►
Description
Kubernetes Data Protection WG Bi-Weekly Meeting - 22 February 2023
Meeting Notes/Agenda: -
Find out more about the DP WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
Hello:
everyone:
it
is
February
22nd
2023.
This
is
the
kubernetes
data
protection
working
group
meeting
I.
Think
today
the
main
topic
is
we're
going
to
continue
discussion
on
CBT.
Then
I
can
give
a
quick
update
on
the
volume
group
snapshot
cap
all
right,
so
Yvonne
or
Prasad,
who
want
to
start
I,
can
make
you
both
co-host.
B
Yeah
so
try
to
yeah
so
today
would
mainly
the
Prasad,
so
I
wonder,
hang
on
a
sec,
hey
call
I,
wonder.
C
B
What
do
you
think
shall
we
go
over
it
today
or
shall
we
because
I'm
hoping
like
people
like
would
be
around
discussion.
B
A
The
same
thing
that
you
discussed
last
time
did
you
last
time?
Did
you
share
anything
new?
Was
this
see
this
slide?
That
is
the
new.
Is
this
still
old.
B
This
is
the
is
a
wish.
It
was
just
like
follow
a
follow-up
from
like
the
last
conversation
with
the
band
like
bandian
I,.
A
Do
you
have
any
slides
or
some
you
say
you
have
a
different
diagram?
Where
is
that
diagram?
Is
this
song?
We
can
just
take
a
quick
look
and
see
how
that
looked
like.
A
B
I'm
paid
right-
yes,
oh
this
is
so
yeah
yeah
Prasad.
We
can
walk
the
group
through,
but
just
knowing
that
you
probably
have
to
redo
this
again
in
the
next
meeting.
But
at
least
like
we
can
look
up
Jenkins
to
get
her
feedback
and
we
put.
C
Yeah
all
right
so
to
give
the
context.
So
this
is
the
kind
of
very
high
level
theme
where
we
are
trying
to
achieve
with
CPT
data
path,
so
backup
software
would
basically
call
CPT
service
endpoint
and
we
will
get
the
change
block
data
and
for
authentication,
so
mpls
is
obviously
is
the
is
one
way,
but
that
adds
dependency
and
extra
overhead
of
managing
certificates.
C
It
is
also
add,
depends
your
you
know,
third
party
tools,
if
you
want
to
achieve
the
mpls
using
service
mesh
or
start
manager,
for
example,
so
we
discussed
and
thought
of
alternate
to
this.
How
we
can
you
know,
use
kubernetes
apis
to
to
have
the
authentication
and
that
way
we
don't
have
to
go
into
managing
all
these
certificate
certificates
and
we
don't
have
to
rely
on
the
tools
like
service
meshes
or
cert
managers
as
well,
so
I
would
divide
the
whole
workflow
into
two
parts.
C
One
is
authentication
and
then
then
the
actual,
how
the
data
flow
happens
so
for
authentication
yeah.
So
first
talk
about
I'll
talk
about
the
components
we
will
be
discussing
so
CBT
client
is
basically
the
client
would
be
requesting
the
Change
clock
data
so
backup
software
could
be
one
symmetic
client
you
can
imagine
currently
CPR
server
and
the
CBD
Service
Board.
The
security
service
board
will
basically
have
will
still
solve
two
endpoints.
One
is
the
AG
API
service
endpoint
and
the
possibility
service.
A
Hold
on
for
a
minute,
so
are
we
going
back
to
aggregate
API
server
now
I
thought
we
are
not
either.
D
C
Term
here
we
can
say
resource
Handler
or
something
like
that
yeah,
so,
basically,
so
once
client
will
will
so
for
authentication.
You
can
kind
of
relate
this
workload
with
a
GPS
cover,
so
client
would
basically
using
go
client
or
any
client
would.
B
C
The
volume
snapshot
Delta
endpoint,
then
so
this
request
goes
through
API
server.
We
can.
We
will
be
sure
that
this
happens
with
TLS
authentication
encryption
in
place
right,
so
all
these
calls
will
be
secured.
C
C
So
once
the
client
makes
a
request,
the
request
will
go
through
APS
server
and
through
API
API
service
resource
will
will.
