►
Description
Kubernetes Data Protection WG Bi-Weekly Meeting - 22 February 2023
Meeting Notes/Agenda: -
Find out more about the DP WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
Hello:
everyone:
it
is
February
22nd
2023.
This
is
the
kubernetes
data
protection
working
group
meeting
I.
Think
today
the
main
topic
is
we're
going
to
continue
discussion
on
CBT.
Then
I
can
give
a
quick
update
on
the
volume
group
snapshot
cap
all
right,
so
Yvonne
or
Prasad,
who
want
to
start
I,
can
make
you
both
co-host.
C
B
A
B
A
A
B
C
Yeah
all
right
so
to
give
the
context.
So
this
is
the
kind
of
very
high
level
theme
where
we
are
trying
to
achieve
with
CPT
data
path,
so
backup
software
would
basically
call
CPT
service
endpoint
and
we
will
get
the
change
block
data
and
for
authentication,
so
mpls
is
obviously
is
the
is
one
way,
but
that
adds
dependency
and
extra
overhead
of
managing
certificates.
C
It
is
also
add,
depends
your
you
know,
third
party
tools,
if
you
want
to
achieve
the
mpls
using
service
mesh
or
start
manager,
for
example,
so
we
discussed
and
thought
of
alternate
to
this.
How
we
can
you
know,
use
kubernetes
apis
to
to
have
the
authentication
and
that
way
we
don't
have
to
go
into
managing
all
these
certificate
certificates
and
we
don't
have
to
rely
on
the
tools
like
service
meshes
or
cert
managers
as
well,
so
I
would
divide
the
whole
workflow
into
two
parts.
C
One
is
authentication
and
then
then
the
actual,
how
the
data
flow
happens
so
for
authentication
yeah.
So
first
talk
about
I'll
talk
about
the
components
we
will
be
discussing
so
CBT
client
is
basically
the
client
would
be
requesting
the
Change
clock
data
so
backup
software
could
be
one
symmetic
client
you
can
imagine
currently
CPR
server
and
the
CBD
Service
Board.
The
security
service
board
will
basically
have
will
still
solve
two
endpoints.
One
is
the
AG
API
service
endpoint
and
the
possibility
service.
A
D
C
B
C
C
C
So
once
the
client
makes
a
request,
the
request
will
go
through
APS
server
and
through
API
API
service
resource
will
will.
So.
This
is
similar
to
how
tag
API
service
igps
service,
request
flow
happens
right,
so
the
request
will
go
through
the
security
part.
The
CBD
part
will
authenticate
client
and
it
also
do
authorization
using
the
service
account
token.
C
So
next
step
is
the
service
creates
a
token
and
in
the
response
it
it
returns
URL
to
get
the
change
group
data
along
with
the
token
okay.
So
this
object
will
not
persist
anywhere.
It's
similar
to
how
we
had
designed
the
list
change
block
API
right,
so
there
will
be
unique
token
per
session
and
once
the
client
gets
the
token
and
URL
it
will
make
the
grpc
call
with
with
that
client
on
the
on
the
endpoint
to
get
the
change
of
data.
C
So
this
authentication
flow
will
be
secured
as
it's
going
through
the
qvps
server
and
using
the
kubernetes
ca.
So
so
it
will
be
secured
and
TLS
communication
The
Next
Step
once
it
gets
into
token,
then
when
it
when
it
calls
the
grpc
endpoint
we
so
so,
with
the
token,
we
can
assume
that
the
trust
is
already
there,
so
we
don't
have
to
do
again.
The
server-side
validation,
server,
validation
at
client
side,
so
that
removes
dependency
on
you
know.
C
C
A
D
A
D
D
C
A
D
C
C
A
C
A
D
Probably,
by
the
by
the
CBT,
sir,
by
the
CPT
service,
I
mean
the
the
sidecar
exists
to
listen
and
communicate
with
the
CSI
driver
in
a
standard
fashion
correct.
So
all
the
implementation
details
are
in
the
CSI
driver,
so
it
makes
sense
that
the
CSI
driver
returns
both
the
URL
and
the
token,
because
essentially,
when
that
token
is
conveyed
to
to
the
through
the
URL
into
in
the
session,
calls
it
has
to
be
decoded
by
the
by
that
receiving
entity
right.
B
So
I
I
guess
like
I,
just
okay,
yeah,
yeah
I,
think
I
get
that
part
I.
Just
don't
click
to
confirm.
I,
don't
think
like
so
the
CSI
plug-in
is
like
the
plug-in.
