Kubernetes Volumes: A Comprehensive Guide

Introduction to Kubernetes Volumes

Kubernetes volumes provide a mechanism for containers within a Pod to access and share data via the filesystem. They address critical needs in containerized environments, such as data persistence and shared storage, by abstracting the underlying storage medium and enabling flexible data management. Unlike on-disk files in a container, which are ephemeral and lost upon container crashes or restarts, volumes ensure data durability and accessibility across container lifecycles.

Why Volumes Matter

  1. Data Persistence: Containers are inherently stateless, and their local files are lost when a container crashes or restarts. Volumes allow data to persist beyond the container's lifecycle, ensuring continuity for applications.
  2. Shared Storage: Multiple containers within a Pod, or even across Pods, may need to share data. Volumes facilitate seamless file sharing, overcoming the challenges of coordinating filesystem access.
  3. Flexibility: Volumes support various use cases, such as configuration injection, temporary scratch space, and durable storage, catering to diverse application requirements.

Prerequisites

Before diving into volumes, ensure you understand Kubernetes Pods, as they are the fundamental units that utilize volumes to run containers. Familiarity with PersistentVolumes (PVs) and PersistentVolumeClaims (PVCs) is also recommended for advanced volume types.

How Volumes Work

A Kubernetes volume is a directory, potentially containing data, that is accessible to containers in a Pod. The volume's characteristics—such as its backing medium, contents, and lifecycle—depend on the volume type. Volumes are defined in a Pod's .spec.volumes field and mounted into containers via .spec.containers[*].volumeMounts.

Key Concepts

  • Mounting: Volumes are mounted at specific paths within a container's filesystem, overlaying the container image's root filesystem. Writes to these paths affect the volume, not the image [>-].
  • Ephemeral vs. Persistent Volumes:
  • Ephemeral Volumes: Tied to a Pod's lifecycle, they are created and destroyed with the Pod (e.g., emptyDir).
  • Persistent Volumes: Exist independently of Pods, preserving data across Pod restarts or deletions (e.g., persistentVolumeClaim).
  • Constraints: Volumes cannot be mounted within other volumes, and hard links across volumes are not supported. For specific sub-directory access, use the subPath mechanism.

Volume Lifecycle

  1. Creation: When a Pod is scheduled to a node, Kubernetes creates the specified volumes.
  2. Mounting: Volumes are mounted into containers at the specified paths.
  3. Usage: Containers read from and write to the volume as needed.
  4. Destruction: Ephemeral volumes are deleted when the Pod is removed; persistent volumes persist until explicitly reclaimed.

Types of Kubernetes Volumes

Kubernetes supports a variety of volume types, each suited to specific use cases. Below is a categorized overview of the most relevant volume types, including their purpose, configuration, and status as of Kubernetes v1.33 (April 2025).

Ephemeral Volume Types

These volumes are created and destroyed with the Pod, making them ideal for temporary or Pod-specific data.

  1. emptyDir
  2. Purpose: Provides a temporary, initially empty directory for scratch space or shared storage within a Pod.
  3. Use Cases:
    • Temporary storage for disk-based operations (e.g., merge sort).
    • Checkpointing long computations for crash recovery.
    • Sharing data between containers (e.g., a content-manager fetching files for a webserver).
  4. Configuration:
    • Medium: Default is the node's storage (disk, SSD, etc.). Set medium: Memory for a RAM-backed tmpfs, which is faster but counts against container memory limits.
    • Size Limit: Optional sizeLimit caps storage usage, allocated from node ephemeral storage.
  5. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - name: test-container
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: 500Mi
      medium: Memory

  6. Notes:

    • Data persists across container crashes but is deleted when the Pod is removed.
    • Memory-backed volumes require careful resource management to avoid node memory exhaustion.

