►
From YouTube: Kubernetes SIG Security Assessments 20230322
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
So,
just
based
on
how
pushker
ran
these
sessions,
I
think
Shing,
like
you
said,
I,
think
you
taking
some
time
to
just
walk
through
your
diagram
so
that
we're
all
sort
of
familiar
at
a
high
level
with
the
service
and
how
it
works,
I
think,
would
be
a
great
place
to
start
and
then
really
the
next
Step
from
there
was
oh
crap
I
have
to
claim
host
I'll
share
my
screen
in
a
second
once
I
for
my
host
code
and
then
from
there.
A
We
can
start
to
really
get
into
doing
the
data
flow
diagram
so
really
getting
into
okay.
You
know,
let's
say
like
when
we
bootstrap
this.
You
know
what
service
talks
to
what
on
what
ports?
Is
it
encrypted
all
that
kind
of
thing
and
that's
what
we
will
use.
A
Excalibur
and
so
you
know,
Shang
I,
you
know
it'll
really
be
based
on
your
sequence,
diagrams.
A
But
you
know
talking
it
through
is
really
where
the
the
value
comes
in
so
with
that
I
we'll
turn
it
over
to
you,
and
let
me
give
you
I,
don't
think
you
have
sharing
abilities.
Let
me
make
you
a
co-host.
C
C
So
this
is
of
course
assumed
that
we
already
have
a
persistent
volume
claim,
so
user
will
go,
try
to
create
a
volume
one
in
Snapchat,
so
that's
a
crd
so
hold
on
a
second
okay,
so
that
this
one
should
be
the
cube
API
server.
Basically-
and
we
can
maybe
skip
this
for
now-
but
basically
what
happens
is
the
nearest
a
snapshot
controller?
C
This
is
a
kubernetes
component
that
watches
the
wooden
snapshot.
Api
objects,
so
this
awarding
Snapchat
the
snapshot.
Controller
will
be
creating
a
volume,
snapshot,
content
customer
resource,
and
there
is
another
controller.
This
is
a
sidecar.
External
snapshot
is
a
side
card
that
that
is
deployed
together
with
the
VCR
CSI
driver
that
they
are
deployed
in
the
same
part.
So
this
this
sidecar
will
be
watching
for
the
volume
snapshot
content
resource
and
then,
when
it
sees
that
it
it
knows.
Oh
I
need
to
create
a
snapshot.
So
it's
going
to
call
the
vcocita
driver.
C
This
is
a
CSI
interface.
It's
a
grpc
call,
so
one
when
the
CSL
driver
gets
this
call
it's
going
to
communicate
with
the
Slayer
in
this
is
a
vsphere
component.
So
this
is
the
CIS.
Is
a
layer
in
bsphere.
So
it's
going
to
create
this.
Make
this
a
create
snapshot,
call
so
vsphere
API
and
then,
if
it's
successful
it
will
get
a
ID
back
and
and
then
the
the
CSI
driver,
the
VC
is
a
driver.
C
Will
return
this
back
to
the
to
the
sidecar
external
snapshot,
recite
card
and
and
then
there's
this
update
of
the
volume
snapshot
content
status
and
then
the
wooden
snapshot
status
will
also
be
updated
by
the
by
the
snapshot
controller.
C
E
A
bit
of
a
clarifying
question:
yes
me,
which
is
that
snapshot
controller
and
external
snapshotter?
E
Are
they?
Are
they
separate
controllers
like
because
of
because
of
historical
reasons
or
like,
like
separation
of
Duties,
to
have
a
bunch
of
controllers,
Each
of
which
has
one
tiny
job
or
is
or
is?
Is
external
snapshot
or
something
where,
depending
on
the
depending
on
the
storage
driver?
That
was
on
the
back
end,
one
might
choose
different
external
snapshots
or
the
implementations,
depending
on
what
kind
of
interface
was
needed?.
C
Yeah
good
question:
so
it's
more
like
two
and
three:
we
actually
split
the
snapshot
controller
into
two.