The
container
that's
maintained
by
the
provider
right
correct,
so
I
just
want
to
make
sure
that
not
every
CSI
plugin
have
to
implement
their
own
token.
In
general,.
D
No,
no,
no,
in
fact,
the
thing
is
the
the
way
the
CSI
deployment
model
is
that
picture
right
that
that
little
green
container
right
it
talks
via
Unix
sockets
to
all
these
sidecars
right,
so
each
side
car
is
talking
to
it.
So
there's
a
protocol
there
and
all
the
logic.
The
business
logic
of
the
domain.
Knowledge
of
that
environment
is
in
that
green
picture,
right
that
the
CSI
driver
can
data.
So
there
is
nothing
we
can
do
in
aspect
which
defines
how
the
snapshot
data
is
is
constructed.
It
is
up
to
the
implementer.
D
D
D
B
D
B
D
What
is
the
token
convey
right
so,
and
that
depends
on
the
on
the
protocol.
We're
going
to
Define
for
the
grpc
part
see
so
Prasad.
Maybe
you
can
expound
on
that
little
bit
more
next
time,
because
essentially,
when
we
look
at
the
API
right,
we
have
to
convey
through
the
API
what
will
the
context
in
which
it's
operating
correct
so
so
that
token
has
to
represent
that
context.
Now
how
it's
done
is
totally
up
to
the
storage
vendor.
A
D
B
B
D
D
Maybe
they
spawn
another
process,
they
we
don't
care,
they
can
do
whatever
they
want
right
and
they
have,
and
they
have
to
give
us
some
sort
of
token,
which
is
going
to
incorporate
and
represent
the
fact
that
you've
gone
through
this
authentication
or
authorization
phase,
because
once
you
go
into
the
yellow
box
below
right
in
this
figure,
you
are
now
talking
with
you're
now
talking
encrypted,
yes,
but
not
with
mutual
authentication.
Necessarily
it's
that
token.
D
B
D
B
D
Yeah,
essentially,
you
have
a
session
right.
You,
you
said
I
want
to
get
the
change
blocks
for
this
volume
between
this
wall.
With
this
volume
snapshot
and
this
volume
snapshot,
so
it
returns,
so
it
authenticates
your
request,
validates
it
and
then
returns
your
session
token
and
a
URL
to
contact.
They
use
that
session
data
to
talk
make
make
all
your
calls
and
you're
done.
B
D
A
B
D
D
B
C
C
B
D
We
absolutely
do
not
want
to
redo
what
kubernetes
does
for
for
us
today
correct.
We
don't
want
to
take
on
any
management
of
network
security,
because
that's
that's
not
our
40
R40
is
the
domain
over
here.
Kubernetes
does
all
this
for
us,
so
we
have
to
piggyback
as
much
as
we
can
on
the
functionality
that
kubernetes
gives
us.
D
A
C
D
So
this
is
the
control
part.
What
Prasad
started
showing
you
in
the
in
the
Sim
link,
figure
right
and
the
swim.
Lane
figure,
it's
all
about.
It's
all
about
the
control
path,
the
weight,
the
cube,
API
server,
you're,
making
an
up
you're
posting
a
request
right
through
Cube
API
server,
which
is
because
of
an
AG
API
service
type
right
register
there.
It
goes
all
the
way
without
creating
an
FCD
object.
It
goes
all
the
way
to
the
service.
D
B
D
Okay,
so
let's,
let's
not
mistake
the
word
token
token,
as
a
general,
it
just
means
something
opaque.
You
can
call
this
a
session
token
if
you
want
to
make
it
clear,
but
the
point,
the
point
is
the
session
token
is
something
which
was
constructed
as
part
of
authenticating
and
authorizing,
and
it
it
basically
carries
your
right
to
make
a
call
to
the
other
API.
D
It's
more
than
just
look
it's
more
than
understand
the
domain
of
the
credential.
Okay,
the
the
domain
of
the
kubernetes
credential
coming
in
was
all
about
security
and
identifying
who
the
client
was
it's
that
type
of
a
token
right.
It's
a
security
ready
token.
This
token
right
is
something
constructed
by
the
CSI
driver
to
understand
that
it's
this
volume,
it's
these
snapshots,
it's
this
user,
it's
you
know
all
the
underlying
stuff,
and
it
goes
with
the
URL
right,
because
that's
also
where
the
CSI
driver
decides
what
endpoint
to
expose.
D
A
D
C
C
A
D
B
D
D
It's
this
request,
so
the
client
made
a
post
right
and
got
a
response.
