Projected Volumes

This document describes projected volumes in Kubernetes. Familiarity with volumes is suggested.

Introduction

A projected volume maps several existing volume sources into the same directory.

Currently, the following types of volume sources can be projected:

All sources are required to be in the same namespace as the Pod. For more details, see the all-in-one volume design document.

Example configuration with a secret, a downwardAPI, and a configMap

pods/storage/projected-secret-downwardapi-configmap.yaml Projected Volumes - 图1

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: volume-test
  5. spec:
  6.   containers:
  7.   - name: container-test
  8.     image: busybox:1.28
  9.     command: ["sleep", "3600"]
  10.     volumeMounts:
  11.     - name: all-in-one
  12.       mountPath: "/projected-volume"
  13.       readOnly: true
  14.   volumes:
  15.   - name: all-in-one
  16.     projected:
  17.       sources:
  18.       - secret:
  19.           name: mysecret
  20.           items:
  21.             - key: username
  22.               path: my-group/my-username
  23.       - downwardAPI:
  24.           items:
  25.             - path: "labels"
  26.               fieldRef:
  27.                 fieldPath: metadata.labels
  28.             - path: "cpu_limit"
  29.               resourceFieldRef:
  30.                 containerName: container-test
  31.                 resource: limits.cpu
  32.       - configMap:
  33.           name: myconfigmap
  34.           items:
  35.             - key: config
  36.               path: my-group/my-config

Example configuration: secrets with a non-default permission mode set

pods/storage/projected-secrets-nondefault-permission-mode.yaml Projected Volumes - 图2

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: volume-test
  5. spec:
  6.   containers:
  7.   - name: container-test
  8.     image: busybox:1.28
  9.     command: ["sleep", "3600"]
  10.     volumeMounts:
  11.     - name: all-in-one
  12.       mountPath: "/projected-volume"
  13.       readOnly: true
  14.   volumes:
  15.   - name: all-in-one
  16.     projected:
  17.       sources:
  18.       - secret:
  19.           name: mysecret
  20.           items:
  21.             - key: username
  22.               path: my-group/my-username
  23.       - secret:
  24.           name: mysecret2
  25.           items:
  26.             - key: password
  27.               path: my-group/my-password
  28.               mode: 511

Each projected volume source is listed in the spec under sources. The parameters are nearly the same with two exceptions:

  • For secrets, the secretName field has been changed to name to be consistent with ConfigMap naming.
  • The defaultMode can only be specified at the projected level and not for each volume source. However, as illustrated above, you can explicitly set the mode for each individual projection.

serviceAccountToken projected volumes

You can inject the token for the current service account into a Pod at a specified path. For example:

pods/storage/projected-service-account-token.yaml Projected Volumes - 图3

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: sa-token-test
  5. spec:
  6.   containers:
  7.   - name: container-test
  8.     image: busybox:1.28
  9.     command: ["sleep", "3600"]
  10.     volumeMounts:
  11.     - name: token-vol
  12.       mountPath: "/service-account"
  13.       readOnly: true
  14.   serviceAccountName: default
  15.   volumes:
  16.   - name: token-vol
  17.     projected:
  18.       sources:
  19.       - serviceAccountToken:
  20.           audience: api
  21.           expirationSeconds: 3600
  22.           path: token

The example Pod has a projected volume containing the injected service account token. Containers in this Pod can use that token to access the Kubernetes API server, authenticating with the identity of the pod’s ServiceAccount. The audience field contains the intended audience of the token. A recipient of the token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. This field is optional and it defaults to the identifier of the API server.

The expirationSeconds is the expected duration of validity of the service account token. It defaults to 1 hour and must be at least 10 minutes (600 seconds). An administrator can also limit its maximum value by specifying the --service-account-max-token-expiration option for the API server. The path field specifies a relative path to the mount point of the projected volume.

Note: A container using a projected volume source as a subPath volume mount will not receive updates for those volume sources.

clusterTrustBundle projected volumes

FEATURE STATE: Kubernetes v1.29 [alpha]

Note: To use this feature in Kubernetes 1.29, you must enable support for ClusterTrustBundle objects with the ClusterTrustBundle feature gate and --runtime-config=certificates.k8s.io/v1alpha1/clustertrustbundles=true kube-apiserver flag, then enable the ClusterTrustBundleProjection feature gate.

The clusterTrustBundle projected volume source injects the contents of one or more ClusterTrustBundle objects as an automatically-updating file in the container filesystem.

