reference it by the name of the configMapGenerator. Kustomize will automatically replace this name with the generated name.

This is an example deployment that uses a generated ConfigMap:

# Create a application.properties filecat <<EOF >application.propertiesFOO=BarEOFcat <<EOF >deployment.yamlapiVersion:apps/v1kind:Deploymentmetadata:name:my-applabels:app:my-appspec:selector:matchLabels:app:my-apptemplate:metadata:labels:app:my-appspec:containers:- name:appimage:my-appvolumeMounts:- name:configmountPath:/configvolumes:- name:configconfigMap:name:example-configmap-1EOFcat <<EOF >./kustomization.yamlresources:- deployment.yamlconfigMapGenerator:- name:example-configmap-1files:- application.propertiesEOF

Generate the ConfigMap and Deployment:

kubectl kustomize ./

The generated Deployment will refer to the generated ConfigMap by name:

apiVersion:v1data:application.properties:| FOO=Barkind:ConfigMapmetadata:name:example-configmap-1-g4hk9g2ff8---apiVersion:apps/v1kind:Deploymentmetadata:labels:app:my-appname:my-appspec:selector:matchLabels:app:my-apptemplate:metadata:labels:app:my-appspec:containers:- image:my-appname:appvolumeMounts:- mountPath:/configname:configvolumes:- configMap:name:example-configmap-1-g4hk9g2ff8name:config

secretGenerator

You can generate Secrets from files or literal key-value pairs. To generate a Secret from a file, add an entry to the files list in secretGenerator. Here is an example of generating a Secret with a data item from a file:

# Create a password.txt filecat <<EOF >./password.txt username=admin password=secret EOFcat <<EOF >./kustomization.yaml secretGenerator: - name: example-secret-1  files:  - password.txt EOF

The generated Secret is as follows:

apiVersion:v1data:password.txt:dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9c2VjcmV0Cg==kind:Secretmetadata:name:example-secret-1-t2kt65hgtbtype:Opaque

To generate a Secret from a literal key-value pair, add an entry to literals list in secretGenerator. Here is an example of generating a Secret with a data item from a key-value pair:

cat <<EOF >./kustomization.yaml secretGenerator: - name: example-secret-2  literals:  - username=admin  - password=secret EOF

The generated Secret is as follows:

apiVersion:v1data:password:c2VjcmV0username:YWRtaW4=kind:Secretmetadata:name:example-secret-2-t52t6g96d8type:Opaque

Like ConfigMaps, generated Secrets can be used in Deployments by referring to the name of the secretGenerator:

# Create a password.txt filecat <<EOF >./password.txt username=admin password=secret EOFcat <<EOF >deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-app  labels:  app: my-app spec:  selector:  matchLabels:  app: my-app  template:  metadata:  labels:  app: my-app  spec:  containers:  - name: app  image: my-app  volumeMounts:  - name: password  mountPath: /secrets  volumes:  - name: password  secret:  secretName: example-secret-1 EOFcat <<EOF >./kustomization.yaml resources: - deployment.yaml secretGenerator: - name: example-secret-1  files:  - password.txt EOF

generatorOptions

The generated ConfigMaps and Secrets have a content hash suffix appended. This ensures that a new ConfigMap or Secret is generated when the contents are changed. To disable the behavior of appending a suffix, one can use generatorOptions. Besides that, it is also possible to specify cross-cutting options for generated ConfigMaps and Secrets.

cat <<EOF >./kustomization.yaml configMapGenerator: - name: example-configmap-3  literals:  - FOO=Bar generatorOptions:  disableNameSuffixHash: true  labels:  type: generated  annotations:  note: generated EOF

Runkubectl kustomize ./ to view the generated ConfigMap:

apiVersion:v1data:FOO:Barkind:ConfigMapmetadata:annotations:note:generatedlabels:type:generatedname:example-configmap-3

Setting cross-cutting fields

It is quite common to set cross-cutting fields for all Kubernetes resources in a project. Some use cases for setting cross-cutting fields:

  • setting the same namespace for all Resources
  • adding the same name prefix or suffix
  • adding the same set of labels
  • adding the same set of annotations

Here is an example:

# Create a deployment.yamlcat <<EOF >./deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: nginx-deployment  labels:  app: nginx spec:  selector:  matchLabels:  app: nginx  template:  metadata:  labels:  app: nginx  spec:  containers:  - name: nginx  image: nginx EOFcat <<EOF >./kustomization.yaml namespace: my-namespace namePrefix: dev- nameSuffix: "-001" commonLabels:  app: bingo commonAnnotations:  oncallPager: 800-555-1212 resources: - deployment.yaml EOF

Run kubectl kustomize ./ to view those fields are all set in the Deployment Resource:

apiVersion:apps/v1kind:Deploymentmetadata:annotations:oncallPager:800-555-1212labels:app:bingoname:dev-nginx-deployment-001namespace:my-namespacespec:selector:matchLabels:app:bingotemplate:metadata:annotations:oncallPager:800-555-1212labels:app:bingospec:containers:- image:nginxname:nginx

Composing and Customizing Resources

It is common to compose a set of Resources in a project and manage them inside the same file or directory. Kustomize offers composing Resources from different files and applying patches or other customization to them.

