►
From YouTube: Kubernetes Data Protection Workgroup Meeting 20210310
Description
Kubernetes Data Protection Workgroup Meeting - 10 March 2021
Meeting Notes/Agenda: -
Find out more about the Data Protection WG here: https://github.com/kubernetes/community/tree/master/wg-data-protection
Moderator: Xing Yang (VMware)
A
A
A
So
you
basically
can
actually
switch
the
volume
mode
between
the
you
know,
the
the
original
pvc
and
the
final
target
pvc,
and
then
this
is
actually
used
by
a
lot
of
backup
vendors
already,
because
this
allows
them
to
mount
a
originally
file
system
mode,
pvc
as
a
block
mode,
and
then
they
can
efficiently
copy
the
blocks.
But
then
we
actually
discovered
there
is
some
potential
security
issues.
A
B
C
B
B
B
Similarly,
if
you
have
a
block
volume,
you
either
have
a
block
volume
and
you
can
write
anything
there,
but
you
can't
mount
it
or
you
are
trustworthy
enough
to
mount
it
and
then
well.
You
have
extra
permission.
Somebody
allowed
you
to
mount
it,
but
in
this
case,
in
this
snapshot
case,
you
can
create
a
blog
volume,
write
a
wrong
metadata
there.
The
bet
file
system
that
would
crash
a
kernel
and
then
tell
kubernetes
to
mount
it
by
taking
a
snapshot
and
restoring
it
as
a
file
system
volume.
B
B
C
D
C
No
yeah,
I'm
saying
like
that,
would
be
a
new
feature
we'd
have
to
implement.
I
I
just
wanted
to
add
some
some
extra
background
for
other
people
here,
so
so,
while
kubernetes
allows
you
to
to
do
this,
you
know
take
a
f,
take
a
snapshot
of
a
raw
block
volume
and
turn
it
into
a
file
system
volume
and
vice
versa.
C
D
C
So
so
I'll
give
I'll
give
a
perfect
example
with
netapp.
So
so
netapp
our
driver
supports
a
few
different
modes.
We
have
an
iscsi
mode
and
we
have
an
nfs
mode.
If
you
are
in
the
iscsi
mode.
There
is
no
reason
why
you
couldn't
do
this.
You
know
create
a
volume
in
block
mode,
then
turn
it
into
file
system
mode
or
create
a
volume
in
file
system
and
turn
into
block
mode.
C
We
could
implement
that
we
actually
don't
implement
it
today,
for
you
know,
because
we
didn't
realize
this
was
a
thing
that
people
were
even
interested
in.
So
if
you
try
it
today,
it
will
just
fail,
but
we
could
implement
it
for
iscsi
when
it
comes
to
nfs
like
when
you
ask
for
a
file
system,
we
give
you
like
an
nfs
share
on
our
storage
controller.
C
A
C
E
C
A
But
then
so
I
was
just
wondering
if
that
would
fail
in
all
I
mean
that
would
all
draw
fail
actually
will
any
java
actually
kind
of
create
some
something
which
has
the
wrong
mode,
but
they
actually
do
not
support
and
then
later
I'll
find
out
the
data
is
corrupted.
Would
that
even
happen?
I'm
not
sure.
If
that's
a
possibility,
I.
C
I
that
seems
like
a
place
where
maybe
more
test
coverage
would
help
uncover
issues.
I
don't
think
that
none
of
the
drivers
I
know
about
have
that
problem
like
if
you
ask
for
us
for
a
driver
mode
that
isn't
going
to
work.
We
just
there.
Our
regular
error
checking
will
tell
you
that
and
we
don't
proceed.
C
D
C
It
gets
extraordinarily
complicated
when
you
have
volumes
that
can
be
either
a
file
system
volume
or
a
raw
block
volume,
because
you
can
do
it.
There's
a
csi
call
called
like
get
volume
capabilities
where
you
can
ask
an
existing
volume.
