►
Description
Kubernetes Storage Special-Interest-Group (SIG) Object Bucket API Design Meeting - 04 November 2021
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
Moderator: Sidhartha Mani (Minio)
A
B
Okay,
yeah,
I
think
I
think
there
was
some
deadlines.
Let's
see,
yeah
the
cold
freeze
deadline
coming.
I
think
it's.
What
is
that
code
free
16th
november
16th
and
then,
and
then
there
is
this?
There
is
this
deadline
november,
23rd
that
that
is
basically
for
us
to
submit
some
entry
to
show
up
in
the
major
major
things
for
1.23
release,
but
yeah.
So,
let's
see
if
we
can
get
it
in
before
that,
because
otherwise
we
can't.
A
A
Yeah
nobody's
gonna,
yeah,
okay,
so
yeah,
let's
start
off
today,
so
in
terms
of
the
overall
plan,
if
we
figure
out
workload,
identity
based
authentication,
if
we
have
a
clean
story
around
it,
I
think
things
will
move
very
fast,
because
that
was
that
was
the
big
thing
that
that
tim
wanted
addressed
it's.
It
seemed
very
important
for
google
cloud
and
I
would
presume
other
cloud
providers
also
would
say
the
same
thing
so
far.
A
A
So
I
spent
some
time
trying
out
workload,
identity,
based
authentication,
and
here
let's
see
yeah.
So
it's
it's
very
straightforward.
It's
it's
what
we
guessed
it
works
like
last
week
when
we
were
talking.
So
what
I
would
like
to
do
is
explain
how
this
works,
and
I
think
this
will
help
us
model
the
api
and
answer
some
of
the
questions
we
had
last
week,
much
better.
A
So
what
what
kubernetes
does
in
or
what
gke
does
google
kubernetes
engine
does
is.
First,
you
have
to
enable
something
called
workload
identity,
but
but
they
recommend
that
you
know
all
kubernetes
clusters
that
are
run
by
gk
enable
this.
If,
if
there
are
workloads
that
talk
to
the
gke
itself,
google
cloud
itself
for,
for
example,
like
buckets,
so
what
it
does
is
it
creates.
It
creates
a
iam
account
for
every
service
account
that
you
create.
A
So
there's
a
lot
of
text
around
it,
but
that's
basically
what
I
just
explained
is
basically
what
happens?
Okay,
so
once
you
enable
it,
I
want
to
quickly
show
you
something
yeah
you
you
can
enable
it
by
default,
it's
gc
metadata.
Otherwise,
it's
gk.
What
this
means
is
there
is.
There
is
something
called
as
a
metadata
service
that
runs
whenever
you're
running
in
the
cloud
you
can.
You
can
query
the
metadata
service
and
based
on
who
the
source
is
that's
querying
it.
The
result
is
given
according
to
that.
A
If
not,
it
gets
set
to
gc
metadata.
This
gke
metadata
is
important.
If
you
want
to
do
workload,
identity,
style,
authentication,
the
gke
metadata
is
the
metadata
service
that
understands
the
mapping
between
service
accounts
and
kubernetes
and
im
accounts
in
google
cloud
okay.
So
that
was
a
that
piece
of
information
is
important,
even
though
it's
slightly
tangential.
A
A
So
yeah,
so
you
know
you
get
service
accounts
and,
let's
see
all
the
gke
or
google
cloud,
sdks
already
know
how
to
work
with
this.
So
if
you
take
any
of
the
sdks
for
talking
to
google
storage
buckets,
they
would
just
be
able
to
talk.
If,
if
you
already
map
the
service
account
to
the
im
account
for
the
bucket,
then
you
know
any
sdk.
That's
that's
built
by
google
will
just
know
how
to
use
this
yeah.
This
is
this
is
what
the
metadata
service
looks
like.
A
C
D
C
A
E
A
Right
so
there
has
to
be
a
an
admin
user
and
a
user
with
admin
level
permissions.
It
can
be
a
it
can
be
a
service
account
or
it
can
be
a
you
know,
real
user,
and
they
would
have
admin
permissions
to
update
and
create
iam
roles
and
imm
identities,
and
and
they
would
they
would
have
to
create
a
service
account
in
kubernetes,
and
there
is
a
way
google
cloud
provides
to
map
this
kubernetes
service
account
to
the
service
account
in
google
cloud
and
once
that
mapping
is
done
it's
somewhere
here
yeah.
A
A
Be
managed
by
admin:
well,
no,
okay,
so
that
is
also
so.
Let
me
go
over
the
lifecycle,
so
bucket
provisioning
will
happen
through
cosy
where
it
will
create
a
bucket
cosy
in
order
to
run
it.
