![[Pasted image 20250210220847.png]]

### Volume

Like Docker, a volume can be created and mapped into a pod. This lets the pod write its data outside itself, which is what makes a pod stateless.

#### HostPath

The simplest kind of volume: a path in the container is mapped to a path on the node that runs it.

> [!warning]
> **Avoid this approach** in Kubernetes, and make sure developers cannot use it. The node's Kubernetes certificates live on its filesystem, so a hostPath volume can mount them into a pod and compromise them. To contain this, an admission controller such as *Gatekeeper* can restrict the node paths a volume is allowed to map.

#### emptyDir

Created when the pod is created and empty by default. Useful for **caches**. It can also be backed by RAM instead of disk.

#### ConfigMap

A *ConfigMap* is a key-value store designed to distribute configuration to pods. Unlike Secrets, a ConfigMap's values are presented to pods as plain text.

#### Secret

Just like a *ConfigMap*, but the values of a *Secret* are encoded and shown in `base64`. Note that `base64` is an encoding, not encryption: anyone who can read the Secret object can recover the values. HashiCorp *Vault* can be used as a seamless secret manager.

### Persistent Volume (Claim)

From the cluster's perspective, a *persistent volume* (PV) is created and managed. From the user's perspective, its claim, the *persistent volume claim* (PVC), is created and used.

![[Pasted image 20250210222110.png]]

As shown in the figure, a persistent volume can connect to an external storage object.

> [!note]
> Creating a PV and its peered PVC by hand is *static* provisioning. It can be automated with a `StorageClass` (*dynamic* provisioning).

PVs and their claims are kept separate so that a user's access can be limited to claiming storage rather than managing the underlying storage arbitrarily.

#### StorageClass

A set of rules that defines how PVs and PVCs are created and managed for users automatically.

![[Pasted image 20250210222810.png]]

#### Access controls

A PVC can have different access modes:

1. `ReadWriteOnce`: only one pod can read and write to it (block storage).
2. `ReadWriteMany`: multiple pods can read and write to it (multi-attachment).
3. `ReadOnlyMany`: multiple pods can read it.

> [!tip]
> `ReadOnlyMany` is usually used when a volume is *cloned* from another volume.

#### Reclaim policy

Specifies what happens to the PV when a change (e.g. deletion) is made to its PVC. The default is `Delete`: when a PVC is deleted, its peered PV and the data in the remote storage are deleted as well. Types:

1. `Delete`: deletes the PV and the remote storage behind it.
2. `Recycle`: keeps the PV itself but deletes its content (deprecated).
3. `Retain`: keeps the PV and its data.

### Volume Snapshot

A snapshot of a volume. There is also a *Volume Snapshot Content*, which is to a *Volume Snapshot* what a PV is to a PVC. Likewise, a *Volume Snapshot Class* plays the role a StorageClass plays for volumes.
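The hostPath restriction from the warning in the Volume section, as an added example (not code from the original note and not Gatekeeper's own policy language): an admission-style check in Python that denies any `hostPath` volume whose path is not under an allowlisted prefix. The allowlist and the sample pods are constructed; paths are normalised first so that `..` segments cannot walk out of an allowed prefix.

```python
"""Admission-style check that denies hostPath volumes outside an allowlist.

Added example, not from the original note. It mirrors the kind of constraint
an admission controller such as Gatekeeper enforces; the allowlist is hypothetical.
"""
import os.path

# Hypothetical allowlist of node paths that pods may mount; everything else is denied.
ALLOWED_HOST_PATH_PREFIXES = ["/var/log/pods"]


def _is_under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or lies beneath it after normalisation.

    Normalising first defeats traversal such as '/var/log/pods/../../lib', and
    appending a separator to the prefix stops '/var/log/podsX' from matching.
    """
    norm = os.path.normpath(path)
    prefix = os.path.normpath(prefix)
    return norm == prefix or norm.startswith(prefix.rstrip("/") + "/")


def review_pod(pod: dict) -> list[str]:
    """Return violation messages for the pod; an empty list means it is allowed."""
    violations = []
    for vol in pod.get("spec", {}).get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue  # emptyDir, configMap, secret, PVC, ... are not in scope here
        path = host_path.get("path", "")
        if not any(_is_under(path, p) for p in ALLOWED_HOST_PATH_PREFIXES):
            violations.append(
                f"volume {vol.get('name')!r}: hostPath {path!r} is not under an allowed prefix"
            )
    return violations


# Constructed sample pods (not real cluster objects).
ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "log-shipper"},
    "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log/pods"}}]},
}
DENIED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-tool"},
    "spec": {"volumes": [
        {"name": "scratch", "emptyDir": {}},
        {"name": "node-root", "hostPath": {"path": "/"}},
    ]},
}
TRAVERSAL_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "traversal-attempt"},
    "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log/pods/../../lib"}}]},
}

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DENIED_POD, TRAVERSAL_POD):
        result = review_pod(pod)
        print(pod["metadata"]["name"], "->", "allowed" if not result else result)
```

The check works on the decoded pod object, which is what an admission webhook receives; in a real cluster the same rule would be written as a Gatekeeper constraint rather than a standalone script.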
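The ConfigMap and Secret sections above say that ConfigMap values are plain text and Secret values are only `base64`-encoded. As an added example (not from the original note), the Python below recovers a Secret's values from its `data` field and flags credential-looking keys that were put in a ConfigMap instead of a Secret. The key-name heuristic and both sample objects are constructed.

```python
"""Added example (not from the original note): Secret values are only
base64-encoded, and credential-like keys do not belong in a ConfigMap.
The key pattern is a hypothetical heuristic; the objects are constructed.
"""
import base64
import re

# Hypothetical heuristic: key names that usually hold credentials.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I
)


def encode_secret_data(values: dict[str, str]) -> dict[str, str]:
    """Build the `data` field of a Secret from plain strings (what the API stores)."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii") for k, v in values.items()}


def decode_secret(secret: dict) -> dict[str, str]:
    """Recover the plain-text values of a Secret's `data` field.

    Anyone who can read the Secret object can do this: base64 makes the
    value binary-safe, it does not protect its confidentiality.
    """
    return {k: base64.b64decode(v).decode("utf-8") for k, v in secret.get("data", {}).items()}


def find_sensitive_configmap_keys(configmap: dict) -> list[str]:
    """Return ConfigMap keys whose names suggest they hold credentials."""
    return sorted(k for k in configmap.get("data", {}) if SENSITIVE_KEY_PATTERN.search(k))


# Constructed sample objects (values are placeholders, not real credentials).
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds"},
    "type": "Opaque",
    "data": encode_secret_data({"username": "app", "password": "example-not-a-real-password"}),
}

SAMPLE_CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "app-config"},
    "data": {
        "LOG_LEVEL": "info",
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "example-not-a-real-password",  # belongs in a Secret
        "API_TOKEN": "example-token",                  # belongs in a Secret
    },
}

if __name__ == "__main__":
    print("decoded Secret:", decode_secret(SAMPLE_SECRET))
    print("ConfigMap keys that look like credentials:",
          find_sensitive_configmap_keys(SAMPLE_CONFIGMAP))
```

A check like `find_sensitive_configmap_keys` is a reasonable manifest-review or CI step; it does not make Secrets safe on its own, since their values are equally readable to anyone with `get` on the object, which is why the note points at an external manager such as Vault.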
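The Persistent Volume (Claim), StorageClass, access-mode and reclaim-policy sections describe the pieces a claim must agree with a volume on. As an added example (not from the original note and a simplification of the real controller logic), the Python below implements the core PV/PVC binding rules: storage class must match, every access mode the claim asks for must be offered by the volume, and capacity must suffice. The PV and PVC manifests are constructed; the PV carries a `Retain` reclaim policy so that deleting the claim keeps the data.

```python
"""Added example (not from the original note): simplified PV/PVC binding rules.

Real binding also considers volume mode, label selectors, node affinity and
dynamic provisioning; this keeps the three checks the note discusses.
The manifests below are constructed.
"""

# Binary SI suffixes used in Kubernetes resource quantities.
_UNITS = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}


def parse_quantity(q: str) -> int:
    """Convert a quantity such as '10Gi' or '512Mi' (or plain bytes) to an int."""
    for suffix, factor in _UNITS.items():
        if q.endswith(suffix):
            return int(q[: -len(suffix)]) * factor
    return int(q)


def can_bind(pv: dict, pvc: dict) -> tuple[bool, str]:
    """Decide whether `pvc` could bind to `pv`; returns (ok, reason)."""
    pv_spec, pvc_spec = pv["spec"], pvc["spec"]

    # A PV that already has a claimRef is taken.
    if pv_spec.get("claimRef"):
        return False, "PV already bound to a claim"

    # Storage class must match; a missing class and "" both mean "no class".
    if pv_spec.get("storageClassName", "") != pvc_spec.get("storageClassName", ""):
        return False, "storageClassName mismatch"

    # Every access mode the claim requests must be offered by the volume.
    missing = set(pvc_spec["accessModes"]) - set(pv_spec["accessModes"])
    if missing:
        return False, f"PV lacks access modes {sorted(missing)}"

    # The volume must be at least as large as the request.
    have = parse_quantity(pv_spec["capacity"]["storage"])
    want = parse_quantity(pvc_spec["resources"]["requests"]["storage"])
    if have < want:
        return False, f"PV capacity {have} bytes < requested {want} bytes"

    return True, "ok"


# Constructed manifests. persistentVolumeReclaimPolicy decides what happens to
# the PV and its data once the claim is deleted; Retain keeps both.
PV = {
    "apiVersion": "v1", "kind": "PersistentVolume",
    "metadata": {"name": "pv-data-01"},
    "spec": {
        "capacity": {"storage": "10Gi"},
        "accessModes": ["ReadWriteOnce"],
        "storageClassName": "standard",
        "persistentVolumeReclaimPolicy": "Retain",
    },
}
PVC_OK = {
    "apiVersion": "v1", "kind": "PersistentVolumeClaim",
    "metadata": {"name": "app-data"},
    "spec": {
        "accessModes": ["ReadWriteOnce"],
        "storageClassName": "standard",
        "resources": {"requests": {"storage": "5Gi"}},
    },
}
# Variants that must fail: wrong access mode, and a request larger than the PV.
PVC_RWX = {**PVC_OK, "spec": {**PVC_OK["spec"], "accessModes": ["ReadWriteMany"]}}
PVC_TOO_BIG = {**PVC_OK, "spec": {**PVC_OK["spec"], "resources": {"requests": {"storage": "20Gi"}}}}

if __name__ == "__main__":
    for claim in (PVC_OK, PVC_RWX, PVC_TOO_BIG):
        print(claim["spec"]["accessModes"], claim["spec"]["resources"], "->", can_bind(PV, claim))
```

The `ReadWriteMany` variant fails because a volume that only offers `ReadWriteOnce` cannot be attached by multiple pods, which is the distinction the access-controls list draws; with a `StorageClass` and dynamic provisioning the matching PV would be created on demand instead of being hand-picked like this.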