►
Description
Meeting of Kubernetes Storage Special-Interest-Group (SIG) Object Bucket Provisioning Review - 06 August 2020
Meeting Notes/Agenda: -
https://docs.google.com/document/d/1KTh1y9klby64t7btNULtxLWDkRC9SAWE-SZnJeFZqug/edit?pli=1#heading=h.5xeufhnfakeh
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
A
That,
just
as
a
quick
brief
introduction,
this
is
sort
of
our
third
focused
review
meeting
where
we're
seeking
approval
of
the
cap
get
it
merged,
get
to
the
opportunity
to
use
the
official
repos
for
the
prototyping
and
and
and
and
future
code.
The
kep
is
big
and
it's
long,
it's
difficult
to
go
through
it
all.
In
a
meeting.
A
C
C
Main
thing
is,
I
think,
in
order
to
give
a
high
level
complete
picture
of
what
this
proposal
is
doing
from
the
perspective
of
one,
the
user,
that's
going
to
consume
it
and
to
the
vendor,
that's
going
to
write
the
driver
for
it.
One
of
the
things
we
I
felt
like
it
was
hard
to
cover
last
time
was
the
grpc
spec,
which
is
the
contract
between
the
vendor
and
kubernetes
bucket
apis.
E
C
Okay,
so
I'm
I'm
going
to
start
out
this
slide
that
really
really
in
a
basic
way
quickly,
we'll
jump
into
the
details
I've
taken
for
for
explaining
some
of
the
workflows.
I've
taken
the
simplest,
successful
use
case
and
and
gone
forward
at
that.
You'll
you'll
see
it
shortly,
so
so
we're
defining
a
new
standard,
I'm
starting
with
the
absolute
basics,
just
like
the
definition
for
anyone
that
wasn't
a
part
of
this
all
these
months.
C
Just
so
just
so,
we
clearly
explain
what
you're
doing
it's
a
standard
for
consuming
object,
storage
and
kubernetes.
It's
basically
like
csi
is
a
standard
for
file
and
blocks
we're
creating
a
new
one
for
object,
storage,
we're
calling
it
container
object,
storage
interface,
cos
si
or
cosy
yeah,
and
just
to
reiterate
what
object
storage
is
I'm
sure
we
all
know
what
this
is
it.
C
C
C
Now
this
resource
has
fields
required
to
request
a
bucket
in
the
back
end
as
a
name.
It
belongs
to
a
certain
namespace,
whichever
the
user
is
originating,
the
request
from
and
our
namespace
the
user
has
access
to
a
protocol
which
says
what
kind
of
object
storage
protocol
do.
I
expect
about
bucket
prefix
some
form
of
prefix
to
say
this
is
how
I
want
the
bucket
name
to
start
and
a
bucket
class
name.
C
I've.
I've
created
a
dummy
kind
of
use
case
where
the
name
of
the
bucket
or
the
name
of
this
request
is
something
called
profile.
Pictures
under
the
namespace
profiles
and
the
bucket
class
name
is
write
one's
readmany
to
to
explain
a
scenario
where
you
create
profile
pictures.
You
read
them
many
times.
C
Then
we
have
something
called
this:
the
anonymous
access
mode,
which
sets
the
access
policy
on
the
bucket
itself.
A
bucket
can
be
either
a
public
worker,
so
everyone
can
read
and
write
or
read
only
bucket
self
explanatory
read,
write
or
private
where
by
default
nobody
gets
access
to
it
unless
access
is
explicitly
granted
to
it.
C
A
release
policy
says
what
should
be
done
with
the
data
in
the
bucket
after
this
bucket
is
deleted
from
kubernetes,
not
the
back
end.
Just
kubernetes
allowed
namespaces
is
the
list
of
namespaces
kubernetes
namespaces.