Do
you
support
this
file?
Type
and
kubernetes
doesn't
currently
use
it,
but
it's
part
of
the
csi
spec
and
it's
unclear
what
you're
supposed
to
do.
C
If
you
have
a
volume
which,
like
used
to
be
an
ext4
volume,
but
it
got
snapshotted
and
then
turned
into
a
raw
block
volume
and
then,
if
somebody
comes
and
asks
like,
do
you
support
ext4
like
it's
hard
to
know
how
to
answer
that
question,
because
it's
like
well,
it's
a
roadblock
volume.
So
no,
you
can't
mount
me
a
zxt4,
but
if
you
take
a
snapshot
of
me
and
turn
me
back
into
a
file
system
volume,
it's
going
to
be
an
ext4
volume,
not
like
an
xfs
volume
or
some
other
file
system.
C
D
I
I
agree,
I
totally
agree
with
that,
but
should
should
we
be
aware
of
that?
It's
still
a
question
because,
because
the
volume
is
now
in
the
user's
hand,
right
they
have
full
access
to
the
one
they
can
do
pretty
much
whatever
they
want
in
the
application
layer,
as
long
as
they
are
given
the
corresponding
for
ridges.
F
G
Hello,
jan,
I
have
a
question
related
to
the
security
issue.
You
say
that
if
some
rope,
the
software
can
mount
the
the
block
device
and
it
would
potentially
corrupt
the
kernel.
You
are
talking
the
the
about
the
kernel
of
the
the
the
linux
on
the
pod
kernel
or
are
on
actually
on
the
kubernetes
api
server
or
node,
which.
C
A
So
we
are
talking
about
preventing
this
you
if
you
look
at
this
one
right,
so
we
know
that
that's
the
important
use
case
for
backup
vendors.
So
we're
saying
we
want
to
be
able
to
support
that
for
backups
vendors,
but
not
allow
that
to
be
say
exploited
by
the
malicious
user.
So
basically
we
will
need
to
introduce
some
admissions
control
type
of
thing.
So,
let's.
A
A
So
I
was
so
I
was
actually
trying
to
this.
Isn't
really
just
something
like
come
up
really
quickly.
It's
not
really
a
thought
entirely.
So
I
think
there
are
a
lot
of
details.
We
seem
to
figure
out
right,
so
this
is
just
some
possible
solution,
so
we
we
need
to
have
some
kind
of
a
back
rule
that
allows
this
and
then
only
like
a
backup
software
is
a
user
can
can
allow
can
be
allowed
to
do
this
conversion.
A
You
know
if,
if
we
are
trying
to
create,
if
we're
trying
to
create
volume
from
a
snapshot
with
a
different
mode
and
but
then
that
also
means
because
right
now
in
our
only
snapshot,
we
don't
really
know
what
is
the
existing
body
mode
right.
So
that
also
means
that
we
will
need
to
add
an
alpha
field
in
the
volume
snapshot.
A
A
A
C
A
D
A
A
H
A
A
C
So
I
I
want
to
propose
a
slightly
different
flavor
and
I
haven't
thought
deeply
about
this,
but
like
what,
if
you
have
a
volume,
that's
like
say
it's
an
iscsi
volume.
The
volume
itself
doesn't
care,
whether
you
try
to
attach
to
it
as
a
file
system
or
block
device.
Right
like
you
can
do
that
on
a
pod
bipod
basis.
You
can
say:
okay,
this
guy
wants
to
mount
it
as
a
file
system.
This
guy
wants
to
manage
his
block
device.
The
fact
that
kubernetes
has
a
pvc
with
exactly
one
value
is
kind
of
limiting.
C
A
C
Is
the
volume
clone
behavior
should
match
the
snapshot
clone
behavior,
and
if
we
put
any
controls
around
snapshots
to
prevent
things
we
don't
like,
then
the
same
should
apply
to
volumes,
but
the
volume
should
be
no
more
limited
than
snapshots
right.
