►
Description
Kubernetes Storage Special-Interest-Group (SIG) Object Bucket Review Meeting - 01 October 2020
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
A
Okay,
so
last
week,
where
we
left
off,
we
were
talking
about
what
monday,
where
we
left
off.
We
were
talking
about
how
the
development
is
coming
along.
As
of
as
of
today,
we've
started
working
on
the
sample.
Provisioner
we've
got
a
new
developer
sergeant,
helping
out
with
that
and
development,
as
of
right
now
is,
is
going
at
a
good
cadence
and
and
it's
moving
forward,
I
would
say
we're
still
on
track
to
do
the
demo
in
a
few
weeks
again.
A
A
So
the
talk
we
originally
submitted
was
with
the
john
cope,
and
I
I
don't
know
if
everyone
here
knows
john
koh,
but
he
was
leading
this
group
before
I
came
along
and
when
we
both
were
here
at
one
point,
we
decided
to
submit
this,
I'm
not
sure
if
john
is
going
to
speak
at
this
stock.
This
time,
however,
if
john
cannot
make
it
jeff
who
is
taking
out
jon's
version
will
will
help
us
out
with
that.
A
A
We
got
a
bunch
of
feedback
this
morning
from
andrew.
Thank
you
so
much
andrew
and
you
know
I
would
like
to
go
through
them
and
answer
the
questions
that
are
there
or
figure
out.
If
there's
anything,
we
don't
know
that
we
need
to
answer
in
a
different
way,
so
I'm
going
to
open
up
the
email
so
so
andrew.
I
haven't
had
a
chance
to
go
through
this.
It
came
in
like
what
seven
minutes
ago.
I
know
sorry
about
that.
A
B
B
The
the
driver,
the
the
cap
says
basically,
oh
yeah.
This
basically
doesn't
have
any
effect,
in
which
case
I
I
I
don't
know
if
that
statement
means
that
really
or
yeah
yeah.
So
that's
what
I
was
kind
of
trying
to
to
get
at
there.
Okay,
so
I
yeah.
Let
me
open
it
up
and
I
can
quote
you
the
actual,
no.
B
C
Right
yeah,
I
was
on
mute
andrew.
You
know
this
is
a
carry
over
some.
I
think
it's
john's,
it's
john
wrote
it
and
I'm
not
sure
I
fully
understood
how
it
was
used
and
I
sort
of
as
I
was
refreshing,
the
kept
didn't
really
focus
much
on
there.
My
understanding
was,
if
you
don't
have
a
more
formal
policy.
This
is
a
way
to
say:
what's
the
access
for
generally
open
buckets
for
anonymous
access,
non-user,
non-specific
user
type,
access
policies?
What
what?
B
Yeah,
I
just
don't
understand
how
this
would
be.
I
mean
I
I
could
understand
if
if
if,
if
this
actually
should
be
reflected
in
setting
public
read-only
access
to
the
bucket,
but
that
line
below
it
says:
oh
no,
no
we're
not
going
to
do
that.
So
that's
I'm
just
confused!
That's
all
because
it's
just
decoration,
I'm
not
really
sure.
I
understand
why
it's
there.
A
C
B
C
Yeah,
I
guess
I
guess
I
see
the
source
of
compute,
I'm
saying
that
if
the
you,
if
a
bucket
class
describes,
defines
an
anonymous
access-
and
so
it's
reflected
in
the
bucket
instance-
object-
which
is
what
we're
looking
at
here-
the
the
cosy
itself
isn't
going
to
make
any
kind
of
driver
call.
So
what
the
grpc
will
pass
in
this
private,
public
or
public
settings.
The
three
public
settings
are
private
right,
we'll
pass
that
down
to
the
driver.
A
C
B
C
Talking
about
it
andrew's,
looking
at
our
definition
and
oh
the
definition,
it
doesn't
have
the
note
in
bucket
class
like
it
does,
for
the
bucket
instance.