So.
This
is
similar
to
how
tag
API
service
igps
service,
request
flow
happens
right,
so
the
request
will
go
through
the
security
part.
The
CBD
part
will
authenticate
client
and
it
also
do
authorization
using
the
service
account
token.
C
It
provides
okay,
so
it
will
check
if
it
has
permissions
again
to
value
snapshot,
resources
and
if
it
is,
it
has
permission
to
call
non-resource
URLs
like
the
CBT
endpoint
it
it
serves.
C
So
next
step
is
the
service
creates
a
token
and
in
the
response
it
it
returns
URL
to
get
the
change
group
data
along
with
the
token
okay.
So
this
object
will
not
persist
anywhere.
It's
similar
to
how
we
had
designed
the
list
change
block
API
right,
so
there
will
be
unique
token
per
session
and
once
the
client
gets
the
token
and
URL
it
will
make
the
grpc
call
with
with
that
client
on
the
on
the
endpoint
to
get
the
change
of
data.
C
So
this
authentication
flow
will
be
secured
as
it's
going
through
the
qvps
server
and
using
the
kubernetes
ca.
So
so
it
will
be
secured
and
TLS
communication
The
Next
Step
once
it
gets
into
token,
then
when
it
when
it
calls
the
grpc
endpoint
we
so
so,
with
the
token,
we
can
assume
that
the
trust
is
already
there,
so
we
don't
have
to
do
again.
The
server-side
validation,
server,
validation
at
client
side,
so
that
removes
dependency
on
you
know.
C
Having
the
certificates
a
client
client
doesn't
have
to,
you
know,
provide
its
certificates,
so
we
don't
have
we
don't.
We
won't
fall
into
that
so
we'll
just
using
the
token
between
call
the
grpc
endpoint
and
get
the
Change
clock
data
from
the
CBT
service.
C
So
this
way
we
are
kind
of
splitting
this
flow
into
two
parts.
First
part
is
to
to
do
server
and
clients,
so
it
validate
authentication
and
then
once
this
trust
is
there,
we
will
directly
call
the
grpc
endpoint
possibility
service
endpoint
to
get
back
to
your
data.
This
that
makes
sense.
A
Can
you
talk
about
the
deployment
model?
How
do
you
deploy?
Let's
see
the
you,
have
a
your
CPT
power,
so
what
will
be
deployed
together
with
your
with
the
CSI
driver?
So
this
CPT
the
side?
It's
like
a
side
card,
you
put
it
like
a
side.
Car
yeah.
C
Yeah,
it
will
be
a
sidecar
to
the
CSI
plug-in
container.
D
A
Were
actually
actually
yeah,
let's
take
a
look
on
this
one
yeah,
okay,
so.
C
Yeah,
you
can
assume
CBD
service
are
deployed
on
the
same
spot
as
a
sidecar
to
CSR
plugin,
so
that
it
can
call
the
CSR
plugins.
A
D
D
C
A
D
C
D
We
should
start
with
that
with
the
deployment
diagram,
it
would
be
easier
to
picture.
C
A
C
A
B
So
how
did
you
say,
like
token
is
and
session
is
generated
by
the
CSI
Plugin
or
is
it
generated
by
the
CPT
Service.
D
Probably,
by
the
by
the
CBT,
sir,
by
the
CPT
service,
I
mean
the
the
sidecar
exists
to
listen
and
communicate
with
the
CSI
driver
in
a
standard
fashion
correct.
So
all
the
implementation
details
are
in
the
CSI
driver,
so
it
makes
sense
that
the
CSI
driver
returns
both
the
URL
and
the
token,
because
essentially,
when
that
token
is
conveyed
to
to
the
through
the
URL
into
in
the
session,
calls
it
has
to
be
decoded
by
the
by
that
receiving
entity
right.
B
So
I
I
guess
like
I,
just
okay,
yeah,
yeah
I,
think
I
get
that
part
I.
Just
don't
click
to
confirm.
I,
don't
think
like
so
the
CSI
plug-in
is
like
the
plug-in.
The
container
that's
maintained
by
the
provider
right
correct,
so
I
just
want
to
make
sure
that
not
every
CSI
plugin
have
to
implement
their
own
token.