Initially,
we
have
them
together
as
one,
but
when
we
deploy
this
right
so
this
this
component
will
need
to
make
a
call
to
the
CSS
driver,
so
it
has
to
be
deployed
as
a
sidecar
together
with
the
cset
driver
and
then
the
reason
we
separate
this
is
that
we.
C
So
there
are
a
lot
of
common
logic
like
The
Binding
of
the
you
know,
the
volume
snapshot
and
the
snapshot
content
a
lot
of
common
logic
that
we
basically
put
them
into
the
snapshot
controller,
so
think
about
this
one.
As
the
like
in
Cube
Cube
controller
manager,
we
have
a
PV,
you
know,
there's
a
persistent
welding
controller,
so
the
Snapchat
controller
is
more
like
that.
It's
like
a
common
controller
that
handles
some
common
functionalities
that
can
be
shared
by
all
the
drivers.
C
Now,
the
snapshotter,
the
CSI,
the
external
snapshotter.
This
is
deployed
together
with
the
CSI
driver.
Okay,.
E
C
One
will
only
be
this:
one
will
be
directly
calling
the
CSS
driver.
The
snapshot
controller
will
not
be
directing
calling
the
system
driver,
so
this
component
is
very
small.
This
external
snapshot
is
is
very,
very
small.
We
actually
like
here
that
we
only
handle
the
volume
snapshot,
content,
API,
object.
C
E
Then
external
snapshotter
I
am
guessing
from
this
description
is
generic
enough
that
it
can
function
with
almost
any
CS
like
external
CSI
controller.
But
then,
if
you
had
some,
if
you
had
some
kind
of
some
kind
of
storage
interface
that,
for
whatever
reason
was
not
working
using
CSI
interface,
then
you
might
Implement
something
that
that
does
the
same
operations
on
volume
snapshot.
Contents
objects,
but
is
using
some
other
method
to
communicate
with
other
components
that
that
impact
storage
so
like
the
left
side
of
this
diagram
might
be
different.
But
the
might
be
the
same.
C
So
yeah
well
so
snapshot
already
stopped
this.
The
snapshot.
Functionality
is
only
supported
the
Four
Season
drivers.
It
won't
be
supported
by
like
other
type
of
storage.
That
is
not
okay,.
E
C
C
E
Okay,
yeah
yeah
so
like
if
I
wanted
to
do
something
if,
like,
if
I,
wanted
to
look
at
some
of
the
some
of
the
fancy
storage
options
that
were
available
before
CSI,
then
like
I,
would
see
the
same
world.
That
I
saw
back
then
of
like
having
some
controllers
that
ended
up
doing
weird
surgery
on
crds
and
PVCs
yeah.
C
E
C
So
that's
like
a
general
CSI
deployment
model.
We
actually
I
think
last
time
we
teach
a
show
a
maybe
maybe
I
should
show
that
again.
D
C
This
is,
which
is
the
one
that
you
put
there.
Oh,
maybe
not
this
one
I
think
this
one
is
too
high
level.
I
think
there's
another
one.
So
let
me
actually
I,
don't
know
where's
that
I
know
I
have
this
one
I
know
I
shared
last
time.
So
let
me,
let's
give
him
a
minute
to
find
it.
I
always
thinking
one
of
the
and.
A
C
So
I
know
one
of
the
things
has
the
so
I'm
just
I'm,
not
sure
where
that
is
now
just
give
me
a.
C
C
Yeah
I
think
this.
This
is
this
one
right.
So
if
you
look
at
look
at
this
one
right
so
so
this
is
the
the
this
is
the
VCR
CSI
driver
controller,
and
you
see
in
here
we
have
the
oh.
This
is
the
this
is
the
Pod.
This
is
the
entire
pod.
The
thin
side
is
part.
We
have
our
driver
container,
the
vccsi
controller,
that
you
see
that
there's
a
container
for
that
and
then
there's
a
the
the
CSS
snapshotter
that
we
were
looking
at
earlier
in
the
side
car
that's
see.