Composing

Kustomize supports composition of different resources. The resources field, in the kustomization.yaml file, defines the list of resources to include in a configuration. Set the path to a resource's configuration file in the resources list. Here is an example of an NGINX application comprised of a Deployment and a Service:

# Create a deployment.yaml filecat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  ports:  - containerPort: 80 EOF# Create a service.yaml filecat <<EOF > service.yaml apiVersion: v1 kind: Service metadata:  name: my-nginx  labels:  run: my-nginx spec:  ports:  - port: 80  protocol: TCP  selector:  run: my-nginx EOF# Create a kustomization.yaml composing themcat <<EOF >./kustomization.yaml resources: - deployment.yaml - service.yaml EOF

The Resources from kubectl kustomize ./ contain both the Deployment and the Service objects.

Customizing

Patches can be used to apply different customizations to Resources. Kustomize supports different patching mechanisms through patchesStrategicMerge and patchesJson6902. patchesStrategicMerge is a list of file paths. Each file should be resolved to a strategic merge patch. The names inside the patches must match Resource names that are already loaded. Small patches that do one thing are recommended. For example, create one patch for increasing the deployment replica number and another patch for setting the memory limit.

# Create a deployment.yaml filecat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  ports:  - containerPort: 80 EOF# Create a patch increase_replicas.yamlcat <<EOF > increase_replicas.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  replicas: 3 EOF# Create another patch set_memory.yamlcat <<EOF > set_memory.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  template:  spec:  containers:  - name: my-nginx  resources:  limits:  memory: 512Mi EOFcat <<EOF >./kustomization.yaml resources: - deployment.yaml patchesStrategicMerge: - increase_replicas.yaml - set_memory.yaml EOF

Run kubectl kustomize ./ to view the Deployment:

apiVersion:apps/v1kind:Deploymentmetadata:name:my-nginxspec:replicas:3selector:matchLabels:run:my-nginxtemplate:metadata:labels:run:my-nginxspec:containers:- image:nginxname:my-nginxports:- containerPort:80resources:limits:memory:512Mi

Not all Resources or fields support strategic merge patches. To support modifying arbitrary fields in arbitrary Resources, Kustomize offers applying JSON patch through patchesJson6902. To find the correct Resource for a Json patch, the group, version, kind and name of that Resource need to be specified in kustomization.yaml. For example, increasing the replica number of a Deployment object can also be done through patchesJson6902.

# Create a deployment.yaml filecat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  ports:  - containerPort: 80 EOF# Create a json patchcat <<EOF > patch.yaml - op: replace  path: /spec/replicas  value: 3 EOF# Create a kustomization.yamlcat <<EOF >./kustomization.yaml resources: - deployment.yaml patchesJson6902: - target:  group: apps  version: v1  kind: Deployment  name: my-nginx  path: patch.yaml EOF

Run kubectl kustomize ./ to see the replicas field is updated:

apiVersion:apps/v1kind:Deploymentmetadata:name:my-nginxspec:replicas:3selector:matchLabels:run:my-nginxtemplate:metadata:labels:run:my-nginxspec:containers:- image:nginxname:my-nginxports:- containerPort:80

In addition to patches, Kustomize also offers customizing container images or injecting field values from other objects into containers without creating patches. For example, you can change the image used inside containers by specifying the new image in images field in kustomization.yaml.

cat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  ports:  - containerPort: 80 EOFcat <<EOF >./kustomization.yaml resources: - deployment.yaml images: - name: nginx  newName: my.image.registry/nginx  newTag: 1.4.0 EOF

Run kubectl kustomize ./ to see that the image being used is updated:

apiVersion:apps/v1kind:Deploymentmetadata:name:my-nginxspec:replicas:2selector:matchLabels:run:my-nginxtemplate:metadata:labels:run:my-nginxspec:containers:- image:my.image.registry/nginx:1.4.0name:my-nginxports:- containerPort:80

Sometimes, the application running in a Pod may need to use configuration values from other objects. For example, a Pod from a Deployment object need to read the corresponding Service name from Env or as a command argument. Since the Service name may change as namePrefix or nameSuffix is added in the kustomization.yaml file. It is not recommended to hard code the Service name in the command argument. For this usage, Kustomize can inject the Service name into containers through vars.

