When a container restarts, the new container will see any files written to a volume. This is because a volume outlives the lifespan of the container.
Persistent Volumes are backed by durable storage and exist independently of pods. Pods request persistent volumes by specifying PVCs describing the required storage capacity and access mode. Clusters then attempt to match PVCs with available static PVs.
Kubernetes deployment volume mount are a valuable way to store data inside a container. They can persist data across container restarts and share data between containers within the same Pod. To use a volume, a container must submit a PersistentVolumeClaim (PVC), which specifies the storage capacity and characteristics it requires. The PVC is bound to a persistent volume (PV) object through a one-to-one mapping. It allows the cluster to provision and mount the PV.
Once a volume is mounted into a container, it becomes part of its writable layer and can be read or written from within it. This is a better option than persisting on-disk files, which can increase a container’s size and are not preserved across the container’s lifecycle.
There are several types of volumes available in the Kubernetes ecosystem. Each type differs in its storage implementation and initial contents. An emptyDir volume is created when a Pod is assigned to a Node and exists as long as the Pod is running on that Node. When the Pod crashes or is removed from the Node, any data in the emptyDir volume is lost. Another volume type is a ReadWriteOnceVolume, which is only mounted to a single container in the cluster and is only ever accessed for reads.
As the complexity of applications increases, engineering teams need a way to scale their solutions. Kubernetes provides a mechanism to do so by defining storage volumes. These aren’t top-level resources like pods but define a specific location within the file system accessible to containers in the Pod.
These volumes can be temporary or persistent. Ephemeral volumes are only created when a Pod is deployed and exist as long as the Pod is running on a node. However, when a Pod is restarted or removed, the data in these volumes will be lost.
On the other hand, a Persistent Volume (PV) is backed by an underlying persistent disk and exists independently of a pod’s lifecycle. When a Pod requests storage by specifying a PersistentVolumeClaim, the cluster attempts to match it with an existing PV by looking at the capacity and access modes that it supports. Suppose you manually edit the capacity of a PersistentVolumeClaim to be larger than its backing PV. In that case, the control plane will automatically resize the volume on the underlying persistent disk without creating a new one.
It allows you to deploy multiple replicas of the same stateful application with the same volume, avoiding conflicts or errors when one Pod writes to it. At the same time, another container already uses the same volume. You can further enhance this scalability by using the admission policy to require hostPath mounts to use read-only mode.
Volume mounts separate data from the Pod state, providing better security for the Pod’s contents. This is especially important when containers die, or the liveness probe signals that they’re unhealthy. When a container dies, all the files written into its writable layer are deleted. This is fine for on-disk applications like databases and web servers, but it can be for other applications requiring data persistence.
You can protect those files better with volumes because the contents reside on the host file system. It means they’re not vulnerable to loss during a restart. Volumes also allow you to limit access to your data by defining access modes, such as ReadOnlyMany or ReadWriteManyPod.
When you specify an access mode for a PersistentVolumeClaim, Kubernetes uses it to bind the PVC to a storage volume. The cluster finds the Pod using that claim, looks up the PersistentVolume backing the claim in its namespace, and mounts that volume into it.
HostPath is a special PersistentVolume that mounts content from the host’s file system into a Pod. This is useful for some applications, such as sys tools, but it exposes privileged system credentials and potentially enables attackers to exploit the Pod or even the cluster. Alternatively, you can use AdmissionPolicy to restrict hostPath directories accessible by Pods and their containers.
Kubernetes volumes provide a flexible and reliable way to store data within containers. The volumeMounts field allows you to specify the path where your application will access the data stored in a container. It makes it easy to migrate the application to another environment. You can also use the configMap volume type to store configuration data separate from the application code.
A container can access a persistent volume (PV) through a persistent volume claim (PVC). The PVC captures the details of the storage implementation, such as NFS, Ceph, iSCSI, or a cloud-provider-specific mechanism. The PVC also defines the access mode, which specifies whether a volume can be mounted in read-only or write modes.
Ephemeral volumes are created when a Pod is assigned to a node and exist as long as the Pod remains in the cluster. All data in the temporary volume is lost when the Pod is deleted.
HostPath volumes are directories on the underlying host that a container can mount. They can expose privileged system credentials, and threats can exploit them for container escape or other attacks. You can limit the exposure of hostPath volumes by using an admission policy to require that all hostPath volumes use read-only access modes. In addition, you can restrict the number of hosts that can access hostPath volumes by using a ReadOnlyManyAccessPolicy.