Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / Storage SIG / 25 Mar 2021
Kubernetes / Storage SIG / 25 Mar 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes SIG Storage - bi-weekly meeting 20210325

Description

Meeting of Kubernetes Storage Special-Interest-Group (SIG) bi-weekly - 25 March 2021

Meeting Notes/Agenda: -

Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage

Moderator: Xing Yang (VMware)

A

Hello, everyone today is march 25th 2021. This is the kubernetes storage sig meeting. Today we will go over our planning sheet 41.21.

A

The first one is delegate fs group to you see the driver instead of cubelet is here.

B

Yeah, I'm here yeah, so this feature did not make into a 121 because we did not get the csi driver, css, spec change and we are trying to push it for next release and yeah. If we, I have pinged people and we'll discuss it in the csi community sync, when we get a chance.

A

Thanks.

A

The next one is the csi online offline resizing.

B

uh Yeah we made some fixes and we are trying to get some we'll try to get some more changes in and for in 1.22, the especially the copying the allow volume expansion field that requires a gap and then the recovery from resize failures, the the yeah. So this is like I have to there's a cap already merged for recovery from resize failure, but I have to update it for for the new design.

A

Okay, so this is actually the next one right. I think we have yeah okay, so this is recovering from resize failure. Okay, yeah.

A

You update the cap.

C

Yeah thanks.

A

Next, one is the skill linux recursive permission handling young. Do you have an update on this?

A

You see on there.

A

No okay, it's maybe no.

A

Update one, a csr entry read only handling, there's a chang here.

A

Does anyone know about this.

A

uh Next, one issues related to assuming volumes are monk point.

D

Last time, so, last time we mentioned there is, there was a pr reverted, and so I checked that again, because the risk risk condition between like politician and volume management still exists, that pr will not be able to merge again until we resolve that risk condition, which is right now we don't have a full complete solution. Yet, okay,.

C

Okay, thank you.

A

The next one is the storage classic tracking for pot scheduling. Do we have patrick here.

A

uh So I think this one is almost ready, I think, uh does anyone know more about this.

E

Yeah, oh sorry,.

A

There's.

E

A number of reviews going on in external provisioner, but I think they're, mostly in good shape, so they should be complete within the next week.

A

Okay thanks the next one is also patrick's pvc in line f, more volumes.

A

uh Michelle young, do you know this one.

E

Is there I think this one's done? um I think the docs pr merged and there aren't any more rpr's pending. So we can mark this one. As done. I think.

A

There was a test uh I thought chen is supposed to review that one yesterday, I'm not sure if that one is, uh but I forgot.

E

The test that chang was reviewing was related to capacity. Oh.

A

Okay, so that's okay, then this one will just mark it as down there. Okay is that one merged one, the test, yeah. I thought it was one test.

E

uh Yeah the test merged.

A

Oh okay,.

E

Cool, I think so right um jing did you have something.

D

Oh no, I was just talking I I read. I saw the test. Pr was reviewed for storage capacity.

A

Okay, so the test.

A

Merged, okay, thanks, uh okay, next one is the starting or field domain. I think this one is depending on the next one. What in group, um I thought you haven't, got a chance to update and actually I need to schedule a review meeting first, so I need to uh do that soon.

A

Next, one cs output, three more iscsi driver, see that finish.

F

This has some nominal progress made up to pr to include the staging repository so once that gets merged I'll ping, the people necessary and keep moving it on so minor.

A

Progress. Thank you.

A

Next one about nfs, parishioner and then fs client provision, okay, so client twice done what about afs provisional? Do you have a carry here.

E

Where is your michelle? Do you know, is this a work in progress, or um I haven't seen anything since last time? Okay,.

A

So no update then, and then the next one is the pvc volume snapshot. Namespace transfer question no.

F

Updates on this one, we still need to figure out a good way of the secrets.

A

Okay, thank you uh next warning house. So there is a dog pr that is being reviewed, so I need to update that trying to get that merged um and and then ryan is working on. um Removing the agent logic from the external uh house monitor repo.

A

And next one is a voting populator ben.

G

As I think I mentioned last time, this did not make beta for 121, so we're aiming for beta 122 in the 121 time frame. We're gonna try to do alpha releases of both the data source, validator controller and the the live, the volume populator library.

G

That's what I'm working on now. Okay,.