ClusterTrustBundles can be selected either by name or by signer name.

To select by name, use the name field to designate a single ClusterTrustBundle object.

To select by signer name, use the signerName field (and optionally the labelSelector field) to designate a set of ClusterTrustBundle objects that use the given signer name. If labelSelector is not present, then all ClusterTrustBundles for that signer are selected.

The kubelet deduplicates the certificates in the selected ClusterTrustBundle objects, normalizes the PEM representations (discarding comments and headers), reorders the certificates, and writes them into the file named by path. As the set of selected ClusterTrustBundles or their content changes, kubelet keeps the file up-to-date.

By default, the kubelet will prevent the pod from starting if the named ClusterTrustBundle is not found, or if signerName / labelSelector do not match any ClusterTrustBundles. If this behavior is not what you want, then set the optional field to true, and the pod will start up with an empty file at path.

pods/storage/projected-clustertrustbundle.yaml Projected Volumes - 图4

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4.   name: sa-ctb-name-test
  5. spec:
  6.   containers:
  7.   - name: container-test
  8.     image: busybox
  9.     command: ["sleep", "3600"]
  10.     volumeMounts:
  11.     - name: token-vol
  12.       mountPath: "/root-certificates"
  13.       readOnly: true
  14.   serviceAccountName: default
  15.   volumes:
  16.   - name: root-certificates-vol
  17.     projected:
  18.       sources:
  19.       - clusterTrustBundle:
  20.           name: example
  21.           path: example-roots.pem
  22.       - clusterTrustBundle:
  23.           signerName: "example.com/mysigner"
  24.           labelSelector:
  25.             matchLabels:
  26.               version: live
  27.           path: mysigner-roots.pem
  28.           optional: true

SecurityContext interactions

The proposal for file permission handling in projected service account volume enhancement introduced the projected files having the correct owner permissions set.

Linux

In Linux pods that have a projected volume and RunAsUser set in the Pod SecurityContext, the projected files have the correct ownership set including container user ownership.

When all containers in a pod have the same runAsUser set in their PodSecurityContext or container SecurityContext, then the kubelet ensures that the contents of the serviceAccountToken volume are owned by that user, and the token file has its permission mode set to 0600.

Note:

Ephemeral containers added to a Pod after it is created do not change volume permissions that were set when the pod was created.

If a Pod’s serviceAccountToken volume permissions were set to 0600 because all other containers in the Pod have the same runAsUser, ephemeral containers must use the same runAsUser to be able to read the token.

Windows

In Windows pods that have a projected volume and RunAsUsername set in the Pod SecurityContext, the ownership is not enforced due to the way user accounts are managed in Windows. Windows stores and manages local user and group accounts in a database file called Security Account Manager (SAM). Each container maintains its own instance of the SAM database, to which the host has no visibility into while the container is running. Windows containers are designed to run the user mode portion of the OS in isolation from the host, hence the maintenance of a virtual SAM database. As a result, the kubelet running on the host does not have the ability to dynamically configure host file ownership for virtualized container accounts. It is recommended that if files on the host machine are to be shared with the container then they should be placed into their own volume mount outside of C:\.

By default, the projected files will have the following ownership as shown for an example projected volume file:

  1. PS C:\> Get-Acl C:\var\run\secrets\kubernetes.io\serviceaccount\..2021_08_31_22_22_18.318230061\ca.crt | Format-List
  3. Path   : Microsoft.PowerShell.Core\FileSystem::C:\var\run\secrets\kubernetes.io\serviceaccount\..2021_08_31_22_22_18.318230061\ca.crt
  4. Owner  : BUILTIN\Administrators
  5. Group  : NT AUTHORITY\SYSTEM
  6. Access : NT AUTHORITY\SYSTEM Allow  FullControl
  7.          BUILTIN\Administrators Allow  FullControl
  8.          BUILTIN\Users Allow  ReadAndExecute, Synchronize
  9. Audit  :
  10. Sddl   : O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)

This implies all administrator users like ContainerAdministrator will have read, write and execute access while, non-administrator users will have read and execute access.

Note:

In general, granting the container access to the host is discouraged as it can open the door for potential security exploits.

Creating a Windows Pod with RunAsUser in it’s SecurityContext will result in the Pod being stuck at ContainerCreating forever. So it is advised to not use the Linux only RunAsUser option with Windows Pods.