  7. configMap

  8. Purpose: Mounts configuration data from a ConfigMap as read-only files in a Pod.
  9. Use Cases: Injecting configuration files or environment-specific settings into containers.
  10. Configuration:
    • Reference a ConfigMap by name and optionally specify paths for specific keys.
    • Data is mounted as UTF-8 encoded files; use binaryData for other encodings.
  11. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  containers:
  - name: test
    image: busybox:1.28
    command: ['sh', '-c', 'echo "The app is running!" && tail -f /dev/null']
    volumeMounts:
    - name: config-vol
      mountPath: /etc/config
  volumes:
  - name: config-vol
    configMap:
      name: log-config
      items:
      - key: log_level
        path: log_level.conf

  12. Notes:

    • ConfigMaps must exist before use.
    • Mounted as read-only; updates to the ConfigMap do not propagate to subPath mounts.

  13. secret

  14. Purpose: Mounts sensitive data (e.g., passwords, tokens) from a Secret as read-only files.
  15. Use Cases: Securely passing credentials to applications.
  16. Configuration:
    • Backed by tmpfs (RAM-backed), ensuring data is not written to disk.
    • Reference a Secret by name, similar to ConfigMap.
  17. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: test
    image: busybox:1.28
    volumeMounts:
    - name: secret-vol
      mountPath: /etc/secret
  volumes:
  - name: secret-vol
    secret:
      secretName: my-secret

  18. Notes:

    • Secrets must exist before use.
    • Mounted as read-only; updates do not propagate to subPath mounts.

  19. downwardAPI

  20. Purpose: Exposes Pod metadata (e.g., namespace, labels) as read-only files.
  21. Use Cases: Providing runtime context to applications (e.g., logging Pod details).
  22. Configuration: Specify fields or resource metadata to expose.
  23. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: downward-pod
spec:
  containers:
  - name: test
    image: busybox:1.28
    volumeMounts:
    - name: pod-info
      mountPath: /etc/podinfo
  volumes:
  - name: pod-info
    downwardAPI:
      items:
      - path: "labels"
        fieldRef:
          fieldPath: metadata.labels

  24. Notes: Updates to metadata do not propagate to subPath mounts.

  25. image (Beta, Kubernetes v1.33)

  26. Purpose: Mounts the contents of an OCI container image or artifact as a read-only volume.
  27. Use Cases: Accessing static data bundled in an image without running it as a container.
  28. Configuration:
    • Specify an image reference and pullPolicy (Always, Never, IfNotPresent).
    • Mounted as read-only, with noexec on Linux.
  29. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: image-volume
spec:
  containers:
  - name: shell
    image: debian
    command: ["sleep", "infinity"]
    volumeMounts:
    - name: volume
      mountPath: /volume
  volumes:
  - name: volume
    image:
      reference: quay.io/crio/artifact:v2
      pullPolicy: IfNotPresent
  30. Notes:
    • Requires the container runtime to support OCI objects.
    • SubPath mounts are supported from v1.33.

Persistent Volume Types

These volumes rely on PersistentVolumes (PVs) and PersistentVolumeClaims (PVCs) for durable storage that outlives Pods.

  1. persistentVolumeClaim
  2. Purpose: Mounts a PersistentVolume into a Pod, abstracting the underlying storage details.
  3. Use Cases: Durable storage for databases, file systems, or other stateful applications.
  4. Configuration:
    • Reference a PVC by name.
    • Supports dynamic provisioning via StorageClasses.
  5. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: pvc-pod
spec:
  containers:
  - name: test
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /data
      name: storage
  volumes:
  - name: storage
    persistentVolumeClaim:
      claimName: my-pvc

  6. Notes: PVCs provide a user-friendly abstraction for requesting storage without needing to manage PVs directly.

  7. local

  8. Purpose: Mounts a local storage device (disk, partition, or directory) as a PersistentVolume.
  9. Use Cases: High-performance storage for applications tolerant of node-specific constraints.
  10. Configuration:
    • Requires a statically created PV with nodeAffinity to bind to a specific node.
    • Supports Filesystem or Block volume modes.
  11. Example: 
    apiVersion: v1
kind: PersistentVolume
metadata:
  name: example-pv
spec:
  capacity:
    storage: 100Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: local-storage
  local:
    path: /mnt/disks/ssd1
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - example-node

  12. Notes:

    • No dynamic provisioning; requires manual PV creation.
    • Node failures can render the volume inaccessible, so use with caution.

