A hostPath volume mounts a file or directory from the node's filesystem into a Pod. Typical uses are writing a Pod's log output to the node or reaching into the node's Docker installation from a container. [Generally not recommended.]
[Warning from the official documentation] Warning:

- HostPath volumes present many security risks, and it is a best practice to avoid the use of HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the required file or directory, and mounted as ReadOnly.
- If restricting HostPath access to specific directories through AdmissionPolicy, volumeMounts MUST be required to use readOnly mounts for the policy to be effective.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: /data
      # this field is optional
      type: Directory
```
The `type` field in the configuration above takes one of the values listed in the official documentation; choose the one that matches the scenario:

Value | Behavior
---|---
`""` (empty string, the default) | Kept for backward compatibility; no checks are performed before mounting the hostPath volume.
DirectoryOrCreate | If nothing exists at the given path, an empty directory will be created there as needed with permission set to 0755, having the same group and ownership with Kubelet.
Directory | A directory must exist at the given path.
FileOrCreate | If nothing exists at the given path, an empty file will be created there as needed with permission set to 0644, having the same group and ownership with Kubelet.
File | A file must exist at the given path.
Socket | A UNIX socket must exist at the given path.
CharDevice | A character device must exist at the given path.
BlockDevice | A block device must exist at the given path.
Create a Deployment that uses the types File and DirectoryOrCreate:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-host
  name: nginx-hostpath
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-host
  template:
    metadata:
      labels:
        app: nginx-host
    spec:
      nodeSelector:
        app: nginx
      imagePullSecrets:
      - name: myregistry
      # - name: dockerregistry  ## additional Secrets can be listed here one after another
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/creamk87/nginx:1.15.1
        name: nginx-hostpath
        volumeMounts:
        - name: timezone
          mountPath: /etc/timezone  # use the host's timezone file, setting the zone to Asia/Shanghai
        - name: mydirectory
          mountPath: /opt/mydir  # mount the host's podtest directory, creating it if it does not exist
      volumes:
      - name: timezone
        hostPath:
          path: /etc/timezone
          type: File
      - name: mydirectory
        hostPath:
          path: /root/podtest
          type: DirectoryOrCreate
```
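The official warning above amounts to three checks that can be run on a manifest before it is admitted: a scoped path, a readOnly mount, and an explicit `type`. The following is an added example (not code from the page or from Kubernetes) that applies those checks to the nginx-hostpath Deployment's pod template, expressed as a Python dict; `BROAD_PATHS` is an assumed list of node directories that should never be mounted whole.

```python
BROAD_PATHS = {"/", "/etc", "/var", "/var/run", "/var/lib", "/root", "/proc", "/sys"}  # assumed
CREATING_TYPES = {"DirectoryOrCreate", "FileOrCreate"}  # create on the node, owned by kubelet


def hostpath_findings(pod_spec):
    """Return [(volume_name, message)] for each way a hostPath volume breaks the guidance."""
    findings = []
    # Collect every mount that references a volume, across containers and initContainers
    mounts = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            mounts.setdefault(m["name"], []).append(m)
    for vol in pod_spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue  # emptyDir, configMap, PVC etc. are out of scope for this check
        name, path, vtype = vol["name"], hp.get("path", ""), hp.get("type", "")
        if vtype == "":
            findings.append((name, "type is empty, so nothing is checked before mounting"))
        if vtype in CREATING_TYPES:
            findings.append((name, f"type {vtype} creates {path} on the node if it is missing"))
        if (path.rstrip("/") or "/") in BROAD_PATHS:
            findings.append((name, f"path {path} exposes a whole system tree; scope it to the required file or directory"))
        for m in mounts.get(name, []):
            if not m.get("readOnly", False):
                findings.append((name, f"mount at {m['mountPath']} is not readOnly"))
    return findings


# Constructed from the nginx-hostpath Deployment's pod template above, reduced to the fields read here
PAGE_SPEC = {
    "containers": [{"name": "nginx-hostpath", "volumeMounts": [
        {"name": "timezone", "mountPath": "/etc/timezone"},
        {"name": "mydirectory", "mountPath": "/opt/mydir"}]}],
    "volumes": [
        {"name": "timezone", "hostPath": {"path": "/etc/timezone", "type": "File"}},
        {"name": "mydirectory", "hostPath": {"path": "/root/podtest", "type": "DirectoryOrCreate"}}],
}

# The same template after applying the guidance: both mounts readOnly, directory created beforehand
HARDENED_SPEC = {
    "containers": [{"name": "nginx-hostpath", "volumeMounts": [
        {"name": "timezone", "mountPath": "/etc/timezone", "readOnly": True},
        {"name": "mydirectory", "mountPath": "/opt/mydir", "readOnly": True}]}],
    "volumes": [
        {"name": "timezone", "hostPath": {"path": "/etc/timezone", "type": "File"}},
        {"name": "mydirectory", "hostPath": {"path": "/root/podtest", "type": "Directory"}}],
}

if __name__ == "__main__":
    print(*hostpath_findings(PAGE_SPEC), sep="\n")
```

Run against the page's template it reports the two non-readOnly mounts and the directory that DirectoryOrCreate would create on the node; the hardened template produces no findings.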