Skip to content

Adds HostToContainer to JuiceFS Volumes

Notifications You must be signed in to change notification settings


Repository files navigation


This mutating webhook transforms all volumeMounts of ALL pods which use a PersistentVolumeClaim to use mountPropagation: HostToContainer which is needed in order for juiceFS volumes to recover.


  • have helm installed on your computer
  • have cert-manager installed in your cluster


kubectl create namespace juicefs
helm repo add juicefs-volume-hook
helm repo update
helm install juicefs-volume-hook juicefs-volume-hook/juicefs-volume-hook -n juicefs



The controller will convert ALL volumeMount.mountPropagation fields which have a PersistentVolumeClaim to HostToContainer.

via annotation

Start the controller with the --pod-annotation flag and the controller will ONLY process pods which have set the juicefs.volume.hook/mount-propagation annotation to "true".

via storageclass

Start the controller with the --storage-classes=foobar flag in order to ONLY process volumeMounts that have the given storage classes. Multiple storage classes have to be comma separated.


The controller-runtime package always creates a Webhook Server that relies on TLS, and therefore requires a certificate. As this complicates local development, you can use the following approach to tunnel the server running locally with a self-signed certificate through localtunnel, exposing it via public TLS which the Kubernetes API server accepts.

Generate selfsigned certificates:

bash hack/

Start the local webhook server with the certs configured:

go run main.go --cert-dir certs --key-name server.key --cert-name server.crt

Create a tunnel that exposes your local server:

npx localtunnel --port 9443 --local-https --local-ca certs/ca.crt --local-cert certs/server.crt --local-key certs/server.key --subdomain juicefs

Finally, apply the MutatingWebhookConfiguration:

kubectl apply -f example/webhook.yaml


  • add serviceaccount, role and rolebinding for controller to list PVC

Nice to Know

I wrote a Blog Post on how to create a minimal Kubernetes Admission Webhook like this one. Just check it out :)