  13. nfs

  14. Purpose: Mounts an existing NFS share into a Pod, supporting multiple writers.
  15. Use Cases: Shared storage for collaborative workloads or pre-populated datasets.
  16. Configuration:
    • Specify the NFS server and path.
    • Mount options can be set server-side or via /etc/nfsmount.conf.
  17. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: nfs-pod
spec:
  containers:
  - name: test
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /my-nfs-data
      name: test-volume
  volumes:
  - name: test-volume
    nfs:
      server: my-nfs-server.example.com
      path: /my-nfs-volume
      readOnly: true

  18. Notes:

    • Requires an existing NFS server.
    • PersistentVolumes can be used for more control over mount options.

  19. iscsi

  20. Purpose: Mounts an iSCSI volume, supporting pre-populated data and read-only access by multiple consumers.
  21. Use Cases: Shared datasets or durable storage for legacy systems.
  22. Configuration:
    • Specify the iSCSI target and LUN.
    • Read-only mounts allow multiple consumers; read-write is single-consumer only.
  23. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: iscsi-pod
spec:
  containers:
  - name: test
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /data
      name: iscsi-volume
  volumes:
  - name: iscsi-volume
    iscsi:
      targetPortal: iscsi-server.example.com:3260
      iqn: iqn.2003-01.com.example:storage
      lun: 0
      fsType: ext4
      readOnly: true
  24. Notes:
    • Requires an existing iSCSI server.
    • Data persists across Pod lifecycles.

Host-Based Volume Types

These volumes interact directly with the host node's filesystem, often requiring careful security considerations.

  1. hostPath
  2. Purpose: Mounts a file or directory from the host node's filesystem into a Pod.
  3. Use Cases:
    • Accessing node-level resources (e.g., logs at /var/log).
    • Providing configuration files to static Pods.
  4. Configuration:
    • Specify the path and optional type (e.g., Directory, FileOrCreate).
    • Types ensure the path exists or is created with specific permissions.
  5. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: hostpath-pod
spec:
  containers:
  - name: test
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /foo
      name: example-volume
      readOnly: true
  volumes:
  - name: example-volume
    hostPath:
      path: /data/foo
      type: Directory
  6. Security Considerations:
    • Exposes host filesystem, risking container escape or cluster compromise.
    • Use read-only mounts and restrict paths via admission policies.
    • Pods may behave differently across nodes due to varying host files.
  7. Notes:
    • Avoid unless necessary; prefer local PersistentVolumes for durability.
    • Monitor disk usage, as hostPath does not count toward ephemeral storage limits.

Specialty Volume Types

These volumes cater to specific storage protocols or configurations.

  1. fc (Fibre Channel)
  2. Purpose: Mounts an existing Fibre Channel block storage volume.
  3. Use Cases: High-performance storage for enterprise applications.
  4. Configuration:
    • Specify target World Wide Names (WWNs) for single or multi-path connections.
    • Requires FC SAN Zoning configuration.
  5. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: fc-pod
spec:
  containers:
  - name: test
    image: registry.k8s.io/test-webserver
    volumeMounts:
    - mountPath: /data
      name: fc-volume
  volumes:
  - name: fc-volume
    fc:
      targetWWNs: ["50060e801049cfd1"]
      lun: 0
      fsType: ext4

  6. Notes: Requires pre-configured Fibre Channel infrastructure.

  7. projected

  8. Purpose: Maps multiple volume sources (e.g., secret, configMap, downwardAPI) into a single directory.
  9. Use Cases: Consolidating configuration data from multiple sources.
  10. Configuration: Specify multiple sources with their respective paths.
  11. Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: projected-pod
spec:
  containers:
  - name: test
    image: busybox:1.28
    volumeMounts:
    - mountPath: /config
      name: all-configs
  volumes:
  - name: all-configs
    projected:
      sources:
      - configMap:
          name: my-config
      - secret:
          name: my-secret
  12. Notes: Simplifies access to heterogeneous configuration data.

