Use host paths (HostPath) as volumes in ACK pods - Container Service for Kubernetes

A HostPath volume mounts a file or directory from the host node's file system directly into a pod. This allows the pod to read and write to the node's file system. Use HostPath for tasks such as reading node logs, accessing specific configuration files, or sharing data in development environments.

How it works

Workflow

After a pod is scheduled to the target node, the kubelet on that node mounts the HostPath volume before the container starts. The kubelet validates and prepares the host path (path) based on the mount type (type) defined in the hostPath field.

DirectoryOrCreate: If the specified host path does not exist, the kubelet creates an empty directory with permissions set to 0755. The directory owner and group match those of the kubelet.
Directory: The specified host path must exist and be a directory. Otherwise, the pod fails to start.
FileOrCreate: If the specified host path does not exist, the kubelet creates an empty file with permissions set to 0644. The file owner and group match those of the kubelet.
File: The specified host path must exist and be a file. Otherwise, the pod fails to start.

After validation passes, the kubelet bind-mounts the host path into the container. All subsequent read and write operations on the mount point are performed directly on the host file system.

Usage

Mount HostPath directly in a pod: Define hostPath directly in the pod's volumes. This method is simple but tightly couples storage to the application. Avoid it for production applications that require long-term maintenance or may require storage changes in the future.
Mount HostPath using a PersistentVolume (PV) and PersistentVolumeClaim (PVC): Define hostPath in a standalone PV. The pod can then request the storage through a PVC. This decouples storage from the application, which lets you manage the underlying storage independently without changing the pod configuration.

Scope

This feature supports only ECS nodes. It does not support heterogeneous computing nodes, such as GPU nodes or Lingjun nodes, or serverless compute services, such as ECI or ACS.

Option one: Mount HostPath directly in a pod

Create a file named pod-hostpath-direct.yaml.

This example mounts the node's /data directory to the /test directory in the pod.

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    volumeMounts:
    - mountPath: /test
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # Specify the host path
      path: /data
      # Specify the mount type
      type: DirectoryOrCreate

Deploy the pod.

kubectl apply -f pod-hostpath-direct.yaml

Verify the mount.
Create a file inside the pod. Then check whether the file exists on the node. This confirms that the mount was successful.
1. Create a file inside the pod.
  Create a test.txt file in the pod's /test directory, which is the mount point.
```
kubectl exec test-pod -- sh -c 'echo "This file was created from within the Pod." > /test/test.txt'
```
2. Obtain the name of the node where the pod is running.
```
NODE_NAME=$(kubectl get pod test-pod -o jsonpath='{.spec.nodeName}')
echo "Pod is running on node: $NODE_NAME"
```
3. Verify the file on the node.
  For more information, see Log on to a node. Run the ls /data command to check whether the /data directory contains the file that you just created.
  If the output includes the test.txt file, the HostPath volume was mounted successfully.

Option two: Mount HostPath using a PV and PVC

Create a file named pv-pvc-hostpath.yaml.

This example creates a PV that points to the host's /data directory, a PVC that requests that storage, and a pod that uses the PVC.

# --- PersistentVolume definition ---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: hostpath-pv
  labels:
    type: local
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/data"
---
# --- PersistentVolumeClaim definition ---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hostpath-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  # Use selector to ensure the PVC binds to the PV created earlier
  selector:
    matchLabels:
      type: local
---
# --- Pod definition ---
apiVersion: v1
kind: Pod
metadata:
  name: test-pod-pvc
spec:
  containers:
    - name: test-container
      image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      ports:
        - containerPort: 80
      volumeMounts:
        - mountPath: "/usr/share/nginx/html"
          name: storage
  volumes:
    - name: storage
      persistentVolumeClaim:
        # Reference the PVC defined earlier
        claimName: hostpath-pvc

Create the PV, PVC, and pod.
```
kubectl apply -f pv-pvc-hostpath.yaml
```
Verify the mount.
Create a file inside the pod. Then check whether the file exists on the node. This confirms that the mount was successful.
1. Create a file inside the pod.
  Create a test.txt file in the pod's /usr/share/nginx/html directory, which is the mount point.
```
kubectl exec test-pod-pvc -- sh -c 'echo "File from PV/PVC Pod." > /usr/share/nginx/html/test.txt'
```
2. Obtain the name of the node where the pod is running.
```
NODE_NAME=$(kubectl get pod test-pod-pvc -o jsonpath='{.spec.nodeName}')
echo "Pod is running on node: $NODE_NAME"
```
3. Verify the file on the node.
  For more information, see Log on to a node. Run the ls /data command to check whether the /data directory contains the file that you just created.
  If the output includes the test.txt file, the HostPath volume was mounted successfully using the PV and PVC.

Going live

Improve security isolation
- Mount as read-only: If your application only needs to read data from the node, mount the volume as read-only (ReadOnlyMany). This prevents accidental changes to host files.
- Follow the principle of least privilege: Do not mount the host root directory (/) or sensitive system directories, such as /etc or /var. Use a dedicated directory for HostPath instead.
Monitor node resources
- Monitor host disk: Containers that write to a HostPath volume consume the node's disk space. Implement monitoring and alerting for disk partitions to prevent nodes from failing due to disk exhaustion.
- Evaluate I/O impact: Frequent read and write operations on a HostPath volume consume the node's I/O resources. This can affect other application pods or even impact kubelet stability. You should assess the potential performance impact.
A HostPath volume binds a pod directly to physical storage on a specific node. Data in a HostPath volume is specific to that node and does not persist if the pod moves to a different node.
- Do not use HostPath for stateful applications that need high availability and persistent storage, such as databases or caches.
  - Data in a HostPath volume exists only on one node. If a pod is restarted or updated and then rescheduled to another node, it loses access to its original data.
  - Allowing a pod to access the host file system breaks container isolation. If misconfigured, for example, by mounting the root directory /, or if the container has vulnerabilities, it can compromise the security and stability of the node.
- HostPath is not suitable for nodes that have a read-only root file system, such as ContainerOS.

FAQ

Does data in a HostPath volume persist after a pod is deleted and recreated?

This depends on the node to which the new pod is scheduled.

If the pod is scheduled to the same node: The new pod mounts the same directory on the node and can access all previous data.
If the pod is scheduled to a new node: The new pod mounts an empty directory on the new node. The data on the original node becomes inaccessible to the new pod.