8 files changed, 610 insertions, 29 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 870eb28d6..2b31a6423 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -146,37 +146,10 @@ func createContainer(c *cli.Context, runtime *libpod.Runtime) (*libpod.Container
 		return nil, nil, err
 	}
 
-	runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	options, err := createConfig.GetContainerCreateOptions(runtime)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, runtime)
+	ctr, err := createContainerFromCreateConfig(runtime, createConfig, ctx)
 	if err != nil {
 		return nil, nil, err
 	}
-	if became {
-		os.Exit(ret)
-	}
-
-	ctr, err := runtime.NewContainer(ctx, runtimeSpec, options...)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	createConfigJSON, err := json.Marshal(createConfig)
-	if err != nil {
-		return nil, nil, err
-	}
-	if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
-		return nil, nil, err
-	}
-
 	if cidFile != nil {
 		_, err = cidFile.WriteString(ctr.ID())
 		if err != nil {
@@ -913,3 +886,37 @@ func joinOrCreateRootlessUserNamespace(createConfig *cc.CreateConfig, runtime *l
 	}
 	return rootless.BecomeRootInUserNS()
 }
+
+func createContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateConfig, ctx context.Context) (*libpod.Container, error) {
+	runtimeSpec, err := cc.CreateConfigToOCISpec(createConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	options, err := createConfig.GetContainerCreateOptions(r)
+	if err != nil {
+		return nil, err
+	}
+
+	became, ret, err := joinOrCreateRootlessUserNamespace(createConfig, r)
+	if err != nil {
+		return nil, err
+	}
+	if became {
+		os.Exit(ret)
+	}
+
+	ctr, err := r.NewContainer(ctx, runtimeSpec, options...)
+	if err != nil {
+		return nil, err
+	}
+
+	createConfigJSON, err := json.Marshal(createConfig)
+	if err != nil {
+		return nil, err
+	}
+	if err := ctr.AddArtifact("create-config", createConfigJSON); err != nil {
+		return nil, err
+	}
+	return ctr, nil
+}
diff --git a/cmd/podman/generate_kube.go b/cmd/podman/generate_kube.go
index 8f2f0de32..f63bd431b 100644
--- a/cmd/podman/generate_kube.go
+++ b/cmd/podman/generate_kube.go
@@ -33,7 +33,6 @@ var (
 	}
 )
 
-// generateKubeYAMLCmdgenerates or replays kube
 func generateKubeYAMLCmd(c *cli.Context) error {
 	var (
 		podYAML           *v1.Pod
diff --git a/cmd/podman/image.go b/cmd/podman/image.go
index 95af36df5..e978b9cf5 100644
--- a/cmd/podman/image.go
+++ b/cmd/podman/image.go
@@ -19,6 +19,7 @@ var (
 		rmImageCommand,
 		saveCommand,
 		tagCommand,
+		trustCommand,
 	}
 
 	imageDescription = "Manage images"
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 2db6c5dec..f47a75761 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -90,6 +90,7 @@ func main() {
 		portCommand,
 		pullCommand,
 		pushCommand,
+		playCommand,
 		restartCommand,
 		rmCommand,
 		rmiCommand,
diff --git a/cmd/podman/play.go b/cmd/podman/play.go
new file mode 100644
index 000000000..adbab3480
--- /dev/null
+++ b/cmd/podman/play.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+	"github.com/urfave/cli"
+)
+
+var (
+	playSubCommands = []cli.Command{
+		playKubeCommand,
+	}
+
+	playDescription = "Play a pod and its containers from a structured file."