Deprecated and Removed Volume Types

Several volume types have been deprecated or removed in Kubernetes v1.33, with operations redirected to Container Storage Interface (CSI) drivers. These include:

  • awsElasticBlockStore: Deprecated in v1.19, removed in v1.27. Use ebs.csi.aws.com CSI driver.
  • azureDisk: Deprecated in v1.19, removed in v1.27. Use disk.csi.azure.com CSI driver.
  • azureFile: Deprecated in v1.21, removed in v1.30. Use file.csi.azure.com CSI driver.
  • cinder: Deprecated in v1.11, removed in v1.26. Use cinder.csi.openstack.org CSI driver.
  • gcePersistentDisk: Deprecated in v1.17, removed in v1.28. Use pd.csi.storage.gke.io CSI driver.
  • portworxVolume: Deprecated in v1.25, redirected to pxd.portworx.com CSI driver.
  • vsphereVolume: Deprecated in v1.19, removed in v1.30. Use csi.vsphere.vmware.com CSI driver.
  • cephfs: Deprecated in v1.28, removed in v1.31.
  • glusterfs: Deprecated in v1.25, removed in v1.26.
  • rbd: Deprecated in v1.28, removed in v1.31.
  • gitRepo: Deprecated and disabled by default. Use emptyDir with an init container to clone repositories.

Recommendation: Transition to CSI drivers for deprecated types to ensure compatibility and support.

Advanced Volume Features

Using subPath

The subPath property allows mounting a specific sub-directory or file from a volume, enabling multiple uses of a single volume within a Pod.

  • Use Case: Sharing a volume between containers with different mount points (e.g., a LAMP stack with MySQL and PHP sharing a volume).
  • Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: lamp-pod
spec:
  containers:
  - name: mysql
    image: mysql
    volumeMounts:
    - mountPath: /var/lib/mysql
      name: site-data
      subPath: mysql
  - name: php
    image: php:7.0-apache
    volumeMounts:
    - mountPath: /var/www/html
      name: site-data
      subPath: html
  volumes:
  - name: site-data
    persistentVolumeClaim:
      claimName: my-lamp-site-data
  • Notes:
  • Not recommended for production due to complexity.
  • Updates to the volume's source (e.g., ConfigMap, Secret) do not propagate to subPath mounts.

subPathExpr

The subPathExpr field (stable in v1.17) constructs subPath names using environment variables from the downward API.

  • Use Case: Dynamic directory naming based on Pod metadata.
  • Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: container1
    image: busybox:1.28
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    volumeMounts:
    - name: workdir1
      mountPath: /logs
      subPathExpr: $(POD_NAME)
  volumes:
  - name: workdir1
    hostPath:
      path: /var/log/pods
  • Notes: Mutually exclusive with subPath.

Mount Propagation

Mount propagation controls how volume mounts are shared between containers or with the host. It is a low-level feature with limited support across volume types.

  • Modes:
  • None: No mounts are propagated; default mode (equivalent to rprivate in mount(8)).
  • HostToContainer: The container sees mounts made by the host (equivalent to rslave).
  • Bidirectional: Mounts are propagated both ways, allowing containers to mount back to the host (equivalent to rshared).
  • Use Cases: Primarily for hostPath or memory-backed emptyDir with FlexVolume/CSI drivers.
  • Warnings:
  • Limited to hostPath and memory-backed emptyDir due to inconsistent behavior.
  • Bidirectional is dangerous and restricted to privileged containers, as it can affect the host OS.
  • Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: propagation-pod
spec:
  containers:
  - name: test
    image: busybox:1.28
    volumeMounts:
    - mountPath: /data
      name: host-vol
      mountPropagation: HostToContainer
  volumes:
  - name: host-vol
    hostPath:
      path: /mnt

Read-Only Mounts

Volumes can be mounted as read-only by setting .spec.containers[].volumeMounts[].readOnly: true.