C
C
The
CSI
calls
coming
from
the
side
car
to
the
cset
driver,
so
they
are
deployed
together
so
and
yeah,
and
then
this
is
the
the
into
the
cube
controller
manager
and
there's
a
have
this
PV
controller
attached
that
controller
snapshot
controller
is
somewhere
here
right,
it's
kind
of
like
the
the
swamp
at
the
same
because
this
is
out
of
three.
So
it's
a
independent
controller.
E
C
We
actually
tried
to
get
that
entry,
but
you
know
they're
trying
to
make
the
big
the
core
components
smaller
right.
So
since
this
works,
so
you
just
stay
out
of
tree.
It's
fine
yeah.
C
D
C
One
thing,
maybe
I
think
that's
relevant
for
their
secure
analysis
is
how
do
we
pass
in
the
credentials
to
the
search
system?
Would
that
be
something
that
I
should
talk
about?
Yeah.
A
C
Okay,
so
we
can
do
that
next
time:
okay,
good
yeah,
yeah,
okay,
so
this
is
okay.
The
are
there
any
before
we
move
on
to
the
next
diagram.
I
think
I
think
they're,
actually,
all
very
similar
you'll
see
all
those
components
there.
So
that's
why
I
want
to
see
if
there
are
anything
else,
I
should
address
on
this
one
before
we
move
over
there,
if
you're
good,
then
I'll
just
move
on
to
the
next,
which
is
delete,
delete
Snapshot.
F
B
C
And
then
maybe
I
just
want
to
just
talk
about
that
query
volume
as
well,
since
I
don't
have
the
diagram,
but
it's
going
to
be
very
similar.
Can
I,
just
maybe
I'll
just
go
over
that
here.
I
can
definitely
also
create
a
diagram.
I
just
haven't
finished
that
one
for
the
you
know
for
the
talk
for
the
final
talk,
but
basically,
if
it's
like,
if
it's
create
PVC
right,
then
you
just
think
about
this
one.
C
This
one
will
be
a
Creator
PVC
here,
but
we
wouldn't
have
the
Snapchat
controller
and
it's
not
snap
shutter.
So
we
will
have
the
cube
controller
manager.
There's
the
PV
there's
a
PV
controller
inside
that
Q
controller
manager,
and
then
this
one
will
become
the
external
provisioner,
but
the
rest
of
them
are
actually
very
similar
to
this
right.
So
basically
user
created
PVC
and
then
there
is
some
logic
in
the
in
the
pvpvc
controller
that
does
The
Binding
and
because
it
is
a
it
is
a
external.
C
It's
like
an
extra
professional.
It's
not
like
the
entry
thing,
so
it's
going
to
wait
for
and
it's
not
provision
to
provision
and
the
external
provisioner.
Getting
that
request,
then
it's
going
to
make
a
call
to
the
CSI
vcsi
controller.
Bcs
is
a
controller,
make
a
call
to
CNS,
where
it's
very
similar
to
this
one,
getting
an
ID
back
returning
here
and
then
there's
some
small
differences
like
the
the
the
the
PV,
the
external
snap.
C
The
external
provisioner
will
be
the
one
who
is
creating
the
PV
object
and
then
getting
the
basically
setting
the
volume
handle
in
there
and
returning
and
and
then
the
common
control,
the
cube
controller
manager.
The
PV
controller
will
be
the
one,
does
the
binding.
So
this
is
very
similar
to
this
one.
C
A
That,
well,
you
know
what
just
to
make
sure
just
to
yeah
keep
some
momentum.
Maybe
what
we
could
focus
on
is
just
let's
like
flow
diagram
out
the
create
workflow,
and
so
we
can
just
hop
to
that
now.
Instead
of
going
through
the
delete,
workflow.
C
A
A
Put
and
yeah.
C
Kind
of
the
the
secret
okay,
this
one
can
actually
have
a
lot
of
diagrams
on
this
one
page.
That's
nice,
yeah,.
