Pod

Optional labels control the compute resources the Pod is placed on, and spec.securityContext is subject to a few platform-specific constraints.

kind: Pod
apiVersion: v1
metadata:
  name: ..
  labels:
    pod.staroid.com/isolation: sandboxed          # 'sandboxed' or 'dedicated'. 'dedicated' schedules the Pod onto a dedicated Node. Defaults to 'sandboxed'.
    pod.staroid.com/instance-type: standard-2     # 'standard-2', 'standard-4', 'standard-8' or 'gpu-1'. Selects the instance type in 'dedicated' mode. Defaults to 'standard-2'.
    pod.staroid.com/spot: "false"                 # 'true' or 'false'. 'true' uses a Spot instance. Defaults to 'false'. Quote the value: label values must be strings, and an unquoted YAML false is a boolean that the API server rejects.
spec:
  securityContext:
    runAsUser: 1000                               # Must not be 0. Defaults to the UID of the container image.
    runAsGroup: 3000                              # Between 1 and 65535.
    fsGroup: 2000                                 # Define only for a 'dedicated' Pod. A 'sandboxed' Pod will fail to start if it is defined.
  ...

Note

spec.nodeSelector, spec.affinity and spec.tolerations are ignored. Use the pod.staroid.com/* labels above to control placement.

Pod metadata.labels

pod.staroid.com/isolation

sandboxed or dedicated. Defaults to sandboxed.

sandboxed runs the Pod's containers under gVisor. Container creation is faster in most cases and cpu and memory configuration is more flexible. CPU and memory are charged by actual consumption, bounded below by resources.requests and above by resources.limits.

dedicated allocates a Node and schedules the Pod there. It gives higher IO performance and a cheaper cost per compute unit than sandboxed, but creating a new Pod usually takes much longer and cpu and memory configuration is less flexible. In this mode the Pod is charged according to pod.staroid.com/instance-type regardless of actual consumption.

pod.staroid.com/instance-type

standard-2, standard-4, standard-8 or gpu-1. Defaults to standard-2. Only effective with pod.staroid.com/isolation: dedicated; it is ignored for a sandboxed Pod.

The gpu-1 instance type is currently available on AWS-based clusters only.

instance-type   CPU   GPU                 Memory   Available cloud region
standard-2      2     N/A                 8GB      AWS, GCP
standard-4      4     N/A                 16GB     AWS, GCP
standard-8      8     N/A                 32GB     AWS, GCP
gpu-1           8     Tesla V100 (16GB)   61GB     AWS

pod.staroid.com/spot

true or false. Defaults to false.

A Pod with spot: true may be disrupted every few hours (for example, relocated to another Node), so the workload must tolerate restarts. In exchange it provides significant cost savings.

Pod spec.securityContext

spec.securityContext.runAsUser

Must not be 0 (see spec.serviceAccountName below for the experimental root exception). When not defined, the default UID of the container image is used.

spec.securityContext.runAsGroup

Between 1 and 65535.

spec.securityContext.fsGroup

Valid only on a dedicated Pod. A sandboxed Pod will fail to start if it is defined.

Pod spec.serviceAccountName (experimental)

Staroid runs containers as non-root, which is why spec.securityContext.runAsUser must not be 0. Most applications are able to run with a non-root UID, and this is usually good practice. However, some applications require root; for example, a developer tool may want users to install additional OS packages inside the container.

spec.serviceAccountName

Defaults to default. Set it to root if a root UID is required: the root service account allows spec.securityContext.runAsUser to be set to 0.

For example,

kind: Pod
apiVersion: v1
metadata:
  name: ..
spec:
  serviceAccountName: root
  securityContext:
    runAsUser: 0
  ...

Warning

This is an experimental feature. Support for a root UID may change in the future.
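The label rules, the securityContext limits and the root service account exception above are easy to get wrong in a manifest, and some of the mistakes (fsGroup on a sandboxed Pod, an unquoted spot label) only surface when the Pod fails to start. The following linter is an added example, not Staroid's own tooling: it checks an already-parsed Pod manifest (a dict such as yaml.safe_load returns, so no third-party packages are needed) against every rule on this page and returns the findings. The `cloud` parameter and the two sample manifests are this example's own assumptions; the page says gpu-1 is AWS-only but nothing in a manifest carries the cluster's cloud region, so the caller supplies it.

```python
"""Pre-submission linter for the Staroid Pod constraints documented above.

Added example, not Staroid's code. Works on a parsed manifest (dict) so it
runs offline; the `cloud` argument is this linter's own assumption.
"""

LABEL_ISOLATION = "pod.staroid.com/isolation"
LABEL_INSTANCE_TYPE = "pod.staroid.com/instance-type"
LABEL_SPOT = "pod.staroid.com/spot"

ISOLATION_MODES = ("sandboxed", "dedicated")
INSTANCE_TYPES = ("standard-2", "standard-4", "standard-8", "gpu-1")
IGNORED_SPEC_FIELDS = ("nodeSelector", "affinity", "tolerations")


def lint_pod(manifest, cloud=None):
    """Return a list of (severity, message) tuples; severity is 'error' or 'warning'.

    An empty list means the manifest satisfies every rule on this page.
    """
    findings = []
    labels = (manifest.get("metadata") or {}).get("labels") or {}
    spec = manifest.get("spec") or {}
    sc = spec.get("securityContext") or {}

    # Kubernetes label values are strings. An unquoted YAML `false` parses to a
    # bool and the API server rejects the object, so check types first and only
    # evaluate string-valued labels below.
    str_labels = {}
    for key, value in labels.items():
        if isinstance(value, str):
            str_labels[key] = value
        elif key.startswith("pod.staroid.com/"):
            findings.append(("error", f"label {key} must be a quoted string, got {type(value).__name__}"))

    isolation = str_labels.get(LABEL_ISOLATION, "sandboxed")  # page default
    if isolation not in ISOLATION_MODES:
        findings.append(("error", f"{LABEL_ISOLATION} must be one of {ISOLATION_MODES}, got {isolation!r}"))

    instance_type = str_labels.get(LABEL_INSTANCE_TYPE)
    if instance_type is not None:
        if instance_type not in INSTANCE_TYPES:
            findings.append(("error", f"{LABEL_INSTANCE_TYPE} must be one of {INSTANCE_TYPES}, got {instance_type!r}"))
        elif isolation != "dedicated":
            findings.append(("warning", f"{LABEL_INSTANCE_TYPE} only takes effect with {LABEL_ISOLATION}: dedicated"))
        elif instance_type == "gpu-1" and cloud is not None and cloud != "AWS":
            findings.append(("error", f"gpu-1 is only available on AWS-based clusters, not {cloud}"))

    spot = str_labels.get(LABEL_SPOT)
    if spot is not None and spot not in ("true", "false"):
        findings.append(("error", f"{LABEL_SPOT} must be 'true' or 'false', got {spot!r}"))

    # Non-root is the rule; UID 0 is accepted only with the experimental root service account.
    if sc.get("runAsUser") == 0 and spec.get("serviceAccountName") != "root":
        findings.append(("error", "runAsUser 0 requires spec.serviceAccountName: root"))

    run_as_group = sc.get("runAsGroup")
    if run_as_group is not None and (not isinstance(run_as_group, int) or not 1 <= run_as_group <= 65535):
        findings.append(("error", f"runAsGroup must be between 1 and 65535, got {run_as_group!r}"))

    if "fsGroup" in sc and isolation == "sandboxed":
        findings.append(("error", "fsGroup is only valid on a dedicated Pod; a sandboxed Pod will fail to start"))

    for field in IGNORED_SPEC_FIELDS:
        if field in spec:
            findings.append(("warning", f"spec.{field} is ignored; use the pod.staroid.com/* labels instead"))
    return findings


def is_admissible(manifest, cloud=None):
    """True when the manifest produces no 'error' findings (warnings are allowed)."""
    return not any(sev == "error" for sev, _ in lint_pod(manifest, cloud))


# Constructed sample manifests (not from the page): one that follows every rule,
# one that trips several of them.
GOOD_DEDICATED = {
    "kind": "Pod", "apiVersion": "v1",
    "metadata": {"name": "worker", "labels": {
        LABEL_ISOLATION: "dedicated", LABEL_INSTANCE_TYPE: "standard-4",
        LABEL_SPOT: "true",  # quoted: label values are strings
    }},
    "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
             "containers": [{"name": "app", "image": "example/app:1.0"}]},
}

BAD_SANDBOXED = {
    "kind": "Pod", "apiVersion": "v1",
    "metadata": {"name": "devtool", "labels": {
        LABEL_INSTANCE_TYPE: "gpu-1",  # ignored: isolation defaults to sandboxed
        LABEL_SPOT: False,             # what an unquoted YAML `false` parses to
    }},
    "spec": {"securityContext": {"runAsUser": 0, "runAsGroup": 70000, "fsGroup": 2000},
             "nodeSelector": {"disktype": "ssd"},  # silently ignored on Staroid
             "containers": [{"name": "app", "image": "example/app:1.0"}]},
}

if __name__ == "__main__":
    for name, manifest in (("GOOD_DEDICATED", GOOD_DEDICATED), ("BAD_SANDBOXED", BAD_SANDBOXED)):
        print(f"{name}: admissible={is_admissible(manifest)}")
        for severity, message in lint_pod(manifest):
            print(f"  [{severity}] {message}")
```

Running the module prints no findings for the dedicated sample and six for the sandboxed one (four errors, two warnings); a pre-submit hook would call is_admissible after yaml.safe_load and refuse to apply on False. The cloud check is deliberately optional so the linter stays usable where the target region is not known at lint time.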