KB: Kubernetes runs once and exits POD

In Kubernetes, the usual pattern for a container that “runs once and exits” is not a Deployment but rather a Job (or a CronJob for scheduled runs). A Deployment is designed to keep a given number of replicas running continuously, restarting pods if they exit. By contrast, a Job is specifically designed for run-to-completion workloads. Here’s why this matters and how you can set it up:

Why not a Deployment for “run once, then exit”?

  • Deployments expect long-running pods. If your container exits successfully, the Deployment’s ReplicaSet controller will see that the number of running pods is below the desired replica count (e.g., 1), so it will spin up a new pod. You’ll end up in an endless cycle of your “job” container repeatedly starting and exiting.
  • Deployments do not retain “completed” pods. When a pod in a Deployment terminates, Kubernetes treats it as “unavailable” and immediately attempts to create a new one.

The right approach: a Job (or CronJob)

Jobs create pods that run until they exit (succeed or fail). You can configure how often to retry, whether to keep pods after they succeed, and so on. That’s the standard approach for “one-off” tasks.

CronJobs are essentially “Jobs on a schedule.” You can configure them to run once a day, every hour, etc. But if you only want to start them on-demand, a plain Job is usually simpler.

Example Job Manifest

Below is a minimal example of a Job that runs a single pod to completion and does not restart on success. It also retains the pod so you can inspect its logs/state as long as you do not clean it up:

apiVersion: batch/v1
kind: Job
metadata:
  name: my-run-once-job
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: my-run-once-container
        image: alpine:3.18
        command: ["sh", "-c", "echo 'Hello, run once.' && sleep 5 && exit 0"]
  backoffLimit: 0   # Do not retry on failure
  • restartPolicy: Never: Ensures that Kubernetes will not restart the pod within the Job if it completes.
  • backoffLimit: 0: Prevents retries if the container exits with a non-zero status (you can adjust if you do want retries).

When you run kubectl apply -f my-job.yaml, this job will create a single pod, run echo 'Hello, run once.' && sleep 5 && exit 0, and then exit. The status of that pod should become Completed.

Keeping Completed Pods Around

If you want to ensure the pod isn’t garbage collected quickly, make sure you do not set the ttlSecondsAfterFinished field in your Job spec (or set it to null). By default, Kubernetes 1.21+ supports cleaning up old completed pods if ttlSecondsAfterFinished is configured. If it’s unset, the completed pod will remain until you manually delete the Job (or you have some cluster-level cleanup).

Manual Reruns

After the pod completes, you can choose to:

  1. Delete the Job and re-create it when you want to run the container again: 
    kubectl delete job my-run-once-job
kubectl apply -f my-job.yaml
  2. Create a new Job each time (with a unique name). For example: 
    kubectl create job my-run-once-job-2 --from=job/my-run-once-job
  3. Or use a CronJob that sets a schedule for repeats, though you can also manually trigger CronJobs outside of their schedule (less common for purely on-demand runs).

Summary

  • You can hack a Deployment to do “run once then exit,” but it goes against how Deployments are intended to work. You’d be fighting the ReplicaSet controller that constantly tries to keep a certain number of pods running.
  • The best practice for a “run once” or ephemeral job is to use a Job (or a CronJob for scheduled runs), set restartPolicy to Never, and tune backoffLimit and ttlSecondsAfterFinished as needed.
  • That way, once the pod completes, it won’t get restarted automatically, and you’ll be able to keep or clean up the completed pod as you see fit. When you need to run it again, you can just create or re-run the Job.

This approach cleanly fits the “once and done” model and allows you to inspect logs, see the exit status, and re-run on-demand without having to fight the Deployment’s logic.

Comments

Post a Comment

Popular posts from this blog

KB: Azure ACA Container fails to start (no User Assigned or Delegated Managed Identity found for specified ClientId)

Image
When deploying secure workloads using Azure Container Apps (ACA) , teams often face confusion between User Assigned Managed Identities (UAMI) and App Registrations . While both entities are visible in Azure Active Directory and have similar identifiers (Application ID, Object ID), they serve very different purposes . This confusion can lead to authentication failures when accessing services like Azure App Configuration or Key Vault . A common issue occurs when a container app is configured with a managed identity, but the environment variables or role assignments mistakenly reference an App Registration instead, causing errors like: "No User Assigned or Delegated Managed Identity found for specified ClientId" This article breaks down the difference between UAMI and App Registrations, explains why this issue happens, and outlines the correct approach to resolve it. Symptoms Azure Container App fails to authenticate to Azure App Configuration or other services. Logs...
Read more

Electron Process Execution Failure with FSLogix

  Technical Note: Electron Process Execution Failure with FSLogix 1. Overview When running Electron-based applications in environments using FSLogix Profile or Office Containers , users may encounter issues where the Electron process fails to launch or execute properly . This behavior has been observed in Azure Virtual Desktop (AVD) , Windows Virtual Desktop (WVD) , and other environments where FSLogix filter drivers are active. 2. Symptoms Electron-based applications (e.g., desktop apps built on Electron, CLI wrappers) do not start , remain unresponsive, or terminate silently. No visible logs or error messages are generated by the application. Standard executables run correctly when placed outside of the FSLogix-controlled profile path (e.g., copying to C:\Temp allows execution). The issue is reproducible across all Electron apps in the FSLogix-managed profile. 3. Root Cause The issue is linked to FSLogix filter drivers ( frxdrv , frxdrvvt , frxccd ) interfe...
Read more

KB:RMM VS DEX (Remote Monitoring Management vs Digital Employee Experience)

Digital Employee Experience (DEX) and Remote Monitoring and Management (RMM) tools serve different purposes and cater to distinct aspects of IT and employee management. Digital Employee Experience (DEX) Focus: Enhancing the overall experience of employees with their digital workplace tools and environment. Key Features: User Experience Monitoring: Tracks how employees interact with software and hardware, identifying issues impacting productivity. Performance Analytics: Provides insights into the performance of applications from the end-user's perspective. Feedback Mechanisms: Allows employees to report issues and give feedback on their digital tools and environment. Employee Well-being: Monitors factors that affect employee satisfaction and well-being, such as system performance and usability. Proactive Support: Identifies potential issues before they become significant problems, enabling proactive IT support. Goals: Improve employee satisfaction and productivity. Ensure a sm...
Read more