+	playCommand     = cli.Command{
+		Name:                   "play",
+		Usage:                  "play a container or pod",
+		Description:            playDescription,
+		ArgsUsage:              "",
+		Subcommands:            playSubCommands,
+		UseShortOptionHandling: true,
+		OnUsageError:           usageErrorHandler,
+		Hidden:                 true,
+	}
+)
diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go
new file mode 100644
index 000000000..f165c5f0f
--- /dev/null
+++ b/cmd/podman/play_kube.go
@@ -0,0 +1,245 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/image/types"
+	"github.com/containers/libpod/cmd/podman/libpodruntime"
+	"github.com/containers/libpod/cmd/podman/shared"
+	"github.com/containers/libpod/libpod"
+	image2 "github.com/containers/libpod/libpod/image"
+	ns "github.com/containers/libpod/pkg/namespaces"
+	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/spec"
+	"github.com/containers/storage"
+	"github.com/cri-o/ocicni/pkg/ocicni"
+	"github.com/ghodss/yaml"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+	"k8s.io/api/core/v1"
+)
+
+var (
+	playKubeFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "authfile",
+			Usage: "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override. ",
+		},
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Usage: "`pathname` of a directory containing TLS certificates and keys",
+		},
+		cli.StringFlag{
+			Name:  "creds",
+			Usage: "`credentials` (USERNAME:PASSWORD) to use for authenticating to a registry",
+		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Suppress output information when pulling images",
+		},
+		cli.StringFlag{
+			Name:  "signature-policy",
+			Usage: "`pathname` of signature policy file (not usually used)",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when contacting registries (default: true)",
+		},
+	}
+	playKubeDescription = "Play a Pod and its containers based on a Kubrernetes YAML"
+	playKubeCommand     = cli.Command{
+		Name:                   "kube",
+		Usage:                  "Play a pod based on Kubernetes YAML",
+		Description:            playKubeDescription,
+		Action:                 playKubeYAMLCmd,
+		Flags:                  sortFlags(playKubeFlags),
+		ArgsUsage:              "kubernetes YAML file",
+		UseShortOptionHandling: true,
+		OnUsageError:           usageErrorHandler,
+	}
+)
+
+func playKubeYAMLCmd(c *cli.Context) error {
+	var (
+		podOptions    []libpod.PodCreateOption
+		podYAML       v1.Pod
+		registryCreds *types.DockerAuthConfig
+		containers    []*libpod.Container
+		writer        io.Writer
+	)
+
+	ctx := getContext()
+	if rootless.IsRootless() {
+		return errors.Wrapf(libpod.ErrNotImplemented, "rootless users")
+	}
+	args := c.Args()
+	if len(args) > 1 {
+		return errors.New("you can only play one kubernetes file at a time")
+	}
+	if len(args) < 1 {
+		return errors.New("you must supply at least one file")
+	}
+
+	runtime, err := libpodruntime.GetRuntime(c)
+	if err != nil {
+		return errors.Wrapf(err, "could not get runtime")
+	}
+	defer runtime.Shutdown(false)
+
+	content, err := ioutil.ReadFile(args[0])
+	if err != nil {
+		return err
+	}
+
+	if err := yaml.Unmarshal(content, &podYAML); err != nil {
+		return errors.Wrapf(err, "unable to read %s as YAML", args[0])
+	}
+
+	podOptions = append(podOptions, libpod.WithInfraContainer())
+	podOptions = append(podOptions, libpod.WithPodName(podYAML.ObjectMeta.Name))
+	// TODO for now we just used the default kernel namespaces; we need to add/subtract this from yaml
+
+	nsOptions, err := shared.GetNamespaceOptions(strings.Split(DefaultKernelNamespaces, ","))
+	if err != nil {
+		return err
+	}
+	podOptions = append(podOptions, nsOptions...)
+	podPorts := getPodPorts(podYAML.Spec.Containers)
+	podOptions = append(podOptions, libpod.WithInfraContainerPorts(podPorts))
+
+	// Create the Pod
+	pod, err := runtime.NewPod(ctx, podOptions...)
+	if err != nil {
+		return err
+	}
+	// Print the Pod's ID
+	fmt.Println(pod.ID())
+
+	podInfraID, err := pod.InfraContainerID()
+	if err != nil {
+		return err
+	}
+
+	namespaces := map[string]string{
+		// Disabled during code review per mheon
+		//"pid":  fmt.Sprintf("container:%s", podInfraID),
+		"net":  fmt.Sprintf("container:%s", podInfraID),
+		"user": fmt.Sprintf("container:%s", podInfraID),
+		"ipc":  fmt.Sprintf("container:%s", podInfraID),
+		"uts":  fmt.Sprintf("container:%s", podInfraID),
+	}
+	if !c.Bool("quiet") {
+		writer = os.Stderr
+	}
+
