►
From YouTube: Kubernetes SIG Storage - bi-weekly meeting 20210422
Description
Kubernetes Storage Special-Interest-Group (SIG) bi-weekly meeting - 22 April 2021
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
Moderator: Xing Yang (VMware)
A
A
B
All
right,
so
let
me
just
give
a
bit
of
a
a
bit
of
background
for
folks
who
don't
know
what
we're
talking
about
here
so
today
the
standard
way
of
limiting
limiting
pod
permissions
is
through
pod
security
policy,
but
starting
in
121
we've
deprecated
pod
security
policy.
We
sort
of
have
known
this
was
coming
for
a
long
time,
but
didn't
have
a
good
path
forward.
So
we
were
waiting
off
on
that.
B
So
pod
security
policy
is
deprecated
in
121
and
we'll
be
removing
it
in
125.,
so
we've
been
discussing.
Actually
let
me
switch
over
to
the
cap
been
discussing
for
a
while
what
the
best
way
to
replace
it
is,
and
we've
come
up
with
this
proposal.
That's
based
on
these
pod
security
standards
that
we
have
documented
here
and
one
of
the
key
differences
between
this
new
proposal
that
we're
hoping
will
replace
pod
security
policy
and
the
previous
pod
security
policy
is
pod.
B
So
some
things
like
a
privileged
container
is
clearly
more
privileged,
so
we
disallow
it,
but
when
it
comes
to
volumes
which
is
actually
what
we're
talking
about
today,
we
allow
all
volumes
under
baseline,
except
for
host
path
volumes,
which
we
completely
forbid
and
then
the
restricted
profiles.
The
third
one
is
much
more
heavily
restricted
and
follows
what
we
consider
to
be
best
practices.
B
We
require
the
secomp
profile
default
second
profile,
which
I
wish
was
enabled
in
baseline,
but
since
it's
not,
we
enable
it
and
restricted,
and
then
notably,
we
are
much
more
restrictive
of
volume.
Types
and
the
philosophy
of
the
volume
types
was
sort
of
for
persistent
volumes.
Rather
than
using
the
built-in
inline
volumes.
Persistent
volumes
should
be
going
through
the
persistent
volume
and
persistent
volume
claim
features.
B
B
So
so
the
the
way
the
the
new
policy
is
bound
is
through
a
label
on
the
namespace.
Let
me
just
pull
that
up
here,
yeah.
So,
basically,
we
put
a
label
on
the
namespace
that
says
what
privilege
level
the
namespace
should
run
as
so,
we
would
have
something
like
pod
isolation
policy,
slash,
allow
restricted
or
or
baseline,
and
this
is
yeah,
so
this
is
label
on
namespace
and
applies
to
all
pods
in
the
name
space,
with
with
some
exceptions
through
another
api.
E
B
Yeah
definitely
so,
if
so,
the
way
mission
control
typically
works
is
each
admission.
Controller
can
say
kind
of
no
opinion
or
deny
so
once
one
admission
controller
rejects
the
request,
then
that
read
kind
of
rejects
it
flat
out.
So
if
you
want
to
layer
on
additional
restrictions
beyond
what's
here,
then
it's
easy
to
kind
of
have
this
work
in
parallel
with
a
custom
admission
plugin.
F
I
know
that
there
are
csi
drivers
being
implemented
for
many
of
those
persistent
disk
types
and
we
weren't
sure.
If,
if
we
allowed
pods
to
use
the
csi
volume
source,
could
they
effectively
make
use
of
the
persistent
disk
implementations
csi
drivers
like?
Could
they
could
they
create
a
gce,
persistent
disk
or
a
azure
file,
persistent
disk
via
the
csi
volume
source,
or
does
that
only
allow
using
ephemeral,
csi
drivers.
E
E
Of
it
and
I
think
for
the
most
part,
we
have
tried
to
sort
of
encourage
the
use
of
this
for
ephemeral,
use
cases
and
discourage
the
use
of
this
feature
for
persistent
use
cases.
But
you
know,
I
think
some
drivers
may
have
already
decided
to
go
ahead
and
implement
the
persistent
case
using
this
api,
even
though
it
wasn't
really
the
intended
option.
E
F
E
F
E
G
G
C
F
E
B
G
F
Is
like
is
it?
