
Kubernetes Ephemeral Volumes Design Prompt

Use emptyDir, projected, downwardAPI, generic ephemeral volumes, and CSI ephemeral — sizing, security, performance.

Target user: Kubernetes engineers using ephemeral storage
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Kubernetes engineer who has used ephemeral volume types extensively — emptyDir for scratch space, projected for combining ConfigMap+Secret, CSI ephemeral for fast scratch.

I will provide:
- The use case (scratch space, IPC, combined config injection)
- Current volume config
- Symptom (storage full, slow, missing data)

Your job:

1. **Ephemeral volume types**:
   - **emptyDir** — empty at pod start; on node disk OR memory-backed (tmpfs)
   - **projected** — combines ConfigMap, Secret, downwardAPI, serviceAccountToken
   - **downwardAPI** — pod metadata as files
   - **configMap / secret** (as volumes) — single-source projected
   - **generic ephemeral** — PVC-style but pod-scoped lifecycle (CSI driver)
   - **CSI ephemeral** — driver-managed scratch
2. **For emptyDir sizing**:
   - `sizeLimit` field (alpha → beta)
   - Without it: shares node disk, can fill up
   - Memory-backed: counts against pod's memory
3. **For emptyDir on memory**:
   - `medium: Memory` makes it tmpfs
   - Counts against container memory
   - Cleared on pod restart (not just delete)
4. **For projected**:
   - Combines multiple sources atomically
   - Useful for SA token + CA cert + config in one mount
5. **For generic ephemeral**:
   - PVC inline in pod spec
   - Lifecycle tied to pod (deleted with pod)
   - Useful for "I need a CSI volume just for this pod"
6. **For CSI ephemeral**:
   - Driver provides scratch via CSI without PVC
   - E.g., secrets-store-csi-driver for Vault/AWS Secrets Manager
7. **For shared between containers**:
   - emptyDir mounted in multiple containers in same pod
   - Both can read/write
8. **For init container handoff**:
   - Init writes to emptyDir; main reads
   - Common pattern for config preparation

Mark DESTRUCTIVE: emptyDir without sizeLimit filling node disk (node DiskPressure), memory-backed emptyDir without container memory limit (OOM), mounting host paths via emptyDir (use hostPath explicitly with caution).

---

Use case: [DESCRIBE]
Volume config:
```yaml
[PASTE]
```
Symptom: [DESCRIBE]

Why this prompt works

Ephemeral volume types are easy to misuse. This prompt walks through each of them.

How to use it

  1. Pick type by use case.
  2. Always size emptyDir.
  3. For shared-between-containers, emptyDir.
  4. For PVC-like-but-pod-scoped, generic ephemeral.

Useful commands

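```bash
# Volumes declared on a pod
kubectl get pod <pod> -o yaml | yq '.spec.volumes'

# Disk usage on the node (the debug pod mounts the node's root filesystem at /host)
kubectl debug node/<node> -it --image=ubuntu -- df -h /host/var/lib/kubelet

# In-pod usage
kubectl exec <pod> -- df -h /scratch

# Generic ephemeral PVCs (created automatically, named <pod>-<volume>);
# select on a label set in the volumeClaimTemplate, e.g. type=scratch
kubectl get pvc -l type=scratch
```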

Patterns

emptyDir for scratch (sized)

```yaml
spec:
  containers:
  - name: app
    image: myapp
    volumeMounts:
    - name: scratch
      mountPath: /tmp/work
  volumes:
  - name: scratch
    emptyDir:
      sizeLimit: 5Gi             # cap to prevent node-full
```

Memory-backed for fast IPC

```yaml
volumes:
- name: shm
  emptyDir:
    medium: Memory               # tmpfs
    sizeLimit: 1Gi
```

(Make sure the pod's memory limit includes the tmpfs.)

Projected (multi-source)

```yaml
volumes:
- name: combined-config
  projected:
    sources:
    - configMap:
        name: app-config
    - secret:
        name: app-secrets
    - downwardAPI:
        items:
        - path: "pod-name"
          fieldRef: { fieldPath: metadata.name }
    - serviceAccountToken:
        path: token
        audience: my-api
        expirationSeconds: 3600
```

Generic ephemeral (PVC inline)

```yaml
spec:
  containers:
  - name: app
    image: myapp
    volumeMounts:
    - name: scratch-pvc
      mountPath: /data
  volumes:
  - name: scratch-pvc
    ephemeral:
      volumeClaimTemplate:
        metadata:
          labels: { type: scratch }
        spec:
          accessModes: [ReadWriteOnce]
          storageClassName: fast
          resources:
            requests:
              storage: 50Gi
```

CSI ephemeral (secrets-store-csi-driver)

```yaml
spec:
  containers:
  - name: app
    image: myapp
    volumeMounts:
    - name: secrets
      mountPath: /mnt/secrets
      readOnly: true
  volumes:
  - name: secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: my-vault-provider
```

Common findings this catches

  • emptyDir caused node DiskPressure → add sizeLimit.
  • Memory-backed emptyDir OOM → counted in container memory limit.
  • Generic ephemeral PVC stuck Pending → SC issue (zonal binding).
  • Projected serviceAccountToken expired → audience or rotation.
  • CSI ephemeral mount fails → driver not installed.
  • emptyDir data expected to persist between restarts → it persists only between pod restarts (same pod); it is lost when the pod is recreated.
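
A check for the first two findings above, as an added example that is not part of the original page: it reads a pod manifest in the JSON shape of `kubectl get pod <pod> -o json` and flags emptyDir volumes without `sizeLimit`, and memory-backed ones mounted by a container that has no memory limit. The sample pod and the function name `audit_emptydirs` are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `kubectl get pod <pod> -o json`.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "worker"},
 "spec": {
  "initContainers": [
   {"name": "prep", "volumeMounts": [{"name": "scratch", "mountPath": "/work"}]}],
  "containers": [
   {"name": "app", "resources": {"limits": {"memory": "2Gi"}},
    "volumeMounts": [{"name": "shm", "mountPath": "/dev/shm"},
                     {"name": "scratch", "mountPath": "/tmp/work"}]},
   {"name": "sidecar", "volumeMounts": [{"name": "shm", "mountPath": "/ipc"}]}],
  "volumes": [
   {"name": "scratch", "emptyDir": {}},
   {"name": "shm", "emptyDir": {"medium": "Memory", "sizeLimit": "1Gi"}},
   {"name": "cfg", "configMap": {"name": "app-config"}}]}}
""")

def audit_emptydirs(pod):
    """Return (volume, issue) findings for the emptyDir volumes of one pod."""
    spec = pod.get("spec", {})
    # Init containers can mount (and fill) the same emptyDir as the main ones.
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    findings = []
    for vol in spec.get("volumes", []):
        if "emptyDir" not in vol:
            continue  # configMap, secret, projected, csi, ephemeral: not checked here
        ed = vol["emptyDir"] or {}  # an empty emptyDir may arrive as {} or null
        name = vol["name"]
        if not ed.get("sizeLimit"):
            findings.append((name, "no sizeLimit"))
        if ed.get("medium") == "Memory":
            # tmpfs usage counts against container memory, so every container
            # that mounts the volume needs a memory limit.
            for c in containers:
                mounts = {m["name"] for m in c.get("volumeMounts", [])}
                limits = (c.get("resources") or {}).get("limits") or {}
                if name in mounts and "memory" not in limits:
                    findings.append(
                        (name, f"tmpfs mounted by '{c['name']}' without a memory limit"))
    return findings

if __name__ == "__main__":
    for volume, issue in audit_emptydirs(SAMPLE_POD):
        print(f"{volume}: {issue}")
```

To run it against a live pod, replace `SAMPLE_POD` with the parsed output of `kubectl get pod <pod> -o json`.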

When to escalate

  • Storage budget at scale — capacity planning.
  • CSI driver issues for ephemeral — vendor support.
  • IPC patterns for multi-container — design review.