If,
if
I'm,
because
all
the
volume
clone
is,
is
a
shorthand
for
take
a
snapshot
and
then
clone
the
snapshot.
C
A
I
A
H
A
C
A
E
Yeah,
I
think,
there's
actually
a
number
of
use
cases,
but
classically
like
if
we
take
a
look
at
unix,
we'll
have
like
the
raw
device
is
not
something
that's
accessible
to
everybody,
and
I
think
that's
kind
of
what
we're
running
into
here
right
is
that
the
basic
bug
is
the
user,
converted
a
volume
to
a
block
volume
twiddled
with
it
and
then
was
able
to
crash
the
system
right,
yeah
and
we're
trying
to
say.
Is
there
a
legitimate
use
case
for
being
able
to
twiddle
with
the
blocks?
E
I
think
there
is,
but
I
think
it's
also
reasonable
to
say
that's
something
that
we
could
restrict
most
users
from
doing,
because
we've
got
scenarios
like
backup
is
one
data
recovery.
You
know
I've.
I've
worked
with
data
recovery
tools
that
go
through
and
read
around
the
file
system
and
reconstruct
file
systems.
Beyond
what
ffck
does
we
can
see
that
as
a
use
case
in
kubernetes?
I
E
I
E
E
C
Level
yeah,
so
so,
art
alone,
there's
there's
multiple
ways
to
implement
backup
at
the
application
layer
at
this
layer
or
down
at
the
storage
system,
layer
and
they're
all
legitimate
in
different
situations.
I
think
the
problem
we're
facing
is
this
feature
is
ga
and
this
works
now
for
csi
plugins
that
allow
it.
So
we
have
to
do
something
about
that.
I
C
I
C
I
A
C
And
after
that
presentation
I
went
off
and
I
wrote
a
poc
csi
driver
that
supports
this,
and
that's
when
I
discovered
how
hard
it
is
to
get
the
file
system
type
metadata
correct
when
you're
going
through
these
conversions
back
and
forth
and
back
and
forth-
and
you
don't
know
what
the
hell
is
happening
when
someone's
accessing
the
raw
block
version
of
the
p
of
the
volume
and
that
that
was
my
big
concern
was
the
csi
spec
is
too
vague
about
what
you're
supposed
to
do
with
fs
types.
In
this
situation,.
C
So
so
I
I
like
I
mean
given
that
this
is
allowed
today
and
it's
ga.
We
can't
just
yank
it
back
and
say
nope,
you
can't
do
it
anymore,
but
but
we
can,
I
think,
find
a
way
to
control
it
better
and
put
access
control
around
it
so
that
it's
not
abused
and
that
if
it's
not
going
to
you
know
for
like
an
nfs
based
driver
where
this
is
never
going
to
work.
You
can
just
say
that
and
then
have
better
error
handling.
A
Okay,
all
right,
so
let
me
continue.
Actually
I
I
was
actually
halfway
through.
I
think
I
think
I
talked
about
adding
some
capability
in
the
css
back
and
then
I
think
this
is
actually
the
difficult
part.
So
how
do
we
add
this
rule
to
prevent
this?
So
I'm
thinking
that
we
need
a
validation
hook
and
just
to
checks
to
check
this
rule.
If
you
know,
if
we
detect
that
okay,
this
is
a
two,
this
mode
does
not
match.
A
This
is
them,
of
course,
assuming
this
is
in
the
status,
but
that's
still
you
know,
we
need
a
debate
and
see
you
know.
I
don't
know
if
that's
the
right
place
for
that,
but
if
there's
there's
a
mismatch,
then
the
validation
hook
will
check.
If
the
our
back
rule
is
set
did
not
set,
then
that's
just
not
allowed
right
and
then
in
the
external
relation.
A
A
C
A
D
A
Well,
so
we
can't
have
that
in
spec
either.