# Create a deployment.yaml file (quoting the here doc delimiter)cat <<'EOF' > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  command: ["start", "--host", "$(MY_SERVICE_NAME)"] EOF# Create a service.yaml filecat <<EOF > service.yaml apiVersion: v1 kind: Service metadata:  name: my-nginx  labels:  run: my-nginx spec:  ports:  - port: 80  protocol: TCP  selector:  run: my-nginx EOFcat <<EOF >./kustomization.yaml namePrefix: dev- nameSuffix: "-001" resources: - deployment.yaml - service.yaml vars: - name: MY_SERVICE_NAME  objref:  kind: Service  name: my-nginx  apiVersion: v1 EOF

Run kubectl kustomize ./ to see that the Service name injected into containers is dev-my-nginx-001:

apiVersion:apps/v1kind:Deploymentmetadata:name:dev-my-nginx-001spec:replicas:2selector:matchLabels:run:my-nginxtemplate:metadata:labels:run:my-nginxspec:containers:- command:- start- --host- dev-my-nginx-001image:nginxname:my-nginx

Bases and Overlays

Kustomize has the concepts of bases and overlays. A base is a directory with a kustomization.yaml, which contains a set of resources and associated customization. A base could be either a local directory or a directory from a remote repo, as long as a kustomization.yaml is present inside. An overlay is a directory with a kustomization.yaml that refers to other kustomization directories as its bases. A base has no knowledge of an overlay and can be used in multiple overlays. An overlay may have multiple bases and it composes all resources from bases and may also have customization on top of them.

Here is an example of a base:

# Create a directory to hold the basemkdir base # Create a base/deployment.yamlcat <<EOF > base/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx EOF# Create a base/service.yaml filecat <<EOF > base/service.yaml apiVersion: v1 kind: Service metadata:  name: my-nginx  labels:  run: my-nginx spec:  ports:  - port: 80  protocol: TCP  selector:  run: my-nginx EOF# Create a base/kustomization.yamlcat <<EOF > base/kustomization.yaml resources: - deployment.yaml - service.yaml EOF

This base can be used in multiple overlays. You can add different namePrefix or other cross-cutting fields in different overlays. Here are two overlays using the same base.

mkdir dev cat <<EOF > dev/kustomization.yaml resources: - ../base namePrefix: dev- EOFmkdir prod cat <<EOF > prod/kustomization.yaml resources: - ../base namePrefix: prod- EOF

How to apply/view/delete objects using Kustomize

Use --kustomize or -k in kubectl commands to recognize Resources managed by kustomization.yaml. Note that -k should point to a kustomization directory, such as

kubectl apply -k <kustomization directory>/

Given the following kustomization.yaml,

# Create a deployment.yaml filecat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata:  name: my-nginx spec:  selector:  matchLabels:  run: my-nginx  replicas: 2  template:  metadata:  labels:  run: my-nginx  spec:  containers:  - name: my-nginx  image: nginx  ports:  - containerPort: 80 EOF# Create a kustomization.yamlcat <<EOF >./kustomization.yaml namePrefix: dev- commonLabels:  app: my-nginx resources: - deployment.yaml EOF

Run the following command to apply the Deployment object dev-my-nginx:

> kubectl apply -k ./ deployment.apps/dev-my-nginx created

Run one of the following commands to view the Deployment object dev-my-nginx:

kubectl get -k ./ 
kubectl describe -k ./

Run the following command to compare the Deployment object dev-my-nginx against the state that the cluster would be in if the manifest was applied:

kubectl diff -k ./

Run the following command to delete the Deployment object dev-my-nginx:

> kubectl delete -k ./ deployment.apps "dev-my-nginx" deleted

Kustomize Feature List

FieldTypeExplanation
namespacestringadd namespace to all resources
namePrefixstringvalue of this field is prepended to the names of all resources
nameSuffixstringvalue of this field is appended to the names of all resources
commonLabelsmap[string]stringlabels to add to all resources and selectors
commonAnnotationsmap[string]stringannotations to add to all resources
resources[]stringeach entry in this list must resolve to an existing resource configuration file
configMapGenerator[]ConfigMapArgsEach entry in this list generates a ConfigMap
secretGenerator[]SecretArgsEach entry in this list generates a Secret
generatorOptionsGeneratorOptionsModify behaviors of all ConfigMap and Secret generator
bases[]stringEach entry in this list should resolve to a directory containing a kustomization.yaml file
patchesStrategicMerge[]stringEach entry in this list should resolve a strategic merge patch of a Kubernetes object
patchesJson6902[]PatchEach entry in this list should resolve to a Kubernetes object and a Json Patch
vars[]VarEach entry is to capture text from one resource's field
images[]ImageEach entry is to modify the name, tags and/or digest for one image without creating patches
configurations[]stringEach entry in this list should resolve to a file containing Kustomize transformer configurations
crds[]stringEach entry in this list should resolve to an OpenAPI definition file for Kubernetes types

What's next

Last modified April 18, 2023 at 3:26 PM PST: docs/en: Update kustomize examples to use non-deprecated resources key (b2b28c49f5)