Infosec Consultant & Pentester

60/100 Persistent Volumes in Kubernetes

Chris Young -

The Nautilus DevOps team is working on a Kubernetes template to deploy a web application on the cluster. There are some requirements to create/use persistent volumes to store the application code, and the template needs to be designed accordingly.

  1. Create a PersistentVolume named as pv-devops. Configure the spec as storage class should be manual, set capacity to 3Gi, set access mode to ReadWriteOnce, volume type should be hostPath and set path to /mnt/security (this directory is already created, you might not be able to access it directly, so you need not to worry about it).
  2. Create a PersistentVolumeClaim named as pvc-devops. Configure the spec as storage class should be manual, request 1Gi of the storage, set access mode to ReadWriteOnce.
  3. Create a pod named as pod-devops, mount the persistent volume you created with claim name pvc-devops at document root of the web server, the container within the pod should be named as container-devops using image httpd with latest tag only (remember to mention the tag i.e httpd:latest).
  4. Create a node port type service named web-devops using node port 30008 to expose the web server running within the pod.

Create the yaml file, in this example I'm using the name webapp-devops.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-devops
spec:
  storageClassName: manual
  capacity:
    storage: 3Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /mnt/security
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-devops
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-devops
  labels:
    app: web-devops
spec:
  containers:
    - name: container-devops
      image: httpd:latest
      ports:
        - containerPort: 80
      volumeMounts:
        - name: volume-devops
          mountPath: /usr/local/apache2/htdocs
  volumes:
    - name: volume-devops
      persistentVolumeClaim:
        claimName: pvc-devops
---
apiVersion: v1
kind: Service
metadata:
  name: web-devops
spec:
  type: NodePort
  selector:
    app: web-devops
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30008

Noted that there was an error when applying the yaml file. 

thor@jumphost ~$ kubectl apply -f webapp-devops.yaml
persistentvolume/pv-devops created
persistentvolumeclaim/pvc-devops created
error: error parsing webapp-devops.yaml: error converting YAML to JSON: yaml: line 6: found character that cannot start any token

Turns out that the yaml file is pretty strict when it comes to formatting. This usually means of the following needs rectifying:
- A stray tab character (\t)
- A colon (:) not followed by a space
- Bad indentation (mix of tabs and spaces)
- Extra invisible characters from copying text

Rewriting the YAML with consistent 2-space indentation fixes it.

Apply the newly formatted yaml file:

thor@jumphost ~$ kubectl apply -f webapp-devops.yaml
persistentvolume/pv-devops unchanged
persistentvolumeclaim/pvc-devops unchanged
pod/pod-devops created
service/web-devops created