It
needs
some
privileges
to
do
it
and
we
expect
cozy
to
run
as
an
admin
that
can
create
buckets
and
also
you
know,
provision
access
for
those
buckets,
so
provision.
A
C
C
A
C
G
G
C
E
C
A
C
A
E
C
F
C
A
C
A
A
A
Does
the
binding
of
the
service
account
to
a
cloud
using
the
driver
service
account
to
a
cloud
entry
and
the
service
phone
goes
into
the
part
and
the
application
is
presumed
to
have
the
necessary
facilities
to
use
this
service
account
based,
authentication
and
and
as
far
as
official
cloud
sdks
are
concerned.
Now
all
of
them
support
this
style
if
you're
using
a
vendor
sdk.
A
That
is
that
is
not
the
case.
So
if
you
are
moving
from
on-prem
to
cloud-
and
you
know,
let's
say
you
you're
using
min
io
now
you're
moving
to
google
cloud,
I
mean
they're
incompatible
protocols,
s3
versus
gcs,
but
but
let's
say,
google
cloud
suddenly
started.
Supporting
s3
min
ios
sdk
will
not
know
how
to
talk
to
google
cloud's
metadata
service
to
leverage
the
service
account
cell
authentication.
A
You
know
star
to
it
saying
disclaimer
to
it,
saying
that
we
allow
portability
as
long
as
the
protocol
is
the
same
and
the
access
mechanisms
are
supported
by
are
understood
by
by
the
sdk.
So
there
is
this
reliance
on
on
the
application
sdk's
facilities
here,
and
we
want
to
model
that
in
the
api.
Somehow
we
want
to
model
this
in
the
api.
A
A
A
Anyone
if
they
have
any
thoughts,
feel
free
to
pitch.
In
the
second
question
since
silent,
I'm
gonna
go
to
the
second
question.
If,
if
it's
not
the
application
that
says
hey,
I
want
I
want
workload,
identity
versus
access,
key
secret
key-
maybe
maybe
this
this
field
should
be
a
part
of
the
bucket
class
or
the
bucket
access
class.
E
Yeah
like
last
week,
we
don't
know
the
input
part
right,
so
this
is
a
dependency
from
the
user
to
provide
the
service
account
right.
So
in
case
of
access,
key
and
secretary
user
did
not
don't
want
to
provide
anything,
but
we
can
automatically
mount
that
information
to
the
port.
But
here
we
are
expecting
user
to
give
the
service
account
details
right,
like
it
is
expected
from
the
user
part
right.
So
we
are.
A
A
A
C
C
Yeah
that
I
mean
that's,
it
is
a
problem
right
like
in
with
pvcs
and
pb.
Today
we
have
a
bunch
of
we.
We
do
have
a
bunch
of
features
that
are
dependent
on
the
volume
driver
to
support,
like
snapshots,
for
instance
like
if
not
all,
drivers
support
snapshots.
So
if
someone
creates
a
pvc
and
then
takes
a
snapshot
and
tries
to
take
a
snapshot,
but
the
driver
doesn't
support
it
they'll,
you
know
get
some
error
or
something
but
like
they
don't
really
know.
A
Interesting,
okay,
so
so
pv
portability
is
dependent
on
multiple
things.
Then
it's
it's
dependent
on
yeah,
well,
actually
just
one
which
is
a
rewrite
mini
or
volume
mode.
It's
portable.
As
long
as
the
volume
mode
is,
you
know,
supported
by
the
driver
right,
correct,
okay,
understood,
okay,
interesting!
So
if
we
were
to
put
the
authentication
mechanism,
okay,
so
that
that
argument
would
also
apply
for
the
protocol,
then
s3
or
gcs,
and
so
far
the
argument
for
protocol
has
been.
A
A
H
H
A
A
A
C
A
A
The
admin
is
expected
to
provide
the
user
with
the
storage
class
name,
and
this
storage
class
is
assumed
to
always
provide
a
bucket
that
the
user
expects.
So
if
the
user
expects
s3
buckets,
then
the
storage
class
is
supposed
to
provide
some
s3
compatible
bucket
that
might
be
from
any
vendor
could
be
from
from
aws
or
any
any
other
vendor
out
there.
H
C
A
H
D
H
A
No,
I
I
don't
want
to
get
distracted,
so
the
bigger
question
is:
do
we
do
the
same
for
authentication
model
or
not?
I
I
don't
know
if
we
should
go
back
and
question
the
protocol
argument.
Yet
unless
we
have
a
strong
case
for
for
for
choosing
not
to
have
or
having
a
list
and
and
the
same
argument,
you
know
whatever
we
decide
for
authentication
method
would
apply
to
protocol
as
well.