We
want
this
bucket
to
be
provided
to
so
when
requesting
the
bucket
so
say
for
in
this
example,
a
profile
picture
bucket
would
ideally
only
be
relevant
in
this
made-up
scenario,
say
it's
only
relevant
for
teams
that
work
with
profiles,
and
let's
say
they-
they
use
an
install
profiles,
and
so
you
set
the
allowed
namespaces
to
this.
C
I
was
yeah,
I
I
thought
the
same
as
well,
I'm
explaining
it
exactly
as
we've
we've
put
in
the
cap.
One
of
the
reasons
being
I
I
came
in
kind
of
midway
so
in,
but
I
completely
agree
with
you.
It
should
be
just
the
name
and
if
someone
does
do
that,
where
they
delete
the
namespace
and
bring
it
back
in,
it
should
apply
to
the
new
one.
So.
A
E
Right
in
general,
that's
what
we
care
about
in
kubernetes,
there's
very
few
cases
where
we
actually
care
about
the
uid
where
we
care
about
the
uid
is
things
like
the
persistent
volume
claim
and
persistent
volume
objects
where
the
specific
instance
actually
matters,
but
outside
of
that,
it's
generally
the
name.
That's.
A
D
C
Yep,
okay,
yeah,
so
parameters
here
is
a
generic
map
string
string
structure
that
lets
a
cloud
provide
a
vendor
specific
parameters
to
pass
be
passed
in.
In
this
case.
I've
just
set
the
region,
however,
like
if
you
look
at
gcs,
there's
a
project
id
and
or
azure
has
a
project
id
and
another
container
name.
C
G
C
But
yes,
the
original
intention
was
here
that
we
have
a
list
of
allowed
namespaces.
The
idea
was
only
the
namespaces
that
we've
deemed
as
safe
for
you
know
safe
for
providing
access
to
this
bucket,
or
these
classes
of
buckets
should
be
allowed
to
do
them
should
be
allowed
to
access
them.
However,
our
concern
was
if
we
set
the
allowed
namespaces
to
a
bunch
of
namespaces
and
someone
goes
ahead
and
deletes
those
and
recreates
a
new
one
with
new
credentials.
They
shouldn't
be
allowed
access
to
these
buckets.
C
C
Yeah,
I
think
we
can
correct
that
in
the
documentation
for
sure
we
can.
We
can
add
a
statement
clearly
saying
how
we're
going
to
represent
this
we're
going
to
move
forward
with
this.
Thank
you
for
your
patience
here.
Oh
absolutely,
no
worries
so
so
earlier.
We
saw
how
the
user
admin
communicates
cozy
once
the
bucket
requests
and
bucket
class
are
provided
to
the
system,
because
it
goes
ahead
and
processes
it
before
translating
it
to
a
request
that
the
backend
understands
and
what
it
does
is
it
takes
the
bucket
request,
object.
C
I've
just
put
the
relevant
fields
here
and
then
it
takes
the
bucket
class
object
again
put
the
relevant
fields
here.
Basically,
all
the
fields
and
respect
for
both
of
them
and
I've
marked
the
bucket
class
fields
with
orange
and
bucket
requests
in
green
and
my
my
mouse
scroll
bar
is
super
sensitive
and
I
don't
know
how
to
fix
it.
It's
the
apple
magic
mouse.
I'm
just
going
to
go
ahead
with
this,
so
the
bucket
object
is
created
by
the
system.
C
C
The
release
policy
is
from
bucket
class
anonymous
access,
modbus
class
again
there's
a
bindings
field
we'll
get
into
it.
In
a
few
slides
allowed.
Namespaces
remove
the
uid
parameters
comes
from
the
class,
and
the
protocol
structure
generates
a
bucket
name
based
on
the
prefix.
That's
provided
and
adds,
as
you
ready
to
it,
and
then,
when
it,
when
it
first
gets
created
the
status
of
the
bucket.
C
E
I
know
we
talked
about
the
using
conditions,
but
instead
of
conditions
we
may
want
to
just
use
boolean
values
here
things
like
bucket
ready
and
then
you
could
add
additional
booleans
in
the
future
for
any
other
kind
of
binary
state
that
you
want
to
add.
