Kubernetes hostPath volumes: use cases, examples and security considerations

Learn how hostPath volumes work in Kubernetes with practical examples. Covers valid use cases, the DirectoryOrCreate type, security risks in multi-tenant clusters, and when to use alternatives.

5 lessons · 16 min · Intermediate

3 minutes reading time

Written by

Civo Team
Civo Team

Marketing Team at Civo

A hostPath volume mounts a file or directory from the host node's filesystem directly into a pod. It is one of the simplest volume types but also one of the most dangerous in the wrong context. This page covers what hostPath does, when it is acceptable to use it, and why you should avoid it in production multi-tenant clusters.

How hostPath works

When a pod with a hostPath volume is scheduled to a node, Kubernetes mounts the specified path from that node's filesystem into the container at the defined mount path. The data lives on the node, not in the pod. If you create a file inside the container at the mount path, it appears on the node's filesystem at the hostPath location.

This is different from emptyDir, which creates a fresh temporary directory for each pod. hostPath mounts an existing path from the node that persists independently of the pod lifecycle.

Security warning

Do not use hostPath in production multi-tenant clusters. hostPath gives a pod direct access to the host node's filesystem. In a multi-tenant cluster, this creates two serious risks:

Portability failure. If the pod is deleted and rescheduled to a different node, the hostPath data is not there. The pod starts on a different node and the files it created on the previous node are inaccessible. There is no portability across nodes.

Security risk. A compromised or misconfigured pod with a hostPath volume can read sensitive files from the node, including credentials, certificates, and other containers' data. In a multi-tenant cluster this is a significant attack surface. Security-conscious practitioners avoid hostPath even in development clusters for this reason.

For persistent storage in production, use a PVC with dynamic provisioning. For node-local high-performance storage, use a local volume which is Kubernetes-managed and scheduler-aware.

Valid use cases

hostPath is acceptable in the following scenarios:

  • Log collection DaemonSets that need to read /var/log/containers or /var/log/pods from every node
  • Monitoring agents such as Prometheus node-exporter that need access to /proc or /sys to collect hardware and OS metrics
  • Container runtime socket access for tools that need to communicate with the containerd socket
  • cAdvisor running in a container by mounting /sys of the node
  • Single-node development clusters where pod rescheduling to a different node is not a concern

In all cases, use RBAC to restrict which service accounts can create pods with hostPath volumes.

The type field

The type field in a hostPath spec controls what Kubernetes checks or creates at the path before mounting. It is optional but recommended.

TypeBehaviour

Directory

Path must already exist as a directory. Fails if not present.

DirectoryOrCreate

Creates the directory (permissions 0755, owned by kubelet) if it does not exist.

File

Path must already exist as a file. Fails if not present.

FileOrCreate

Creates the file (permissions 0644, owned by kubelet) if it does not exist.

Socket

Path must already exist as a Unix socket.

CharDevice

Path must already exist as a character device.

BlockDevice

Path must already exist as a block device.

If you omit the type field, Kubernetes does not check or validate the path before mounting.

Working example

This example creates a pod with a hostPath volume using DirectoryOrCreate. The directory /data is created on the node if it does not already exist, and mounted at /demo inside the container.

apiVersion: v1
kind: Pod
metadata:
name: hostpath-pod
spec:
containers:
- name: busybox
image: busybox
command: ["sh", "-c", "while true; do sleep 3600; done"]
volumeMounts:
- mountPath: /demo
name: host-volume
volumes:
- name: host-volume
hostPath:
path: /data
type: DirectoryOrCreate
kubectl create -f pod.yaml
kubectl get pods

Exec into the pod:

kubectl exec -it hostpath-pod -- sh

Navigate to the mount path and create a file:

cd /demo
touch test
exit

Check which node the pod is running on:

kubectl get pods -o wide

Verify the file exists on the node by execing into the pod directly:

kubectl exec -it hostpath-pod -- ls /demo

Expected output:

test

DaemonSet example with hostPath

This is the most legitimate production use of hostPath. A log-shipping DaemonSet reads container logs from every node:

apiVersion: apps/v1
kind: DaemonSet
metadata:
name: log-collector
spec:
selector:
matchLabels:
app: log-collector
template:
metadata:
labels:
app: log-collector
spec:
containers:
- name: fluentd
image: fluentd:v1.16
volumeMounts:
- mountPath: /var/log/containers
name: container-logs
readOnly: true
volumes:
- name: container-logs
hostPath:
path: /var/log/containers
type: Directory

The readOnly: true flag on the volume mount ensures the container can read logs but cannot write to or modify the host log directory.

Civo Team
Civo Team

Marketing Team at Civo

Civo is the Sovereign Cloud and AI platform designed to help developers and enterprises build without limits. We bridge the gap between the openness of the public cloud and the rigorous security of private environments, delivering full cloud parity across every deployment. As a team, we are dedicated to providing scalable compute, lightning-fast Kubernetes, and managed services that are ready in minutes. Through CivoStack Enterprise and our FlexCore appliance, we empower organizations to maintain total data sovereignty on their own hardware.

Our mission is to make the cloud faster, simpler, and fairer. By providing enterprise-grade NVIDIA GPUs and streamlined model management, we ensure that high-performance AI and machine learning are accessible to everyone. Built for transparency and performance, the Civo Team is here to give you total control over your infrastructure, your data, and your spend.

View author profile