Is
it
generally
reasonable
to
say,
restricted,
pods
can
use
ephemeral
volumes
and,
if
you're
going
to
deploy
an
ephemeral,
csi
driver
that
is
unsafe,
then
you
need
to
restrict
that
restrict
use
of
that
by
quota
or
by
custom
admission
like
I'm
trying
to
think
if
there
are
other
equivalent
things
on
a
restricted
pod.
F
That
would
open
holes
that
someone
might
an
admin
might
not
realize
exist
like
even
even
the
new
ephemeral
volume
type
in
the
pod
you're
you're
limited
to
things
that
you
can
express
on
a
persistent
volume
claim.
So
you
don't
have
that,
like
full
control
over
volume,
attributes
that
you
do
under
csi.
G
B
F
E
G
E
B
B
The
next
option
is
to
basically
say
that's
the
default,
but
provide
some
sort
of
escape
hatch
or
configuration
mechanism,
either
statically
configured
or
through
the
the
object
that
you
just
mentioned
to
say
like
well.
We
say
this
volume
is
safe,
so
allow
this
one
kind
of
an
allow
list
approach,
the
other.
H
F
G
E
E
F
E
Yeah,
so
I
guess
to
use
this
feature,
someone
needs
to
install
csi
driver
that
supports
it.
They
also
need
to
set
the
field
in
the
csi
driver
object,
which
is
a
non-namespace
object,
so
they
already
need
some
sort
of
higher
permissions
to
be
able
to
enable
this
to
be
able
to
enable
these
kinds
of
csi
drivers
in
the
cluster.
B
I
E
I
I
J
F
Since
baseline
allows
csi,
I
think
going
back
to
tim's
point.
If
you
have
an
ephemeral,
csi
driver
that
is
exposing
like
behavior,
you
would
consider
unsafe
or
escalating
like
host
path,
or
you
know,
consuming
volume,
attributes
that,
like
give
you
direct
control
over
like
kernel
parameters
or
some
something
like
really
significantly
escalating,
I
think
you
would
not
want
that
ephemeral
driver
accessible
or
you
would
want
to
protect
it,
but
with
quota
or
ignition.
F
B
I
think
I'm
leaning
towards
just
allowing
csi
drivers
for
restricted
and
basically
solving
this
through
documentation
on
the
kind
of
pod
security
side.
We
would
say
you
know
if
you
have
an
unsafe
csi
driver,
then
we
recommend
either
disabling
inline
definitions
or
adding
an
admission
control
and
then
maybe
on
the
csi
documentation
side,
we
could
say
we
recommend
only
using
the
inline
only
enabling
inline
volumes
for
things
that
should
be
safe
to
restricted
users.
F
This
was
one
of
the
options
we
were
considering,
and
I
am
not
a
fan
of
that,
because
it
makes
evaluation
of
a
policy
against
a
given
pod.
Spec
stateful
like
it,
if
you
say,
does
restricted,
allow
this
pod
spec
right
now.
We
don't
need
any
other
cluster
state
to
answer
that
question,
but
as
soon
as
you
make
it
configurable
per
driver
via
the
api.
Now
you
need
to
like
the
question
it
depends
like
it
depends
on
which
cluster
you're
in.
F
Yeah,
so
if
allowing
if
you're
talking
about
policy
level
like
what
pod
specs
are
allowed,
does
anything
prevent
creation
of
a
pod
that
has
a
csi
driver
that
references,
a
driver
name?
That
is
not
that
does
not
exist
or
is
not
ephemeral,
or
is
that
a
runtime
like
it
lets
me
create
the
pod
and
then
when
it
goes
and
gets
scheduled,
and
then
the
cube
tries
to
do
stuff
with
it?
At
that
point
it
I
think
it's
one.
G
F
H
F
Yeah,
a
given
driver
that
says
it
supports
a
thermal
mode,
could
always
be
buggy
or
could
like
I'm
not
as
concerned
about
that.
I'm
mostly
concerned
about
whether
whether
the
known
csi
drivers
for
the
existing
entry,
inline
types
are
saying
they
support
a
female
mode
or
not.
That's
one
question
and
then
whether
it's
reasonable
to
say,
if
you're
going
to
deploy
ephemeral,
csr
drivers
that
are
unsafe
or
allow
like
escalation
like
it's
your
job
to
protect
against
pods
using.
F
A
E
F
B
K
I
I
A
A
Through
okay,
all
right
all
right,
so
this
is
our
pluniche
yeah.
So
I
think,
as
I
said,
you
copied
this
one
from
the
1.21,
so
we
start
with
this.