But
I
can
see
that
these
two
being
you
know
symmetric,
I
would
say.
C
A
C
D
A
C
G
A
So
question
of
portability
here
is
that
a
concern
at
all
here
like
based
on
this
approach?
Can
we
yeah?
Is
there
a
concern
with
this
approach?
Not
this
portability
important
but
more.
Like
does
this
in
this
model?
If
you
wanted
to
move
from
an
environment
that
allows
authentication
mechanism
a
to
an
environment
that
doesn't
allow
it
but
doesn't
support
it,
are
we
now
not
portable?
A
C
Yeah,
but
I
think
you
can
argue
that
this
is
similar
to
like
any
like
volume
feature
we
have
today
right,
like
you,
could
be
using
volume
snapshots
in
one
environment
and
move
to
another
environment
where
snapshots
doesn't
work,
so
I
think
it's
a
similar
boat.
I
think
what
the
maybe
the
important
part
is
is
like,
if
say,
the
feature
capabilities
were
equivalent
on
both
environments.
A
E
So
last
week,
like
the
decision
was
to
like
a
driver
is
the
holder
like
says
it
can
support
lot
of
protocols
and
when
the
application
is
mounted
with
a
bucket,
I
mean
bucket
claim.
The
driver
will
give
all
the
information
on
the
port
or
the
application
like
for
the,
for
example,
in
this
case
for
identity
base,
it
will
be
the
service
account
for
the
secret
and
access
key.
It
will
be
saved
in
a
file
like
that
and
the
application
can
pick
any
one
of
it.
Really
if
you
it's
like
that,.
E
A
Yeah,
for
the
sake
of
portability,
but
for
the
sake
of
saying
that
it
is
portable,
we,
we
were
kind
of
going
down
this
road
where
we
were
saying.
Oh,
we
list
everything
that
that
this
application
supports,
or
this
driver
supports
the
driver
is
free
to
choose
one.
I
would
think
that
is
even
less
deterministic
than
not
having
the
field
at
all.
E
A
A
A
So
we
don't
even
need
to
represent
it
anywhere
either
the
class
or
the
user.
Well,
the
user
objects
somehow
and
just
pass
it
along.
So
how
would
that
look?
Like
sure
would
do
you
have
any
thoughts
on
what
that
would
look
like
where
how
the
user
would
say?
This
is
the
authentication
mechanism
that
I
want.
A
A
E
So
we
still
have
bucket
taxes
class
right.
It's
still
the
right
authentication
people
protocol
is
the
highest
level
like
at
least
for
me
and
authentication
is
the
next
level
under
protocol
right.
So
as
calendar
process,
the
protocol
will
be
staying
on
storage
class,
and
can
we
have
something
on
the
bucket
access
class?
Saying
authentication
mechanism
will
be
part
of
this,
like
this
authentication,
like
this
worker
class,
I
mean
bucket
access
class
supports
this
authentication
and
all
the
bucket
workers
created
from
that
bucket
access
class
will
have
that
authentication
or
something
like
that.
A
I
see
yeah
so
so
what
you're
saying
is
you
you
want
to
define
on
the
bucket
itself
that
this
thesis
authentication
mechanism
supported?
Is
that
what
you're
saying
I
mean
the
bucket
access
class
or
something
like
that
yeah
yeah?
So
that
is
what
we
discussed
last
week
right
that
we'd
have
a
list
of
authentication
mechanisms
written
down
in
the
class
object,
and
that's.
E
E
B
B
B
A
A
Yeah
yeah,
so
the
these
two
are
completely
opposite
of
what
each
other
is
saying
right,
like
tim,
wants
it
either
in
the
class
no
need
to
list
protocol
in
the
bucket
request,
so
he
doesn't
want.
The
request
may
want
a
list
protocol
in
the
bucket
class
he's
okay
with
putting
in
class,
but
he
sees
even
that
is
overkill
to
start
so
yeah
we
need
to.
We
need
to.
There
are
no
there's
no
wrong
answer
here.
A
It's
just
different
styles.
I
would
rather
go
with
what
tim
is
saying
right
now,
because
tim
has
been
more
involved.
He
knows
this
more
deeply,
so
so
going
accord
by
this
we
would
have
you
know
a
list
of
authentication
mechanisms
in
in
the
bucket
access
class
object.
If
you
were
to
go
this
route
of
how
tim
is
thinking
about
it.
A
Similar
to
protocols
we'll
have
authentication
mechanisms,
and
that
would
be
in
the
class
object,
and
when
someone
wants
access
to
a
bucket
they
would
refer
to
the
class
object
and
based
on
what
we
spoke
last
week
we
said
yeah,
so
that
part
is
still
confusing
to
me.
