Kubernetes hostPath volumes: use cases, examples and security considerations
Learn how hostPath volumes work in Kubernetes with practical examples. Covers valid use cases, the DirectoryOrCreate type, security risks in multi-tenant clusters, and when to use alternatives.
5 lessons · 16 min · Intermediate
Written by
Marketing Team at Civo
Written by
Marketing Team at Civo
A hostPath volume mounts a file or directory from the host node's filesystem directly into a pod. It is one of the simplest volume types but also one of the most dangerous in the wrong context. This page covers what hostPath does, when it is acceptable to use it, and why you should avoid it in production multi-tenant clusters.
How hostPath works
When a pod with a hostPath volume is scheduled to a node, Kubernetes mounts the specified path from that node's filesystem into the container at the defined mount path. The data lives on the node, not in the pod. If you create a file inside the container at the mount path, it appears on the node's filesystem at the hostPath location.
This is different from emptyDir, which creates a fresh temporary directory for each pod. hostPath mounts an existing path from the node that persists independently of the pod lifecycle.
Security warning
Do not use hostPath in production multi-tenant clusters. hostPath gives a pod direct access to the host node's filesystem. In a multi-tenant cluster, this creates two serious risks:
Portability failure. If the pod is deleted and rescheduled to a different node, the hostPath data is not there. The pod starts on a different node and the files it created on the previous node are inaccessible. There is no portability across nodes.
Security risk. A compromised or misconfigured pod with a hostPath volume can read sensitive files from the node, including credentials, certificates, and other containers' data. In a multi-tenant cluster this is a significant attack surface. Security-conscious practitioners avoid hostPath even in development clusters for this reason.
For persistent storage in production, use a PVC with dynamic provisioning. For node-local high-performance storage, use a local volume which is Kubernetes-managed and scheduler-aware.
Valid use cases
hostPath is acceptable in the following scenarios:
- Log collection DaemonSets that need to read
/var/log/containersor/var/log/podsfrom every node - Monitoring agents such as Prometheus node-exporter that need access to
/procor/systo collect hardware and OS metrics - Container runtime socket access for tools that need to communicate with the containerd socket
- cAdvisor running in a container by mounting
/sysof the node - Single-node development clusters where pod rescheduling to a different node is not a concern
In all cases, use RBAC to restrict which service accounts can create pods with hostPath volumes.
The type field
The type field in a hostPath spec controls what Kubernetes checks or creates at the path before mounting. It is optional but recommended.
If you omit the type field, Kubernetes does not check or validate the path before mounting.
Working example
This example creates a pod with a hostPath volume using DirectoryOrCreate. The directory /data is created on the node if it does not already exist, and mounted at /demo inside the container.
apiVersion: v1kind: Podmetadata:name: hostpath-podspec:containers:- name: busyboximage: busyboxcommand: ["sh", "-c", "while true; do sleep 3600; done"]volumeMounts:- mountPath: /demoname: host-volumevolumes:- name: host-volumehostPath:path: /datatype: DirectoryOrCreate
kubectl create -f pod.yamlkubectl get pods
Exec into the pod:
kubectl exec -it hostpath-pod -- sh
Navigate to the mount path and create a file:
cd /demotouch testexit
Check which node the pod is running on:
kubectl get pods -o wide
Verify the file exists on the node by execing into the pod directly:
kubectl exec -it hostpath-pod -- ls /demo
Expected output:
test
DaemonSet example with hostPath
This is the most legitimate production use of hostPath. A log-shipping DaemonSet reads container logs from every node:
apiVersion: apps/v1kind: DaemonSetmetadata:name: log-collectorspec:selector:matchLabels:app: log-collectortemplate:metadata:labels:app: log-collectorspec:containers:- name: fluentdimage: fluentd:v1.16volumeMounts:- mountPath: /var/log/containersname: container-logsreadOnly: truevolumes:- name: container-logshostPath:path: /var/log/containerstype: Directory
The readOnly: true flag on the volume mount ensures the container can read logs but cannot write to or modify the host log directory.

Marketing Team at Civo
Civo is the Sovereign Cloud and AI platform designed to help developers and enterprises build without limits. We bridge the gap between the openness of the public cloud and the rigorous security of private environments, delivering full cloud parity across every deployment. As a team, we are dedicated to providing scalable compute, lightning-fast Kubernetes, and managed services that are ready in minutes. Through CivoStack Enterprise and our FlexCore appliance, we empower organizations to maintain total data sovereignty on their own hardware.
Our mission is to make the cloud faster, simpler, and fairer. By providing enterprise-grade NVIDIA GPUs and streamlined model management, we ensure that high-performance AI and machine learning are accessible to everyone. Built for transparency and performance, the Civo Team is here to give you total control over your infrastructure, your data, and your spend.
Share this lesson