►
From YouTube: Kubernetes Data Protection Workgroup Meeting 20210310
Description
Kubernetes Data Protection Workgroup Meeting - 10 March 2021
Meeting Notes/Agenda: -
Find out more about the Data Protection WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
A
So
today
we
have
a
few
things
on
agenda,
so
we're
going
to
look
at
this
issue
with
a
different
volume
mode
between
source
and
target
pvcs
just
to
look
at
what
are
the
issues
and
the
what
we
should
do
to
solve
the
problem,
and
then
we
can
do
update
of
the
data
protection
white
paper,
okay,
so
the
first
first
one
is
this:
so
we
actually
have
an
issue
open
here.
A
A
So
you
basically
can
actually
switch
the
volume
mode
between
the
you
know,
the
the
original
pvc
and
the
final
target
pvc,
and
then
this
is
actually
used
by
a
lot
of
backup
vendors
already,
because
this
allows
them
to
mount
a
originally
file
system
mode,
pvc
as
a
block
mode,
and
then
they
can
efficiently
copy
the
blocks.
But
then
we
actually
discovered
there
is
some
potential
security
issues.
A
B
C
B
B
Yeah
exactly
so,
you
people
usually
don't
mount
five
like
random
block
volumes
and
people
who
can
mount
are
usually
somehow
trustworthy,
but
in
kubernetes
case,
like
a
random
user,
can
mount
a
random
volume.
B
B
Similarly,
if
you
have
a
block
volume,
you
either
have
a
block
volume
and
you
can
write
anything
there,
but
you
can't
mount
it
or
you
are
trustworthy
enough
to
mount
it
and
then
well.
You
have
extra
permission.
Somebody
allowed
you
to
mount
it,
but
in
this
case,
in
this
snapshot
case,
you
can
create
a
blog
volume,
write
a
wrong
metadata
there.
The
bet
file
system
that
would
crash
a
kernel
and
then
tell
kubernetes
to
mount
it
by
taking
a
snapshot
and
restoring
it
as
a
file
system
volume.
B
B
Well,
we
contacted
security
team
kubernetes
security
team.
These
issues
are
usually
treated
as
medium
severity
in
kernel
and
having
this
possibility
through
kubernetes
doesn't
add
much.
Somebody
did
accounting
and
it
ended
up
as
medium
as
well.
C
D
C
No
yeah,
I'm
saying
like
that,
would
be
a
new
feature
we'd
have
to
implement.
I
I
just
wanted
to
add
some
some
extra
background
for
other
people
here,
so
so,
while
kubernetes
allows
you
to
to
do
this,
you
know
take
a
f,
take
a
snapshot
of
a
raw
block
volume
and
turn
it
into
a
file
system
volume
and
vice
versa.
C
Not
all
drivers
succeed
when
you
try
to
do
this,
so
it's
up
to
the
driver,
whether
this
actually
works
and
some
drivers
allow
it
and
some
drivers
don't
allow
it
in
case
that
wasn't
clear.
I
think
kubernetes
allows
it,
but
it
doesn't
require
drivers
to
succeed
when
you
try.
It.
D
C
So
so
I'll
give
I'll
give
a
perfect
example
with
netapp.
So
so
netapp
our
driver
supports
a
few
different
modes.
We
have
an
iscsi
mode
and
we
have
an
nfs
mode.
If
you
are
in
the
iscsi
mode.
There
is
no
reason
why
you
couldn't
do
this.
You
know
create
a
volume
in
block
mode,
then
turn
it
into
file
system
mode
or
create
a
volume
in
file
system
and
turn
into
block
mode.
C
We
could
implement
that
we
actually
don't
implement
it
today,
for
you
know,
because
we
didn't
realize
this
was
a
thing
that
people
were
even
interested
in.
So
if
you
try
it
today,
it
will
just
fail,
but
we
could
implement
it
for
iscsi
when
it
comes
to
nfs
like
when
you
ask
for
a
file
system,
we
give
you
like
an
nfs
share
on
our
storage
controller.