As
long
as
it
doesn't
invalidate
the
previous
state.
C
E
C
E
C
Yeah
I'll
go
with
them:
jeff,
okay,
thanks
yeah
yeah,
all
right.
So
so
we
saw
what
cosy
did
so.
It
takes
the
bucket
request
in
the
bucket
class
and
creates
he
creates
a
bucket
object.
Now,
then,
the
bucket
object
is
passed
along
to
the
vendor
side
of
the
the
back
end
or
vendor
side
of
the
system
where
we
use
a
grpc
protocol.
C
The
grp
pc
protocol
defines
a
contract
between
cosy
and
the
vendor
library
of
the
vendor
driver
or
the
provisioner,
and
here's
what
the
protocol
looks
like
and-
and
these
are
the
fields
that
that
driver
requires
to
go
ahead
and
create
a
bucket
in
the
back
end.
So
it
needs
a
bucket
name
needs
a
bucket
context
for
different
cloud
providers.
E
C
C
So
the
fields
for
you
know
filling
in
these
fields.
For
the
example
we
just
showed.
The
bucket
name
is
the
auto
generator
one
profile:
pics
dash,
uuid
bucket
context,
parameters,
region,
usc,
spawn
and
then
the
anonymous
bucket
access
mode
set
to
private,
which
is
what
we
wanted
in
the
bucket
object.
B
B
C
Yeah
back
in
that
that
advertises
the
specific
provisioner
comes
into
existence.
Yes,
okay,
good
and
the
response,
if
everything
is
successful,
is
an
empty
response.
If
there
is
an
error,
there's
a
separate
error
channel
in
the
rpc,
along
which
an
error
would
be
passed,
I'm
going
to
go
ahead
without
going
into
the
errors.
Since
I'm
only
explaining
the
easiest
simplest
successful
case
here,
we
will
get
into
the
errors
as
the
second
step
of
this
presentation,
but
for
now
we'll
move
forward
with
the
provisioning.
I
B
Okay,
so
that
was
that
was
the
question
that
I
had.
If
my
provisioner
takes
10
minutes
to
set
everything
up,
will
the
grpc
call
just
be
left
open
for
10
minutes,
or
will
the
gp
rpc
call
return
immediately
and
then
there's
some
other
indications,
some
asynchronous
indication
that
then
triggers
the
bucket
available
being
changed
to
status.
C
Oh
that
way,
so
the
grpc
request
has
a
timeout.
So
let's
assume
that
the
timeout
expires,
how
much
every
time
it
takes
to
create
the
bucket
is
longer
than
the
timeout.
Then
another
status
is
returned
and
a
bucket
available
is,
you
know,
continues
to
be
false,
but
then
we
keep
retrying.
So
when
error
status
occurs,
we
push
the
request
to
the
back
of
the
queue
and
the
queue
of
requests
that
need
to
be
served
and
when
it
gets
retriggered
again
say
the
bucket
is
created.
B
E
B
A
Yeah-
and
you
know
david-
it's
a
good
point-
you
brought
it
because
the
bucket
name
can
be
the
same
for
different
requests.
There
could
be
a
green
field
request
and
right
behind
it,
a
brownfield
request
and
they're
both
the
same
bucket
name,
right
and
they're,
trying
to
do
green
to
brown
and
and
so
a
driver
could
get
the
same
bucket
name
provisioning.
The
bucket
food
takes
a
long
time.
You
can
get
food
coming
back
again,
but
this
time
it's
a
brownfield
request
to
food
right
yeah
we
do
have
to
handle
that.
C
So
yeah
at
this
point
is
where
provisioning
ends.
Provisioning
is
strictly
creating
the
bucket
loan.
You
know
in
case
it
doesn't
exist
and-
and
that's
the
simple
use
case,
if
shown
here
and
at
this
point
provisioning
ends
and
and
any
application
or
any
user
that
wants
to
consume.