So
basically
we
will
continue
the
the
items
that
we
didn't
finish
in
in
1.21
and
then,
if
there
are
anything
new
that
are
not
included
here,
you
can
feel
free
to
add
on
this
spreadsheet
so
just
to
go
over
this.
Let's
see
how
much
we
can
we
can
cover
and
then
we'll
continue
the
next
meeting.
A
I
A
I
H
H
A
A
A
G
M
A
N
Yeah,
so
for
this
one
for
the
one
pr
that
was
outstanding-
I
know
humble
I
think,
is
here
as
well.
If
you
don't
know,
if
you
don't
have
time
to
work
I'll
continue
that
pr,
I
get
I'm
happy
to
push
that
forward
as
well,
but
I
think
early
on
when
we
discuss
this
item,
if
I
remember
we
were
talking
about,
there
might
be
a
larger
csi
entry,
read-only
refactor.
A
A
C
A
A
A
C
A
P
A
G
O
O
C
O
P
Okay,
a
question
I
have
around
this
I
mean,
given
that
I
understand
these
pieces
for
this.
Like
are
around
like
search
and
secrets
and
stuff
I
mean
I
know
in
google,
there
was
someone
there
was
a
security
team
that
was
using
this
or
interested
in
using
this.
I
don't
know,
if
other
I
mean,
I
guess
that
my
point
is
like
someone
who's
engaged
in
one
of
these
actual
use
cases
is
going
to
be
a
lot
more
motivated
to
drive
this
forward.
I
think
than
it
sounds
like
anyone
here.
A
P
P
E
A
Okay,
thank
you,
okay,
so
the
next
one
yeah.
So
this
is
a
spreading
over
filler
domain
and
the
next
time.
What
in
group
api
for
consistent
groups,
those
two
related,
the
spreading
one,
is
actually
dependent
on
the
second
one.
I
think
I
still
there's
still
some
design
issues
with
the
supporting
group.
So,
let's
see
if
we
can
get
the
half
merged,
that'll
be
great,
so
I
think
I'll
leave
that
in
design
for
now.
A
Q
A
E
Q
I
I
think
alpha
would
be
a
bit
aggressive.
We
still
there's
still
some
blockers
that
we
need
to
address
and
I'm
not
certain
how
to
address
them,
and
this
all
deals
with
transferring
csi
secrets
and
how
to
respect
those
boundaries.
So
it's
something
that
I
would
like
to
continue
working
on
the
design
in
this
next
release.
A
Okay
and
that
next
one
is
the
boarding
house,
so
this
will
be
staying
in
alpha.
We
have
a
meeting
tomorrow
to
talk
about
use
cases
and
what
are
we
going
to
next
so
we'll
decide
yeah
if
we're
going
to?
Yes,
I
think
there
are
a
few
use
cases
that
I
that
I
heard
about
heard
about,
and
we
can
talk
more
about
that
in
tomorrow's
meeting.
J
A
So
I
think
I
think
beta
is
still
yeah.
I
think
beta
is
also
possible,
but
the
the
thing
is
right
now
I
don't
know
any
anyone
anything
that
has
implemented
yet
I'd
like
to
see
at
least
some
sisa
driver
has
implemented
that
right
now
only
the
we
only
have
that
in
this
hospital
driver.
Okay,
so
so
we'll
see
you
know
if
the
so
maybe
we'll
see
if
the
driver.
E
E
A
Yeah,
so
I
think
so
one
thing
is
the
existing
feature.
I
bring
it
to
beta
and
then
the
second
thing
is,
I
think
there
are
some
requests
on
making
this
feature
available,
so
we
can
actually
do
some
reaction
when
something
happens,
so
that
will
need
some
changes
to
the
existing
design,
but
I
think
that
can
be
like
a
new
new
feature
gate
or
something
or
see
what
that
is,
but
the
existing
one.
If
it's
just
events,
I
think
that's
your
helpful.
A
J
R
R
A
L
J
A
M
A
E
E
A
Oh
yeah,
yeah,
okay,
pre-order
past
time;
okay,
thanks
all
right,
so
yeah.
I
think
I
think
we
went
through
more
than
half
of
this,
so
we're
continuing
our
next
meeting
yeah.
So
for
anyone
who
are
new
contributors
who
are
interested
in
contributing
you
know
if
you
have
any
questions
or
or
to
help
with
anything
feel
free
to
reach
out
to
us
after
the
meeting
all
right.
Thank
you.