C
A
C
E
C
A
But
then
so
I
was
just
wondering
if
that
would
fail
in
all
I
mean
that
would
all
draw
fail
actually
will
any
java
actually
kind
of
create
some
something
which
has
the
wrong
mode,
but
they
actually
do
not
support
and
then
later
I'll
find
out
the
data
is
corrupted.
Would
that
even
happen?
I'm
not
sure.
If
that's
a
possibility,
I.
C
I
that
seems
like
a
place
where
maybe
more
test
coverage
would
help
uncover
issues.
I
don't
think
that
none
of
the
drivers
I
know
about
have
that
problem
like
if
you
ask
for
us
for
a
driver
mode
that
isn't
going
to
work.
We
just
there.
Our
regular
error
checking
will
tell
you
that
and
we
don't
proceed.
C
D
The
just
to
be
clear
right,
the
potential
security
concerns
in
the
issue
477.
She
created
it's
just
taking
a
snapshot
of
a
blocked
device
and
restore
into
a
file
system
right,
not
the
other
way
around.
D
If
you
take
a
snapshot
of
a
file
system
and
restore
into
a
block
device
since
there's
no
attach,
can
we
claim
that
that's
a
safe
operation
per
se.
C
C
It
gets
extraordinarily
complicated
when
you
have
volumes
that
can
be
either
a
file
system
volume
or
a
raw
block
volume,
because
you
can
do
it.
There's
a
csi
call
called
like
get
volume
capabilities
where
you
can
ask
an
existing
volume.
Do
you
support
this
file?
Type
and
kubernetes
doesn't
currently
use
it,
but
it's
part
of
the
csi
spec
and
it's
unclear
what
you're
supposed
to
do.
C
If
you
have
a
volume
which,
like
used
to
be
an
ext4
volume,
but
it
got
snapshotted
and
then
turned
into
a
raw
block
volume
and
then,
if
somebody
comes
and
asks
like,
do
you
support
ext4
like
it's
hard
to
know
how
to
answer
that
question,
because
it's
like
well,
it's
a
roadblock
volume.
So
no,
you
can't
mount
me
a
zxt4,
but
if
you
take
a
snapshot
of
me
and
turn
me
back
into
a
file
system
volume,
it's
going
to
be
an
ext4
volume,
not
like
an
xfs
volume
or
some
other
file
system.
C
You
could
also
argue
that
it's
ridiculous
to
remember
that,
and
I
don't
know
what
what
makes
more
sense
but
like,
but
there's
this
expectation
of
the
csi
layer
that
drivers
know
what
file
system
is
on
the
the
device
or
on
the
volume
and
when
you're
converting
back
and
forth
from
raw
to
I
mean
you
could
imagine,
creating
a
an
ext4
file
system
taking
a
snapshot
turning
into
a
raw
block
device,
wiping
all
of
the
data
on
the
volume,
while
it's
a
raw
block
device
and
like
putting
an
xfs
file
system
on
that,
then
taking
a
snapshot
of
that
and
then
creating
a
new
file
system
volume
and
then
expecting
it
to
work.
C
D
I
I
agree,
I
totally
agree
with
that,
but
should
should
we
be
aware
of
that?
It's
still
a
question
because,
because
the
volume
is
now
in
the
user's
hand,
right
they
have
full
access
to
the
one
they
can
do
pretty
much
whatever
they
want
in
the
application
layer,
as
long
as
they
are
given
the
corresponding
for
ridges.
F
G
Hello,
jan,
I
have
a
question
related
to
the
security
issue.
You
say
that
if
some
rope,
the
software
can
mount
the
the
block
device
and
it
would
potentially
corrupt
the
kernel.
You
are
talking
the
the
about
the
kernel
of
the
the
the
linux
on
the
pod
kernel
or
are
on
actually
on
the
kubernetes
api
server
or
node,
which.
