►
Description
Kubernetes Storage Special-Interest-Group (SIG) Data Protection WG Bi-Weekly Meeting - 14 July 2021
Meeting Notes/Agenda: -
Find out more about the Data Protection WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
A
D
Yes,
yeah
so
hi
everyone,
so
so
so
I
just
I
was
speaking
to
shane
the
other
day
about
this
issue,
so
I
just
thought
I
would
take
a
stab
at
it
and
basically
we
were
looking
to
get
more
sort
of
input
and
ideas
and
stuff.
So
the
document
that
we
have
here
is
is
pretty
high
level,
so
I
probably
just
go
through
the
problem
and
then
sort
of
high-level
solutions
and
then
of
course,
any
feedback
now
or
offline
later
as
well
as
is
welcome.
D
So
the
issue
is
basically
it
has
to
do
with
the
volume
mode
sort
of
conversion
issue
where
you
could
take
a
snapshot
of
a
pv
with
the
volume
mode
of
block
right.
So
technically,
there's
no
file
system
and
then
a
user
could
sort
of
maliciously
restore
that
that
sort
of
tv
sorry
restore
that
pvc
from
a
snapshot
and
change
the
volume
mode
to
a
file
system
and
then
try
to
mount
it
and
then
eventually
that
will
crash.
D
D
So
I
was
just
looking
at
that
and
seeing
it
seeing
like
how
we
can
sort
of
apply
those
concepts
over
here
to
sort
of
fine-grain
or
sort
of
provide
permissions
to
what
a
particular
user
or
service
account
can
do
right.
So
so
this
document
basically
speaks
of
sort
of
both
of
those
solutions
where
we
have,
I
mean.
D
Obviously,
the
names
are
just
like
not
really
thought
of
in
detail,
but
basically
a
volume,
security
policy
or
a
volume
security
standard
and
how
we
could
potentially
apply
that
to
our
problem
over
here.
So
first
off
like
basically,
we
need
to
store
the
the
pvc
pvcs
volume
mode
right
when
we,
when
a
user
takes
a
snapshot
of
a
pvc.
E
D
D
So
I
haven't
given
that
in
detail
over
here,
but
it's
all
in
this,
this
link
on
the
kubernetes
docs
and
then,
of
course,
we
would
introduce
an
admission
controller
which
basically
intercepts
requests
to
create
a
pvc
right.
So
what
that
admission
controller
is
going
to
do.
Is
it's
going
to
look
at
whether
you
know
the
source
of
the
pvc,
whether
it's
being
restored
from
a
snapshot,
and
if
it
is,
then,
is
it
modifying
the
volume
mode
right?
D
D
D
D
Also
like
a
three-pier
pod
security
proposal,
it's
it's
actually
pretty
interesting,
and
this
proposal
is
actually
very
detailed.
So
I've
again
just
tried
to
take
concepts
similar
concepts
from
there
and
and
see
if
we
can
apply
it
to
sort
of
our
use
case
over
here
in
terms
of
volume
creation,
instead
of
like
pod
creation
and
the
reason
they've
done,
that
is
basically
they're,
a
bunch
of
like
limitations
with
bot
security
policies.
D
D
Privilege
is
basically
allow
the
widest
level
of
permissions,
so
no
restrictions
on
on
creating
pvcs
or
you
know,
modifying
the
volume
mode
and
restricted
would
be
the
most
restrictive
policy
which
you
know
lets
you
fine-grain
your
sort
of
security
model
for
creating
volumes,
and
the
difference
here
from
pod
security
standards
is
that
you
actually
would
label
the
name
space.
So,
rather
than
so,
one
of
the
issues
with
tying
a
policy
to
your
user
is,
is
I
mean
think
of
it
like
this?
D
I
could,
I
could
be
a
user
that
creates
a
pvc
on
my
own
right.
So
in
that
case
I'm
the
user,
but
a
pvc
could
also
be
sort
of
created
as
part
of
a
stateful
set.
So
then
what
is
the
user
in
that
case
right?
So
I
think
those
are
sort
of
the
like
nuances
or
sort
of
these
smaller
issues
with
psp
that
also
apply
here.
