Add PodSpec to spec file

Customize the Kubernetes PodSpec of Fission function and environment pods to control containers, volumes, scheduling, and security context.

What is PodSpec

A pod in Kubernetes is the basic unit of deployment. Like every Kubernetes resource, a pod consists of the basic declaration (apiVersion and kind), metadata, spec, and status.

apiVersion: v1
kind: Pod
metadata:
  labels:
    svc-name: svc-name
  name: podname
spec:
  containers:

The spec in a pod, also known as PodSpec, defines the specifications of many behaviors in a declarative manner. A PodSpec defines the containers, environment variables for the container and other properties such as the scheduler name, security context etc.

spec:
  containers:
  - name: containername
    env:
    - name: ENV_NAME
      value: ENV_VALUE
    image: image_url
    imagePullPolicy: IfNotPresent
  dnsPolicy: ClusterFirst
  nodeName: nodename
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: fission-svc

In this section we will look at various use cases that are possible with PodSpec support in Fission. To learn more about specs, check the spec documentation.

Security: PodSpec fields are validated and hardened (since v1.25.0). Because the executor and builder service accounts can create Pods and Deployments, Fission rejects PodSpec fields that would let a function tenant escape the container sandbox or reach node-level state. A user- or environment-supplied (init)container may add only the NET_BIND_SERVICE Linux capability through securityContext.capabilities.add; every other capability is rejected by the allowlist, and the executor forces securityContext.capabilities.drop: ["ALL"] when it merges the pod. The following are also rejected: hostNetwork, hostPID, hostIPC, hostPath volumes, serviceAccountName/serviceAccount overrides, privileged: true, and allowPrivilegeEscalation: true. Keep your PodSpec additions within these bounds, or fission spec apply (and the admission webhook) will reject the Environment or Function.

Many More!

Here are some ideas for how you can use PodSpec to enhance your function pods:

  • You can add a custom scheduler to be used for specific functions.
  • Additional security policies and settings can be set with the securityContext field in PodSpec.
  • Readiness gates, introduced in Kubernetes 1.11, allow extra feedback into the pod status and provide an advanced mechanism for signalling to Kubernetes that the pod can now serve production traffic.
  • Priority and priorityClassName are used with a custom admission controller so you can set the priorities of the pods and effectively allocate resources to pods/functions with higher priority.
  • Node selector allows scheduling function pods on specific nodes of the cluster.
  • Image pull secrets let function pods pull images from private registries.
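The following is an added example, not Fission's own code: a defender-side pre-check that applies the hardening rules from the Security note above to a podspec fragment before it goes into a spec file, and a compliant fragment that exercises the customizations listed above (custom scheduler, priority class, readiness gate, node selector, image pull secrets) as well as the environment variables, init container, volume and toleration covered in the sections that follow. It assumes the fragment will be placed under spec.runtime.podspec of an Environment, that the runtime container is named python, and that the secret, ConfigMap, scheduler and priority class names are placeholders; the checks re-implement the page's rules independently of Fission's validator and admission webhook, so they are a convenience, not a substitute for either.

```python
"""Added example (not Fission's code): pre-check a podspec fragment against the
PodSpec hardening rules described on this page, and force capabilities.drop: [ALL]
the way the executor does when it merges the pod. Field names that are not on the
page (spec.runtime.podspec, container name "python", secret/ConfigMap/scheduler
names) are assumptions."""

from copy import deepcopy

ALLOWED_CAPABILITIES = {"NET_BIND_SERVICE"}   # the only capability the allowlist accepts
FORBIDDEN_POD_FLAGS = ("hostNetwork", "hostPID", "hostIPC")
FORBIDDEN_SA_FIELDS = ("serviceAccountName", "serviceAccount")


def _containers(podspec):
    """Yield (kind, container) for every init container and container."""
    for kind in ("initContainers", "containers"):
        for c in podspec.get(kind) or []:
            yield kind, c


def check_podspec(podspec):
    """Return a list of violations; an empty list means the fragment stays within bounds."""
    problems = []
    for flag in FORBIDDEN_POD_FLAGS:
        if podspec.get(flag):
            problems.append(f"{flag}: true is rejected")
    for field in FORBIDDEN_SA_FIELDS:
        if field in podspec:
            problems.append(f"{field} override is rejected")
    for vol in podspec.get("volumes") or []:
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name', '?')!r} uses hostPath, which is rejected")
    for kind, c in _containers(podspec):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("privileged"):
            problems.append(f"{kind}/{name}: privileged: true is rejected")
        if sc.get("allowPrivilegeEscalation"):
            problems.append(f"{kind}/{name}: allowPrivilegeEscalation: true is rejected")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added - ALLOWED_CAPABILITIES):
            problems.append(f"{kind}/{name}: capability {cap} is not in the allowlist")
    return problems


def harden(podspec):
    """Return a copy with capabilities.drop forced to ["ALL"] on every (init)container,
    mirroring the executor's merge step; a permitted add list is left in place."""
    out = deepcopy(podspec)
    for _, c in _containers(out):
        caps = c.setdefault("securityContext", {}).setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
    return out


# Constructed sample: a compliant fragment using the customizations the page lists.
GOOD_PODSPEC = {
    "schedulerName": "my-scheduler",                    # assumed scheduler name
    "priorityClassName": "function-high",               # assumed priority class
    "nodeSelector": {"disktype": "ssd"},
    "imagePullSecrets": [{"name": "registry-creds"}],   # assumed pull secret
    "readinessGates": [{"conditionType": "example.com/warm-cache"}],
    "tolerations": [{"key": "gpu", "operator": "Exists", "effect": "NoSchedule"}],
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "initContainers": [{"name": "prepare", "image": "busybox:1.36",
                        "command": ["sh", "-c", "echo ready > /scratch/ok"],
                        "volumeMounts": [{"name": "scratch", "mountPath": "/scratch"}]}],
    "containers": [{
        "name": "python",   # assumed: must match the runtime container to be merged into it
        "env": [
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-secret", "key": "token"}}},
            {"name": "LOG_LEVEL", "valueFrom": {"configMapKeyRef": {"name": "fn-config", "key": "level"}}},
        ],
        "volumeMounts": [{"name": "scratch", "mountPath": "/scratch"}],
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}},
    }],
}

# Constructed sample: a fragment that trips every rule on the page, to show the report.
BAD_PODSPEC = {
    "hostNetwork": True,
    "serviceAccountName": "some-other-sa",
    "volumes": [{"name": "node-fs", "hostPath": {"path": "/var/lib"}}],
    "containers": [{"name": "python",
                    "securityContext": {"privileged": True,
                                        "allowPrivilegeEscalation": True,
                                        "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_PODSPEC), ("bad", BAD_PODSPEC)):
        found = check_podspec(spec)
        print(f"{label}: {'within bounds' if not found else f'{len(found)} violation(s)'}")
        for p in found:
            print("  -", p)
    print(harden(GOOD_PODSPEC)["containers"][0]["securityContext"])
```

Run the script against a fragment before fission spec apply to get the same kind of rejection the webhook would produce, but locally and with every violation listed at once; harden() shows what the merged container's securityContext will look like, which is useful when a function unexpectedly lacks a capability it relied on in a plain Deployment.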

Environment Variable

Set environment variables on Fission environment pods via PodSpec, including exposing Kubernetes Secrets and ConfigMaps to your function.

Sidecar and Init Container

Add init containers and sidecar containers to a Fission environment’s PodSpec to run setup or auxiliary processes alongside functions.

Volume

Define and mount Kubernetes volumes on Fission function containers through PodSpec so stateful functions can access attached data.

Toleration

Add tolerations to a Fission environment’s PodSpec so functions schedule onto tainted nodes reserved for specific hardware or workloads.