C
G
So
we
are,
we
are
preventing
that
happen
by
doing
what,
by
not
allowing
to
mount
the
block
at
all
or
what
is
that.
A
So
we
are
talking
about
preventing
this
you
if
you
look
at
this
one
right,
so
we
know
that
that's
the
important
use
case
for
backup
vendors.
So
we're
saying
we
want
to
be
able
to
support
that
for
backups
vendors,
but
not
allow
that
to
be
say
exploited
by
the
malicious
user.
So
basically
we
will
need
to
introduce
some
admissions
control
type
of
thing.
So,
let's.
A
Yeah,
just
a
it's
just.
This
is
something
that
we
we're.
Thinking
of
you
know
how
to
prevent
this,
but
they're
still
supporting
us
for
like
backups
over
that
that.
A
So
I
was
so
I
was
actually
trying
to
this.
Isn't
really
just
something
like
come
up
really
quickly.
It's
not
really
a
thought
entirely.
So
I
think
there
are
a
lot
of
details.
We
seem
to
figure
out
right,
so
this
is
just
some
possible
solution,
so
we
we
need
to
have
some
kind
of
a
back
rule
that
allows
this
and
then
only
like
a
backup
software
is
a
user
can
can
allow
can
be
allowed
to
do
this
conversion.
A
You
know
if,
if
we
are
trying
to
create,
if
we're
trying
to
create
volume
from
a
snapshot
with
a
different
mode
and
but
then
that
also
means
because
right
now
in
our
only
snapshot,
we
don't
really
know
what
is
the
existing
body
mode
right.
So
that
also
means
that
we
will
need
to
add
an
alpha
field
in
the
volume
snapshot.
A
A
This
is
basically
this
is
for.
This
is
that
the
second
point
that
ben
was
talking
about
so
the
c
is
the
driver,
well
need
to
say
whether
it
supports
this
or
not.
If
it's
supported,
then
we
will
allow
this
the
small
conversion,
and
so
so.
I
think
this
part,
I
think
you'll
need
to.
A
Okay,
then
we'll
just
do
the
other
way.
You
know,
so
it's
a
so
we
will
say
by
default.
This
is
we
allow
conversion
and
then.
C
A
D
A
A
So
the
ora
yeah.
So
if
the
original
behavior
is
already
there,
then
we
need
to
keep
those
right
because
that's
the
that's
already
supported.
So
this
is
only
for.
I
think
we
can.
I
don't
think
that
we
can
actually
block
the
old
ones
that
will
be
backward
incompatible
right.
H
A
A
Right
so
by
default,
this
is
this
is
now
and
then
then,
if
this
is
a
set,
then
we
will
based
on
how
that
is,
set
and
decide
what
to
do
right
for
existing
ones.
Then
we
don't,
we
don't
handle
those
existing
ones.
This
is
this
is
a
new
new
feature,
new
optional
feature.
C
So
I
I
want
to
propose
a
slightly
different
flavor
and
I
haven't
thought
deeply
about
this,
but
like
what,
if
you
have
a
volume,
that's
like
say
it's
an
iscsi
volume.
The
volume
itself
doesn't
care,
whether
you
try
to
attach
to
it
as
a
file
system
or
block
device.
Right
like
you
can
do
that
on
a
pod
bipod
basis.
You
can
say:
okay,
this
guy
wants
to
mount
it
as
a
file
system.
This
guy
wants
to
manage
his
block
device.
The
fact
that
kubernetes
has
a
pvc
with
exactly
one
value
is
kind
of
limiting.