In
general,.
D
No,
no,
no,
in
fact,
the
thing
is
the
the
way
the
CSI
deployment
model
is
that
picture
right
that
that
little
green
container
right
it
talks
via
Unix
sockets
to
all
these
sidecars
right,
so
each
side
car
is
talking
to
it.
So
there's
a
protocol
there
and
all
the
logic.
The
business
logic
of
the
domain.
Knowledge
of
that
environment
is
in
that
green
picture,
right
that
the
CSI
driver
can
data.
So
there
is
nothing
we
can
do
in
aspect
which
defines
how
the
snapshot
data
is
is
constructed.
It
is
up
to
the
implementer.
D
D
D
D
B
D
B
Hang
on
a
second
diagram,
so
if
I'm,
like
a
storage
provider,
I
have
to
implement
my
own
token
generation
mechanism
inside
the
green
box,
correct
correct
another
provider,
I
have
to
implement
their
own
token
generation
mechanism.
Things
like
that,
their
Green
Box.
D
What
is
the
token
convey
right
so,
and
that
depends
on
the
on
the
protocol.
We're
going
to
Define
for
the
grpc
part
see
so
Prasad.
Maybe
you
can
expound
on
that
little
bit
more
next
time,
because
essentially,
when
we
look
at
the
API
right,
we
have
to
convey
through
the
API
what
will
the
context
in
which
it's
operating
correct
so
so
that
token
has
to
represent
that
context.
Now
how
it's
done
is
totally
up
to
the
storage
vendor.
A
Yeah
I
think,
if
you
can
actually
that
sequence
diagram
you
can,
if
you
draw
out
other
all
the
components,
so
the
what
is
missing
is
the
CSR.
Plugin
is
not
there
right.
If
you
have
that,
then.
D
B
So
it's
actually
essentially
for
the
provider
to
provide
a
CBT
service.
They
also
have
to
implement
an
additional
token
management.
B
D
D
Maybe
they
spawn
another
process,
they
we
don't
care,
they
can
do
whatever
they
want
right
and
they
have,
and
they
have
to
give
us
some
sort
of
token,
which
is
going
to
incorporate
and
represent
the
fact
that
you've
gone
through
this
authentication
or
authorization
phase,
because
once
you
go
into
the
yellow
box
below
right
in
this
figure,
you
are
now
talking
with
you're
now
talking
encrypted,
yes,
but
not
with
mutual
authentication.
Necessarily
it's
that
token.
D
B
So
so,
essentially
inside
your
CBT
RPC
spec,
there
is
an
RPC
for
authentication
specifically
to
get
some
sort
of
CBT
token
there's.
Also
a
separate
set
of
RPC
calls
to
get
the
actual
CBT
metadata
right
right
and.
D
B
D
Yeah,
essentially,
you
have
a
session
right.
You,
you
said
I
want
to
get
the
change
blocks
for
this
volume
between
this
wall.
With
this
volume
snapshot
and
this
volume
snapshot,
so
it
returns,
so
it
authenticates
your
request,
validates
it
and
then
returns
your
session
token
and
a
URL
to
contact.
They
use
that
session
data
to
talk
make
make
all
your
calls
and
you're
done.
B
So
as
the
CSI
driver
maintainer,
which
I
guess
for
the
most
part,
I'm
not-
and
it
doesn't
really
affect
me
as
much
to
be
honest
so
essentially,
if
I
were
to
pick
up
this
I
want
to
expose
this
I
want
to
implement
a
CBT.
It's
a
bit
scary.
B
So
the
kubernetes
token
there
is
the
CBE
token,
which
I
may
I
may
or
may
not
have
in
my
back
end
to
support,
and
then
there
is
like
the
CBT
RPC
call
yeah
like
I
said
for
the
most
not
like
it
doesn't
affect
me
like
you'll,
be
interested
to
see
like.
D
Right
we
should.
We
should
Implement
something
which,
which
has
this
a
CSI
driver
component,
which
does
this
right
and.
A
A
It'll
be
good
to
also
get
feedback
from
the
security
team
side.
Just
you
see.
