
[zh] Sync concepts/storage/volumes.md

Open jiecloud opened this issue 1 year ago • 5 comments

Sync with en text:

content/zh-cn/docs/concepts/storage/volumes.md

jiecloud, Mar 28 '24 02:03

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

Once this PR has been reviewed and has the lgtm label, please assign chenrui333 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

k8s-ci-robot, Mar 28 '24 02:03

Pull request preview available for checking

Built without sensitive environment variables

Latest commit: 33d806adb954c6a25c556d6e0d44337dd790fc11
Latest deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/661697977888b1000829762d
Deploy Preview: https://deploy-preview-45713--kubernetes-io-main-staging.netlify.app

netlify[bot], Mar 28 '24 02:03

Hi @jiecloud, this file has some more un-synced content with the en upstream, which you can find by running this command on your main branch:

./scripts/lsync.sh content/zh-cn/docs/concepts/storage/volumes.md
yao@YHF k8s % ./scripts/lsync.sh content/zh-cn/docs/concepts/storage/volumes.md
diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md
index 08be7f60e3..a4ef1bbede 100644
--- a/content/en/docs/concepts/storage/volumes.md
+++ b/content/en/docs/concepts/storage/volumes.md
@@ -194,7 +194,7 @@ keyed with `log_level`.
 
 {{< note >}}
 
-* You must create a [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/)
+* You must [create a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/#create-a-configmap)
   before you can use it.
 
 * A ConfigMap is always mounted as `readOnly`.
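Review bot: the replacement `+` line changes both the link text ("create a ConfigMap") and the target, which now carries the section fragment `#create-a-configmap`; when porting this hunk to content/zh-cn/docs/concepts/storage/volumes.md, copy the fragment over unchanged, because a mistyped or dropped fragment produces no build error and the link simply lands at the top of the page.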
@@ -349,92 +349,161 @@ and then removed entirely in the v1.26 release.
 
 ### hostPath {#hostpath}
 
+A `hostPath` volume mounts a file or directory from the host node's filesystem
+into your Pod. This is not something that most Pods will need, but it offers a
+powerful escape hatch for some applications.
+
 {{< warning >}}
-HostPath volumes present many security risks, and it is a best practice to avoid the use of
-HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the
-required file or directory, and mounted as ReadOnly.
+Using the `hostPath` volume type presents many security risks.
+If you can avoid using a `hostPath` volume, you should. For example,
+define a [`local` PersistentVolume](#local), and use that instead.
+
+If you are restricting access to specific directories on the node using
+admission-time validation, that restriction is only effective when you
+additionally require that any mounts of that `hostPath` volume are
+**read only**. If you allow a read-write mount of any host path by an
+untrusted Pod, the containers in that Pod may be able to subvert the
+read-write host mount.
+
+---
 
-If restricting HostPath access to specific directories through AdmissionPolicy, `volumeMounts` MUST
-be required to use `readOnly` mounts for the policy to be effective.
+Take care when using `hostPath` volumes, whether these are mounted as read-only
+or as read-write, because:
+
+* Access to the host filesystem can expose privileged system credentials (such as for the kubelet) or privileged APIs
+  (such as the container runtime socket), that can be used for container escape or to attack other
+  parts of the cluster.
+* Pods with identical configuration (such as created from a PodTemplate) may
+  behave differently on different nodes due to different files on the nodes.
 {{< /warning >}}
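Review bot: in the first new bullet near the end of the hunk, the comma in `(such as the container runtime socket), that can be used` separates the relative clause from its subject; drop it so the line reads `(such as the container runtime socket) that can be used for container escape`. Note also that the hunk header `@@ -349,92 +349,161 @@` announces 161 new lines but the paste stops after the warning block, so the zh-cn sync must cover the remainder of the hostPath section as well. When translating, keep the sentence that admission-time restriction of host directories is only effective when mounts of that `hostPath` volume are also required to be **read only**; that is the security-relevant claim carried over from the old `readOnly` wording, and it should not be softened.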
...

windsonsea, Mar 29 '24 08:03

/assign @jiecloud

ydFu, Apr 09 '24 07:04

@jiecloud Looks like you have pushed some new commits but you didn't respond to the previous review comments. Please check if you have pushed the right commit version.

tengqm, May 04 '24 01:05

/close

close for now

@jiecloud feel free to open a new PR.

chenrui333, Jun 26 '24 03:06

/close

chenrui333, Jun 26 '24 03:06

@chenrui333: Closed this PR.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot, Jun 26 '24 03:06