That's
a
problem
right
because
that's
actually
when
you
so
when
we
take
a
snapshot
right.
So
pvc
is
already.
We
already
know
the
pvc,
that's
the
source
which
we're
not
supposed
to
also
get
the
the
because
the
volume
mode
is
not
required
by
requested
by
the
users
already
hold.
A
C
A
D
C
A
E
C
What
we
would
like
to
do
is
maybe
provide
a
recipe
to
an
admin,
who's
worried
about
the
security
threat,
say:
hey,
mr
admin.
You
can
go
through
and
update
all
your
snapshots
with
the
correct
value.
If
you
know
what
it
is
and
thereby
protect
yourself
from
the
security
threat
and
then
maybe
that
would
be
sort
of
a
path
to
get
a
legacy
system
updated
to
be
secure.
D
A
Yeah,
I
just
want
to
start
start
this
discussion,
and
this
is
like
brainstorming.
This
is
no
way
I
just
like
before
the
meeting
so
that
we
can
get
something
to
start.
We
can
start
discussion
yeah.
So
this
part,
I'm
not
sure
this
is
actually
kind
of
tricky.
I
think
this,
how
to
you
know
how
to
block
this.
Do
you
have
any
thoughts
on
this
like
if
we're
setting
our
back
rule?
A
C
C
A
Yeah,
I
think
I
was
really
then
one
thing,
I'm
still
not
quite
sure
is
they
talked
about
this.
I
think
they
talked
about
persistent
volume
claims
review
raw.
You
know
that
thing.
That's
is
that,
like
a
field
of
the
pvc,
I'm
not
quite
understanding
what
I
mean
because
we're
looking
at
a
better
rules
because
they
talked
about
other
rules.
I
think
those
are
all.
D
B
I
didn't
check
much
but
from
what
I
saw
in
documentation
of
webhooks,
they
pass
user
info
with
username
and
groups
and
whatever
so
do.
Are
you
telling
me
that
this
information
is
wrong?
Which
information
is
wrong?
I'm
sorry!
In
web
hook
in
admission
controller
you
get
a
json.
Is
it
json
some
object
wave?
How
is
it
called
admission
review
and
the
webhook
sends
a
response?
D
A
Okay,
so
this
is
the
part
that
I'm
not
question,
because
when
you're
setting
up
the
rows
right,
you
would
need
to
you
know
it's
kind
of
you
just
look
at
this
as
an
example.
It
doesn't.
You
know
it
doesn't
matter
what
you
know.
This
can
be
something
else,
but
this
can
be
pvcs,
but
I
think
the
problem
I'm
having
is
we're
not
talking
about
the
whole
pvc
resource,
we're
not
talking
they
are
they
talking
about
this
one
field
of
I'm
not
sure
what
they
mean
by
this.
D
A
J
Yes,
I
still
have
schedule,
meaning
you
get
feedback
on
the
motivation,
so
people
can
ping
me
unless
we've
already
chatted
for
being
added
to
that,
I
haven't
made
progress
on
the
cleanup
for
the
application
examples,
so
I'll
try
to
do
that
by
the
meeting.
Maybe
we
do
friday
or
something
to
to
go
through
that,
but
you
know
we
can
definitely
review
the
motivation
section
here,
asynchronously
and
before
that
meeting.
If
we.
A
A
J
A
C
A
G
G
E
G
So
maybe
we
should
remove
that
segment
out
of
the
main
white
paper,
but
put
it
into
like
an
appendix
or
something
so
that
for
most
people
would
only
concern
about
backup
and
restore
application
to
a
new
pvc,
then
that
that
would
be
like
degenerate
for
everyone
and
the
the
one,
whoever
interested
in
the
restore
to
original
pvc.
With
this,
we
can
put
it
in
like
an
appendix
segment
or
in
the
white
paper.
Yeah.