A
Yeah
and
then
I
figure,
so
in
terms
of
like
data
flow
diagramming
it
which
it's
basically
so
I,
think
what
we
need
to
do
here-
and
you
know
definitely
want
folks
to
weigh
in,
is,
let's
create
a
slightly
more
like
kind
of
visually
inclined
version
of
of
the
sequence
diagram
like
a
component
like
a
componentized
version,
in
other
words,
that's
sort
of
what
I'm
thinking
so
I,
just
like
at
a
high
level,
just
like
pulled
out
the
services
that
we
were
talking
about
here
that
are
represented
here.
C
E
I'm
I'm
I'm
kind
of
I'm
kind
of
imagining
that
if
we
work
through
all
of
these
all
of
these
sequence
diagrams
for
all
of
the
operations
that
we
can
end
up
with.
E
Basically
like
a
like
a
boxes
and
lines,
kind
of
architecture,
diagram
that
has
all
of
the
different
software
components
that
interact
with
each
other.
At
any
point
during
any
of
those
workflows
with
lines
between
them
indicating
the
kinds
of
requests
that
are
made,
but
from
the
one
component
to
the
next
and
when
and
then
having
that,
we
can
look
at
all
of
those
arrows
and
start
asking
questions
about
them
like
like
that.
E
G
Yeah
and
also
like
all
of
this
sidecar,
we
don't
share
the
vsphere
credential.
Only
the
controller
CSI
controller
and
the
Sinker
has
access
to
the
vsphere
credential
restore
sidecar
control
generic
one,
but
this
other
non-vsphere
CSI
driver
as
well.
So
and
we
don't
have
any
code
flow
which
which
send
the
request
and
response
with
the
vsphere
credentials.
A
Well,
I
think
we'll
connect
to
that
inside,
but
that's
definitely
good
to
know,
but
yeah
Tabby
that's
right
on
and
it's
basically
like.
We
can
get
that
like
componentized
architecture,
diagram
that
and
I'm
thinking
like
we
can
color
code
the
lines
between
them
per
like
per
different
workflow,
so
like
green,
could
be
like
creating
a
persistent
volume.
A
Red
could
be
deleting
one
and
then
we
can
have
each
of
those
lines
sort
of,
like
you
said,
annotated
with
the
relevant
information,
and
then
we
can
back
up
and
really
like
take
an
assessment
for
like
everyone's
talking
to
you
know
the
the
CSI
driver
controller
pod,
like
what
does
that
mean
and,
like
you
said,
authenticate
or
not
or
and
whatnot.
E
Yeah
yeah,
like
I'm
I'm
kind
of
trying
to
to
hedge
on
whether
or
not
which
areas
to
focus
on
will
be
quote
unquote
obvious,
like
obvious,
is
such
a
dirty
word
like,
like
I,
feel
like
there's,
probably
a
couple
of
them.
That
will
be
really
obvious
to
everyone,
but
I
am
also
also
trying
to
start
with
the
assumption
that,
as
we
do
this,
we
will
surprise
ourselves
at
least
once.
A
Indeed,
awesome
so
yeah,
if,
if
everyone
is,
is
on
board
with
that
I
guess
to
kind
of
jump
in
you
know
to
the
creation
workflow
shank.
Could
you
who
is
the
who
is
someone
and
I
put
devops
persona,
but
maybe
we
have
a
different,
a
different
name
for
it,
but
who
would
you
know
who
is
the
human
user?
Who
would
be
wanting
to
do
this?
Let's
start
there.
C
And
also
seaweed
in
our
secretary,
or
we
also
have
this
backup
app.
That's
because
that
is
specific
for
volume
snapshot
right,
so
not
for
other
workflows,
but
for
one
snapshot
because
backup
software
they
tend
to
use
one
snapshot
for
their
for
their
backup
workflow.
That's
that's
why
we
have
that
one
for
this
particular
for
this
particular
create
a
snapshot
workflow.
So,
like
the
you
know,
the
the
rectangular
one,
that's
actually
it's
not
a
not
really
code
right.
C
A
Gotcha,
okay,
so
yeah,
then
oh
wait!
Whoops
there
we
go
Okay
so
yeah
they
create.
They
create
a
volume
snapshot
on
a
persistent
volume
claim
so
yeah
I
guess
just
yeah.
