►
Description
Kubernetes Storage Special-Interest-Group (SIG) Object Bucket API Standup Meeting - 12 April 2021
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
A
A
A
B
A
B
No
no,
no
like,
because
this
all
affects
the
downward
facing
api
right
like
in
the
mode
where
you're
using
vault,
you
don't
give
the
pod
the
the
secret
key,
the
access
key
and
the
secret
you
instead
give
it
some
pointer
to
a
vault
thing.
Then
that's
what
it
consumes.
So
the
idea
is
if,
if
the,
if
the
pod
or
the
user,
the
workload
asks
for
a
bucket
with
the
s3
plus
vault
protocol,
then
they'll
get
something
different.
When
they're
workloading.
A
A
A
B
A
A
B
If
they
have
a
service
account
that
can
authenticate
to
s3
yeah
aws
that
then
we
can
control
it,
but
but
I
mean
no,
no.
I
think
this
is
important
that
in
the
model
we've
created
with
cozy,
you
don't
have
that
right.
The
only
thing
that
has
that
is
the
cozy
driver,
the
only
thing
the
cozy
driver
delegates
to
the
workload
is
the
access
key
and
the
secret
right,
and
and
because
we
wanted
to
be
in
the
middle
of
this
process
right
if
you
want
to
just
give
the
pod
the.
B
A
We
want
to
manage
bucket
life
cycles.
Your
workload
can
do
it
sharing
everything,
however,
rotation
alone
be
something
workloads
could
do
we.
We
could
say
okay,
so
maybe
we
could
say
whatever
access
token
we
provide
through
cosy
and
I'll.
Tell
you
why
I'm
thinking
like
this
auto
access
token
we
provide
through
cozy
is
only
good
enough.
A
A
B
Yeah,
that's
what
I'm
getting
at
so
like
an
application
to
perform.
This
function
needs
to
know
what
the
provider
is.
It's
no
longer
portable
to
any
s3
implementation
so
like.
If
you
want
this
functionality
like
you're,
stepping
outside
of
cozy
and
basically
saying
you
know
what
I'm
doing
it
all
myself,
because
I
I
know
I'm
talking
to
amazon
or
I
know
I'm
talking
to
google
and.
E
A
E
A
A
A
G
F
A
A
B
C
A
A
F
A
B
B
F
Right,
it
seems
like
you're
saying
that
this
is
a
functionality
that
is
included
within
the
workloads
code,
because
the
sdk
supports
it
right.
Perfect.
No,
that's
good!
It's
a
good
beginning!
I
mean
now
I
understand
more
about
what
you're
saying
so
you're
saying
that
if
I
work
with
this
and
I
configure
it
correctly,
then
I
get
rotation
out
of
the
box
just
using
the
s3
sdk
right
and
then
there's
an
important
reason.
I
brought
it
up.
It's
important
where's
the
policy
by
the
way
when
to
rotate
how
much
to
rotate
whatever.
A
A
A
Have
the
same
concept,
they
have
the
concept
of
you
know
the
expiry.
However,
again
again,
let's
before
we
get
into
this
right,
it
doesn't
matter
I'll.
Tell
you
the
reason
I
brought
up
the
other
one,
it's
because
at
least
it
seems
to
me
and
correct
me.
If
I'm
wrong,
it
seems
to
me
that
the
best
place
to
initiate
the
rotation
is
from
the
workload
side
and
they
don't
have
to
do
it,
but.
A
F
F
B
So
I
like
this
example
because
I
can
see
a
future
where,
if
we
put
the
right
apis
into
cozy,
like
spark
spark
could
develop
the
integration
to
just
talk
to
cozy
and
make
the
right
thing
happen,
exactly
that's
what
I'm
getting
for
yeah,
okay,
yeah
yeah!
So
so
so
I
that's.
What
I
was
going
to
sort
of
push
forward
too.
Is
we
need
some
sort
of
primitive
that
says
like?
I
would
like
to
rotate
my
key
or.
B
E
B
A
A
No,
no,
I
don't
think
so.
I
I'll
tell
you
why
that's
completely
a
function
of
the
driver
and
the
back
end
the
the
provisioning
workflow
and
accessing
workflow,
again,
even
even
the
rotation,
maybe
we
initiate
the
rotation
again
from
cosy.