A
A
A
A
C
C
C
A
A
J
C
C
Keeping
track
of
what
the
file
system
is
so
that,
when
you
go
through
a
file
system
to
raw
block
to
back
to
file
system
conversion,
you
you
have
a
sense
of
what
your
what
commands
you're
supposed
to
be
running
on
that
volume,
because
if,
if
somebody
swapped
out
xff
or
ext,
while
it
was
in
raw
block
mode,
then
all
bets
are
off.
You
know
you're
going
to
have
problems.
A
C
Like
iscsi
storage,
it's
it's
like
the
vmware
case.
We
provide
you
a
bag
of
bits
and
we
never
look
inside.
The
only
thing
that
knows
what's
inside
is
the
csi,
plugin
and,
and
the
csi
plugin
only
knows
what
kubernetes
tells
it
or
what
it
stores
by
itself,
and
so
it
has
to
play
a
lot
of
games
to
sort
of
keep
track
of.
You
know,
what's
going
on
with
this
particular
iscsi
line,.
C
A
A
A
E
C
A
C
K
A
C
Right,
the
the
problem
is,
is
there's
no
way
for
the
application.
That
knows
to
tell
the
csi
plug-in
that
wants
to
know.
There's
no
communication
channel
there.
So
so,
regardless
of
how
smart
the
backup
application
is,
you
can't
inform
the
csi
plugin
they're
like
hey
this
raw
block
volume
that
I'm
creating
I'm
sticking
an
ext4
file
system
in
it.
Just
for
your
information,
like
the
the
csi
plugin,
has
to
figure
that
out
empirically,
and
that's
it's
a
little
gross
that
that
was
my
big
complaint.
C
Pointing
out
the
kind
of
robustness
issue
right
then
yeah
yeah
yeah
it
it
absolutely
can
work.
If
you
don't
do
anything
hokey,
but
the
problem
is
no
one's
preventing
you
from
doing
anything
hokey,
and
so,
if
you're
defensively
programming,
your
csi
plugin,
you
have
to
you,
have
to
think
like
a
like
someone,
who's
trying
to
fuzz
your
api
and
doing
all
of
the
bad
things.
A
A
A
C
A
A
A
plug-in
is
not
not
going
to
like,
if
you
don't
have
the
automatic
data
and
you
don't
really
know
how
to
create
your
like
your
pvc
ammo
when
you
are
when
you're
creating
a
new
pvc
from
the
source
right,
if
you
don't
have
all
those
parameters,
that's
like
user
side.
It's
not
like
you're
going
to
read
from
the
seaside
drivers
together,
that's
not
the
case.
C
The
thing
that
gives
me
fits
is
that
there's
there
are
capabilities
checks
in
the
csi
driver
that
are
supposed
to
fail,
if,
if
the
capabilities
that
are
requested,
don't
match
the
actual
capabilities
and
you're
allowed
to
when
you
create
a
volume
say
like
I
expect
this
to
be
xfs,
and
if
it's
not
you're
supposed
to
fail
and
what
you're
saying
is
like
well,
you
just
have
to
trust
the
application
that
says
yeah.
It's
xfs
trust
me
right.
E
C
C
Have
to
initialize
like
an
xfs
file
system
right
right,
like
the
node.
Does
that
and
so
that's
why
I'm
saying
like
the
node
has
to
know
it.
It
needs
to
know
to
do
its
job
and
then
it
needs
to
store.
There
needs
to
be
metadata
tracking
somewhere
what
it,
what
the
system
thinks,
what
the
csi
plug-in
thinks
it
is
and
then
to
implement.
E
C
E
I
think
it
would
be
worthwhile
to
separate
out,
like
dumb
things,
users
do
that
cause
them
headaches
that
we
would
like
to
make
better
and
dumb
things.
Users
do
or
malicious
things.
Users
do
that
actually
cause
security.
Holes
like
crashing
the
worker
nodes,
or
you
know
elevating
privileges
or
things
like
that.