Projected Volumes
A projected volume maps several existing volume sources into the same directory.
Currently, the following types of volume sources can be projected:
- secret
- serviceAccountToken
All sources are required to be in the same namespace as the Pod. For more details, see the all-in-one volume design document.
pods/storage/projected-secrets-nondefault-permission-mode.yaml
- For secrets, the secretName field has been changed to name to be consistent with ConfigMap naming.
When the feature is enabled, you can inject the token for the current service account into a Pod at a specified path. For example:
pods/storage/projected-service-account-token.yaml
The example Pod has a projected volume containing the injected service account token. This token can be used by a Pod's containers to access the Kubernetes API server. The audience field contains the intended audience of the token. A recipient of the token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. This field is optional and it defaults to the identifier of the API server.
The expirationSeconds field is the expected duration of validity of the service account token. It defaults to 1 hour and must be at least 10 minutes (600 seconds). An administrator can also limit its maximum value by specifying the --service-account-max-token-expiration option for the API server.
The path field specifies a relative path to the mount point of the projected volume.
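As an added example (not the page's own projected-secrets-nondefault-permission-mode.yaml or projected-service-account-token.yaml), the manifest below combines the two source types the page lists in one projected volume: a Secret projected with the renamed name field and a per-item mode, and a bound service account token with explicit audience, expirationSeconds and path. The Pod, container, Secret and volume names and the audience value are hypothetical. automountServiceAccountToken is disabled so that the audience-bound, time-limited token in the projected volume is the only token the container receives.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: projected-demo             # hypothetical name
spec:
  serviceAccountName: default
  # Do not also mount the legacy token at
  # /var/run/secrets/kubernetes.io/serviceaccount; the projected token
  # below is the only one this Pod should carry.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "ls -lR /projected-volume; sleep 3600"]
    volumeMounts:
    - name: all-in-one
      mountPath: /projected-volume
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      # defaultMode applies to every projected file unless an item sets
      # its own mode; it can only be given here, not under a single source.
      defaultMode: 0400
      sources:
      - secret:
          name: db-creds           # 'name', not 'secretName'; hypothetical Secret in the Pod's namespace
          items:
          - key: password
            path: db/password      # relative to the mount point
            mode: 0440             # per-item override of defaultMode
      - serviceAccountToken:
          audience: vault          # hypothetical recipient; it must check this value
          expirationSeconds: 3600  # at least 600; capped by --service-account-max-token-expiration
          path: token              # written as /projected-volume/token
```

Because the mount is readOnly and the token carries an audience other than the API server, a process that steals this file gets a credential that the API server should reject and that expires within an hour; the kubelet keeps the projected copy fresh for the running container.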
Note: A container using a projected volume source as a subPath volume mount will not receive updates for those volume sources.
SecurityContext interactions
In Linux pods that have a projected volume and RunAsUser set in the Pod SecurityContext, the projected files have the correct ownership set, including container user ownership.
In Windows pods that have a projected volume and RunAsUsername set in the Pod SecurityContext, the ownership is not enforced due to the way user accounts are managed in Windows. Windows stores and manages local user and group accounts in a database file called Security Account Manager (SAM). Each container maintains its own instance of the SAM database, into which the host has no visibility while the container is running. Windows containers are designed to run the user mode portion of the OS in isolation from the host, hence the maintenance of a virtual SAM database. As a result, the kubelet running on the host does not have the ability to dynamically configure host file ownership for virtualized container accounts. It is recommended that if files on the host machine are to be shared with the container, they should be placed into their own volume mount outside of C:\.
By default, the projected files will have the following ownership as shown for an example projected volume file:
This implies that all administrator users like ContainerAdministrator will have read, write and execute access, while non-administrator users will have read and execute access.
Note: Creating a Windows Pod with RunAsUser in its SecurityContext will result in the Pod being stuck at ContainerCreating forever. So it is advised not to use the Linux-only RunAsUser option with Windows Pods.
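As an added example, not taken from the page, here is a Windows Pod that sets the container user the supported way, through securityContext.windowsOptions.runAsUserName, and mounts a projected service account token. The Pod, container and volume names and the image tag are hypothetical; the point is that the Linux-only runAsUser field is absent, and the icacls command lets you inspect the resulting file ACL described above.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: projected-windows-demo     # hypothetical name
spec:
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      # Windows equivalent of RunAsUser; adding runAsUser here would leave
      # the Pod in ContainerCreating.
      runAsUserName: "ContainerUser"
  containers:
  - name: app
    image: mcr.microsoft.com/windows/servercore:ltsc2022   # assumed tag; must match the node's OS version
    # Print the ACL of the projected file, then keep the container alive.
    command: ["cmd", "/c", "icacls C:\\projected-volume\\token & ping -t localhost > nul"]
    volumeMounts:
    - name: all-in-one
      mountPath: "C:\\projected-volume"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - serviceAccountToken:
          path: token
```

Expect the ACL to grant full access to BUILTIN\Administrators and read/execute to non-administrator users regardless of runAsUserName, since, as explained above, the kubelet cannot map the container's virtual SAM accounts onto host file ownership.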