A

Is the uh the repos created yet or is he waiting for that to be? I.

H

Just uh approved them so hopefully soon, oh.

G

Okay, oh thank you sad. I was gonna hunt you down.

A

Thank you.

A

The next one is cozy. Do you have anyone from cozy side.

A

Or ben you want to talk about this. One.

G

uh Update on cozy yeah.

A

um

G

Let me think um that we continue to be tinkering with the api design in the cab. I guess the the plan is is to address all the existing concerns that prevented it from getting approved for 121 and to try to go alpha in 122..

G

The biggest change that is going on right now is an alteration to the way they handled the brownfield case or or the way that they handle sharing of buckets across namespaces, because I know with object. Storage sharing is expected to be much more common than it is with like block storage or file storage.

G

So they really want to make sure they get that use case right and the current design is moving from having an object per namespace to having uh one object that all the namespaces can point to.

G

But if you're interested in that, please come to the meetings, we're getting a ton of work done.

A

Yeah he's actually meeting a meeting uh after this.

G

Yeah, the regular weekly meeting for cozy is is subsequent to this one. Every week.

A

So if you're interested, you can join that meeting right after this meeting is complete thanks ben next. One is a change block tracking. uh So we had a meeting to talk about the cpt use case just to talk about how to describe the workflow, uh because there are a couple pending things like the potential security issue: how to address that, and also we're still waiting for feedback from aws eps side um on the api design stuff.

A

So that's the status next one is a new uh rewrite on the access mode. There's chris here.

E

Michelle do you know the status of this. um He has a provisional cap out um so yeah. I think um we can take a look at it and at least, if it's provisional, we can, we can merge it. um I think chris plans on uh working on the cap in multiple pieces, um so we're gonna, keep it provisional until everything is there.

A

Okay, is there plan to doing conducting to you or right now.

E

Yes, okay, yeah alpha and 122.

A

Thanks, oh next, one, let's update topology labels from beta to ga.

A

Do you have lana or jelly here.

I

Yeah laila: do we want to talk about this.

J

um Yeah, uh I think the azure one I made some updates to it, but I it's not mergeable right now, but um I'm working on getting it to pass the azure file test that it's failing, um yeah I'll, be done soon. Okay, thank you.

A

The next one is this: is a migration core? Shall we.

I

Yeah, so um for this one I think most of the work is is down for 1.21 um there's still one small bug fixed um that are still in discussion with young.

I

We're still trying to figure out, what's the best way to fix that other than that. I think in 1.21 we're all good, except for the updates topology, um but I think layla will take care of that so yeah. It should be good.

A

Okay thanks next one is vsphere, so I think uh so. Support for 67 u3 uh is planned to be in the next 2.3 release. Still right now uh we're working on it, and then I think still need to follow up on this is that windows support.

A

Next one is the csm migration azure file.

A

uh Java.

I

Yeah, um uh I think it has been moved to to beta, but I I do I do know there is another. There is another uh issue related to secret that has been raised. Michelle do you know that.

A

Somehow I thought this one didn't make it I I know it's it made it. It made it. Oh it's there, oh okay, then okay, then maybe the wrong.

E

Commission there is one um yeah, there is one uh regression that was identified and so there's a revert in progress, but I think I think from the migration standpoint um I mean it's it's I think migration will still be beta, but there's going to be another issue that will have to be fixed after we revert the other change.

C

Okay, thanks.

A

So this one can this one be marked down: let's do or.

E

I think there's still a dox uh doc is still pending.

I

The dock is, I think, is merged. No, I I I saw the dock is being approved. Absolutely okay. I should be fine yeah.

A

Okay, so this one is down there.

I

Or yeah, I think we can mark it as.

A

No, but we didn't mark any of the questions that we would just leave. It.

I

Yeah, okay, yeah sure.

A

Okay: cs migration: gce.

A

uh Do we have an update.

K

Yeah I mean this is the um the same update as last time. It is. We are not turning on by default um upstream in 121, but this is uh still going out in gke 121 in a month, dish.

A

Okay,.

A

Thanks uh next one is uh openstack synthesis migration. It's not the size. I believe this one is the only one that is on by d4. Is that right.

C

Yes,.

A

My.

C

Default.

C

All right.