Then
it
takes
that
response
and
makes
a
grpc
call
so
essentially
the
the
it's
a
session.
For
that
thing,
it
doesn't
have
to
be
unique.
In
any
sense,
there
can
be
five
sessions
on
the
same
two
pairs
of
snapshots.
Who
cares
right?
But
the
point
is
it's:
this
client
it's
this
request
and
something
is
going
to
handle
this
request.
So
that's
what
session.
A
B
A
B
C
B
Okay,
so
the
request
doesn't
have
to
be
unique.
That's
what
we
just
said.
So,
just
like
some
sort
of
thing
that
says
this
is
a
request
from
client
a,
and
this
is
another
request
from
client,
B
and
client.
A
is
asking
for
the
CBT
between
snapshot,
one
and
snapshot.
Two
yeah
and
client
B
is
asking
for
the
same
thing:
Snapchat
one
and
Snapchat.
Two.
The
only
difference
is
playing
in
client
B,
which
is
really
just
in
service
account
tokens
which
again.
D
D
But
all
that
is
taken
care
of
at
the
first
phase,
right,
authentication
and
authorization
is
happening
in
the
first.
The
first
kubernetes
call.
So
you
know,
let
me
make
an
analogy:
Ivan,
it's
like
open,
like
like
open
in
the
file
descriptor
right
in
posix.
At
that
point,
at
the
open
call
right,
it
returns
an
FD,
and
then
you
do
I
O
with
the
FD
right.
Well,
that
open
call
is
validate
authenticating,
you
and
you
know,
based
on
for
your
credential,
your
user,
ID,
Etc
and
and
the
and
the
path
you
are
opening.
D
But
once
that
is
validated,
it
goes
down
to
a
lower
level
of
the
kernel
where
you
get
a
where
you
get
a
file.
Whatever
you
file,
structure,
Etc,
sign,
stuffed
it
to
your
user
area
and
your
process,
and
you
got
to
file
the
script
back
from
that
correct.
And
then
you
work
on
that
and
multiple
processes
can
open
the
same
file
exactly.
B
D
But
the
sessions
are
used
in
okay,
maybe
we're
talking
cross
purposes
in
the
green
box.
Above
This
negotiation
is
done
securely
with
kubernetes
API
in
the
yellow
box
below
this
is
done
securely,
but
it's
valid.
It's
done
without
Mutual
authentication
and
it's
valid,
and
the
The
Authority
is
conveyed
right
via
the
talk
session
token,
which
was
securely
established.
D
D
D
B
Simple,
it's
a
CSI
driver,
so
let's
assume
the
CSI
driver
managed
the
entire
life
cycle.
The
csis
driver
have
a
state
of
the
session
because
if
you
crash
a
restart,
you
still
remember
where
the
token
is
good
or
not
somehow
the
goal
magically
taken
care
of
right
I
would
like
to
know.
Okay,
maybe
like,
if
you
want
to
extend
this
diagram
a
little
bit.
I
want
to
know
like
what
country.
What
makes
a
session
like?
B
C
D
Request
but
let's,
let's
handle,
let's
handle
the
problem
this
way.
So
this
is
a
post
call.
You
said:
what
is
the
session
correct?
The
session
is
returning
the
result
of
this
post
call.
The
Post
call
returns
an
immediate
result,
but
you
haven't
got
the
data.
Yet
right,
you
haven't,
got
the
changed
block
metadata.
So
the
session
is
all
about
retrieving
that
change
the
change
block
metadata
and
then
it's
when
you
finish
with
it
you're
done
it
could
have
a
time
to
live
whatever
you
want.
As
an
implementer.
You
put
that
in
right.
B
D
B
B
B
B
A
B
D
A
B
A
C
D
Action
taken
on
on
that
call
right
that
authentication
not
declined
that
that
actually
is
the
target
of
the
left
of
the
left
swim
Lane.
Then
that
makes
a
call
to
another
as
Prasad
we
can
work
on
the
figure
later
on,
but
now
we
have
we
have.
This
is
the
correct
part:
a
set
of
actors
involved
right.
The
CSI
driver
actor
was
missing
from
this
chart
before
so
now
you
can
see
that
the
CSI
driver
actor
creates
the
session
token
and
returns
it
back,
and
this
is
done.
D
B
D
This
is
wrong.
The
figure
is
wrong
here.
These
calls
are
made
now
not
to
the
not
to
the
side
car
but
actually
to
this
service.
So
you
have
to
extend
the
yellow
box
to
the
right
and
talk
to
the
second
actor.