B
D
D
B
C
C
B
Then
it
has
to
have
a
special
way
to
authenticate
with
CBT
endpoint
a
token
of
some
sort,
and
then
you
have
to
deal
with
kubernetes
token
with
you
I
guess
all
this
I
can.
If
I
press
person
say
all
this
is
here
to
avoid
like
a
TSL
Supply
inside
authentication,
yeah.
D
We
absolutely
do
not
want
to
redo
what
kubernetes
does
for
for
us
today
correct.
We
don't
want
to
take
on
any
management
of
network
security,
because
that's
that's
not
our
40
R40
is
the
domain
over
here.
Kubernetes
does
all
this
for
us,
so
we
have
to
piggyback
as
much
as
we
can
on
the
functionality
that
kubernetes
gives
us.
B
Right
and
and
I
agree
with,
you
know
that
that
principle
so,
but
this
that
is
this,
like
an
extra
like
session
token,
oh.
D
Okay,
so
this
this
is,
this
is
actually
we
talked
about
this
with
Ben
I
think
two
meetings
ago
or
three
meetings
ago.
Essentially,
you
know
this
is
a
data
API
correct
and
we
are
we've
all
agreed
right
now,
based
on
feedback
that
we
don't
want
this
to
go
through
the
kubernetes
API
service.
A
C
D
So
this
is
the
control
part.
What
Prasad
started
showing
you
in
the
in
the
Sim
link,
figure
right
and
the
swim.
Lane
figure,
it's
all
about.
It's
all
about
the
control
path,
the
weight,
the
cube,
API
server,
you're,
making
an
up
you're
posting
a
request
right
through
Cube
API
server,
which
is
because
of
an
AG
API
service
type
right
register
there.
It
goes
all
the
way
without
creating
an
FCD
object.
It
goes
all
the
way
to
the
service.
D
B
Can
we
I
don't
precise
and
I
chatted
with
about
this
earlier
too?
Why
can't
we
just
use
the
the
service
account
token?
What
do
we
need?
Two
tokens.
D
Okay,
so
let's,
let's
not
mistake
the
word
token
token,
as
a
general,
it
just
means
something
opaque.
You
can
call
this
a
session
token
if
you
want
to
make
it
clear,
but
the
point,
the
point
is
the
session
token
is
something
which
was
constructed
as
part
of
authenticating
and
authorizing,
and
it
it
basically
carries
your
right
to
make
a
call
to
the
other
API.
D
It's
more
than
just
look
it's
more
than
understand
the
domain
of
the
credential.
Okay,
the
the
domain
of
the
kubernetes
credential
coming
in
was
all
about
security
and
identifying
who
the
client
was
it's
that
type
of
a
token
right.
It's
a
security
ready
token.
This
token
right
is
something
constructed
by
the
CSI
driver
to
understand
that
it's
this
volume,
it's
these
snapshots,
it's
this
user,
it's
you
know
all
the
underlying
stuff,
and
it
goes
with
the
URL
right,
because
that's
also
where
the
CSI
driver
decides
what
endpoint
to
expose.
D
A
Let
me
just
record
what
is
a
CP
CPT,
credential,
CBT,
URL
question
or
add
a
add
some
explanation
right.
Even
if
you
want.
D
B
Not
sure,
like
you,
I
mean
yeah
again
right
just
like
ask
them
questions
not
disagreeing.
C
A
D
B
D
It
is
information
for
that
yellow
box
below
right
for
the
client
to
communicate
to
find
the
end
point.
That's
what
the
you
know
the
URL
is
about
and
for
the
service
at
the
other
end
of
the
endpoint
to
understand
the
context
in
which
the
client
is
operating.
Okay,
so
now.
D
It's
this
request,
so
the
client
made
a
post
right
and
got
a
response.
Then
it
takes
that
response
and
makes
a
grpc
call
so
essentially
the
the
it's
a
session.
For
that
thing,
it
doesn't
have
to
be
unique.
In
any
sense,
there
can
be
five
sessions
on
the
same
two
pairs
of
snapshots.
Who
cares
right?
But
the
point
is
it's:
this
client
it's
this
request
and
something
is
going
to
handle
this
request.
So
that's
what
session.
A
B
A
B
C
B
Okay,
so
the
request
doesn't
have
to
be
unique.