What
is
it
like?
What
do
they,
like
you
know?
Do
they
go
to
a
CLI
to
do
this
like
what
do
they?
What
what
happens
or
a
human
user
might
do
that,
but
obviously.
C
So
yeah,
so
this
one
is
actually
should
be
instead
of
a
kubernetes
control.
Plane
should
be
just
a
like
API
service,
it's
basically
devops
or
backup
software
create
a
volume.
Snapshot
API
object
that
triggers
this.
A
And
then
yeah,
okay
and
then
what
happens
so
then
the
kubernetes
control
plane
gets
the.
C
A
So,
let's
see
is
it
the
is
that
through
occultism.
C
Right
so
I
don't
know
how
you
so
this
one
will
be
listening
to
the
you
know.
Basically,
it's
going
to
be
watching
for
the
yeah,
so
I
don't
know
what
kind
of
line
you're
drawing
for
this
one.
So,
basically,
this
natural
controller
will
be
watching
for
kubernetes
API
objects
and
then
the
Central
controller
will
be
creating
a
volume
snapshot.
Content
API
object,
so
you
could.
C
Maybe
you
could
have
a
error
going
from
snapshot
controller
to
cube
API
server,
I'm,
not
sure
what
is
the
best
way
to
show
that
it's
like
chords,
like
you
know,
it's
going
to
create
this.
It's
going
to
create
a
API
object
right,
I,
don't
know
how
you
typically
show
that
in
your
other
diagrams.
B
B
A
Then
it
creates
sorry
and
it
creates
a
what
was.
A
A
C
B
A
All
right
so
yeah
once
the
once
the
volume
snapshot,
content
crd
is
created.
Then
the
snapshot
controller.
C
And
then
the
the
sidecar,
the
the
external
snapshot
or
Sidecar,
so
the
yeah,
the
next
one,
the
snapshot,
the
yeah,
the
one
you
you
have
that
so
this
one
will
be
this
one
will
be
watching
for
voting
snapshot,
content.
F
B
A
Again
need
to
figure
out
like
some
eyeballs
here.
Oh
so
is
it
is
it
actually
I
mean
it's
not
watching
the
smell
like
not,
and
it's.
E
C
Yeah,
so
after
this
one,
it's
all
just
to
cause
function,
calls
will
be
more
stable,
so
external
snapshotter
costs,
VCR
CSI
driver.
F
E
Something
else
I
just
learned
about
Excalibur
that
might
be
helpful.
I
believe
that
you
can
make
a
shape
and
then,
with
the
shape,
selected
press
the
enter
key
and
start
typing,
and
you
get
text
bound
into
that
object
rather
than
having
the
like
separate
text
and
object.
That
has
been
a
struggle.
Yes,.
A
E
And,
and
now
is
where
now
is
where
I
am
going
to
put
on
my
fun
attacker
hat
and
ask
very
specific
questions
about
that.
So
that's
that's!
Making
a
grpc
call.
How
is
that
grpc
interface
exposed
from
the
CSI
driver
to
its
sidecars.
C
So
so
yeah
so
the
well.
There
was
the
interface
we
there
is
a
another.
How
do
you
say
library,
one
repo
near
the
CSI
spec
Ripple.
D
B
C
E
D
A
Putting
it
yeah
I'm
putting
it
so
you
know
what
I
should
do
is
do
a
box
for
a
box.
A
What
is
it
sidecar.
C
Things
compile
together.
Those
type
of
the
questions
you
also
need
to
ask
right
is
that,
because
how
does
this
one
know?
This
interface
is
the
right
one
things
like
that
right,
so
so
the
sidecar
yeah,
it's
the
snapshotter
that
whole
the
whole
report.
We,
of
course
we
do
that
with
this,
the
sea
size
back
definitions-
driver
of
course
also
needs
to
depend
on
those.
So
so,
basically
we
are
reading
the
same
interface.