It's
the
calls
are
made
not
to
the
side
cup.
The
calls
I
need
to
the
CSI
driver
piece
which
is
listening
so.
B
B
D
I
I
hear
you:
let's
say
that
let's
say
there
were
a
thousand
calls
made
right,
or
every
call
would
have
to
be
authenticated
in
that
remember.
This
is
now
a
data
transfer
API.
This
is
not
a
a
control
API,
so
the
whole.
The
whole
point
expressed
in
the
previous
meetings
was
about
how
we
overload
the
API
service.
Even
authentication
requests
overload
services
and
the
other
part
is
the
other
part
which
Prasad
I
think
had
researched
again.
I'm,
not
a
I'm,
not
an
expert
in
security,
so
we
really
have
to
get
this
through
security.
D
B
So
forget
about
certificate.
Signing
so
forget,
okay,
so
the
server
will
always
have
a
certificate.
Yes
right,
the
client
side.
So
let's
say
the
client
side
doesn't
have
a
certificate,
so
we
don't
want
to
do
mtrs,
but
at
least
the
communication
would
be
over
secure,
grp,
at
least
it's
encrypted
correct,
so
like
regardless
of
thousands
of
requested.
B
The
the
green
box
will
still
need
to
happen
right.
So
in
the
first
part
of
the
green
box,
is
you
still
have
to
ask
kubernetes
API
server?
You
should
scrub
a
little
bit.
What
inscribe
like
that,
that
first
gray
box,
token
review
and
subject
access
review,
whether
it
is
50
requests,
is
a
thousand
or
million
requested
that
first
grade
box
will
always
happen.
You
still
have
to
ask
kubernetes
APS.
Yes,
you
will
still
ask
to
win
at
least
appear,
so
it
doesn't,
it
will
still
put
load
and
pressure
on
the
kubernetes
apis.
B
B
D
Quality
again,
okay,
so
yeah
I
I,
don't
I,
don't
get
the
I
think
Prasad
has
to
expound.
What
this
thing
is
you
understand
what
this
volume
snapshot,
Delta
object
looks
like
and
I'm
sure
Prasad
has
a
different
figure
for
it
different
definition
of
it.
Maybe
we
should
call
it
a
session,
talk
response
or
something
I.
B
C
D
So
it
can
be
done
directly
as
in
the
case
of
the
green
box
right,
it
can
be
done
with
mutual
authentication
and
authorization
done
through
CSI
through
the
kubernetes
mechanisms,
that's
in
the
green
box,
and
that
that's
because
the
client
is
coming
in
with
say
the
whatever
Q
kernel
Authority
give
granted
to
the
client
right.
It
has
all
that
type
of
stuff
and
we,
the
cube
API
server,
is
the
one
which
is
trusted
and
then
there
it
then
forwards
the
request
to
the
AG
API
server,
which
responds
validates
all
the
other
stuff.
C
D
Since
we
use
encryption
over
the
Y
in
this
yellow
box,
you
it's
a
secure
call
coming
in
the
client.
Can
trust
the
fact
that
the
endpoint
came
as
a
response
from
The
Trusted
request
and
the
service
receiving
the
request
can
trust
that
the
token
right
was
issued
by
it,
because
the
service
cannot.
At
this
point,
the
service
of
the
yellow
box
cannot
identify
the
client
and
doesn't
have
to
actually
you
just
trust
the
fact
that
the
token
conveys
all
the
all
the
authentication
granted
in
the
green
section.
B
D
D
A
A
That
this
is
not
something
that
we
have
used
before
right.
So
it's
basically
now
you
get
the
token
now
you
just
trust
this
right,
the
the
and
then
the
backup
software
will
be
using
this
token
right.
So
that's
the
part
I'm,
not
sure.
If
how
secure
is
this
this
way?
So
like
you,
you,
you
do
the
secret,
basically,
the
first
one.
B
Yeah
I
think,
like
anyways
I,
finally
tell
me
that
he
wants
to
continue
to
work
with
us
on
this,
but
just
subjected
to
his
own
other
full-time
job
and
stuff,
like
that,
but
anyways
regardless
I
think
fundamentally
right.
I
think
the
the
main
disagreement
is
that,
like
so
so,
I
think
Carl
you,
you
put
it
nicely
by
saying
that
okay,
so
the
the
the
client
trust
the
server
via
the
the
TLs
certificate.
I
think
that
we
cannot
get
away
with
that.
One.
B
But
now
how
does
the
the
the
the
the
other
part
of
the
equation
is?