That's
what
we
just
said.
So,
just
like
some
sort
of
thing
that
says
this
is
a
request
from
client
a,
and
this
is
another
request
from
client,
B
and
client.
A
is
asking
for
the
CBT
between
snapshot,
one
and
snapshot.
Two
yeah
and
client
B
is
asking
for
the
same
thing:
Snapchat
one
and
Snapchat.
Two.
The
only
difference
is
playing
in
client
B,
which
is
really
just
in
service
account
tokens
which
again.
D
D
But
all
that
is
taken
care
of
at
the
first
phase,
right,
authentication
and
authorization
is
happening
in
the
first.
The
first
kubernetes
call.
So
you
know,
let
me
make
an
analogy:
Ivan,
it's
like
open,
like
like
open
in
the
file
descriptor
right
in
posix.
At
that
point,
at
the
open
call
right,
it
returns
an
FD,
and
then
you
do
I
O
with
the
FD
right.
Well,
that
open
call
is
validate
authenticating,
you
and
you
know,
based
on
for
your
credential,
your
user,
ID,
Etc
and
and
the
and
the
path
you
are
opening.
D
But
once
that
is
validated,
it
goes
down
to
a
lower
level
of
the
kernel
where
you
get
a
where
you
get
a
file.
Whatever
you
file,
structure,
Etc,
sign,
stuffed
it
to
your
user
area
and
your
process,
and
you
got
to
file
the
script
back
from
that
correct.
And
then
you
work
on
that
and
multiple
processes
can
open
the
same
file
exactly.
B
D
But
the
sessions
are
used
in
okay,
maybe
we're
talking
cross
purposes
in
the
green
box.
Above
This
negotiation
is
done
securely
with
kubernetes
API
in
the
yellow
box
below
this
is
done
securely,
but
it's
valid.
It's
done
without
Mutual
authentication
and
it's
valid,
and
the
The
Authority
is
conveyed
right
via
the
talk
session
token,
which
was
securely
established.
D
D
B
Right,
yeah,
I
guess
regardless,
regardless
of
how
this
I
mean
like
with
with
the
CSI
drivers,
try
to
do
the
session
management
or
would
it
tap
into
its
like
back-end
session
thing
like
you
use
AWS
as
an.
B
Right,
but
would
it
like
okay
so
forget
about
how
the
CSI
driver
does
it,
regardless
with
the
CSI
driver,
generate
the
token
or
a
CSI
driver
called
AWS,
SDS
and
say
hey
give
me
a
temporary
token.
D
B
Simple,
it's
a
CSI
driver,
so
let's
assume
the
CSI
driver
managed
the
entire
life
cycle.
The
csis
driver
have
a
state
of
the
session
because
if
you
crash
a
restart,
you
still
remember
where
the
token
is
good
or
not
somehow
the
goal
magically
taken
care
of
right
I
would
like
to
know.
Okay,
maybe
like,
if
you
want
to
extend
this
diagram
a
little
bit.
I
want
to
know
like
what
country.
What
makes
a
session
like?
B
C
D
Request
but
let's,
let's
handle,
let's
handle
the
problem
this
way.
So
this
is
a
post
call.
You
said:
what
is
the
session
correct?
The
session
is
returning
the
result
of
this
post
call.
The
Post
call
returns
an
immediate
result,
but
you
haven't
got
the
data.
Yet
right,
you
haven't,
got
the
changed
block
metadata.
So
the
session
is
all
about
retrieving
that
change
the
change
block
metadata
and
then
it's
when
you
finish
with
it
you're
done
it
could
have
a
time
to
live
whatever
you
want.
As
an
implementer.
You
put
that
in
right.
B
D
B
B
B
B
A
B
D
A
It
under
that
I
think
your
question
seems
to
be
like
you,
you
think
well,
I
can't
even
get
that
in
just
one
call.
The
first
call
but
I
think
the
the
problem
is.
If
we
do
that,
then
it's
going
to
go
through
the
API
server
again
right.
That's.
B
A
C
D
Action
taken
on
on
that
call
right
that
authentication
not
declined
that
that
actually
is
the
target
of
the
left
of
the
left
swim
Lane.