+	dockerRegistryOptions := image2.DockerRegistryOptions{
+		DockerRegistryCreds: registryCreds,
+		DockerCertPath:      c.String("cert-dir"),
+	}
+	if c.IsSet("tls-verify") {
+		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!c.BoolT("tls-verify"))
+	}
+
+	for _, container := range podYAML.Spec.Containers {
+		newImage, err := runtime.ImageRuntime().New(ctx, container.Image, c.String("signature-policy"), c.String("authfile"), writer, &dockerRegistryOptions, image2.SigningOptions{}, false)
+		if err != nil {
+			return err
+		}
+		createConfig := kubeContainerToCreateConfig(container, runtime, newImage, namespaces)
+		if err != nil {
+			return err
+		}
+		ctr, err := createContainerFromCreateConfig(runtime, createConfig, ctx)
+		if err != nil {
+			return err
+		}
+		containers = append(containers, ctr)
+	}
+
+	// start the containers
+	for _, ctr := range containers {
+		if err := ctr.Start(ctx); err != nil {
+			// Making this a hard failure here to avoid a mess
+			// the other containers are in created status
+			return err
+		}
+		fmt.Println(ctr.ID())
+	}
+
+	return nil
+}
+
+// getPodPorts converts a slice of kube container descriptions to an
+// array of ocicni portmapping descriptions usable in libpod
+func getPodPorts(containers []v1.Container) []ocicni.PortMapping {
+	var infraPorts []ocicni.PortMapping
+	for _, container := range containers {
+		for _, p := range container.Ports {
+			portBinding := ocicni.PortMapping{
+				HostPort:      p.HostPort,
+				ContainerPort: p.ContainerPort,
+				Protocol:      strings.ToLower(string(p.Protocol)),
+			}
+			if p.HostIP != "" {
+				logrus.Debug("HostIP on port bindings is not supported")
+			}
+			infraPorts = append(infraPorts, portBinding)
+		}
+	}
+	return infraPorts
+}
+
+// kubeContainerToCreateConfig takes a v1.Container and returns a createconfig describing a container
+func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Runtime, newImage *image2.Image, namespaces map[string]string) *createconfig.CreateConfig {
+	var (
+		containerConfig createconfig.CreateConfig
+		envs            map[string]string
+	)
+
+	containerConfig.Runtime = runtime
+	containerConfig.Image = containerYAML.Image
+	containerConfig.ImageID = newImage.ID()
+	containerConfig.Name = containerYAML.Name
+	containerConfig.Tty = containerYAML.TTY
+	containerConfig.WorkDir = containerYAML.WorkingDir
+	if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
+		containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+	}
+	if containerYAML.SecurityContext.Privileged != nil {
+		containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
+	}
+
+	if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
+		containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+	}
+
+	containerConfig.Command = containerYAML.Command
+	containerConfig.StopSignal = 15
+
+	// If the user does not pass in ID mappings, just set to basics
+	if containerConfig.IDMappings == nil {
+		containerConfig.IDMappings = &storage.IDMappingOptions{}
+	}
+
+	containerConfig.NetMode = ns.NetworkMode(namespaces["net"])
+	containerConfig.IpcMode = ns.IpcMode(namespaces["ipc"])
+	containerConfig.UtsMode = ns.UTSMode(namespaces["uts"])
+	// disabled in code review per mheon
+	//containerConfig.PidMode = ns.PidMode(namespaces["pid"])
+	containerConfig.UsernsMode = ns.UsernsMode(namespaces["user"])
+
+	if len(containerYAML.Env) > 0 {
+		envs = make(map[string]string)
+	}
+	// Environment Variables
+	for _, e := range containerYAML.Env {
+		envs[e.Name] = e.Value
+	}
+	containerConfig.Env = envs
+	return &containerConfig
+}
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go
new file mode 100644
index 000000000..7c404cd3f
--- /dev/null
+++ b/cmd/podman/trust.go
@@ -0,0 +1,293 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"sort"
+
+	"github.com/containers/image/types"
+	"github.com/containers/libpod/cmd/podman/formats"
+	"github.com/containers/libpod/cmd/podman/libpodruntime"
+	"github.com/containers/libpod/libpod/image"
+	"github.com/containers/libpod/pkg/trust"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+)
+
+var (
+	setTrustFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "type, t",
+			Usage: "Trust type, accept values: signedBy(default), accept, reject.",
+			Value: "signedBy",
+		},
+		cli.StringSliceFlag{
+			Name: "pubkeysfile, f",
+			Usage: `Path of installed public key(s) to trust for TARGET.
+	Absolute path to keys is added to policy.json. May
+	used multiple times to define multiple public keys.