How
does
the
server
trust
the
client
so
in
this
in
this
proposal,
like
we're,
saying
that
the
client,
the
server
or
trust
the
client,
because
the
client
has
a
token
that
the
server
issue-
that's
right?
Okay,
so
which
I
think
like
from
that?
B
A
D
To
driver
yeah
and
by
the
way
I
I,
really
think
we
can
make
it
really
strong.
If
say,
every
grpc
call
can
mutate
the
token
and
return.
The
next
token
you
know
I
mean
that's,
that's
how,
for
example,
web
authentication
works
right,
the
JWT
is,
is,
is
mutated
and
returned
back
I.
Think
every
call
something
like
that
right.
So
essentially,
this
is
a
session,
and
if
the
session
breaks,
there's
no
retrying,
you
go
start
a
new
session,
but.
A
D
Let
me
spin
out
an
example:
how
I
would
do
it
just
just
a
very
simple
example,
because
you
know
I
prefer
to
implement
simple
B.
So
if
I'm,
the
CSI
driver,
I,
would
say,
construct
create
a
token
I
would
spin
off
a
pod
potentially
would
run
this
service.
It
gives
you
isolation,
it
gives
you,
you
know
rate,
limiting
everything
on
that
thing
and
I
give
it
all
these
secret
information
and
spin
it
off
and
forget.
So
my
my
CSI
driver
now
goes
back
to
doing
its
own
stuff
right.
D
The
client
contacts
that
URL,
which
now
points
to
that
new
service
running
in
that
pod
and
it
does
its
session
and
when
it's
done
it
closes
off
and
the
Pod
dies.
If
the
if
the
client
doesn't
call
and
say
some
time
to
live,
the
thought
just
says
bye-bye:
it's
dead
right,
something
like
that.
I
mean
that's,
that's
how
I
would
implement
it
as
a
naive
first
pass
approach.
B
Right
I
think
this
definitely
this
design
definitely
definitely
makes
it
very
simple
on
the
client
side.
So
the
part
where
you
talk
about
when
the
CSI
driver
comes
up
somehow
have
a
secret
or
something
that
it
passed
along
the
secret
and
it
went
back
to
do
his
own
thing.
So
that
is
the
part
that
I'm
not
sure.
D
So
let
me
take
a
concrete
example:
I've
worked
a
lot
with
VMware,
as
you
guys
know,
right
so,
and
right
now,
I
the
way
we
talk
to
VMware,
we
spin
off
apart.
You
know
because
it
has
C
GoGo
bindings
Etc.
We
spin
off
a
bar
with
all
that
stuff
and
it
we
give
it
all
the
arguments
which
include
say
the
the
volume
either
FCD
ID
and
the
snapshot.
Ids
Etc
and
we
tell
it
go,
do
its
thing
correct,
so
I
would
consider
doing
it
in
a
similar,
Manner
and
spin
off
the
spot
right.
D
All
the
data
is
then
packaged
and
construct
concerned
turned
into
the
domain
specific
FCD
ID
and
snapshot
ID
Etc
and
given
to
the
spot,
somehow
through
a
secret
or
through
command
line,
arguments
or
whatever
you
know,
that's
totally
vendor
specific
and
the
URL
is
given
to
it
and
the
token
is
given
to
it
right
and
then
that
guy
then
listens
for
until
sometime.
You
know
until
it
you
know
until
the
time
expires
Etc,
but
it
listens
for
the
client.
When
the
client
call
contacts
it,
it
knows
what
it's
doing
and
it
starts.
A
D
A
B
D
A
D
D
C
A
B
D
D
That
you
know
the
CSI
thing
just
also
handles
all
the
volume
requests
together
and
one
thing
it
doesn't
care.
You
know
so
the
URL
I
mean
look
at
the
variance
variations.
We
have
this
return,
grpc
endpoint
it
could
be
dynamically
it's
created
per
session.
It
could
be
one
common
thing
for
all
sessions.
Right
I
mean
there's
so
much
variation
here.
I
don't
have
enough
Network
background
to
actually
propose
what's
right
or
wrong,
but
the
point
is
it
doesn't
matter
the
spec
says:
here's
an
address.
B
B
Whether
we
need
an
extra
session
token
from
the
provider
or
can
we
just
trust
the
community
service
account
token
I.
Think
that's
that's
my
only
main
thing.
Otherwise,
like
you
know,
this
looks
perfect.
This
looks
great,
that's
the
main
part
for
me,
so
yeah
I
guess.
My
concern
is
from
like
a
security
and
like,
like
the
token.