So
so,
first
before
you
go
there
shane
does
it
make
sense,
is
whatever
we
talked
about
just
now.
B
A
A
H
So
this
is
the
whole
problem
that
we
don't
have
a
posix
standard
for
bucket
access,
and
so
the
the
sdk
is
defining.
What
is
defining
the
protocol
inherently
and
and
the
application
uses
the
sdk
and
cosy
has
no
idea
what
sdk
an
application
is
using
that
a
workload
uses.
So
so
there's
always
a
chance,
no
matter
what
we
do,
no
matter
where
protocol
gets
defined
or
no
matter
how
a
driver
name
is
used
that
the
application
is
out
of
sync
with
the
underlying
bucket
right,
and
we
can't.
A
Yeah,
I
don't
know
if
we
can,
I
mean
we
could
do
one
thing
where
you
know
we.
We
create
a
three
different
bucket
types
like
it's.
It's
a
it's
not
just
bucket,
there's
no
bucket
anymore,
I'm
just
like
hypothetically
going
there.
I
don't.
I
don't
know
if
you
should
even
go
down
this
route,
but
one
possible
solution
is
to
standardize
three
different
types
of
buckets:
s3
bucket
gcs
buck
in
azure.
Buckets
that
way.
There's
there's
no
single!
You
know
generic
bucket.
It's
just
one
of
these
three.
H
H
A
A
Let's
see,
say,
services
services
only
behave
in
in
one
way
right.
They
just
route
your
request
to
one
of
the
pods.
Let
me
try
and
remember
this:
does
service
do
tcp
level
load,
balancing
yeah
it
does
because
it's
an
ip
tables.
Let
me
think
about
a
different
resource
where
there
could
be
a
possible
mismatch.
A
I
think
I
think
I
think
I
think
we
need
to
looking
at
how
pvcs
do
it
looking
at
how
pvc
models
the
volume
mode,
because
application
needs
to
know
if
if
a
volume
is
rewrite
many
or
rewrite
once
the
pvc
allows
you
to
specify
the
volume
mode
shouldn't
shouldn't
our
bucket
access
request
or
bucket
access
now.
But
that's
what
we're
calling
it
now
model
authentication
mechanism,
because
it's
very
application.
Centric.
A
A
F
A
Yeah
jeff,
I'm
hearing
an
echo
so
yeah,
no,
it's
gone
so
so.
Where
do
we
put
it
though?
The
the
question
is:
should
it
be?
It
should
be
in
the
class
object.
We
should
be
in
the
user,
controlled
object
and,
as
I
think
about
it
more,
I
think
it
should
be
in
the
user
controlled
object.
It
should
be
in
the
bucket
request
for
protocol
and
bucket
access
for
the
authentication
mechanism.
H
A
Yeah
so
so
class
would
be
provider
plus
parameters
for
that
provider,
except
here
the
application
is
involved
right.
So
my
my
reason
for
not
putting
it
in
the
class
is
because
there
is
a
there
is
a
role
for
the
application
to
play
here
and,
and
that
should
be
modeled
somehow
right
or
are
we
saying
like
it
can't
be
in
the
class
right?
H
A
Yeah,
that's
what's
making
me
think.
Maybe
we
should.
We
should
go
down
this
path
of
saying
that
protocol
you
know
remain
so
what
michelle
is
saying
is
is
very
similar
to
what
I
just
said,
but
but
with
another
step
further
she's
saying
don't
even
model
it,
don't
don't
even
have
protocol
in
the
as
a
separate
field
or
don't
even
have
authentication
mechanism
a
separate
field
just
pass
it
through
blindly.
A
A
Like
like,
if
because
because
then
you
know
we'll
have
we'll
have
vendors
creating
their
own
specialized
protocols,
so
you
know
mineo
won't
do
this,
but
you
know
we
might
we.
Let's
say
menu,
creates
its
own
mineo
protocol,
which
is
basically
s3,
but
we
just
call
it
minio
and
then
now
we're
suddenly
not
portable
between
minion
s3.
We
would
never
do.
H
A
A
H
Right
I
agree.
Xing
had
mentioned
that
in
our
last
meeting
that
if
we
could
get
something
written
down,
we
could
post
the
link
to
sig
storage,
cozy
and
and
then
we
have
some
ability
to
digest.
It
better
think,
do
a
little
research
and
make
comments.
But,
okay,
it's
it's
all.
You
know
we
hear
it
and
there's
a
recording,
but
it's
it's
hard
to
give
it
a
lot
of
thought.
I
think.