C
If
the
underlying
device
doesn't
care,
then
it
would
be
nice
if
kubernetes
knew
that,
and
it
could
just
say
okay
for
this
pvc,
you
can
mount
it,
however,
and
you
wouldn't
have
to
bother
going
through
the
rigamarole
of
snapshotting
it
and
creating
a
new
volume,
because,
because
the
the
actual
state
on
the
system
is
either
it's
either,
you
can
mount
it
either
way
or
you
can't
I,
I
would
be
very
surprised
to
know
of
a
of
one
where,
like
you
could
mount
it
only
after
a
conversion
but
like
not
as
it
is
right
now.
C
A
You
are
basically
proposing
to
even
open
this
up
even
more
easily,
because
currently
we
do
not
allow
a
pvc
to
be
cloned
if
the
mode
is
mismatched
right.
That's.
C
Is
the
volume
clone
behavior
should
match
the
snapshot
clone
behavior,
and
if
we
put
any
controls
around
snapshots
to
prevent
things
we
don't
like,
then
the
same
should
apply
to
volumes,
but
the
volume
should
be
no
more
limited
than
snapshots
right.
If,
if
I'm,
because
all
the
volume
clone
is,
is
a
shorthand
for
take
a
snapshot
and
then
clone
the
snapshot.
C
A
I
Sorry
so
I
think
we
started
this
discussion
back
when
we
were
talking
about
the
change
block
tracking
api
right
design,
which
only
considered
block
volumes
right,
and
then
somebody
asked
how
does
this
work
with
file
system
volumes?
And
then
we
went
down
the
path
of?
Can
we
even
you
know,
create
a.
A
H
So
that
will
support
block
storage,
irrespective
of
whether
the
pv
mode
is
a
file
system
or
block.
A
C
A
Is
it
this
is
needed
by
backup
vendors
right?
So
maybe,
let's
see
who
who
want
to
explain
this
back
up.
E
Yeah,
I
think,
there's
actually
a
number
of
use
cases,
but
classically
like
if
we
take
a
look
at
unix,
we'll
have
like
the
raw
device
is
not
something
that's
accessible
to
everybody,
and
I
think
that's
kind
of
what
we're
running
into
here
right
is
that
the
basic
bug
is
the
user,
converted
a
volume
to
a
block
volume
twiddled
with
it
and
then
was
able
to
crash
the
system
right,
yeah
and
we're
trying
to
say.
Is
there
a
legitimate
use
case
for
being
able
to
twiddle
with
the
blocks?
E
I
think
there
is,
but
I
think
it's
also
reasonable
to
say
that's
something
that
we
could
restrict
most
users
from
doing,
because
we've
got
scenarios
like
backup
is
one
data
recovery.
You
know
I've.
I've
worked
with
data
recovery
tools
that
go
through
and
read
around
the
file
system
and
reconstruct
file
systems.
Beyond
what
ffck
does
we
can
see
that
as
a
use
case
in
kubernetes?
E
I
E
Mean
but
but
decision
I
mean
you,
know,
fsdk
block
based
backup
data
recovery
tools.
These
do
not
these.
These
understand
the
internal
structure,
databases.
These
will
understand
the
internal
structure
of
the
file
system.
I
E
E
C
Level
yeah,
so
so,
art
alone,
there's
there's
multiple
ways
to
implement
backup
at
the
application
layer
at
this
layer
or
down
at
the
storage
system,
layer
and
they're
all
legitimate
in
different
situations.
I
think
the
problem
we're
facing
is
this
feature
is
ga
and
this
works
now
for
csi
plugins
that
allow
it.
So
we
have
to
do
something
about
that.
I
C
H
Yeah
I
mean
so
that
is
the
flavor
right,
where
that's
enabling
cbt
and
also,
unless
we
block
a
backup
at
block
level
and
then
have
this
capability
to
get
these
change
blocks.
I
C
I
A
C
And
after
that
presentation
I
went
off
and
I
wrote
a
poc
csi
driver
that
supports
this,
and
that's
when
I
discovered
how
hard
it
is
to
get
the
file
system
type
metadata
correct
when
you're
going
through
these
conversions
back
and
forth
and
back
and
forth-
and
you
don't
know
what
the
hell
is
happening
when
someone's
accessing
the
raw
block
version
of
the
p
of
the
volume
and
that
that
was
my
big
concern
was
the
csi
spec
is
too
vague
about
what
you're
supposed
to
do
with
fs
types.
