Description
Kubernetes Data Protection WG - Bi-Weekly Meeting - 19 May 2021
Meeting Notes/Agenda: -
Find out more about the Data Protection WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
Hello everyone, today is May 19, 2021. This is the Kubernetes Data Protection Working Group meeting. Today we have a few things on the agenda. We gave a presentation at KubeCon about the Data Protection Working Group and we got some questions, so we will first discuss the questions we got there, and then we'll go over some KEPs.
A
Okay, so let's get started. Is Martin here? Yes, I'm here. Hi, welcome.
B
A
Okay, so currently, let's say: how do you protect your workloads right now?
B
A
Really? Okay. I thought there was. I was actually just reading this, because I'm not really familiar with how this works. This is Amazon RDS. It says that you can also perform user-initiated backups; I'm not sure if that helps. So you're saying you are actually using the automatic one? Yes.
A
B
I work for the Dutch government, and the Dutch government has a special agreement with Microsoft, so we can only use Azure, and Azure isn't as complete in its services as Amazon is, unfortunately. Oh, you're saying it does not have a way for you to... I think you can trigger external backups, but what you can't do is store the backups outside of your environment.
B
A
B
A
Okay, oh, we actually have Ad here. Ad actually works for Microsoft. Do you have any comment on this?
C
On the point that we can't store our backups outside of our environment: no, I'm not a super expert on the backup end of things, but I have contact with folks who are and can certainly provide this feedback to them.
A
Okay, yeah, maybe Ad can.
C
Yeah, Martin, I'm happy to have a conversation with you offline and learn more about the differences here. Certainly some of our backup folks have a good idea about that, but we can at least provide some additional feedback to them.
A
So I wonder — I don't know if this problem is really solved if we are using AWS; I'm not sure, because I don't really have experience with this. I'm not sure if anyone else on this call has any experience dealing with this kind of cloud-managed service.
A
D
What we do — so, I'm Tom from Kasten by Veeam. What we do is we treat it like a snapshot: we treat the cloud provider APIs like a snapshot, and then you can go through and do a restore of that snapshot separately and then do an export of that data using a logical dump.
D
So you mentioned Postgres. For example, you can do a pg_dump that extracts data at the logical level, and then you can put it into any backup repository you want. For many databases, you're exactly right, there are no good APIs to get data out into external systems, except through the database protocol itself. Right.
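The restore-then-dump flow Tom describes could be sketched as a Kubernetes Job running pg_dump against a snapshot-restored database; all names here (restored-postgres, appdb, backup-repository-pvc) are hypothetical illustrations, not anything from the meeting.

```yaml
# Sketch: restore the snapshot separately, then export a logical dump.
# Assumes "restored-postgres" is a Service fronting the restored clone.
apiVersion: batch/v1
kind: Job
metadata:
  name: postgres-logical-export
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: pg-dump
          image: postgres:13
          # Custom-format dump (-Fc) written to a separate backup volume.
          command: ["pg_dump", "-h", "restored-postgres", "-d", "appdb",
                    "-Fc", "-f", "/backup/appdb.dump"]
          volumeMounts:
            - name: dump-target
              mountPath: /backup
      volumes:
        - name: dump-target
          persistentVolumeClaim:
            claimName: backup-repository-pvc
```

The dump file can then be moved to any backup repository, independent of the storage system that took the snapshot.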
A
So it looks like there are some issues with Azure — did you try this with others, or is this Azure-specific?
D
Yeah, I mean, this is kind of the general approach we take for many things, even with filers, for example.
D
And then to export data, it takes kind of the same approach, where you do a local restore and then export it. The APIs for AWS I'm pretty familiar with; I'm a little bit less familiar with the backup APIs for Azure. But with AWS, they have a pretty rich suite of backup APIs with which you can take snapshots of your systems.
A
B
Sure, it's a great start, but I think we have to look into this: most cloud providers today have a way of creating cloud resources from Kubernetes, so you can see them as Kubernetes resources. It would be great if we could extend that API to also include things like backups and snapshots. Right now, I think none of them really have that; they only allow you to create a database or a database server from these APIs.
B
It came from the Cloud Foundry guys.
A
B
From Pivotal; they started a way to use resources in their environment.
B
B
A
F
I believe these operators are basically mappings of the APIs from the cloud providers, right? It's taking, let's say, the AWS CLI or the AWS API and mapping it as Kubernetes calls within the cluster. So it should be possible to also do this.
D
Yeah, Martin, I think this is kind of what our product does, actually. Okay.
A
Yeah, maybe we can even have a session on some of those in this group. I think it's interesting, because I wasn't sure — I thought, at least right now, we didn't have a way. Until I heard about this today; looks like there is a way, actually. So, Tom, maybe we can have a session here as well, if you're free, of course.
D
A
Okay, do you have anything else about this topic? I see that, Martin, you also added some comments to our white paper, trying to include this in our scope. So let's see after Tom's demo what we should do, because I was not quite sure how to handle this yet. Let's take a look.
A
Okay, do we have anything else on this topic, anything else?
A
A
All right, so Ben is going to give an update on the volume populator KEP.
E
G
We merged an update to the volume populators KEP last week, but only after a significant design change, and I wanted to socialize here what the design change is and what the plan is, to stave off any confusion about this, because I think when people first hear about it, they're like, what the heck? In short, the plan is that we're going to be replacing the DataSource field with a new field called DataSourceRef. KEP 1495 was the original volume data source KEP.
G
It's been updated for 1.22; here's a link to it. The reason for this is that it was not possible to proceed with the original plan and at the same time guarantee that no workload anywhere on earth would be broken.
G
Now, we had been confident that the probability of anyone's workload being broken was very, very low, but the current stance of the Kubernetes API team is that it has to be zero; we can't even risk it. So we came up with this new plan with the help of the Kubernetes API folks. I'm going to outline what the plan is.
G
Over all the different releases: in 1.22, we're going to introduce a new alpha field called DataSourceRef. It's going to be controlled by the existing AnyVolumeDataSource feature gate. We're going to add backwards-compatibility logic to kube-apiserver, such that if you have clients using the new field and clients using the old field, everything interoperates in exactly the way you would expect, without the potential to break anything that already exists.
G
A lot of thought went into how to do this right, and the KEP spells it out if you're curious about the details. We'll document this as a new alpha field, and in this time frame I expect to update the existing volume populator implementations to use the new field, so you'll have to switch on this feature gate in a Kubernetes cluster to actually test a volume populator. But that's how it is today already, so that's not going to be too new.
G
A
G
G
Everything in the field is identical to the DataSource field; it just has a different name, and it has different semantics, such that if you put garbage into it — unlike today, where your garbage just gets ignored — the garbage will either be accepted or you'll get a rejection error and it'll throw out your PVC. So you'll never have a situation where the user input is ignored.
G
You'll either get a success or an error. And if you get a success, the results will depend on exactly what the data source is and whether the populator is installed, and all the current considerations that you have with the old design. I'm happy to go into detail on how this is going to work.
G
If we want to discuss it — but I just wanted to lay out the initial plan. In the 1.23 time frame, this would mean the volume populators would be usable on production clusters, because the feature gate would be turned on, and that would be the release coming in the winter time, I think. If all goes well, in 1.24 this new feature would move to GA.
G
G
We would deprecate the DataSource field, but it would continue to work as before. As part of the deprecation, PVCs submitted with the DataSource field would start to get an API warning saying, hey, I'll accept this request, but by the way, you're using a deprecated field; you should consider using the new field. The warning would spell out the change that we had made, and at this point we would update the Kubernetes documentation to stop mentioning DataSource and just tell people to use the new field going forward.
G
Now, even if new users did use DataSourceRef, old clients will continue to work and be compatible, and nothing will break — I want to emphasize that. But this has to be the path forward to get past the existing bad design of the DataSource field. In the 1.25 time frame, we would probably be switching the external-provisioner sidecar to start using the new field.
G
G
Yeah, what it would mean is: for people who are using YAML from today to create a PVC from a snapshot, it would work exactly the way it does today. People who are using sidecars from today that work on the DataSource field — those would continue to work the same as well. They might receive deprecation warnings, but you can ignore those.
A
E
A
G
G
It'll have two copies of the data — yeah, it'll just be a little ugly, but we'll tell people: don't look at that old field, it's legacy cruft. Obviously we have to keep it for backwards compatibility all the way up to 1.whatever, and then someday, in Kubernetes 2.0, we would remove the DataSource field — but that will probably never happen. This is just to emphasize what would happen if there is ever a 2.0.
G
G
A
Can you show what that API looks like? I just want to remind everyone — I'm not sure if folks realize what this means yet.
A
G
Right, the KEP is approved for 1.22, so the API guys are happy with this, and they see this as the way forward to get out of the mess we're in with the existing DataSource field. I need to write the code and get it approved by the API guys, and us, the storage folks.
G
We all need to make sure that we're on the same page about this. But the understanding is that, with the way the existing DataSource field was implemented, we made some mistakes along the way; we shouldn't have been ignoring user input, starting at around 1.15.
A
Okay, so maybe I will share — I don't know if this is that clear; it's just showing what the API looks like.
A
A
This is the DataSource: it can be a PVC when you are doing a clone — creating a PVC from a PVC — or it is the AnyVolumeDataSource, any volume data source, that Ben has been working on for the volume populator.
G
What we'll do here is copy this field, DataSource — so line 459 will get cloned, and there'll be a second field with the same type called DataSourceRef. We'll probably update the comments to remove any reference to custom resources in the old field, because we won't support them there; those will all be moved to the new field, and then there will be compatibility between the two.
A
A
Right, so this is the example. This is just the DataSource field: when you create a PVC, you specify the DataSource field. In this example you take a volume snapshot, but in the future Ben is going to add another field called DataSourceRef.
G
G
Therefore, if an old client looks at it, it'll see the DataSource that it's expecting, and if a new client looks at it, it'll also see the new field. And if you specify this YAML with DataSourceRef instead of DataSource, the same thing would happen: it would populate the DataSourceRef field with what you wanted.
G
Yeah, it'll copy it back too. The crucial thing is, if you specify something other than a PVC or a snapshot today in the DataSource field, what happens is it just gets ignored, like you never specified anything — you get an empty volume. If you try to do that with the DataSourceRef field, it will either accept it and preserve the contents, and then you'll get a PVC with that data source set, or, if it's invalid, you will get an error.
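A PVC using the new field might look like the sketch below; the apiGroup, kind, and resource names are hypothetical illustrations of a custom resource handled by a volume populator, not anything defined in the KEP itself.

```yaml
# Sketch: PVC referencing a populator-handled custom resource via the
# new dataSourceRef field (alpha in 1.22, behind AnyVolumeDataSource).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: restored-pvc
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi
  # Unlike dataSource, an unrecognized reference here is either
  # accepted and preserved or rejected -- never silently ignored.
  dataSourceRef:
    apiGroup: example.populator.io   # hypothetical populator API group
    kind: BackupContents             # hypothetical custom resource kind
    name: my-backup
```

For the PVC-clone and snapshot cases, the same reference shape works in either field, and the API server keeps the two fields in sync for compatibility.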
A
G
A
A
A
Right, okay, is this clear to everybody? I thought it was important for him to talk about this. When I first saw this, I was a little surprised and worried about what would happen to the obsolete field, but I think it's okay.
G
A
A
Right, because when you do backup and restore, do you actually use it — I mean, maybe not all the time, maybe sometimes?
A
A
G
G
They don't use the DataSource field. We are hoping someday to have a built-in backup/restore API in Kubernetes that would use this, but that would sort of depend on having the volume populator mechanism working at all.
A
F
A
No, no, I know there are people who actually use this already, but of course that's only for cloud providers. Anyway, I was just trying to see if there was any feedback from this group. That's why I was asking — because I didn't hear anyone who was surprised by this.
A
Okay, you do not use it, but I think for cloud providers you actually could use this, right? You don't need to use this field, but for something like AWS EBS, you can just use this directly — can you?
G
I don't believe so. I will mention that, you know —
A
G
A
Yeah, that's normal. NetApp is also the same, right — not a cloud provider. I'm just saying, for example, if you look at Velero, Velero has a plug-in for CSI. If you use that one for AWS EBS — maybe, I don't know if that's...
A
A
Yeah, backup. Yes, they use that, but that's just for that one case; it's not going to work for other storage systems. The snapshot is actually local, right? That's what I'm saying — that's why I was asking if anyone has already been using it. I'm just thinking that some backup software actually uses it for some code path.
D
A
Okay, anything else — any other questions regarding this change?
D
Can you share those slides, then? Are they in here?
G
E
G
They're on a SharePoint. I can share it, absolutely; it's just that it'll only be good for 30 days. I can copy it out if needed. Thank you.
D
G
A
Okay, you know — why don't you provide that here, then I can convert it to a Google Slide. Okay, thank you. So that's the first one, and then I just want to give a quick update on the ContainerNotifier KEP.
A
For this KEP, we actually got an approval from the API reviewer, which is good, so we made some progress; he actually gave a "looks good to me". Right now we are waiting for review from SIG Node. We passed the merge deadline, so this is going to be 1.23, but we want to get this KEP merged early — I don't want to wait until the merge deadline. So that's this one.
A
And then for COSI, I just want to give a quick update. That KEP is a very big KEP, so we didn't make the merge deadline, but then we realized that all the development work for COSI actually happens out of tree, so we don't have to be restricted by this merge deadline. We can continue to work on this and continue with the API review, still trying to get this one in the 1.22 timeframe.
A
So that's the status for COSI, because this is a really, really big KEP and we did not get time to resolve all the concerns from the API reviewers last week.
A
Okay, anything else?
A
That's all I have here. Hey Tom, I actually missed your talk — do you want to just talk about what your talk was about?
D
Yeah, definitely. So we added ransomware protection to our product, but this was obviously a vendor-neutral talk, so we just talked about how to build this kind of thing on your own. What we described is how to create immutable backups in S3, using the different advanced locking APIs that the S3 protocol provides. We've also tested it with many different providers that support the S3 protocol, and it seems to work with the ones we've tested, but obviously they differ.
D
If you have your own version of S3, maybe it doesn't have all the locking APIs. But I think it went pretty well, with good attendance and some good feedback. It's a fairly technical talk, so we dive into the exact APIs you need to use if you want to have immutable backups in S3.
A
And this is — okay, this is S3-compatible. So this is only for S3; those are S3-specific APIs that you're using there?
D
They are, yeah. For example, we have our own storage engine on top of S3, kind of similar to restic, and we've added support for understanding these APIs and being able to restore. With that, you can get protection from ransomware, because once you write, if you treat the blobs as immutable, you cannot overwrite or delete them, and so you can have permanent backups that will last for some retention period.
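The locking APIs Tom refers to set a per-object retention window on write. As a minimal sketch — the bucket and key names are hypothetical, and the resulting dictionary is what one would pass to an S3 client such as boto3's `put_object` on an Object Lock-enabled bucket:

```python
from datetime import datetime, timedelta, timezone

def object_lock_params(bucket: str, key: str, retention_days: int) -> dict:
    """Build S3 put_object parameters that make the written blob
    immutable (WORM) until the retention date passes."""
    retain_until = datetime.now(timezone.utc) + timedelta(days=retention_days)
    return {
        "Bucket": bucket,
        "Key": key,
        # COMPLIANCE mode: no one, not even the account root user, can
        # overwrite or delete the object version before retain_until.
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": retain_until,
    }

# Hypothetical names; a real call would look like:
#   boto3.client("s3").put_object(Body=backup_bytes, **params)
params = object_lock_params("backup-bucket", "appdb.dump", retention_days=30)
```

`GOVERNANCE` mode is the softer alternative, where specially privileged principals can still shorten the retention; the talk's ransomware use case is the reason to prefer the strict mode.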
D
If you use S3 as a target — you know, we added this to our S3 storage engine — you could do something similar on your own if your backup is an individual blob, but you could also do this with something like restic. The second half of the talk goes into the actual APIs.
A
A
D
Xing, I couldn't tell — but how was CNDM, Cloud Native Data Management?
A
A
A
Yeah, I think overall it definitely went well.
D
A
A
A
Yeah, that's the plan, right. I was just hoping that nothing weird happens before then. But right now, at least in the U.S., it seems like things are going in a positive direction — everybody is getting vaccinated.
D
D
A
G
G
E
Well, there's a huge topic, or a huge sort of debate, I guess, ultimately around whether or not in-person attendance should be gated on establishing that you've been vaccinated, and that gets into a lot of hairy issues; the board has a working group that will be touching upon that. Another factor is that certain corporations, as a matter of corporate events policy, just basically aren't doing anything in person this calendar year.
E
Not yet, but, like I said, planning is ongoing for both scenarios. It does get a little hairy. I mean, it could be as straightforward as: if you can show me some sort of authenticated vaccination, come on in; and if not, or if you're not comfortable or whatever, attend the virtual event. But none of that's been decided yet.
A
A
E
A
Okay, yeah — probably we'll see whether the Olympics can happen first; maybe that's an indicator.