A

Thanks uh cease: migration cef set the person the rbd. um Do we okay? It looks like there's no update.

C

Do you know.

I

If hambo is still working on this.

A

I'm not sure I thought he's back, but I haven't seen him still, I'm not sure. What's the stuff yeah.

E

We haven't.

A

Seen him during this meeting, I I thought he's back, but maybe he's uh still busy with other things. So.

I

uh I think I I try to pin him on the on the issue about this, but um I didn't get any reply.

A

So, do you try chipping him slack.

I

uh I will try.

A

I'll try next.

I

Yeah yeah.

A

We got an email from him when he was back and but then, after that he seems to be still busy with other things. I haven't seen him in these meetings, so I'm not sure.

A

Thank you. The next one is uh now grace for no shutdown, so I will still need to update the cap.

A

Next one is the enable username spacing cubelet, so your ids get shifted and that's it. Okay, I don't know, looks like it looks like command is on this, but we don't really have any update yet do do. We know anything come on about this. One.

B

uh No, I haven't had time to track this section.

A

Okay thanks next one is the immutable secrets, complete maps that one is done and uh so okay, so next one is uh pvc created by stefan said when I'll be altering me.

K

Yes, so I um did not manage to make the uh code code freeze. Oh, I guess I gave that update last week yeah. So this is still in progress. The api is is done. Implementation is still in process.

K

Okay, yeah.

A

Yeah, okay, so we'll try next release, hopefully get it merged early.

K

Fingers crossed yeah.

A

uh Next, one is the one expansion for safe was set. This is a kk where matt is. Are you also keeping track of this one ahamad.

B

um This requires, I think, new owner. I haven't heard back.

A

From.

B

Kkk, it is yeah, so it's been couple of releases, I think, and there's a lot of community interest in it. So if anybody's and it's there's already like 70 percent done kept is there, but we need to update it and it's a very interesting feature. If anybody wants to work on it.

K

Yeah, so I'd actually be so this is. This has actually recently come up um a bit on slack and stuff. I mean I think there may be a more a slightly more general way to do it um just in terms of updates hey anyway. If anyone else is interested in talking about this I'd be interested as well. I don't know if I can commit to.

K

Taking this as I've already, you know I'm hardly managing to deal with the auto delete one, but if there's anyone else, who's interested I'd like to uh discuss.

A

Okay, so I'll put your name there and that's all I'll see if we have someone from outside we're interested in this sure makes sure.

A

Okay, next one is execution for content notifier, uh so shenzhen has updated the cap, so we need to uh get api reviewers to review it again. We also reviewed the new proposal in yesterday's data protection. Working group meeting get some feedback.

A

Next, one is kubernetes euros months, leaving a new ripple um username here: okay,.

A

Next, one six scheduling prioritization on volume capacity, so this one is uh misha.

A

This one is done right, so do we have any.

E

Yeah, it emerged, I think it's done. um The docs update also merged as well. So we can mark this.

J

One as.

E

Though,.

C

Okay, thanks.

A

Next, one is a user id ownership in config maps and the secrets shall we do? We have any update on this.

I

Yeah, so I I don't think I don't get enough psycho this uh this release, but I I have another like outside contributor, whose name is ambassador- and uh he said, he's also like very interested in this, and uh he will take this up um yeah, so I'll work with him to to figure out. What's the what's, the next plan.

A

Great, thank you. Okay, uh I think that's all we have on the spreadsheet. uh Okay, yeah.

D

Oh, I realized that uh and never put css proxy in here. Oh so, let's give a quick update on css proxy. Okay. um So right now is beta, so we are working on to move it to ga.

D

uh There is uh mauritio uh from.

A

Rt already.

D

Ga for for this release or next release, I kind of like this release is independent of kubernetes is released.

J

But.

D

But um kind of uh at the end of this month: okay, so there's our already pr to move uh the major api groups uh like disk volume file system smb into b1, and there is one small issuer to checking volume checking disk formatted or not after that resolved and pr can be merged. I think uh we're pretty much ready for ga.

A

Okay, that's cool! Thank you.

A

Sure.

A

So we don't really have we don't have a cap for the story. Do we actually have a christmas issue that we can add here.

D

Yes, I think I I can add it: okay, there's a project for csf proxy. I can add that project here.