+	File(s) must exist before using this command.`,
+		},
+		cli.StringFlag{
+			Name:   "policypath",
+			Hidden: true,
+		},
+	}
+	showTrustFlags = []cli.Flag{
+		cli.BoolFlag{
+			Name:  "raw",
+			Usage: "Output raw policy file",
+		},
+		cli.BoolFlag{
+			Name:  "json, j",
+			Usage: "Output as json",
+		},
+		cli.StringFlag{
+			Name:   "policypath",
+			Hidden: true,
+		},
+		cli.StringFlag{
+			Name:   "registrypath",
+			Hidden: true,
+		},
+	}
+
+	setTrustDescription = "Set default trust policy or add a new trust policy for a registry"
+	setTrustCommand     = cli.Command{
+		Name:         "set",
+		Usage:        "Set default trust policy or a new trust policy for a registry",
+		Description:  setTrustDescription,
+		Flags:        sortFlags(setTrustFlags),
+		ArgsUsage:    "default | REGISTRY[/REPOSITORY]",
+		Action:       setTrustCmd,
+		OnUsageError: usageErrorHandler,
+	}
+
+	showTrustDescription = "Display trust policy for the system"
+	showTrustCommand     = cli.Command{
+		Name:                   "show",
+		Usage:                  "Display trust policy for the system",
+		Description:            showTrustDescription,
+		Flags:                  sortFlags(showTrustFlags),
+		Action:                 showTrustCmd,
+		ArgsUsage:              "",
+		UseShortOptionHandling: true,
+		OnUsageError:           usageErrorHandler,
+	}
+
+	trustSubCommands = []cli.Command{
+		setTrustCommand,
+		showTrustCommand,
+	}
+
+	trustDescription = fmt.Sprintf(`Manages the trust policy of the host system. (%s)
+	 Trust policy describes a registry scope that must be signed by public keys.`, getDefaultPolicyPath())
+	trustCommand = cli.Command{
+		Name:         "trust",
+		Usage:        "Manage container image trust policy",
+		Description:  trustDescription,
+		ArgsUsage:    "{set,show} ...",
+		Subcommands:  trustSubCommands,
+		OnUsageError: usageErrorHandler,
+	}
+)
+
+func showTrustCmd(c *cli.Context) error {
+	runtime, err := libpodruntime.GetRuntime(c)
+	if err != nil {
+		return errors.Wrapf(err, "could not create runtime")
+	}
+
+	var (
+		policyPath              string
+		systemRegistriesDirPath string
+	)
+	if c.IsSet("policypath") {
+		policyPath = c.String("policypath")
+	} else {
+		policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
+	}
+	policyContent, err := ioutil.ReadFile(policyPath)
+	if err != nil {
+		return errors.Wrapf(err, "unable to read %s", policyPath)
+	}
+	if c.IsSet("registrypath") {
+		systemRegistriesDirPath = c.String("registrypath")
+	} else {
+		systemRegistriesDirPath = trust.RegistriesDirPath(runtime.SystemContext())
+	}
+
+	if c.Bool("raw") {
+		_, err := os.Stdout.Write(policyContent)
+		if err != nil {
+			return errors.Wrap(err, "could not read trust policies")
+		}
+		return nil
+	}
+
+	var policyContentStruct trust.PolicyContent
+	if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
+		return errors.Errorf("could not read trust policies")
+	}
+	policyJSON, err := trust.GetPolicyJSON(policyContentStruct, systemRegistriesDirPath)
+	if err != nil {
+		return errors.Wrapf(err, "error reading registry config file")
+	}
+	if c.Bool("json") {
+		var outjson interface{}
+		outjson = policyJSON
+		out := formats.JSONStruct{Output: outjson}
+		return formats.Writer(out).Out()
+	}
+
+	sortedRepos := sortPolicyJSONKey(policyJSON)
+	type policydefault struct {
+		Repo      string
+		Trusttype string
+		GPGid     string
+		Sigstore  string
+	}
+	var policyoutput []policydefault
+	for _, repo := range sortedRepos {
+		repoval := policyJSON[repo]
+		var defaultstruct policydefault
+		defaultstruct.Repo = repo
+		if repoval["type"] != nil {
+			defaultstruct.Trusttype = trustTypeDescription(repoval["type"].(string))
+		}
+		if repoval["keys"] != nil && len(repoval["keys"].([]string)) > 0 {
+			defaultstruct.GPGid = trust.GetGPGId(repoval["keys"].([]string))
+		}
+		if repoval["sigstore"] != nil {
+			defaultstruct.Sigstore = repoval["sigstore"].(string)
+		}
+		policyoutput = append(policyoutput, defaultstruct)
+	}
+	var output []interface{}
+	for _, ele := range policyoutput {
+		output = append(output, interface{}(ele))
+	}
+	out := formats.StdoutTemplateArray{Output: output, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"}
+	return formats.Writer(out).Out()
+}
+
+func setTrustCmd(c *cli.Context) error {
+	runtime, err := libpodruntime.GetRuntime(c)
+	if err != nil {
+		return errors.Wrapf(err, "could not create runtime")