This
bucket
has
to
first
request
for
access
to
this.
C
With
the
second
workflow,
the
grant
access
workflow,
I
can
hear
someone's
background
noise,
okay,
so
the
grand
access
workflow
and
this
in
in
in
for
this
workflow
there's
a
there's,
an
additional
component,
which
is
the
application
that's
going
to
consume
this
bucket
once
it's
granted
access
so
just
shown
in
the
arrows
here.
The
user
talks
to
cosy
to
request
a
request,
access
for
an
application,
cosy
talks,
the
back
end
gets
the
access
and
then
from
the
back
end
it
it
takes
the
credentials
and
gives
it
to
the
application.
B
C
C
C
B
C
C
C
B
Oh,
I
thought
we
have
a
single
layer
of
abstraction.
The
bucket
name
is
a
protocol
specific
construct
with
respect
to
the
kubernetes
environment.
You
wouldn't
ever
refer
to
bucket
name
directly.
You'd
refer
to
this
other
name
that
you
used
to
access
it.
Is
that
correct
summary:
when
you
mean
other
name,
you
mean
the
one:
that's
not
shown
in
the
bucket
request
that
you
were
just
alluding
to.
C
B
C
B
I
C
B
I
C
C
C
A
G
E
E
E
D
A
F
E
C
In
this
case,
I've
written
out
a
spec
access
control
spec
for
aws
s3,
where
you
can
write
and
read
so
put
object
and
get
object
are
allowed
and
everything
else
is
denied.
So
this
is
right
once
read
many
times,
which
is
right
once
read.
Many
is,
is
the
access
control
we
wanted
to
provide
for
this
bucket.
Based
on
the
example
I
explained
and
yeah.
This
is
the.
E
C
Should
we
make
it
an
opaque
string,
yeah,
I'm
actually,
so
again
we
had
a
conversation
about
this
jeff
ion
string.
Yesterday,
however,
again
we
wanted
to
make
sure
that
when
we
bring
about
changes,
we
want
to
include
everyone.
I
think
that's
a
valid
suggestion
and
yeah
it's
something
we
can
add
yeah,
so
that.
E
L
C
C
M
The
problem
is:
is
that
the
identity
you're
mapped
to
on
the
server
you
might
map
to
that
identity
from
several
places,
and
so
therefore,
theoretically
from
those
different
places,
you
could
also
all
access
the
same
brownfield
bucket
and
I'm
trying
to
figure
out.
If
I'm
talking
myself
into
a
hole
here.
M
So
so
I
I
guess
yeah
so
this
this
is.
This
makes
the
assumption
that
a
particular
bucket
access
can
be
uniquely
crafted
at
this
point
and
that
if
you
therefore
have
multiple
cases
of
that
user
trying
to
access
that
bucket,
that's
kind
of
its
own
problem-
and
I
guess
there's
no
way
around
that
and
it
doesn't
matter
that
these
policy
actions-
I
don't
think
make
that
problem
worse.
F
M
M
But
in
the
case
where
you're
doing
a
service
account
mapping,
there
is
no
longer
a
guarantee
that
every
single
access
is
uniquely
minted
right.
It
could
be
that
oh,
the
access
is
already
defined
there,
or
at
least
the
user
is
already
defined
there.
So
I'm
not
minting
a
new
user
on
the
other
end,
but
what
it
implies
is
that
if
I
craft
multiple
cases,
even
different
clusters,
same
cluster
whatever,
where
I'm
asking
for
the
same
service
account
to
have
access
to
the
same
bucket,
I
can
have
conflicting
permissions.
L
K
B
M
I
mean
the
new
user
approach
makes
sense
if
you're
doing
the
sort
of
credential
minting,
but
if
you're
not
using
a
credential
minting.
If
you're
using
the
gcp
or
amazon
approach
of
doing
service
account
mapping,
then
the
credentials
are
already
known.
The
users
on
both
sides
are
known.