G
So,
are
you
interested
in
knowing
how
this
grpc,
like
is
working
with
this
CSI
driver
in
the
external
sidecar
container,
like
we
don't
use
any
IP
address
or
over
the
network
communication
we
use
a
Unix
dominant
socket.
It's
a
file
based
communication,
I.
E
Love
I
love
that
that's
exactly
the
that's
exactly
the
sort
of
thing
that
I
was
that
I
was
asking
about,
and
also
like
that
I
realize.
I
am
accidentally
distracting
us
from
finishing
making
the
diagram
with
but
yeah
like
that's
the
that's
the
sort
of
place
that
we
are
headed
with.
Making
this
diagram
is
then
being
able
to
ask
questions
like.
Oh
this
communication
between
the
sidecars
and
the
CSI
driver
is
really
sensitive.
How
is
it
protected?
G
Yes,
it's
mtdir
file.
A
Yeah
I
just
put
a
a
star
for
a
placeholder
for
yeah
holding
place
for
questions
so
that
we
can.
C
It
might
be
I,
don't
know
if
there
was
actually
another
diagram
which
is
more
like
a
standard
CSI
deployment
diagram.
That
actually
has
that
shows
that
the
socket
and
I
think
because,
like
my
dog
I
yeah,
that
one
probably
will
be
helpful
right,
that's
like
in
actually
it's
in
Upstream.
Let
me
actually
find
out.
You
can
include
that
that's
better
than
my
my
diagram.
I
didn't
include
those.
A
Yeah
that
would
be
great
to
this
and
we'll
we'll
we
can
totally
but
I
mean
we
should
put
all
the
diagrams
in
the
final
write-up.
We
do,
including
this
one,
that
we
build
together,
but
that
sounds
awesome
cool
all
right,
so
the
external
snapshotter
has
called
the
the
CSI
driver
over
a
grpc
function
and
now
it's
time
to
talk
to
the
vsphere
CNS.
So
how
does
that?
A
C
G
Yes,
so
for
credential
we
are
creating
a
config
secret
file,
just.
A
One
quick
question
is
this:
also,
just
like
a
grpc
function
call
like
how
how
do
these
two
components
interact.
G
So
these
two
components
interact
over.
We
create
a
Gobi,
mommy
client
from
the
driver.
We
create
a
vsphere
client
using
Gobi
Mommy
and
to
create
a
vsphere
client
using
Google
VC
hostname
BC
username
password,
and
if
it
is
a
secure
connection,
we
also
need
a
certificate.
G
A
G
It's
the
go
library
for
VMware
API,
but
let
me
share
this
in
the
chat:
oh
sweet,
okay,
so
so
we
use
this
library
to
connect
to
the
vcenter,
and
we
have
also
added
some
code
in
this
Kobe
mommy
repository
to
implement
the
CNS
volume
manager,
API
bindings.
A
Oh
okay,
I.
A
A
F
B
B
A
Awesome
all
righty,
so,
let's
see
where
are
we
created
these
to
your.
G
And
the
username
and
the
password
and
the
certificate
all
of
this,
so
we
get
it
from
the
vsphere
config
cigarette,
so
we
create
a
vsphere
config
secret
is
a
kubernetes
secret.
In
that
we
place
this
username
and
password
it's
not
encrypted.
It's
just
the
base.
64
encoded
file.
B
A
All
right,
awesome
and
yeah
we'll
we'll
come
back
to
to
get
more
of
that
detail
later
once
we
get
kind
of
the
fill
up
a
flow
down
here.
Okay,
so
I
guess,
let's
start
working
our
way
back
so
zooming
in
here,
so
we're
yeah
returning
a
snapshot
ID
on
success
or
returning
a
failure,
and
this
is
to
the
CSI
controller.
So
then
let
me:
how
should
we
do
this?
B
B
F
A
G
G
So
inside
this
virtual
Center
we
have
services
to
various
Services
SPS
spbm,
FCD
Service.
We
storage
object
service
right,
so
those
Services
we
are
interacting,
but
that's
part
of
the
RECenter
one
is
called
reaches
to
the
vcenter.
All
of
this
is
internal
to
be
centered.