+	}
+
+	args := c.Args()
+	if len(args) != 1 {
+		return errors.Errorf("default or a registry name must be specified")
+	}
+	valid, err := image.IsValidImageURI(args[0])
+	if err != nil || !valid {
+		return errors.Wrapf(err, "invalid image uri %s", args[0])
+	}
+
+	trusttype := c.String("type")
+	if !isValidTrustType(trusttype) {
+		return errors.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy')", trusttype)
+	}
+	if trusttype == "accept" {
+		trusttype = "insecureAcceptAnything"
+	}
+
+	pubkeysfile := c.StringSlice("pubkeysfile")
+	if len(pubkeysfile) == 0 && trusttype == "signedBy" {
+		return errors.Errorf("At least one public key must be defined for type 'signedBy'")
+	}
+
+	var policyPath string
+	if c.IsSet("policypath") {
+		policyPath = c.String("policypath")
+	} else {
+		policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
+	}
+	var policyContentStruct trust.PolicyContent
+	_, err = os.Stat(policyPath)
+	if !os.IsNotExist(err) {
+		policyContent, err := ioutil.ReadFile(policyPath)
+		if err != nil {
+			return errors.Wrapf(err, "unable to read %s", policyPath)
+		}
+		if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
+			return errors.Errorf("could not read trust policies")
+		}
+	}
+	var newReposContent []trust.RepoContent
+	if len(pubkeysfile) != 0 {
+		for _, filepath := range pubkeysfile {
+			newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype, KeyType: "GPGKeys", KeyPath: filepath})
+		}
+	} else {
+		newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype})
+	}
+	if args[0] == "default" {
+		policyContentStruct.Default = newReposContent
+	} else {
+		exists := false
+		for transport, transportval := range policyContentStruct.Transports {
+			_, exists = transportval[args[0]]
+			if exists {
+				policyContentStruct.Transports[transport][args[0]] = newReposContent
+				break
+			}
+		}
+		if !exists {
+			if policyContentStruct.Transports == nil {
+				policyContentStruct.Transports = make(map[string]trust.RepoMap)
+			}
+			if policyContentStruct.Transports["docker"] == nil {
+				policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent)
+			}
+			policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...)
+		}
+	}
+
+	data, err := json.MarshalIndent(policyContentStruct, "", "    ")
+	if err != nil {
+		return errors.Wrapf(err, "error setting trust policy")
+	}
+	err = ioutil.WriteFile(policyPath, data, 0644)
+	if err != nil {
+		return errors.Wrapf(err, "error setting trust policy")
+	}
+	return nil
+}
+
+var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
+
+func trustTypeDescription(trustType string) string {
+	trustDescription, exist := typeDescription[trustType]
+	if !exist {
+		logrus.Warnf("invalid trust type %s", trustType)
+	}
+	return trustDescription
+}
+
+func sortPolicyJSONKey(m map[string]map[string]interface{}) []string {
+	keys := make([]string, len(m))
+	i := 0
+	for k := range m {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func isValidTrustType(t string) bool {
+	if t == "accept" || t == "insecureAcceptAnything" || t == "reject" || t == "signedBy" {
+		return true
+	}
+	return false
+}
+
+func getDefaultPolicyPath() string {
+	return trust.DefaultPolicyPath(&types.SystemContext{})
+}
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index 376bbc950..c1b7c703a 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -1016,6 +1016,18 @@ method  UnmountContainer(name: string, force: bool) -> ()
 # This function is not implemented yet.
 method ListContainerPorts(name: string) -> (notimplemented: NotImplemented)
 
+# GenerateKube generates a Kubernetes v1 Pod description of a Podman container or pod
+# and its containers. The description is in YAML.  See also [ReplayKube](ReplayKube).
+method GenerateKube() -> (notimplemented: NotImplemented)
+
+# GenerateKubeService generates a Kubernetes v1 Service description of a Podman container or pod
+# and its containers. The description is in YAML. See also [GenerateKube](GenerateKube).
+method GenerateKubeService() -> (notimplemented: NotImplemented)
+
+# ReplayKube recreates a pod and its containers based on a Kubernetes v1 Pod description (in YAML)
+# like that created by GenerateKube. See also [GenerateKube](GenerateKube).
+method ReplayKube() -> (notimplemented: NotImplemented)
+
 # ImageNotFound means the image could not be found by the provided name or ID in local storage.
 error ImageNotFound (name: string)