The
only
thing
that
you're
minting
is
the
particular
access
and,
but
even
then,
if
that
access,
if
an
access
binding,
already
exists
for
that
user.
M
F
M
M
So
there's
a
couple
of
of
scenarios
right,
so
one
of
the
possible
scenarios
is
that
I
am
crafting
the
complete
access
out
of
band
right,
so
I've
I've.
I've
got
a
service
account
on
the
on
the
cloud
side
that
I've
created.
I've
set
up
roles
for
that,
so
I've
got
all
of
my
permission
in
place.
For
that
account
to
get
to
that
object.
M
Then
I
then
I
set
up
a
workload,
identity
or
the
equivalent
aws
to
map
a
kubernetes
service
account
to
that,
in
which
case
there
is
really
nothing
for
a
driver
to
do
potentially
right.
One
possibility
is
the
driver,
could
just
say:
oh
it's
already
there
and
that
I
I
don't
think
you
would
necessarily
want
that
to
be
an
error.
A
L
M
Sure
I'm
just
suggesting
a
a
mode,
and
this
gets
back
to
the
whole
problem
of
sort
of
greenfield
versus
brownfield
right
in
greenfield.
You
really
want
to
automate
all
of
it.
You
want
to
automate
bucket
creation.
You
want
to
automate
if
necessary,
service
account
minting.
You
want
to
automate
credential
minting.
M
You
want
to
automate
passing
the
credentials
into
into
the
the
client
side
into
the
app,
but
all
that
stuff
you
may
have
to
support
kind
of
from
scratch
and
then
there's
various
modes
on
top
of
that,
like
workload,
identity
or
the
equivalent,
where
I'm
not
minting
service
accounts,
but
I
may
be
minting
just
credentials,
but
then
you
could
even
say
I'm
not
minting
service
account
or
credentials.
I'm
just.
M
M
It's
just
one
of
the
things
we
got
to
do
is
to
say
something
in
a
bucket
access
class
or
something
that
says:
hey,
I'm
expecting
this
to
have
already
been
handled
or
overwrite
on
you
know
or
don't
override,
or
you
know
what
I
mean
some
kind
of
of
deconfliction
policy
statement
at
the
class
level.
I
think,
does
it.
D
K
M
L
For
me,
you
know
that
that
that
that
corresponds
to
the
policy
right,
so
that
I
can
I
can
you
know
I
can
I
can
craft
this,
this
bucket
access
class,
cr
or
whatever,
and
and
it
you
know,
if
it's
minting,
if
it's
minting
something
new
it
it.
You
know
it,
it
creates
the
the
I
am
roll
or
whatever
it
was
necessary.
That
would
be
mapped
in
here.
I'm
not
sure.
Maybe
not.
I
don't
know.
M
M
Do
you
reject
something
whose
policy
actions
don't
match?
What
you
currently
have,
I
mean
that's
a
possibility,
and
then,
if
you
don't
provide
these
policy
actions
at
all,
then
effectively
you're
making
some
statement
about
then
right
I
mean
I,
I
think,
with
just
a
little
bit
of
fleshing
out
yeah.
We
could.
We
could
come
up
with
something
reasonable
here
that
that
isn't
dangerous.
L
I
I
mean
it,
it
might
be
as
simple
as
just
if
it's,
if
we're
minting
something
new,
then
then
you
can
impart
policy
and
you
create
a
new
iam
that
only
like
a
new
iam
user
that
only
kubernetes
can
only
this
specific
kubernetes
can
use
and
then
basically
then
you
know
that
particular
kubernetes
is
the
only
one.
That's
going
to
be
able
to
update
that
policy
object
and-
and
you
could
you
know
you,
could
you
could
share
that
with
you?
Could
you
could
also
share
that
bucket
with
with
the
application
user?
F
M
What
I
imagine
is
several
levels
of
action
you
might
take
in
response
to
a
bucket
class
right.
One
action
is
and-
and
I'm
going
to
use,
I'm
going
to
try
to
use
generic
terminology
and-
and-
and
you
know,
hopefully
it
ports
to
the
different
platforms.