In
this
situation,.
C
So
so
I
I
like
I
mean
given
that
this
is
allowed
today
and
it's
ga.
We
can't
just
yank
it
back
and
say
nope,
you
can't
do
it
anymore,
but
but
we
can,
I
think,
find
a
way
to
control
it
better
and
put
access
control
around
it
so
that
it's
not
abused
and
that
if
it's
not
going
to
you
know
for
like
an
nfs
based
driver
where
this
is
never
going
to
work.
You
can
just
say
that
and
then
have
better
error
handling.
A
Okay,
all
right,
so
let
me
continue.
Actually
I
I
was
actually
halfway
through.
I
think
I
think
I
talked
about
adding
some
capability
in
the
css
back
and
then
I
think
this
is
actually
the
difficult
part.
So
how
do
we
add
this
rule
to
prevent
this?
So
I'm
thinking
that
we
need
a
validation
hook
and
just
to
checks
to
check
this
rule.
If
you
know,
if
we
detect
that
okay,
this
is
a
two,
this
mode
does
not
match.
A
This
is
them,
of
course,
assuming
this
is
in
the
status,
but
that's
still
you
know,
we
need
a
debate
and
see
you
know.
I
don't
know
if
that's
the
right
place
for
that,
but
if
there's
there's
a
mismatch,
then
the
validation
hook
will
check.
If
the
our
back
rule
is
set
did
not
set,
then
that's
just
not
allowed
right
and
then
in
the
external
relation.
A
We
already
have
some
code
today
that
the
checks
for
the
clone,
if
at
the
clone
time,
if
it
was
a
mismatch,
it
actually
will
block
it.
So
we
could
make
something.
A
Identity
yeah,
so
I
think
the
well
so
basically,
then
you
just
have
to
set
the
rule.
The
rule
will
only
be
assigned
to
the
user
who
are
allowed.
So
that's
the
same.
It's
not
like
it's
not
like
we!
So
basically
we
know
those
are
trusted
users.
So
we
only
assign
those
people.
C
A
Okay,
so
you
guys
have
yeah.
This
is
a.
This
is
a
as
I
said,
this
is
a
just
I'm
not
really
sure
about
this
party.
This
is
actually
the
hard
part.
D
Like
how
do
you
prevent
right
another
right,
the
one
model
cannot
be
in
status
right.
How
do
you
do
important
if
it's
in
status.
A
Well,
so
we
can't
have
that
in
spec
either.
That's
a
problem
right
because
that's
actually
when
you
so
when
we
take
a
snapshot
right.
So
pvc
is
already.
We
already
know
the
pvc,
that's
the
source
which
we're
not
supposed
to
also
get
the
the
because
the
volume
mode
is
not
required
by
requested
by
the
users
already
hold.
A
C
A
D
C
A
E
C
What
we
would
like
to
do
is
maybe
provide
a
recipe
to
an
admin,
who's
worried
about
the
security
threat,
say:
hey,
mr
admin.
You
can
go
through
and
update
all
your
snapshots
with
the
correct
value.
If
you
know
what
it
is
and
thereby
protect
yourself
from
the
security
threat
and
then
maybe
that
would
be
sort
of
a
path
to
get
a
legacy
system
updated
to
be
secure.
D
But
we
we
need
to
think
through
all
these
cases
as
ben
was
saying,
and
luckily
we
currently
do
not
have
any
issue
at
this
moment
and
not
non-issue
at
this
moment.
So
we
brought
this
up.
We
still
have
time
to
fix
this
slowly
in
the
right
way.
A
Yeah,
I
just
want
to
start
start
this
discussion,
and
this
is
like
brainstorming.