However,
at
the
end
of
the
day,
you
provide
credentials
the
same
way
and
and
it's
just
the
client
is
configured
to
access
the
back
in
slightly
different
way
and
then
again,
every
client
knows
how
to
work
with
what
single
sign
on
simple
token
server.
This
is
process
currency
and
what
that
is.
F
But
the
question
is:
are
you
saying
that
we
are
going
in
a
path
where
cosi
has
an
sdk
inside
the
workload?
Oh
definitely
right
and
then
and
then
we
can
include
in
there
rotation
or
you
know,
even
even
configurations
which
you
know
come
directly
from
the
driver
or
from
from
through
cozy,
basically
to
the
pod
and
the
sdk
is
the
consumer
of
it
and
not
really
the
the
workload
itself
and.
A
A
A
B
Api
is
defined
in
such
a
way
that
you're
going
to
get
like
a
few
well-known
parameters.
You
know:
here's
the
bucket
name,
here's
the
endpoint
name,
here's
the
here's,
the
access
key,
here's
the
secret;
you
know
yada
yada
down
the
line
and
then
and
then
we
in
the
future.
We
say:
oh
well,
now
now
you're
going
to
use
vault
to
get
your
keys.
A
A
E
B
A
A
B
So
if
I'm
a
kubernetes
admin,
I
have
my
own
instance
of
vault
that
I
am
maintaining
yes
and
that
I
have
pointed
my
cozy
drivers
to
say
use
this
like
so
so
then
the
only
way
that
a
workload
could
ever
find
out
about
it
is
if
we
provided
the
details
to
my
instance
of
vaults
directly
to
the
pod.
Yes,
so
like
these
are.
F
We
can
also
get
the
keys
from
like
to
to
the
volume
I
mean
to
the
pod
from
vault.
If
that's
the
integration
needed,
I
mean,
I
think,
if,
if
we're
trying
to
add
more
plugins
into
into
cozy
this
way
that
it
supports
more
features,
it
doesn't
mean
that
we
have
to
change
the
the
down
downward
facing
api.
It's
just.
B
F
B
I
I
actually
like
all
these.
I
think
this
is
a
great
future
thing
to
add
right.
I
just
want
to
make
sure
that
we
add
it
in
a
way
where,
like,
if
I
wrote
my
let's
say
we
weren't
going
alpha
beta
ga.
Let's
say
we
was
v1,
v2,
v3
and
so
we're
working
on
v1
right
now
and
if
somebody
consumes
v1
and
then
we
add
v2
with
more
stuff
like
there
should
be
a
path
to
basically
say
migration.
I
I
need
v1
support.
A
A
F
F
B
Right
but
but
the
the
the
how
you
do
that
I
mean
this
is
the
handshake
between
kubernetes
and
the
and
the
the
workload
is.
These
are
the
details
you
need
to
talk
to
your
bucket
and
if,
if
we,
if
we
at
some
point
stop,
including
the
access
key
and
secret
key,
instead
give
you
a
pointer
to
a
vault
server
where
you
can
go,
get
them
like
now,
my
application
has
to
change
to
consume
that
so
like
it's.
There.
G
A
B
F
F
I'm
not
saying
like:
no,
you
don't.
No,
you
don't.
You
don't
have
to
why.
It
really
depends
on
how
your
application
consumes
the
key.
Doesn't
the
key
doesn't
can
be
a
file
right
for
that
same
matter,
right
and
vault
is,
is
just
invisible
just
you
just
have
your
file
appear
in
in
the
pod
for
your
workload,
it's
not
that.
F
B
A
B
It
has
no,
but
so
so
this
is
where
I
think
we're
getting
confused
like
there
is
no
kms
in
s3,
like
s3,
is
an
http
protocol
with
some
gets
and
some
puts
and
some
special
headers
and
like
that's
it,
that's
what
s3
is
like
the
moment.
You
say
you
must
talk
to
this
kms
server,
you've
you're,
not
talking
s3
anymore,
you're,
talking
a
new
protocol.
I
see
right
now,
you're
saying
you're
saying
that
we're
actually
enforcing
kms,
even
though
it
didn't.