Then
that
makes
a
call
to
another
as
Prasad
we
can
work
on
the
figure
later
on,
but
now
we
have
we
have.
This
is
the
correct
part:
a
set
of
actors
involved
right.
The
CSI
driver
actor
was
missing
from
this
chart
before
so
now
you
can
see
that
the
CSI
driver
actor
creates
the
session
token
and
returns
it
back,
and
this
is
done.
D
B
So
it
makes
sense
so
that
skill
has
an
answer.
My
question:
why,
like
okay,
so
go
back
to
your
your
chart.
B
So
if
you
go
to
your
yellow
box,
yes,
so
scroll
down
a
little
bit
so
right
here,
right,
so
okay,
so
like
so
right
here
so.
D
This
is
wrong.
The
figure
is
wrong
here.
These
calls
are
made
now
not
to
the
not
to
the
side
car
but
actually
to
this
service.
So
you
have
to
extend
the
yellow
box
to
the
right
and
talk
to
the
second
actor.
It's
the
calls
are
made
not
to
the
side
cup.
The
calls
I
need
to
the
CSI
driver
piece
which
is
listening
so.
B
So
regardless,
who
we
call
so
there's
some
endpoint
out
there
same
process
or
not,
regardless
of
logo
routines
or
whatever
right,
I
guess
I'm
still
trying
to
understand
like
so
you
say
it's
your
grpc
call
with
session
token
list
change
blocks.
So
why
cannot
we
estimate
part
of
the
grpc
call?
B
D
I
I
hear
you:
let's
say
that
let's
say
there
were
a
thousand
calls
made
right,
or
every
call
would
have
to
be
authenticated
in
that
remember.
This
is
now
a
data
transfer
API.
This
is
not
a
a
control
API,
so
the
whole.
The
whole
point
expressed
in
the
previous
meetings
was
about
how
we
overload
the
API
service.
Even
authentication
requests
overload
services
and
the
other
part
is
the
other
part
which
Prasad
I
think
had
researched
again.
I'm,
not
a
I'm,
not
an
expert
in
security,
so
we
really
have
to
get
this
through
security.
D
B
So
forget
about
certificate.
Signing
so
forget,
okay,
so
the
server
will
always
have
a
certificate.
Yes
right,
the
client
side.
So
let's
say
the
client
side
doesn't
have
a
certificate,
so
we
don't
want
to
do
mtrs,
but
at
least
the
communication
would
be
over
secure,
grp,
at
least
it's
encrypted
correct,
so
like
regardless
of
thousands
of
requested.
B
The
the
green
box
will
still
need
to
happen
right.
So
in
the
first
part
of
the
green
box,
is
you
still
have
to
ask
kubernetes
API
server?
You
should
scrub
a
little
bit.
What
inscribe
like
that,
that
first
gray
box,
token
review
and
subject
access
review,
whether
it
is
50
requests,
is
a
thousand
or
million
requested
that
first
grade
box
will
always
happen.
You
still
have
to
ask
kubernetes
APS.
Yes,
you
will
still
ask
to
win
at
least
appear,
so
it
doesn't,
it
will
still
put
load
and
pressure
on
the
kubernetes
apis.
B
And
authorization
yeah
so,
but
what
I'm
saying
is
if
you
scroll
down
to
the
yellow
box
like
when
you
make
a
thousand
grpc
calls
each
one
of
them
will
still
go
through
the
same
mechanism
and
it
will
say,
as
the
kubernetes
API
server
can
I
trust.
This
service
account
token.
B
Without
going
to
that
diamond
box
right,
like
the
the
Diamond
Box
means,
like
you
know,
we
have
to
create
1000,
like
those
volumes
snapshot.
Deltas
custom
resources
there
in
the
green
box,
but
this
is
just
one.
D
Quality
again,
okay,
so
yeah
I
I,
don't
I,
don't
get
the
I
think
Prasad
has
to
expound.
What
this
thing
is
you
understand
what
this
volume
snapshot,
Delta
object
looks
like
and
I'm
sure
Prasad
has
a
different
figure
for
it
different
definition
of
it.
Maybe
we
should
call
it
a
session,
talk
response
or
something
I.
