Kubernetes hostPath Volume Guide
Use hostPath volumes to mount node filesystem paths into pods. Types, security risks, use cases for DaemonSets, and safer alternatives like local PVs.
Quick Answer:
hostPath mounts a file or directory from the host node's filesystem into a pod. Use it only for DaemonSets (log collectors, monitoring agents), never for regular workloads. Prefer local PersistentVolumes or CSI drivers for production storage.
The Problem
Some workloads need direct access to the node filesystem:
- Log collectors reading /var/log/containers/
- Monitoring agents accessing /sys or /proc
- GPU device plugins accessing /dev/nvidia*
- Container runtime socket (/var/run/containerd/containerd.sock)
But hostPath has serious risks: a pod can be given access to any file on the node, the workload becomes tied to one node's filesystem layout (no portability), and the data sits outside Kubernetes storage lifecycle management (no capacity tracking, no reclaim).
The Solution
Basic hostPath Volume
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: log-reader
spec:
  containers:
    - name: reader
      image: busybox
      command: ["tail", "-f", "/host-logs/syslog"]
      volumeMounts:
        - name: host-logs
          mountPath: /host-logs
          readOnly: true
  volumes:
    - name: host-logs
      hostPath:
        path: /var/log
        type: Directory
```
hostPath Types
```yaml
volumes:
  - name: vol
    hostPath:
      path: /data/myapp
      type: DirectoryOrCreate   # Creates if missing (0755, same owner as kubelet)

# Available types:
# ""                - No check (default, dangerous)
# DirectoryOrCreate - Creates directory if not exists
# Directory         - Must already exist
# FileOrCreate      - Creates file if not exists
# File              - Must already exist
# Socket            - Unix socket must exist
# CharDevice        - Character device must exist
# BlockDevice       - Block device must exist
```
DaemonSet Use Cases (Legitimate)
```yaml
# Fluentd/Vector log collector
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: log-collector
spec:
  selector:
    matchLabels:
      app: log-collector
  template:
    metadata:
      labels:
        app: log-collector
    spec:
      containers:
        - name: vector
          image: timberio/vector:0.42.0-alpine
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true
            - name: containers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: machine-id
              mountPath: /etc/machine-id
              readOnly: true
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
            type: Directory
        - name: containers
          hostPath:
            path: /var/lib/docker/containers
            type: Directory
        - name: machine-id
          hostPath:
            path: /etc/machine-id
            type: File
```
```yaml
# Node exporter (Prometheus)
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
spec:
  # selector and matching template labels are required by the DaemonSet API
  selector:
    matchLabels:
      app: node-exporter
  template:
    metadata:
      labels:
        app: node-exporter
    spec:
      hostNetwork: true
      hostPID: true
      containers:
        - name: exporter
          image: prom/node-exporter:v1.8.2
          args:
            - --path.procfs=/host/proc
            - --path.sysfs=/host/sys
            - --path.rootfs=/host/root
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
            - name: root
              mountPath: /host/root
              readOnly: true
              mountPropagation: HostToContainer
      volumes:
        - name: proc
          hostPath:
            path: /proc
            type: Directory
        - name: sys
          hostPath:
            path: /sys
            type: Directory
        - name: root
          hostPath:
            path: /
            type: Directory
```
Safer Alternative: Local PersistentVolume
```yaml
# For workloads that need node-local SSD storage
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-ssd-pv
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: local-ssd
  local:
    path: /mnt/ssd/data
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - worker-01
```
Architecture
```mermaid
graph TD
    A[Pod] -->|volumeMount| B[hostPath Volume]
    B -->|direct access| C[Node Filesystem]
    D[Pod Security Admission] -->|restrict| B
    E[Pod Security Policy] -->|allowedHostPaths| B
    F[Safer Alternatives]
    F --> G[emptyDir - ephemeral]
    F --> H[local PV - managed lifecycle]
    F --> I[CSI driver - cloud storage]
```
Common Issues
| Issue | Cause | Fix |
|---|---|---|
| Permission denied | Container runs as non-root | Set securityContext.runAsUser: 0 or fix host permissions |
| Pod scheduled on wrong node | hostPath data is node-local | Use nodeSelector or nodeAffinity |
| Data lost on pod reschedule | Pod moved to different node | Use PVC with network storage instead |
| Security policy blocks hostPath | PSA restricted profile | Use baseline or privileged for DaemonSets only |
| Disk fills up node | No quota on hostPath | Use local PV with capacity enforcement |
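How the Pod Security Admission restriction in the table above is actually applied, as an added example that is not part of the original guide. Both the `restricted` and the `baseline` Pod Security Standards forbid hostPath volumes, so a namespace that must run hostPath-based DaemonSets has to be labelled `privileged`; the `audit` label on that namespace still records in the API server audit log every pod that would have failed `restricted`, which is how you notice a stray application pod landing in the system namespace. The namespace names are assumptions.

```yaml
# Application namespace: any pod with a hostPath volume is rejected at admission
apiVersion: v1
kind: Namespace
metadata:
  name: apps
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# System namespace for log collectors and node exporters: privileged is the only
# profile that admits hostPath; audit against restricted to log what is running here
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

Apply with `kubectl apply -f`, then `kubectl label --dry-run=server --overwrite ns apps pod-security.kubernetes.io/enforce=restricted` lists the existing pods in a namespace that would be rejected before you turn enforcement on.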
Best Practices
- Always set readOnly: true unless you specifically need write access
- Use a specific type (Directory or File) so the path is validated to exist at schedule time
- Restrict with Pod Security Admission: only allow hostPath for system DaemonSets
- Prefer local PersistentVolumes: proper lifecycle, capacity tracking, scheduling
- Never use hostPath for application data: it breaks portability and HA
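A check for the rules in this list and for the `type` table in the hostPath Types section, as an added example rather than code from the guide: a small Python audit that applies them to the JSON that `kubectl get pods -A -o json` prints. It reports hostPath volumes on pods not owned by a DaemonSet, hostPath volumes with no `type`, hostPath mounts that are not read-only, and mounts of the node root or the containerd socket the guide names. The PodList embedded in the script is constructed for the example, and its pod names, namespaces and the helper names are assumptions.

```python
"""Audit pod objects for risky hostPath usage.

Added example, not code from the original guide. It reads the JSON that
`kubectl get pods -A -o json` prints (a PodList) and applies the guide's
rules: hostPath only on DaemonSet-owned pods, every hostPath mount
readOnly, an explicit hostPath `type`, and a flag on mounts of the node
root or the container runtime socket. The PodList below is constructed
for this example; pod names and namespaces are made up.
"""
import json

# Host paths the guide names that deserve review even when mounted read-only.
SENSITIVE_PATHS = {"/", "/var/run/containerd/containerd.sock"}


def is_daemonset_pod(pod):
    """True when the pod is controlled by a DaemonSet (via ownerReferences)."""
    owners = pod.get("metadata", {}).get("ownerReferences", [])
    return any(o.get("kind") == "DaemonSet" for o in owners)


def audit_pod(pod):
    """Return a list of human-readable findings for one Pod object."""
    meta = pod["metadata"]
    ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
    spec = pod["spec"]
    findings = []

    # Map volume name -> hostPath definition, for the hostPath volumes only.
    host_vols = {v["name"]: v["hostPath"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    if not host_vols:
        return findings

    if not is_daemonset_pod(pod):
        findings.append(f"{ident}: hostPath used by a non-DaemonSet pod")

    for name, hp in host_vols.items():
        path = hp.get("path", "")
        # An empty or missing type means the kubelet performs no check at all.
        if not hp.get("type"):
            findings.append(f"{ident}: volume {name} has no hostPath type (no check on {path})")
        normalized = path.rstrip("/") or "/"
        if normalized in SENSITIVE_PATHS:
            findings.append(f"{ident}: volume {name} exposes sensitive host path {path}")

    # Every container (init containers included) that mounts a hostPath volume
    # must do so read-only; readOnly defaults to false when absent.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly", False):
                findings.append(f"{ident}: container {c['name']} mounts hostPath {m['name']} read-write")
    return findings


def audit_podlist(podlist_json):
    """Audit a PodList (or a single Pod) serialized as JSON."""
    data = json.loads(podlist_json)
    items = data["items"] if data.get("kind") == "PodList" else [data]
    findings = []
    for pod in items:
        findings.extend(audit_pod(pod))
    return findings


# Constructed sample: one compliant log-collector pod owned by a DaemonSet,
# one application pod that mounts the node root read-write with no type.
SAMPLE_PODLIST = """{
  "kind": "PodList",
  "items": [
    {"metadata": {"name": "log-collector-x7k2p", "namespace": "kube-system",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "log-collector"}]},
     "spec": {
       "containers": [{"name": "vector", "volumeMounts": [
         {"name": "varlog", "mountPath": "/var/log", "readOnly": true},
         {"name": "machine-id", "mountPath": "/etc/machine-id", "readOnly": true}]}],
       "volumes": [
         {"name": "varlog", "hostPath": {"path": "/var/log", "type": "Directory"}},
         {"name": "machine-id", "hostPath": {"path": "/etc/machine-id", "type": "File"}}]}},
    {"metadata": {"name": "web-app", "namespace": "default"},
     "spec": {
       "containers": [{"name": "app", "volumeMounts": [
         {"name": "host-root", "mountPath": "/host"}]}],
       "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}
  ]
}"""


def sample_findings():
    """Run the audit over the constructed sample (four findings, all on web-app)."""
    return audit_podlist(SAMPLE_PODLIST)


if __name__ == "__main__":
    import sys
    # Read a live PodList from stdin when piped; fall back to the sample otherwise.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODLIST
    for line in audit_podlist(source):
        print(line)
```

Run it against a cluster with `kubectl get pods -A -o json | python3 hostpath_audit.py`. The log-collector pod passes every rule; the web-app pod produces four findings, and the node-exporter DaemonSet from this guide would still trigger the sensitive-path line for `/`, which is the intended prompt to confirm that such a mount really belongs to a system DaemonSet and is read-only.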
Key Takeaways
- hostPath gives pods direct node filesystem access: powerful but dangerous
- Legitimate uses: log collectors, monitoring agents, device plugins (always as DaemonSets)
- Always use readOnly: true and a specific type field for safety
- For application storage, use local PVs (managed lifecycle) or network-attached CSI volumes
- The Pod Security Admission restricted profile blocks hostPath; use a privileged namespace for system DaemonSets
