hostPath卷可以将节点上的文件或目录挂载到Pod上,用于Pod定义日志输出或访问Docker内部的容器等【通常不推荐使用】
【官网中的警告】Warning:
-
HostPath volumes present many security risks, and it is a best practice to avoid the use of HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the required file or directory, and mounted as ReadOnly.
HostPath卷存在许多安全风险,最好的做法是尽可能避免使用HostPath。当必须使用HostPath卷时,卷的作用域应限定为所需的文件或目录,并挂载为只读 -
If restricting HostPath access to specific directories through AdmissionPolicy, volumeMounts MUST be required to use readOnly mounts for the policy to be effective.
如果通过AdmissionPolicy限制HostPath对特定目录的访问,则必须要求volumeMounts使用readOnly挂载,以使策略生效。
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
# directory location on host
path: /data
# this field is optional
type: Directory
上面配置中的type,可以参照官方文档,根据不同的场景设置不同的类型
| Value | Behavior |
|---|---|
| Empty string (default) is for backward compatibility, which means that no checks will be performed before mounting the hostPath volume. | |
| DirectoryOrCreate | If nothing exists at the given path, an empty directory will be created there as needed with permission set to 0755, having the same group and ownership with Kubelet. |
| Directory | A directory must exist at the given path |
| FileOrCreate | If nothing exists at the given path, an empty file will be created there as needed with permission set to 0644, having the same group and ownership with Kubelet. |
| File | A file must exist at the given path |
| Socket | A UNIX socket must exist at the given path |
| CharDevice | A character device must exist at the given path |
| BlockDevice | A block device must exist at the given path |
使用type为File和DirectoryOrCreate来创建deploy资源
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-host
name: nginx-hostpath
spec:
replicas: 1
selector:
matchLabels:
app: nginx-host
template:
metadata:
labels:
app: nginx-host
spec:
nodeSelector:
app: nginx
imagePullSecrets:
- name: myregistry
# - name: dockerregistry ## 如果有多个Secret可以依次在下方配置
containers:
- image: registry.cn-hangzhou.aliyuncs.com/creamk87/nginx:1.15.1
name: nginx-hostpath
volumeMounts:
- name: timezone
mountPath: /etc/timezone #使用宿主机的timezone文件,替换时区为Asia/Shanghai
- name: mydirectory
mountPath: /opt/mydir #挂载宿主机的podtest文件夹,如果没有文件夹则创建
volumes:
- name: timezone
hostPath:
path: /etc/timezone
type: File
- name: mydirectory
hostPath:
path: /root/podtest
type: DirectoryOrCreate
通过yaml文件创建deploy成功后,可以进入到po中查看对应的文件或文件夹是否挂载成功