B
It
is
no,
no,
that's
not
my
confusion,
my
my
eyes
Okay.
So
I
still
don't
know
why,
like
the
session,
token,
is
needed.
C
D
So
it
can
be
done
directly
as
in
the
case
of
the
green
box
right,
it
can
be
done
with
mutual
authentication
and
authorization
done
through
CSI
through
the
kubernetes
mechanisms,
that's
in
the
green
box,
and
that
that's
because
the
client
is
coming
in
with
say
the
whatever
Q
kernel
Authority
give
granted
to
the
client
right.
It
has
all
that
type
of
stuff
and
we,
the
cube
API
server,
is
the
one
which
is
trusted
and
then
there
it
then
forwards
the
request
to
the
AG
API
server,
which
responds
validates
all
the
other
stuff.
C
D
Since
we
use
encryption
over
the
Y
in
this
yellow
box,
you
it's
a
secure
call
coming
in
the
client.
Can
trust
the
fact
that
the
endpoint
came
as
a
response
from
The
Trusted
request
and
the
service
receiving
the
request
can
trust
that
the
token
right
was
issued
by
it,
because
the
service
cannot.
At
this
point,
the
service
of
the
yellow
box
cannot
identify
the
client
and
doesn't
have
to
actually
you
just
trust
the
fact
that
the
token
conveys
all
the
all
the
authentication
granted
in
the
green
section.
B
D
D
B
B
Okay,
yeah
I.
Do
you
have
any
other
thoughts.
A
Yeah
this
I'm
not
quite
sure
if
this
model
is
Good
from
the
security
point
of
view,
I
guess
this
is
definitely
something
that
we
need
to
ask
them
this.
Is
it.
A
That
this
is
not
something
that
we
have
used
before
right.
So
it's
basically
now
you
get
the
token
now
you
just
trust
this
right,
the
the
and
then
the
backup
software
will
be
using
this
token
right.
So
that's
the
part
I'm,
not
sure.
If
how
secure
is
this
this
way?
So
like
you,
you,
you
do
the
secret,
basically,
the
first
one.
A
First
time
you
call
that's
the
normal
path,
normal
kubernetes,
you
got
the
authentication
everything
and
then
you
just
trust
that
whatever
you
got
right
then,
after
that
you
don't
have
to
go
through
that
again,
yeah.
B
So
I
think
the
you
see
like
we,
we
we
scare
like
a
phone
away.
B
Yeah
I
think,
like
anyways
I,
finally
tell
me
that
he
wants
to
continue
to
work
with
us
on
this,
but
just
subjected
to
his
own
other
full-time
job
and
stuff,
like
that,
but
anyways
regardless
I
think
fundamentally
right.
I
think
the
the
main
disagreement
is
that,
like
so
so,
I
think
Carl
you,
you
put
it
nicely
by
saying
that
okay,
so
the
the
the
client
trust
the
server
via
the
the
TLs
certificate.
I
think
that
we
cannot
get
away
with
that.
One.
B
But
now
how
does
the
the
the
the
the
other
part
of
the
equation
is?
How
does
the
server
trust
the
client
so
in
this
in
this
proposal,
like
we're,
saying
that
the
client,
the
server
or
trust
the
client,
because
the
client
has
a
token
that
the
server
issue-
that's
right?
Okay,
so
which
I
think
like
from
that?
B
We
don't
have
to
agree
wait.
We
can
agree
to
disagree
with
that,
but
I
think
do
we
agree
that
that's
the
fundamental
like
disagreement
there
yeah.
B
Folks
wanted
a
stronger
authentication
and
authorization
I'm
only
going
to
trust
you
if
you
give
me
a
token
that
I
issued
you
versus
like
I
guess,
like
my
my
way
of
my
language,
is.
A
D
To
driver
yeah
and
by
the
way
I
I,
really
think
we
can
make
it
really
strong.
If
say,
every
grpc
call
can
mutate
the
token
and
return.
The
next
token
you
know
I
mean
that's,
that's
how,
for
example,
web
authentication
works
right,
the
JWT
is,
is,
is
mutated
and
returned
back
I.
Think
every
call
something
like
that
right.