B
E
A
We've
designed
our
apis,
as
if
you
know
we
talked
about
two
forms
of
authentication,
one
is
tokens,
access,
keys
and
secret
keys,
and
the
other
was
I
am
we
just
kind
of
said.
I
am,
and
it
was
a
black
box
all
this
well
that
that
I
am
what
we
assumed
was
there's
going
to
be
some
way
to
associate
a
particular
part
of
the
particular
service
account
yeah.
That's
where
this
comes
in
we're
associating
a
particular
part
with
a
particular
account
where
you
know
in
in
vault
and
wall.
E
B
B
A
B
B
Say
ldap,
then
you
know
so
so
if
I
write
like
ben's
cozy
implementation,
that
just
does
s3
and
not
vault,
and
you
take
your
workload
that
expects
to
use
vault
and
you
you
create
a
a
bucket
class
that
that
says
that
says
you
know,
use
the
vault
integration
and
then
you
create
a
bucket,
and
then
it
comes
to
my
cozy
driver.
My
cozy
driver
says
I
don't
know
how
to
do
that.
Then
cell
display
all
right.
Okay,.
A
So
so
any
client,
any
client
that
that
runs
in
the
cloud
always
uses
its
credential
chain
rather
than
a
credential
method.
What
that
means
is
it
first
looks
for
environment
variables.
Then
it
looks
for
you
know.
If
it's
running
on
a
particular
cloud
resource
like
ec2
instance
or
rds
or
whatever,
then
it
looks
for
other
forms
of
access
like
credential
files
and
then
and
then
it's
always
a
chain.
It's
never
a
single
methodology.
Unless
you
hard
coded,
like
you,
have
to
go
out
of
your
way
to
make
it
that
way.
A
B
You're
talking
about
the
widely
available
sdks
for
f4
s3,
right
right,
right,
okay,
so,
but
again
like
do
we
want
to
require
somebody
uses
one
of
the
widely
available
sdks
or
do
we
just
want
to
say
we
support
s3
period
with
without
an
sdk,
but
I
get
what
I'm
worried
is
like
we're
slipping
in
secret
requirements
here.
So
let
me
let.
A
F
Requests
the
authentication
of
when
you,
when
you
send
the
request,
you
have
authorization,
header
or
something
like
a
signed,
request
right
and
the
request
is
self
assigned
and
and
then
the
only
connection
that
you
have
in
the
request
itself
is
the
access
key.
Where
you
can,
then
you
know
have
in
your
system
an
iam
to
represent
that
or
use
you
know
any
public
iam
for
that.
But
the
iam
itself
is
not
part
of
s3.
It's
not
needed
to
the
signature
itself,
the
authentication
to
that
specific
identity.
But
that's.
B
A
A
B
B
So
so,
okay,
I'm
good,
but
I
was
going
to
say:
that's
all
that,
like
you
have
to
do
to
to
claim
s3
compatibility.
Anything
else
is
sdk
magic
to
make
your
life
easier,
but,
like
I
didn't
think
we
were
going
to
require
someone
to
have
any
of
that
magic.
I
thought
we
were
just
going
to
say:
look,
these
are
the
basic
inputs.
You
need
to
do
the
s3
thing
and
the
rest
of
it.
You
know
you're
on
your
own.
Okay,.
A
Okay,
I
I
I
like
that
too.
That's
that's!
That's
where
we
we
should
be
so
you
know
we
got
into
kms
just
now,
because
kms
is
something
people
use
and
I'll.
Tell
you
the
real
reason.
People
get
use
camera,
it's
it's
not
for
credential
rotation.
They
use
it
for
encryption,
server,
side,
encryption
and
also
client-side
encryption.
A
So
for
server-side
encryption,
a
client
just
uploads
an
object
as
if
it
doesn't
know
if
there's
encryption
or
not,
but
for
each
object.
The
server
talks
to
the
kms
gets
a
new
key
for
that
object.
So
it's
a
different
key
for
each
object,
gets
a
new
key
uses
that
to
encrypt
and
then
and
then
responds
to
the
client,
saying
it's
written
so
for
the
client
it's
transparent,
but
then,
on
the
server
side,
every
object
is
encrypted.
