Use HostPath volumes

更新时间:
复制 MD 格式

Mount host files or directories into pods for direct access to node logs, configuration files, or shared development data.

How it works

Process overview

After a pod is scheduled to a node, the kubelet mounts the HostPath volume before the container starts. It validates and prepares the host path defined in path based on the type in the hostPath configuration.

  • DirectoryOrCreate: Checks whether the host path exists. If not, creates an empty directory with 0755 permissions, with ownership and group matching the kubelet.

  • Directory: Checks that the host path exists and is a directory. If not, the pod fails to start.

  • FileOrCreate: Checks whether the host path exists. If not, creates an empty file with 0644 permissions, with ownership and group matching the kubelet.

  • File: Checks that the host path exists and is a file. If not, the pod fails to start.

Once validated, the kubelet bind-mounts the host path into the container. All read and write operations on the mount point go directly to the host node's file system.

Usage methods

  • Mount a HostPath volume directly in a pod: Define the hostPath directly in the pod manifest's volumes section. Simple but tightly couples storage to the application. Not recommended for production workloads that require long-term maintenance or may need storage changes.

  • Mount a HostPath volume by using a PV and PVC: Define the hostPath in a standalone PV, which a pod requests via a PVC. Decouples storage from the application, letting you manage storage independently without modifying the pod configuration.

Applicability

Supported only on ECS nodes. Not available for serverless compute resources such as ECI and ACS. Not recommended on local disks.

Method one: Direct HostPath mount

  1. Create a file named pod-hostpath-direct.yaml.

    Mounts the node's /data directory to /test in the pod.
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        name: test-container
        volumeMounts:
        - mountPath: /test
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # Specify the path on the host node.
          path: /data
          # Specify the volume type.
          type: DirectoryOrCreate
  2. Deploy the pod.

    kubectl apply -f pod-hostpath-direct.yaml
  3. Verify the mount.

    Create a file inside the pod and confirm it exists on the node.

    1. Create a file in the pod.

      Create test.txt in the /test directory (mount point) of the pod.

      kubectl exec test-pod -- sh -c 'echo "This file was created from within the Pod." > /test/test.txt'
    2. Get the node name where the pod runs.

      NODE_NAME=$(kubectl get pod test-pod -o jsonpath='{.spec.nodeName}')
      echo "Pod is running on node: $NODE_NAME"
    3. Verify the file on the node.

      Log on to the node and run ls /data to check whether the file exists in the /data directory.

      If the output includes test.txt, the HostPath volume is mounted successfully.

Method two: Mount with a PV and PVC

  1. Create a file named pv-pvc-hostpath.yaml.

    Creates a PV pointing to the host's /data directory, a PVC that requests the storage, and a pod that uses the PVC.
    # --- PersistentVolume definition ---
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: hostpath-pv
      labels:
        type: local
    spec:
      capacity:
        storage: 10Gi
      accessModes:
        - ReadWriteOnce
      hostPath:
        path: "/data"
    ---
    # --- PersistentVolumeClaim definition ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: hostpath-pvc
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
      # Use a selector to bind the PVC to the PV created earlier.
      selector:
        matchLabels:
          type: local
    ---
    # --- Pod definition ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod-pvc
    spec:
      containers:
        - name: test-container
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          volumeMounts:
            - mountPath: "/usr/share/nginx/html"
              name: storage
      volumes:
        - name: storage
          persistentVolumeClaim:
            # Reference the PVC defined earlier.
            claimName: hostpath-pvc
  2. Create the PV, PVC, and pod.

    kubectl apply -f pv-pvc-hostpath.yaml
  3. Verify the mount.

    Create a file inside the pod and confirm it exists on the node.

    1. Create a file in the pod.

      Create test.txt in the /usr/share/nginx/html directory (mount point) of the pod.

      kubectl exec test-pod-pvc -- sh -c 'echo "File from PV/PVC Pod." > /usr/share/nginx/html/test.txt'
    2. Get the node name where the pod runs.

      NODE_NAME=$(kubectl get pod test-pod-pvc -o jsonpath='{.spec.nodeName}')
      echo "Pod is running on node: $NODE_NAME"
    3. Verify the file on the node.

      Log on to the node and run ls /data to check whether the file exists in the /data directory.

      If the output includes test.txt, the PV/PVC HostPath volume is mounted successfully.

Production considerations

  • Enhance security isolation

    • Mount as read-only: If the application only reads node data, set readOnly: true in the volumeMounts section to prevent accidental writes to the host node.

    • Follow least privilege: Avoid mounting the root directory (/) or sensitive directories such as /etc and /var. Use a dedicated directory.

  • Monitor node resources

    • Monitor the host disk: Containers writing to a HostPath volume consume node disk space. Set up monitoring and alerting for disk partitions to prevent disk exhaustion.

    • Evaluate I/O impact: Frequent reads and writes on a HostPath volume consume node I/O resources, which may affect other pods or kubelet stability. Evaluate the I/O impact before using HostPath in production.

  • A HostPath volume binds a pod to the physical storage of a specific node. Data is tied to that node and unavailable if the pod is rescheduled elsewhere.

    • Not suitable for stateful applications requiring high availability, such as databases or caches.

      • Data exists only on a single node. When a pod is rescheduled to another node, access to the original data is lost.

      • Accessing a host node's file system breaks container isolation. If misconfigured (for example, mounting the root directory /) or if the container has a vulnerability, node security and stability can be compromised.

    • Not suitable for nodes with a read-only root file system, such as ContainerOS.

FAQ

Does data persist if a pod is recreated?

It depends on which node the pod is scheduled to.

  • Scheduled to the same node: The pod mounts the same directory and can access all existing data.

  • Scheduled to a different node: The pod mounts an empty directory. Data remains on the original node but is inaccessible.