So
essentially,
this
is
a
session,
and
if
the
session
breaks,
there's
no
retrying,
you
go
start
a
new
session,
but.
A
D
Let
me
spin
out
an
example:
how
I
would
do
it
just
just
a
very
simple
example,
because
you
know
I
prefer
to
implement
simple
B.
So
if
I'm,
the
CSI
driver,
I,
would
say,
construct
create
a
token
I
would
spin
off
a
pod
potentially
would
run
this
service.
It
gives
you
isolation,
it
gives
you,
you
know
rate,
limiting
everything
on
that
thing
and
I
give
it
all
these
secret
information
and
spin
it
off
and
forget.
So
my
my
CSI
driver
now
goes
back
to
doing
its
own
stuff
right.
D
The
client
contacts
that
URL,
which
now
points
to
that
new
service
running
in
that
pod
and
it
does
its
session
and
when
it's
done
it
closes
off
and
the
Pod
dies.
If
the
if
the
client
doesn't
call
and
say
some
time
to
live,
the
thought
just
says
bye-bye:
it's
dead
right,
something
like
that.
I
mean
that's,
that's
how
I
would
implement
it
as
a
naive
first
pass
approach.
B
Right
I
think
this
definitely
this
design
definitely
definitely
makes
it
very
simple
on
the
client
side.
So
the
part
where
you
talk
about
when
the
CSI
driver
comes
up
somehow
have
a
secret
or
something
that
it
passed
along
the
secret
and
it
went
back
to
do
his
own
thing.
So
that
is
the
part
that
I'm
not
sure.
D
So
let
me
take
a
concrete
example:
I've
worked
a
lot
with
VMware,
as
you
guys
know,
right
so,
and
right
now,
I
the
way
we
talk
to
VMware,
we
spin
off
apart.
You
know
because
it
has
C
GoGo
bindings
Etc.
We
spin
off
a
bar
with
all
that
stuff
and
it
we
give
it
all
the
arguments
which
include
say
the
the
volume
either
FCD
ID
and
the
snapshot.
Ids
Etc
and
we
tell
it
go,
do
its
thing
correct,
so
I
would
consider
doing
it
in
a
similar,
Manner
and
spin
off
the
spot
right.
D
D
All
the
data
is
then
packaged
and
construct
concerned
turned
into
the
domain
specific
FCD
ID
and
snapshot
ID
Etc
and
given
to
the
spot,
somehow
through
a
secret
or
through
command
line,
arguments
or
whatever
you
know,
that's
totally
vendor
specific
and
the
URL
is
given
to
it
and
the
token
is
given
to
it
right
and
then
that
guy
then
listens
for
until
sometime.
You
know
until
it
you
know
until
the
time
expires
Etc,
but
it
listens
for
the
client.
When
the
client
call
contacts
it,
it
knows
what
it's
doing
and
it
starts.
A
D
A
B
D
A
D
D
C
B
I
saw
that
the
end
to
level
workflow
works
right.
You
know
so
again
be
calculation
of
time
here.
A
B
D
D
That
you
know
the
CSI
thing
just
also
handles
all
the
volume
requests
together
and
one
thing
it
doesn't
care.
You
know
so
the
URL
I
mean
look
at
the
variance
variations.
We
have
this
return,
grpc
endpoint
it
could
be
dynamically
it's
created
per
session.
It
could
be
one
common
thing
for
all
sessions.
Right
I
mean
there's
so
much
variation
here.
I
don't
have
enough
Network
background
to
actually
propose
what's
right
or
wrong,
but
the
point
is
it
doesn't
matter
the
spec
says:
here's
an
address.
B
Yeah
again,
from
my
perspective,
I
think
the
the
the
the
grpc
call,
the
grpc
definition
I
think
those
are
all
good.
My
only
thing
is
like
the
the
authentication
and
authorization
part.
B
Whether
we
need
an
extra
session
token
from
the
provider
or
can
we
just
trust
the
community
service
account
token
I.
Think
that's
that's
my
only
main
thing.
Otherwise,
like
you
know,
this
looks
perfect.
This
looks
great,
that's
the
main
part
for
me,
so
yeah
I
guess.
My
concern
is
from
like
a
security
and
like,
like
the
token.