A
B
A
So
for
server
side
we
don't
do
anything,
it's
it's
completely
transparent
to
the
client.
It
doesn't
even
have
to
know
it's
encrypted
or
not
on
the
other
side,
but
for
client
side.
The
server
doesn't
have
to
know
about
what
for
client
side.
The
client
talks
to
walt
gets
a
key
uses
that
to
encrypt
the
object
and
puts
it
there
so
so
for
this.
A
F
A
E
B
B
B
A
It
needs
to
be
worked
or
agreed,
but
but
even
before
we
go,
I
think
that's
something
that
we
do
post
alpha
in
this.
We
can
start
working
on
now,
but
we
start
implementing
post
alpha,
but
even
before
that
we
have
to.
We
have
to
go
back
to
this
question
of
so
we've
been
talking
about
kms
based
authentication.
A
B
It
but,
but
I
thought
that
the
direction
you
were
going
with
all
of
this
was
that
like,
if
you
want
rotation
the
right
way
to
get
it
is
through
vault
yeah.
That's
that's!
That's
my
inclination
to
be
honest,
yeah
and
then
we
could
say
like
if
you
don't
support
vault
you're,
just
sol,
and
you
know
you
can
have
one
key
and
one
or
one
access
key
and
one
secret
for
the
lifetime
of
your
workload
and
and
that's
it
yeah
and
we
just
don't
offer
rotation
unless
you
go
with
this
better
way.
Yeah
yeah
yeah!
B
B
A
B
Say
yeah,
I
think
we're
agreed
on
that
there's!
No
there's!
No
disagreement
about
that.
The
problem
is,
is
a
cozy
implementer
who
wants
to
write
a
new
driver
for
like
and
and
just
full
disclosure
like,
I
don't
know
what
netapp
does
here.
I
know
netapp
wants
to
have
cozy
drivers.
I
have
no
idea
how
we
do
rotation
but
like
I'm
pretty
sure
that,
like
vault,
doesn't
have
a
negative
native
integration
with
what
netapp's
s3
implementation
right
so
so,
like
I'm
trying
to
figure
out
is
when
netapp
wants
to
write
the
their
s3
compatible.
A
So
you're
saying
we're
hard
coding
it
to
walt
so
rather
than
walt
kms
is
the
actual
integration.
So
I
believe,
there's
a
there's
a
standard
kms
protocol
because
I
know
within
io
we
just
support
kms.
Most
of
the
people
end
up
deploying
vault,
but
our
integration
is
a
kms
api.
I
have
to
find
out
what
it
is.
B
C
B
And
at
that
point
is,
are
we
adding
a
lot
of
value
if,
if
the,
if
the
whole
function
of
the
credential
minting,
has
been
sort
of
off
or
offloaded
onto
the
kms
and
like
what's
what
function
is
cosi?
Providing
at
that
point
it's
it's
saying
I
create
my
bar
and
I
I
get
something
in
response
to
that,
but
like
the
something
I
get
is
just
basically
a
promise
that
I'm
gonna
be
able
to
talk
to
a
kms
to
get
the
actual
key.
F
A
B
But
furthermore,
like
when
the
application
gets
the
keys
like
so
that
the
the
thing
it
gets
it
from
has
to
put
the
keys
on
the
actual
server
or
talk
to
the
actual
server
to
get
the
keys
from
it
to
put
into
the
so
you
mean
the
storage
system,
the
storage
yeah.
The
storage
system
has
to
agree
with
the
kms
on
what
the
key
is,
and
I
don't
know
if
that's
a
push
or
a
poll
or
something
talking
on
the
side
to
both
right
yeah.
So.
H
D
F
A
F
E
B
F
B
H
H
B
A
H
H
H
So
did
this
part
this
part
would
work,
I
mean
in
a
very
straightforward
way,
but
then
who
could?
Who
would
do
the
refresh
yeah?
That's
the
that's
the
point.
The
last
time.
I
don't
know
if
you
were
here,
but
we
discussed
that
probably
those
keys.
They
are
going
to
be
used
for
at
least
one
day
or
a
couple
of
hours
one
day,
one
week
month
and
designing
a
system
which
basically
refreshes
keys
every
minute,
and
so
I
think
it's
not
the
goal
so
ideally
yeah
good.