D
So
the
idea
here
is
that
you
actually
apply
these
standards
to
a
namespace
rather
than
a
particular
user,
and
that
is
in
the
form
of
labels.
So
there
are
sort
of
three
modes
that
we
would
allow
again
similar
to
bot
security
proposal.
The
the
broad
security
standard,
which
is
enforce
audit
or
one
so
the
idea
behind
that
is
that
sort
of
enforce
is
you
know
if
a
policy
is
violated.
D
That
is
because
you
know
customers
might
be
wanting
or
users
might
be,
wanting
to
move
to
this
model
without
really
or
would
rather
want
to
sort
of
see
how
the
future
works
before
you
know
enforcing
these
sort
of
policy
constraints
so
so
yeah.
So
basically
we
would
add
it
as
a
label
to
the
namespace,
where
this
prefix
is
obviously
still
undefined,
but
so
I
guess
kubernetes
dot,
io
dash,
something
sounds
something
slash
enforce
audit
or
one,
and
then
you
would
specify
the
policy
level,
which
is
either
restricted
or
privileged
right.
D
So
again
it
would
compare
the
pvcs
volume
volume
mode
to
the
sort
of
source
snapshots
volume
of
volume
mode
and
then,
if
they
match
it's
all
good,
if
they
don't
match,
then
it
would
look
at
these
labels
and
then
take
a
decision
accordingly
and
and
yeah.
Basically,
that's
very
high
level
sort
of
blast
of
information-
I
guess
so
yeah.
D
A
A
F
I
don't
want
to
derail
on.
You
know
just
discussion
on
that.
Okay,
you
know
on
that
too
much,
but
I'm
just
curious.
If
there's
any
communication
with
the
you
know,
sort
of
the
the
linux
proper
community
around
hey
is
this
the
right
behavior
and
obviously
it's
their
ball
of
wax
and
that's
a
whole.
That's
a
whole
other
topic
as
to
whether
or
not
this
community
can
influence
that,
but
I'm
just
curious
if
there's
been
anything
established
on
that
end
of
things,
I.
G
G
F
Yeah
understood,
okay,
like
I
said,
didn't,
want
to
derail
but
glad
to
hear
there
has
been.
You
know
there
is
some
intent
on
the
linux
or
in
the
kernel
side
to
maybe
improve
things
over
time,
or
at
least
there's
an
awareness
such
that
they
could
potentially
have
intent
later
anyway.
Let's
not
derail
thanks.
H
I
I
have
this
kind
of
stupid
question
that
the
the
the
when
in
the
statement
of
the
problem,
is
it
looked
like
that
the
couplet
when
we
tried
to
mount
a
corrupted
tv
it
will
crash
and
we're
trying
to
find
a
way
to
address
the
problem
that
you
know
to
avoid
the
situation
like
this
happen,
but
have
you
ever
have
you
ever
I
mean
have
we
we
ever
think
about?
Why
don't
we
just
address
the
original
problem?
H
A
B
H
A
E
A
G
There
are
bugs
in
kernel
some
few
times
a
year.
Somebody
finds
how
to
crash
your
kernel
using
corrupted
fire
system,
either
x4
or
xfs,
or
an
ntfs
or
whatever
these
bugs
happen,
and
there
is
no
way
how
we
can
check
before
we
mount
that.
The
first
system
that
we
are
going
to
mod
is
going
to
crash
the
kernel
or
not.
E
G
J
G
Can
mount
can
crash
the
camera
then
like
they
have
many
other
ways
how
to
crash
the
kernel.
They
don't
need
to
mount
like
they
can
stop
the
they
can
help
the
machine,
basically
even
without
mounting
something
wrong,
so
it
doesn't
have
the
highest
cve
rating,
but
it
is
fixed.
It
is
being
fixed
by
these
throws.
G
C
D
Yeah,
that's
actually
a
good
question
and
I
think
that's
an
open
issue
that
I've
sort
of
listed
at
the
bottom,
which
I
I
didn't
really
go
through,
which
basically
for
pre-provision
volumes.
I
I
think
zheng
pointed
this
out
that
the
same
thing
is
what
you
said
right:
the
status
wouldn't
be
populated.
D
A
A
But
that's
so
this
is
the
volume
snapshot.