B
A
Order
it's
basically,
those
interactions
have
to
take
place
in
order
for
us
to
either
return
a
snapshot,
snapshot
ID
on
success
of
provisioning,
a
storage
volume
or
returning
an
error.
A
C
Okay,
but
you
are
basically
not
really
analyzing,
what's
happening
in
internal
of
obesity,
right
you're,
just
a
more
look
at
the
like
between
the
CSI
driver
and
the
the
atmosphere
CNS
that
layer.
That's
what
we'll
be
looking
at
right,
exactly.
A
Yeah
because
yeah
doing
a
yeah
I
think
keeping
keeping
as
much
of
these
fear
outside
of
the
scope
of
this
is
definitely
yeah.
Otherwise
we
would
get.
We
would
get
into
some
pretty
yeah.
That
would
definitely
blow
up
the
scope
but
yeah
so
in
terms
of
the
vsphere
CNS,
communicating
with
the
CSI
driver
in
terms
of
returning
either
an
ID
or
I.
Think
it's
a
what
is
it
a
failure
code?
G
Yeah
we
create
a
task,
we
create
a
task
of
on
the
vcenter
and
then
watch
on
that
task,
so
either
the
task
will
pass
or
it
will
fail
if
it
is
of.
If
the
task
fails,
we
get
a
fault
from
that
task
and
do
the
appropriate
action
whether
we
need
to
retry
or
we
want
to
fail
the
operation
completely,
so
that
that
depends
on
the
fault
type
that
we
are
receiving
and
if
the
task
is
successful,
we'll
get
the
snapshot
ID
or
volume
ID.
Out
of
that
a
task
foreign.
G
So
so,
basically
I
think
you
can
put
this
on.
The
upper
diagram
like
task
is
already
created
when
vsphere
CSI
driver
send
a
request
to
the
CNS
and
then
driver
watches
on
that
task,
so
vsphere
CNS
doesn't
interact
with
driver.
Only
driver
driver
asks
a
CNS
to
get
the
detail,
but
CNS
doesn't
know
anything
about
the
driver.
A
Okay,
so
see
how
to
so
yeah
the
the
CNS
is
really
just
like,
just
like
a
really
simple,
simple
conveyor
belt
of
of
that
information
that
the
the
CSI
driver
just
consumes
it
from
yes,.
G
A
G
A
Gotcha
wait,
so
it
only
updates
the
task
so
it
only
when
you
say
update.
Do
you
mean
it
only?
It
just
looks
for
any
change
in
information
based
on
whether
it's
successful
or
not.
B
B
B
A
More
babies
so
yeah
it's
basically
it's
kind
of
loosely
coupled
in
that
yeah.
It's
the
the
CNS,
isn't
pushing
anything
anywhere.
It's
just
observing
updating
information
in
the
CSI
driver-
just
pulls
you
know,
is
basically
just
looking
at
that
information
via
the
CNS
so
but
just
to
make
sure
that
I
understand
the
CSI
driver
isn't
looking
at
the
task
directly
in
vcenter.
G
A
E
A
A
A
Oh,
my
gosh
yeah
tell
me
about
it
all
right,
so
yeah,
so
just
keeping
an
eye
on
time.
Yeah
I
think
we
did
a
lot
of
really
good
work
here,
so
I
think
yeah
I
mean
really.
Next
steps
is
like
I'll
I'll
send
out
a
poll
for
a
follow-on
meeting.
I,
don't
think
we
have
too
much
left
here.
A
We
can
finish
up
this
workflow
and,
let's
see
I'm,
not
Tabby.
I
could
lean
on
your
your
judgment
and
expertise
here.
Do
you
advise
that
we
first
get
through
all
of
the
data
flow
diagramming
like
we're
doing
here
and
then
go
through
and
ask
questions,
or
do
you
think
in
the
next
session?
We
can
just
finish
this
diagram
and
then
ask
our
questions.
A
You
know
and
think
about
concerns
and
stuff
so
that
we
can
have
a
workflow
completed.
What
would
your
guidance
be
here?
I.
