Is it fundamentally wrong to use volumeMounts.subPath in a production setup?

Time:12-16

I am able to mount different directories to the same container at different mount points using the volumeMounts.subPath attribute.

Is it OK to use this in a production environment? I am using AWS EFS as my persistent storage.

This doc says it is not recommended. What is the concern if this is used?

CodePudding user response:

Short answer

It's absolutely fine to use subPath in production.

Detailed answer

Kubernetes example with subPath used.

What the phrase "This sample subPath configuration is not recommended for production use." means is that exactly this sample is not recommended, not subPath usage.

The example contains the frontend and backend applications' containers in a single pod, which is a fundamentally wrong approach for production usage (for testing it's applicable).

In production, frontend and backend applications should be separated into different deployments. This allows:

  • managing front-end and back-end applications separately
  • fault tolerance - in a single pod, if one of the apps crashes, the whole pod is affected
  • pods are disposable units, and for databases a separate set of pods should be used (like a StatefulSet); this allows maintaining sticky sessions and data persistence even if a pod crashes

subPath vulnerabilities

First, it's a good idea to figure out how subPath works to understand what risks/vulnerabilities can be introduced.

I found at least two:

Both are fixed as of today. It's very important to use the latest available versions, which contain fixes for different issues (including both mentioned above).

Since Kubernetes developers fix vulnerabilities related to subPath, it can be safely used in production clusters.
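
The setup described in the question, written out as an added example that is not part of the original question or answer: one persistent volume mounted into a single container at two mount points through subPath, in a Deployment that holds only the backend. The claim name `efs-claim`, the image, the directory names and the mount paths are assumptions.

```yaml
# Added example; names, image and paths are assumptions, not from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
        - name: backend
          image: registry.example.com/backend:1.0   # placeholder image
          volumeMounts:
            # Both mounts reference the same volume; subPath selects a
            # different directory inside it for each mount point.
            - name: shared-data
              mountPath: /var/app/uploads
              subPath: uploads
            - name: shared-data
              mountPath: /etc/app/config
              subPath: config
              readOnly: true   # this directory is only read by the app
      volumes:
        - name: shared-data
          persistentVolumeClaim:
            claimName: efs-claim   # assumed PVC bound to an EFS-backed PV
```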