  • Behavior: Only the specific container mount is read-only; other containers may mount the same volume as read-write.
  • Limitation: On Linux, read-only mounts are not recursively read-only by default, allowing writable sub-mounts (e.g., tmpfs).

Recursive Read-Only Mounts (Stable, v1.33)

Enables recursively read-only mounts, ensuring sub-mounts are also read-only.

  • Configuration:
  • Enable the RecursiveReadOnlyMounts feature gate (default in v1.33).
  • Set .spec.containers[].volumeMounts[].recursiveReadOnly to Enabled or IfPossible.
  • Requirements:
  • readOnly: true.
  • mountPropagation unset or set to None.
  • Linux kernel v5.12+.
  • CRI and OCI runtimes supporting recursive read-only mounts (e.g., containerd v2.0+, CRI-O v1.30+).
  • Example: 
    apiVersion: v1
kind: Pod
metadata:
  name: rro-pod
spec:
  containers:
  - name: busybox
    image: busybox
    volumeMounts:
    - name: mnt
      mountPath: /mnt-rro
      readOnly: true
      mountPropagation: None
      recursiveReadOnly: Enabled
  volumes:
  - name: mnt
    hostPath:
      path: /mnt
  • Notes: Fallback to Disabled if requirements are not met when using IfPossible.

Out-of-Tree Volume Plugins

Kubernetes supports out-of-tree volume plugins to integrate external storage systems without modifying the core codebase.

  1. Container Storage Interface (CSI):
  2. Purpose: Standard interface for exposing arbitrary storage systems to Kubernetes.
  3. Usage:
    • Reference via persistentVolumeClaim, generic ephemeral volumes, or CSI ephemeral volumes.
    • Configure with driver, volumeHandle, and optional secrets.
  4. Example: 
    apiVersion: v1
kind: PersistentVolume
metadata:
  name: csi-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  csi:
    driver: my-csi-driver
    volumeHandle: unique-volume-id

  5. Notes:

    • Requires CSI driver installation.
    • Supports provisioning, attach/detach, mount/unmount, and resizing.
    • Check driver compatibility with Kubernetes releases.

  6. FlexVolume (Deprecated, v1.23):

  7. Purpose: Exec-based plugin interface for custom storage drivers.
  8. Usage: Requires driver binaries on nodes; interacts via the flexVolume in-tree plugin.
  9. Notes:
    • Deprecated; migrate to CSI drivers.
    • Supports Windows via SMB and iSCSI plugins.

Resource Management

  • emptyDir: Storage is drawn from the node's filesystem (default) or memory (medium: Memory). No inherent size limits unless sizeLimit is set.
  • hostPath: No size limits; monitor disk usage manually to avoid node disk pressure.
  • CSI Volumes: Resource limits depend on the driver and underlying storage.

For precise resource allocation, use resource specifications in Pod definitions.

Best Practices

  1. Choose the Right Volume Type:
  2. Use emptyDir for temporary data, configMap/secret for configuration, and persistentVolumeClaim for durable storage.
  3. Avoid hostPath unless necessary due to security risks.
  4. Leverage CSI Drivers: Transition from deprecated in-tree plugins to CSI drivers for better support and flexibility.
  5. Secure Sensitive Data: Use secret volumes for credentials and ensure read-only mounts where possible.
  6. Monitor Resource Usage: Set sizeLimit for emptyDir and monitor hostPath to prevent node resource exhaustion.
  7. Test Persistence: Validate data durability across container crashes and Pod restarts for critical applications.

What's Next

  • Explore PersistentVolumes and PersistentVolumeClaims for advanced storage management.
  • Follow tutorials, such as deploying WordPress with MySQL using Persistent Volumes, to apply these concepts.
  • Refer to CSI driver documentation for specific storage vendor integrations.