E
E
F
Okay,
I
can
take
on
replicating
the
diagram.
What
you're
getting
at
is
once
we
have
diagram
down.
We
can
start
digging
into
the
connection
points
between
the
notes
is
that
right.
E
Without
Really
requiring
the
level
of
expertise
that
that,
like
Chang
and
devian,
have
and
then
with
that
potentially
imperfect,
set
of
all
the
boxes
filling
in
where
the
arrows
belong
is
a
matter
of
going
through
the
state
diagrams
for
the
different
workflows
and
and
then
leaning
on
the
expertise
in
the
room
for
where
to
put
the
arrows.
E
D
E
Yeah,
like
I
would
say
there
is
no
authority
to
say
yes,
you
must
have
every
single
thing:
sequence,
diagrammed,
but,
like
you
know,
think
about
what
you
would
want
to
give
to
someone
to
help
them
understand.
What's
going
on
in
a
way
that
is
as
easy
for
them
as
possible,
and
so
maybe
that's
one
or
two
sort
of
generic
sequence
diagrams
or
maybe
it
is
a
detailed
list
of
a
lot
of
sequence,
diagrams.
C
Yeah
some
are
different.
Some
are
similar,
so
yeah,
then.
E
Maybe
yeah,
maybe
a
few
sequence
diagrams,
like
you
know,
for
the
for
the
workflows
that
that
feel
different
from
each
other
and
then
notes
on
them.
Explaining
you
know
which
workflows
are
are
similar
so
like
in
the
way
that
you
were
saying
the
create
and
the
create
snapshot
and
the
delete
workflows
are
all
somewhat
similar
than
than
maybe
they
could
share
a
diagram
just
with
with
notes
in
the
labels
explaining
how
to
read
it
for
each
of
them.
C
Yeah
that
one
probably
you
know
some
variation,
the
general
workflows
the
same,
but
there's
some.
We
have
some
other
component
that
that
that
is
for
the
for
the
crate
for
the
volume,
but
not
for
the
snapshot.
That
is
not
not
right
now
in
there.
So,
okay,
yes,
so
I,
I,
yeah
I,
will
add
more
I.
G
Also,
would
you
be
interested
in
knowing
the
roles
and
the
privilege
that
we
assign
to
the
user
that
the
CSI
driver
is
using?
So
since
this
is
for
the
security
Evolution,
the
only
thing
here
could
be.
A
problem
is
when
this
credential
is
lost,
someone
hack
into
a
cluster
and
get
access
to
CSI
pod
and
get
access
to
this
username
password
I.
E
E
A
Yeah
so
divyan,
if
you
wanna
like
if.
A
To
it
so
feel
free
to
dump
them
in
the
parking
lot
too
and
then
yeah
Shing.
If
you
want
to
like
just
identify
and
slack
like
what
are
you
know,
what's
what's
the
next
one
or
a
few
data
flow
diagrams
that
you
think
we'd
need,
and
then
we
can
use
that
as
input
to
do
that,
like
pre-mapping
for
our
next
session,
so
that
we
can
make
sure
that
we
have
all
the
components
in
place,
and
we
can
talk
about.
A
You
know
the
connections
between
them
to
just
get
all
the
workflows
defined
and
then
once
all
the
workflows
are
defined,
we
can
then
start
digging
into
questions
like
Debian
was
asking.
F
Yeah
sure
so
just
to
wrap
up
I
have
two
awesome
items.
One
is
for
me
to
replicate
the
the
diagram
and
then,
if
you
and
if
you
can
like
drop
all
the
links
that
you
think
could
be
helpful
in
the
notes.
So
we
can
just
you
know
home
it
somewhere
for
now
yeah
sure.
A
Great
well,
everyone!
Thank
you
so
much.
This
was
a
great
session
thanks
for
staying
a
little
late
and
yeah
Grace.
Thank
you
so
much
for
just
all
your
help,
taking
notes
and
Tabby
and
yeah
I
think
this
is
really
productive
and
yeah
I'll
send
out
a
note
or
a
doodle
Poll
for
the
next
meeting.