If
you
go
to
the
bucket
instance
and
you
look
at
anonymous
access
description,
number
six
you'll
see
a
note
after
it
says,
does
not
reflect
or
alter
the
backing,
storage,
apples
or
iam
policies.
C
A
C
B
Right
but
but
following
anonymous
access,
I
mean
there's
two
parts
to
this.
One
is
imagine
this
is
applying
to
greenfield.
How
do
you
implement
that
right?
That's
the
first
problem,
the
second
problem,
which
is
what
sid
just
kind
of
mentioned,
which
is
okay.
What
are
the
implications
on
bucket
access
when
you've
got
anonymous
because
you
don't
need
any
kind
of
credentialing
if
anonymous
access
is
available
right,
and
so
it
almost
strikes
me
that
this
ought
to
be
moved.
This
whole
concept
ought
to
be
moved
into
bucket
access.
C
B
A
B
Right
so
so
right,
presumably
if
it's
anonymous
access,
that
means
it
does
not
require
any
kind
of
credentialing,
either
the
identity,
mapping
or
downloaded
credentials
right.
So
fine,
that's,
okay!
I
don't
know,
I
don't
argue
with
that
as
a
potentially
desirable
thing.
My
question
is:
how
do
you
model
that?
B
A
B
I'm
sorry
sid,
I
didn't
mean
there's
no
point
in
having
credential
access.
I
meant
in
a
world
in
a
scenario
where
the
workload
wants
to
access
something
anonymously
right.
So
how
do
we
say
that
I
don't
think
it
makes
sense
to
put
that
particular
access
question
on
the
base
bucket
itself.
It
seems
like
that
really
ought
to
be
an
option
that
can
be
put
in
the
bucket
access
request.
A
B
Yeah
so
so
I
take
your
point
so
so,
let's
look
at
it
this
way.
So
fine
we
want
to
make
this
private
basically
means.
Don't
do
anything
in
this
case
right.
The
three
different
publics
would
reasonably
be
expected
to
then
at
the
time
that
you
are
provisioning
this
bucket
to
set
these
public
access
modes
and
yeah
your
point
being:
is
this
isn't
specific
for
user?
So
it
shouldn't
be
on
bucket
access,
but
that's
fine.
I
get
that,
but
then
what
do
you
do
for
bucket
access
when
you
want
to
access
a
bucket?
B
That
is
a
public
bucket.
How?
In
other
words,
there
has
to
be
an
option
that
says
I'm
going
to
be
accessing
this
bucket.
Give
me
the
end
point
for
it,
but
don't
try
to
give
me
any
credentials
and
don't
try
to
set
up
any
kind
of
workload,
identity,
mapping
or
anything
like
that,
because
I
just
know
that
I'm
going
to
be
able
to
access
it
anonymously.
C
B
Yeah
and
and
further,
I
think
that,
based
on
what
I
the
way,
the
way,
what
that
I
heard
is
that
setting
this
public
read-only
public
right-only
public
read
write
does
have
an
impact
on
the
back
end.
It
is
expected
to
implement
that
on
the
back
end.
So
this
note
here
is
a
little
misleading.
It
isn't
misleading
because
yeah
it
doesn't
impact
apples
or
iam
policies,
but
it
does
move
back
to
back
end.
A
C
A
Yeah
yeah
I'm
going
into
that,
so
okay,
so
about
that,
I
think
I
think
modeling
anonymous
access
is
something
which
might
need
a
I'm,
not
sure
if
we
need
a
longer
discussion,
but
I
think
it's
worth
having
it.
I
think
I
think
this
is
so
so
earlier
we
talked
about
how
you
know
we
were
sure
there
were
going
to
be
some
changes
that
will
come
into
the
cap
even
after
the
cap
goes
through.
A
This
is
the
first
thing
you'll
have
to
address,
and
I
think
this
this
anonymous
access
is
with
the
current
workflow
it'll
still
work
except
you
know
you
will
go
through
the
credentialed
way
of
doing
things.
However,
in
order
to
really
model
anonymous
access,
I
think
I
think
we
can
have
that
discussion
after
the
the
kept
deadline
after
we
go
through
with
the
with
the
cap
process.
