k8s学习记录【进阶篇】，Volumes hostPath挂载宿主机路径（二十一）

文章中资料参考来源2022 云原生Kubernetes全栈架构师

hostPath卷可以将节点上的文件或目录挂载到Pod上，用于Pod定义日志输出或访问Docker内部的容器等【通常不推荐使用】

【官网中的警告】Warning:

• HostPath volumes present many security risks, and it is a best practice to avoid the use of HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the required file or directory, and mounted as ReadOnly.
  HostPath卷存在许多安全风险，最好的做法是尽可能避免使用HostPath。当必须使用HostPath卷时，卷的作用域应限定为所需的文件或目录，并挂载为只读

• If restricting HostPath access to specific directories through AdmissionPolicy, volumeMounts MUST be required to use readOnly mounts for the policy to be effective.
  如果通过AdmissionPolicy限制HostPath对特定目录的访问，则必须要求volumeMounts使用readOnly挂载，以使策略生效。

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: /data
      # this field is optional
      type: Directory

上面配置中的type，可以参照官方文档，根据不同的场景设置不同的类型

Value	Behavior
	Empty string (default) is for backward compatibility, which means that no checks will be performed before mounting the hostPath volume.
DirectoryOrCreate	If nothing exists at the given path, an empty directory will be created there as needed with permission set to 0755, having the same group and ownership with Kubelet.
Directory	A directory must exist at the given path
FileOrCreate	If nothing exists at the given path, an empty file will be created there as needed with permission set to 0644, having the same group and ownership with Kubelet.
File	A file must exist at the given path
Socket	A UNIX socket must exist at the given path
CharDevice	A character device must exist at the given path
BlockDevice	A block device must exist at the given path

使用type为File和DirectoryOrCreate来创建deploy资源

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-host
  name: nginx-hostpath
spec:
  replicas: 1 
  selector:
    matchLabels:
      app: nginx-host
  template:
    metadata:
      labels:
        app: nginx-host
    spec:
      nodeSelector:
        app: nginx
      imagePullSecrets:
      - name: myregistry
#     - name: dockerregistry  ## 如果有多个Secret可以依次在下方配置
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/creamk87/nginx:1.15.1 
        name: nginx-hostpath
        volumeMounts:
          - name: timezone
            mountPath: /etc/timezone  #使用宿主机的timezone文件，替换时区为Asia/Shanghai
          - name: mydirectory
            mountPath: /opt/mydir  #挂载宿主机的podtest文件夹，如果没有文件夹则创建
      volumes:
        - name: timezone
          hostPath:
            path: /etc/timezone
            type: File
        - name: mydirectory
          hostPath:
            path: /root/podtest
            type: DirectoryOrCreate

通过yaml文件创建deploy成功后，可以进入到po中查看对应的文件或文件夹是否挂载成功