H
I
mean
I
I
I
may
be
wrong,
but
ideally
you
would
typically
in
your
deployment
file.
You
would
say
I
need
a
key
for
one
month,
because
I
got
a
project
like
a
big
data
project
for
one
month
and
please
give
me
so
the
three
players
access
key,
so
the
secret
key
token
or
whatever
equivalent
in
the
cloud.
You
use
the
system.
H
A
A
So
the
sdk-
you
you
when
you,
when
you
start
you
you
in
your
credential
chain.
You'll
also
put
you
know,
sts
session
credentials
provided
along
with
the
other.
Whatever
you
have,
and
then
you
when
you,
when
you
call
that
credentials
provider
you
also
set
default
duration
seconds
or
how
long
this
is
supposed
to
be
active
and
based
on
whatever
you've
said,
it'll
automatically
go
refresh.
It.
H
No
because
this
is
this
is
a
cooked.
You
know
it's
not
really
a
native
the
truth
is
you
can't
really
refresh
it
yeah?
No,
but
it's
it's
some
convenience
code.
That
does
it
in
your
back.
I
see,
but
in
fact
the
only
way
to
refresh
is
to
generate
a
new
one
right,
but
you
you'll
find,
for
instance,
in
some
python
libraries
and
stuff
like
convenience
code,
to
do
that
in
your
back
for
you
transparently
right,
but
in
fact
you
can
I'm
pretty
sure
you
cannot
refresh
your
token.
H
F
B
H
A
Yeah
yeah,
so
so
let
me
ask
you
this.
So
if
I
have
access
key
and
secret
key,
so
this
is
the
photo
class
you're
talking
about
this
is
the
go
to
class,
so
you
can
use
the
access
key
secret
key
to
create
a
token
and
you
set
the
expiry
expiry
time
on
it
and
and
the
bottles
client,
so
it
uses
the
assume
roll
request.
So
what
is
the
assume
rule
request.
H
Instead
of
giving
you
static
credentials
to
to
perform
action
policies,
you
simply
establish
a
trust
relationship.
So
we
trust
you
enough
to
recognize
you
and
we
give
you
a
temporary
policy
to
perform
the
actions,
but
it's
potentially
be
revoked,
especially
the
action
policy
changes
over
time
or,
if
you're,
not
part
of
the
organization
again
so
the
first
time
you
call
assume
role,
you
come
with
your
actual
existing
credentials,
your
static
access
key
or
it
may
also
come
from
a
third
party,
so
typically
a
summer
or
oigc
or
another
level
of
trust
establishment.
H
F
H
H
B
How
does
it
work
within
without
the
extension
and
then
what
additional
requirements
are?
Are
there
if
you
want
to
support
this
extension
and
are
those
reasonable
requirements
to
impose
on
you
know,
on
applications
and
on
storage
systems
and
on
drivers,
and
you
know
all
the
different
layers
so
so
we
should
have
a
specific
discussion
about
this
particular
extension,
but
I
don't
want
to
tangle
up
the
basic
you
know:
how
do
we
do
bars
and
bas
with
with
this
necessarily.
F
B
I,
like
the
idea
of
the
cozy
driver,
actually
doing
all
of
this.
This
light,
this
heavy
lifting
and
refreshing
your
keys
and
just
having
a
way
for
the
containers
to
know
that,
when
it's
time
for
them
to
go
reload
their
credentials.
This
is
this
is
where
this
is
the
time
stamp,
and-
and
this
is
the
experience
you
just
reload
when
the
timestamp
expires,
and
that
would
be
another
way
to
do
it.
I.
H
F
B
F
B
Why
I
thought
maybe
bas
were
right
once
kind
of
objects
where
you
you
populate
them,
and
then
you
can't
change
them,
because
that's
how
a
lot
of
things
are.
If
the
intention
is
bas
or
right,
many
or
you
can
write
to
them
and
then
write
to
them
and
write
to
them
and
every
time
you
write
to
them
the
the
note
adapter
reads
it
and
updates
everything
that
needs
to
be
updated.
Maybe
that's
a
working
model
and
I
like
that,
if.