This
is
no
way
I
just
like
before
the
meeting
so
that
we
can
get
something
to
start.
We
can
start
discussion
yeah.
So
this
part,
I'm
not
sure
this
is
actually
kind
of
tricky.
I
think
this,
how
to
you
know
how
to
block
this.
Do
you
have
any
thoughts
on
this
like
if
we're
setting
our
back
rule?
A
C
C
It's
not
really
tied
to
an
individual
user,
it's
just
tied
to
the
resource,
so
you
know
that
all
the
security
policy
switches
for
pods
exist
on
the
pod
security
poly
policy
object,
which
applies
to
all
users
and
then
and
then
I
think
there
might
be
some
mapping
of
you
know
how
users
that
can
request
different
policies.
C
B
A
Yeah,
I
think
I
was
really
then
one
thing,
I'm
still
not
quite
sure
is
they
talked
about
this.
I
think
they
talked
about
persistent
volume
claims
review
raw.
You
know
that
thing.
That's
is
that,
like
a
field
of
the
pvc,
I'm
not
quite
understanding
what
I
mean
because
we're
looking
at
a
better
rules
because
they
talked
about
other
rules.
I
think
those
are
all.
D
B
I
didn't
check
much
but
from
what
I
saw
in
documentation
of
webhooks,
they
pass
user
info
with
username
and
groups
and
whatever
so
do.
Are
you
telling
me
that
this
information
is
wrong?
Which
information
is
wrong?
I'm
sorry!
In
web
hook
in
admission
controller
you
get
a
json.
Is
it
json
some
object
wave?
How
is
it
called
admission
review
and
the
webhook
sends
a
response?
D
A
Okay,
so
this
is
the
part
that
I'm
not
question,
because
when
you're
setting
up
the
rows
right,
you
would
need
to
you
know
it's
kind
of
you
just
look
at
this
as
an
example.
It
doesn't.
You
know
it
doesn't
matter
what
you
know.
This
can
be
something
else,
but
this
can
be
pvcs,
but
I
think
the
problem
I'm
having
is
we're
not
talking
about
the
whole
pvc
resource,
we're
not
talking
they
are
they
talking
about
this
one
field
of
I'm
not
sure
what
they
mean
by
this.
D
This
is
a
permission.
This
is
a
permission.
This
is
a
permission
right.
This
is
a
permission
attached
to
this
precision
volume
claims.
Okay,
I
think
why
don't
we
take
take
all
this
our
background,
stuff
offline,
because
we
have
another
item
in
the
agenda.
A
All
right,
okay,
so
yeah.
So
we
have
talked
about
the
first
item
and
just
I
was
you
know.
I
want
to
start
this
discussion
and
the
second
item
is
the
white
paper
update
tom?
Do
you
have
an
update
on
this.
J
Yes,
I
still
have
schedule,
meaning
you
get
feedback
on
the
motivation,
so
people
can
ping
me
unless
we've
already
chatted
for
being
added
to
that,
I
haven't
made
progress
on
the
cleanup
for
the
application
examples,
so
I'll
try
to
do
that
by
the
meeting.
Maybe
we
do
friday
or
something
to
to
go
through
that,
but
you
know
we
can
definitely
review
the
motivation
section
here,
asynchronously
and
before
that
meeting.
If
we.
A
A
J
Yeah,
I
think
this
is
not
the
right
place
to
go
through
it.
Okay,
read
and
get
feedback
make
edits
whatever
we
work
best.
A
Okay,
yeah,
okay,
okay,
we
can
do
that.
So
do
we
have
yeah,
I
think
that's
probably
the
main
update
does
anyone
else
have
an
update
on
the
white
paper.
I
think
I
forgot
to
assign
this
to
some
people,
so
I
need
to.
I
need
to
actually
check.
Go
over
that
and
see.
C
A
Yes,
please,
I
still
have
a.