This
is
the
name
spaceman,
so
the
admin
will
be
creating
the
content
right.
Unless,
if
you're
saying
that
we
do,
we
add
that
in
and
also
when
you're
creating
that
the
con
the
status
will
not
be
populated
right,
so
admin
normally
probably
using
the
cli
cubacado
to
create
it
and
it
so
they
won't
be
able
to
change
the
status
unless
they
write
a
controller.
J
A
Are
you
suggesting
to
like
we
have
this
field
in
both
content
and
the
one
snapshot
so
right
now
in
this
current
proposal,
this
field
is
only
in
the
volume
snapshot
status,
not
in
content
status.
So
I
mean,
I
guess
there
are
a
couple
of
things
here:
do
we
also
want
that
field
to
be
in
the
content
status?
Because
that's
one
question
and
the
second
question
is:
when
the
admin
creates
it:
normally,
they
use
the
cube
card,
or
at
least
right
now.
A
J
E
E
A
A
A
E
A
E
A
E
E
E
A
Yeah,
all
I'm
saying
is
right.
We're
going
back
to
I
mean
I
think
it's
fine,
I'm
open
to
this
one.
Maybe
we
can.
This
is
an
option,
maybe
a
ronald.
You
can
write
this
down.
So
this
is
one
option
that
we
could
solve
this
problem,
which
is
to
have
this
in
volume
snapshot
content
where
we
have
this
field
in
spec.
E
E
At
least
we
would
have
a
record
of
if
someone
did
create
a
raw
block,
pvc
and
then
snapshot
it.
We
would
at
least
know
then,
when,
when
they
tried
to
turn
it
into
a
faucet
and
pvc,
that
they
were
making
the
change,
and
then
you
could
examine
some
policy
to
say
is
that
okay
or
not
and
for
a
backup
system,
you'd,
say
sure?
That's
okay,
because
we
trust
the
backup
system
before
joe
shmoe
say
no
we're
not
going
to
let
him
do
that.
A
A
D
A
A
D
A
A
A
J
A
L
D
M
D
Yeah,
so
I
think
that's
right
so
in
this
second
sort
of
when
you
apply
to
the
namespace,
rather
than
having
the
thing
like
the
policy
assigned
to
the
user.
In
that
case,
you're
saying
that
for
each
namespace
we
just
have
one
sort
of
standard
and
any
namespace.
Sorry
any
pvc
creator,
and
that
namespace
is
going
to
follow
that
standard.
M
A
I
thought
there
was
a
something
else,
but
I
couldn't
remember
what
that
was.
I
thought
was
that
something
else
that
we
also
oh,
I
think,
can
we
actually
can
you
go
back
to
share
that
again,
so
the
the
new
api
object
you're,
adding,
is
that
the
that's
like
under
the
policy
group
right
policy.
Api
group
is
that.
A
A
Oh,
I
think
this
is.
This
is
option
two,
so
I
guess
maybe
it's
okay.
I
was.
I
was
just
so
so
if
we
oh,
so
this
is
yeah,
so
this
would
be
a
new
api
object,
but
I
think
this
is
since
this
is
option
two,
maybe
it's
okay,
I
was
just
trying
to
think
like
this
is
like
an
entry
api
object
right
and
then
because
we
talked
about
the
admissions
controller,
should
that
be
auto
tree
or
entry.
A
A
L
A
You
can,
maybe
just
like,
add
a
link
instead
of
writing
down
the
details.
Maybe
that's
fine
as
well
just
say
when
there's
another
example
and
then
just
here's
the
link-
that's
maybe
okay,
but
that's
okay,
I'll,
take
a
look
and
and
see
if
we
can
add
this
to
the
main
dock,
and
also
I
see
that
you
you're
trying
to
set
a
meeting
to
talk
about.
J
L
L
A
A
A
A
A
N
A
I
okay,
so
I'm
not
sure
that
we
want
to
do
a
pdf.
I
was
actually
thinking,
maybe
oh
yeah.
We
can
that
we
can
decide
later
yeah
we
can
pdf
is
one
way.
Otherwise
we
can
actually
just
to
enter
this
as
a
just
like
the
like
the
text
like
the
the
markups,
it's
fine
too,
I
think.
Well,
we
can
decide
that
later.