A
A
B
A
B
And
then
we're
using
azure
blob
and-
and
I
don't
know
if
there's
a
url
format
for
azure
blob
storage,
but
is
the
protocol
azure
blob
in
that
like
in
the
case
of
gcs,
the
protocol
is
gs
colon
just
like
s3
colon,
so
I'm
wondering
if
there
isn't
an
a
b
colon
or
something
like
that.
I
don't
know
yeah
hey
chris.
Do
you
think
you
could
check
that
out.
C
A
B
Well,
I
can
mention
that,
because
that's
that
is
my
other
one
of
my
other
question
areas.
So
let
me
let
me
up
level
just
one
thing.
As
I
was
reading
the
the
cap,
I
was
very
much
trying
to
put
myself
in
the
position
of
an
app
developer,
trying
to
decide
which
of
these
fields
to
use,
and
I
would
say,
as
a
meta
comment,
it
is
not
always
obvious
why
I
would
use
a
particular
field,
whether
it
was
optional
or
not,
and
what
I
should
supply
to
get.
B
What
behavior-
and
I
know
this
is
an
authorship
issue,
it's
less
of
a
technical
issue,
but
it's
difficult
to
fully
reason
about
things
when
it's
not
super
clear
what
the
intent
is
and-
and
sometimes
I
feel
like-
I'm
not
even
sure
that
keph
itself
has
consistency
of
intent.
The
language
is
a
little
bit
different
in
an
access
versus
you
know
or
the
you
know
the
namespace
versus
non-name
space
or
etc.
A
Yeah,
I
think
you
know
we'll
we
will
have
definitely
have
to
write
good
documentation,
which
is
a
part
of
our
milestone
and
also
the
api
review
process
is
going
to
get
into
all
of
this.
So
I
think
we
we're
we're,
set
up
to
go
through
this
at
a
higher
higher
detail
and-
and
you
know,
get
it
right
so.
B
Basically,
how
you
support
the
various
scenarios,
the
various
scenarios
being
workload,
identity,
a
driverless
kind
of
thing
which
says
hey.
I
got
everything
defined
here.
You
don't
need
to
invoke
a
driver
at
all
and
the
third
being.
I
want
you
to
actually
go
mint.
What
you
need
to
mint
on
the
server
and
give
me
credentials
back
so
the
case
where
you
provide
the
sorry.
Let
me
I
have
to
look
at
the
actual
cap
here
when
you
provide
the
secret.
The
service
account
name
that
I
think
that
that
feels
fairly
clear.
B
B
A
C
C
B
A
The
that's
the
right
answer,
so
I
think
this
has
been
left
over
from
again
from
from
the
previous,
I
think,
yeah
so
yeah.
So
this
is
good.
This
is
how
it
gets
removed.
So
yeah,
I
think
we
can.
We
should
remove
this
field
because
we
added
we
added
the
minted
secret
name
here,
which
is
what
holds
the
actual
secret
and
in
a
static
brown
field
case.
The
admin
would
create
the
bucket
access
with
the
secret
provided
here
not
here.
A
A
B
D
C
But
from
cozy
point
of
view,
guy
we
are
just
going
to
write
to
the
volume
for
the
endpoint
information
and
the
credential
tokens
and
the
and
the
app
will
have
to
consume
those
whether
it
can
use
projected
volume.
I
don't
know
that
concept
exists,
but
I
don't
know
if
that
works
for
csi
driver
volumes
or
not
node.
A
D
A
C
D
A
A
C
C
Are
you
asking
or
he's
telling
jeff
I'm
saying
that's
my
understanding
of
how
it
works,
because
I
wanted
I
I
wanted
to
make
sure
that
we
aren't
cozy,
isn't
creating
or
copying
a
secret
into
the
user
name
space.
It's
not,
and
I
wanted
just
to
make
because
that
one
one
of
these
earlier
iterations
we
were
doing
that
side
and
we're
not
doing
that
got.