A
Yeah,
so
if
yeah
I
know
you're
busy
with
other
think
so
yeah.
If
you
can
add
white,
fill
that
section
it'll
be
great.
G
Beta
well,
I
think,
for
the
the
white
paper
is
related
to
the
data
protection
for
the
application,
backup
and
restore.
I
think
we
have
some
rough
graph
of
us,
oh,
but
we
need
we
need
to
to
sit
down
and
rewrite
because
right
now,
it's
in
like
a
in
a
very
chaos
format.
G
So
maybe
we
should
have
a
next
meeting
or
we
to
discuss
about
how
to
who
can
do
what
to
to
clean
it
up
to
make
it
into
like
a
white
paper
format,
and
from
last
time
we
talked
about
the
application,
backup
and
restore.
G
There
is
a
lot
of
feedback
related
to
one
scenario
is
restored
to
original
pvc,
and
I
think
that
seemed
to
be
a
little
bit
too
specific
to
you
know
as
emc.
So
maybe
we
should
remove
that
segment
from
the
main
white
paper
and
and
move
the
I'm.
G
Oh,
that
was
when
I
present
that
that
that
scenario
is
this
was
related
to
restore
to
original
pvc,
where.
E
G
G
So
maybe
we
should
remove
that
segment
out
of
the
main
white
paper,
but
put
it
into
like
an
appendix
or
something
so
that
for
most
people
would
only
concern
about
backup
and
restore
application
to
a
new
pvc,
then
that
that
would
be
like
degenerate
for
everyone
and
the
the
one,
whoever
interested
in
the
restore
to
original
pvc.
With
this,
we
can
put
it
in
like
an
appendix
segment
or
in
the
white
paper.
Yeah.
A
Okay,
okay,
so
I
think
that's
all
on
the
agenda
today.
Does
anyone
have
anything
else
you
want
to
talk
about?
If
not
wait,.
A
G
Yeah,
please
look
into
that
that
discussion
on
the
on
the
security
solution,
if
I
say
whether
we
want
to
whether
we
want
to
mouse
open,
convert
and
apply
systems
a
pvc
to
a
block
system,
pvc
is
important
to
me.
A
Okay,
yeah
yeah.
I
think
it's
just
we
definitely
want
to
you
know
we
want
the
backup
vendor
just
to
be
able
to
support
that
yeah
just
need
to
figure
out
how
to
control
this
better
yeah.
A
Yeah
no,
this
is
this
is
right
now,
just
I'm
just
starting
the
discussion,
so
I
just
want
people
to
know.
I
know
that
you
wanted
to
talk
about
this.
That
was
actually
before.
C
C
C
A
C
Yeah
but
but
I
I
I
hope,
it's
solvable.
A
J
C
Well,
I
know
I
I
just
built
given
that
the
regular
netapp
csi
driver
doesn't
let
you
do
this.
I've
built
one
that
does
just
to
see
what
would
be
involved,
and
I
encountered
all
kinds
of
problems
that
had
nothing
to
do
with
the
security
issue.
Just
like
the
basics.
C
Keeping
track
of
what
the
file
system
is
so
that,
when
you
go
through
a
file
system
to
raw
block
to
back
to
file
system
conversion,
you
you
have
a
sense
of
what
your
what
commands
you're
supposed
to
be
running
on
that
volume,
because
if,
if
somebody
swapped
out
xff
or
ext,
while
it
was
in
raw
block
mode,
then
all
bets
are
off.
You
know
you're
going
to
have
problems.
A
C
Like
iscsi
storage,
it's
it's
like
the
vmware
case.
We
provide
you
a
bag
of
bits
and
we
never
look
inside.
The
only
thing
that
knows
what's
inside
is
the
csi,
plugin
and,
and
the
csi
plugin
only
knows
what
kubernetes
tells
it
or
what
it
stores
by
itself,
and
so
it
has
to
play
a
lot
of
games
to
sort
of
keep
track
of.