So
one
action
is
I'm
going
to
mint
a
user
in
response
to
this.
M
M
I
M
C
F
C
I
want
to
finish
this
and
you
know,
come
to
a
just
get
through
this.
To
be
honest,
there's
only
like
two
or
three
slides
left
and
I
think
it'll
paint
a
picture
of
what
the
response
looks
like
and
then
that'll
give
us
more
context
after
after
you
know
we
go
through
and
make
this
bucket
access
request
call.
C
So
I'm
going
to
quickly
just
go
through
this,
and
so
that
we
have
a
picture
of
everything.
That's
going
on
so
with
this
flawed
model.
Okay,
so
so
you
have
to
use
an
admin
request.
Cozy
cozy
goes
and
creates
a
bucket
access,
object,
copies
over
fields,
and
then
it
goes
ahead
and
calls
the
back
end
call
this
parameters
again
bucket
name.
So
here
we
have
something
called
as
a
principle,
which
is
what
I
want
to
introduce
you
to.
C
C
So
access
policy
is
a
direct
copy
of
whatever
is
then
the
bucket
access
class
bucket
context
is
again
a
copy
of.
What's
in
the
parameters
and
the
name
we've
said,
we've
set
the
principle
empty
in
this
case,
and
the
response
is
creates
a
new
user
gives
that
as
the
principle
so
far,
what
we
start
is
the
credentials
file,
content
and
credential
file
path
will
decide
how
this
access
is
provided
to
the
application.
In
case
it's
minted
credentials
in
case
it's
a
service
account.
C
C
B
C
A
E
E
I
think
it's
close,
but
we
need
to
probably
go
through
the
flows
for
both
a
service
account
that
already
exists
using
workload,
identity
and
minting
a
new
service
account
walk
through
both
of
those
flows
just
to
make
sure
that
they're
handled
properly,
and
then
I
think
the
third
thing
we
need
to
walk
through
is
the
binding
logic,
because
that
will
be
that's
going
to
be
crazy
here,
because
we're
proposing
something
completely
new,
which
is
a
many
to
one
binding.
So
I
want
to
make
sure
we
review
that
as
well.
J
Yeah
yeah
I'll
just
echo
that
that
I
think
these
these
review
meetings
are
extremely
productive
and
we
should
keep
going
as
long
as
people
keep
having
questions
and-
and
I
don't-
I
don't
see
any
reason
to
hurry
towards
having
it
be
done.
I
mean
if
there
is
a
a
reason
like
a
deadline
we
have
in
mind.
Maybe
we
want
to
go
faster,
like
we
should
just
schedule
more
time
per
week
to
do
these
kinds
of
meetings
two
hours
three
hours
whatever
it
takes,
but
we
should
take
the
time.
C
A
Storage,
you
know
ben
you
mentioned
urgency
and
I
agree
we
want
to
get
it
right.
I
mean
there's
no
point
in
rushing
and
and
getting
it
wrong,
but
what
what
I'm
thinking
is
that
if
we
get
this
pr
merged,
we
can
start
using
official
repos
and
we
can
get
some
prototype.
You
know
pre-pre
pre-alpha
code
out
there
and
start
using
it,
and
I
think
when
you
have
it
in
your
hands
and
you're
using
and
you're
trying
to
write
a
driver,
things
are
going
to
come
up
that
we
aren't.
We
may
not
just
discover.
J
C
True,
we
can
work
on
our
own
repositories.
Code
yeah.
I
don't
think
I
don't
think
we're
really
gated
on
having
this
merged
before
we
can
start
writing
code,
but
I
think,
having
you
know
it
be
more
official,
would
would
certainly
not
hurt
us
anyways.
So
I
think
I
think
the
the
next
step
is
really
to
get
nailed
the
design
of
the
bucket
access
pipes
and
then
yeah,
hopefully
I'll
see
you
all
on
monday
at
11.