You
know,
what's
going
on
with
this
particular
iscsi
line,.
C
A
A
A
Right
right,
so
you
don't
have
to
go
yeah.
So
I'm
just
saying
that
use
case,
it's
straightforward.
I
don't
believe
we
actually
need
to
make
some
any
additional
changes.
That's
my
understanding.
E
C
A
C
K
A
You
should
already
you
you
are
you
need
to
back
up
a
that,
your
metadata
in
your
pvc
anyway,
so
all
everything
in
your
pvc
ammo
should
be
stored.
So
you
actually
know
what
you
have
to
restore
back
with
right.
So
that's
something
that
you
should
not
have
to
guess.
C
Right,
the
the
problem
is,
is
there's
no
way
for
the
application.
That
knows
to
tell
the
csi
plug-in
that
wants
to
know.
There's
no
communication
channel
there.
So
so,
regardless
of
how
smart
the
backup
application
is,
you
can't
inform
the
csi
plugin
they're
like
hey
this
raw
block
volume
that
I'm
creating
I'm
sticking
an
ext4
file
system
in
it.
Just
for
your
information,
like
the
the
csi
plugin,
has
to
figure
that
out
empirically,
and
that's
it's
a
little
gross
that
that
was
my
big
complaint.
C
Pointing
out
the
kind
of
robustness
issue
right
then
yeah
yeah
yeah
it
it
absolutely
can
work.
If
you
don't
do
anything
hokey,
but
the
problem
is
no
one's
preventing
you
from
doing
anything
hokey,
and
so,
if
you're
defensively
programming,
your
csi
plugin,
you
have
to
you,
have
to
think
like
a
like
someone,
who's
trying
to
fuzz
your
api
and
doing
all
of
the
bad
things.
A
A
C
A
A
A
A
plug-in
is
not
not
going
to
like,
if
you
don't
have
the
automatic
data
and
you
don't
really
know
how
to
create
your
like
your
pvc
ammo
when
you
are
when
you're
creating
a
new
pvc
from
the
source
right,
if
you
don't
have
all
those
parameters,
that's
like
user
side.
It's
not
like
you're
going
to
read
from
the
seaside
drivers
together,
that's
not
the
case.
A
So
there
is.
C
The
thing
that
gives
me
fits
is
that
there's
there
are
capabilities
checks
in
the
csi
driver
that
are
supposed
to
fail,
if,
if
the
capabilities
that
are
requested,
don't
match
the
actual
capabilities
and
you're
allowed
to
when
you
create
a
volume
say
like
I
expect
this
to
be
xfs,
and
if
it's
not
you're
supposed
to
fail
and
what
you're
saying
is
like
well,
you
just
have
to
trust
the
application
that
says
yeah.
It's
xfs
trust
me
right.
E
C
C
Have
to
initialize
like
an
xfs
file
system
right
right,
like
the
node.
Does
that
and
so
that's
why
I'm
saying
like
the
node
has
to
know
it.
It
needs
to
know
to
do
its
job
and
then
it
needs
to
store.
There
needs
to
be
metadata
tracking
somewhere
what
it,
what
the
system
thinks,
what
the
csi
plug-in
thinks
it
is
and
then
to
implement.
E
C
E
I
think
it
would
be
worthwhile
to
separate
out,
like
dumb
things,
users
do
that
cause
them
headaches
that
we
would
like
to
make
better
and
dumb
things.
Users
do
or
malicious
things.
Users
do
that
actually
cause
security.
Holes
like
crashing
the
worker
nodes,
or
you
know
elevating
privileges
or
things
like
that.
A
Yeah,
okay,
time
check,
okay
and
yeah
and
the
top
of
the
hour
yeah
so
yeah.
Well,
we
will
need
to
think
about
this
more
and
come
up
with
a
solution
and
we'll
talk
discuss
about
this
again.
All
right,
then
I
think
that's
it
for
today
thanks
everyone.