A

Okay, thanks for sure, okay going back to this, uh so uh we have passed the the test phrase deadline. I think that was yesterday. uh The next deadline is next wednesday march. 31St uh docks must be merged, so I think that's the next uh yeah, that's the next that line, and we have in issue here.

A

um Do we have a gym here.

L

Yes, I am here, oh.

A

Okay, so we can talk about this one relaxing month, propagation conformance.

L

Yes, um so I have done a little bit of work on this, since I I logged the request to talk in this meeting. It turns out. This is not a conformance test, as I originally thought, but there is still an e to e test that does check that when you've got bi-directional amount propagation, it the amount done by a container with bi-directional propagation turned on, does propagate all the way up to the host os.

L

um This is something that we would like to get relaxed and the main driving factor behind this is that on linux systems with systemd, there is a lot of systemd overhead involved in parsing the mount table as changes occur, and basically a workaround we found for this.

L

That seems to address the underlying system d issue as well as not causing any issues with any containers that we've ever tried it with is to basically take the um the container runtime and also cubelets, and move them down into a separate mountain namespace, and as long as that's set up cleverly with mount propagation, so it still receives host os mounts into that namespace.

L

Every other usage of container bi-directional mount propagation seems to work great with csi, with other other mechanisms where, like the container runtime hooks, might need access to. um You know a mount point that was created by a container.

L

There is a link. I can't remember if it's in this document, I can just uh drop it in the chat as well. It's got sort of a graphical representation sort of how the mount namespaces are laid out now versus um how they would be laid out in a you know, potential implementation if we relax this test, but basically the thing that I'm trying to at least start with is just a discussion around. Do we know of any use cases where um something running in the host os?

L

That's not a container and not sort of beneath the the call tree of the container, runtime or cubelet itself. Is there anything up there that really needs access to these mount points that are created by containers?

L

um So I have this issue that you've got open here, where I hope we can have some more discussion about it. I've also posted to uh the kubernetes development list, as well as sig node and n6 storage, mailing lists, looking just for, if there's any information about known use cases where there's something at the host os.

L

That really needs access to these mount points so far other than the idea that there might be sort of legacy monitoring tools that might want access to it that we haven't found anything that sort of requires this access, and so it's so far looking like you know for for most container native um applications.

L

There isn't any need for the host os to have access to any of those mount points either the ones created by cubelet, the ones created by the container runtime, the ones created by containers with bi-directional amount, propagation setup and so just hoping to sort of keep the discussion going and and see.

L

If we can uncover any use cases we haven't thought of and the the driving force behind this is is openshift has uh some applications where we we have sort of a resource, constrained environment, we're trying to sort of get the cpu utilization down as much as possible. And so uh you know, this is actually going quite quite a long ways to sort of reducing the systemd overhead um and, among other some other improvements. We kind of want to squeeze as much cpu to make it available for workloads as we possibly can.

C

Can you get my slingshot.

E

um I had a.

J

Question.

E

On this, um so at least from my experience- we sometimes you know just just for like debugging and triaging purposes, we might want to go in and view all the mounts that are on the host. um Is that still possible, with some alternative command or something like that? Absolutely.

L

It's actually very easy effectively. All you need to do is in your shell. If you know where the the name space itself is pinned in the file system, you can use the ns enter command and that will basically drop you into that mounting space and then using the mount command or find mount. You get the full listing of everything. That's in there.

L

uh Likewise, if there is some sort of legacy tool that needs access, it's actually very easy to again. You can use ns enter to wrap that command, so it spawns inside of that mount namespace, and then it will still have access to all of those. um You know container specific matinee spaces, so there are workarounds.

E

For both.

L

Threader access and legacy tools: okay,.

E

And and it's also possible to just list all the available mountain into spaces.

L

um That's a good question: yes, um if you run find mount in the host os namespace yeah, you would get yeah even running mount. It sort of depends on how the namespace is created and- and what's done with it, um in the proof of concept that I've done for open shift.

L

I explicitly bind the mount namespace to a file, and so that does show up in in the listing of mount, it is possible to have a mount namespace, that's just owned by a process id and that doesn't really show up because it's not bind mounted in the mount file system.

L

So if it were implemented in another way where it's sort of attached to a pid instead of a file on disk, it would be more difficult to know how to do that.

G

But but you can enumerate all of the pids and find all of their namespaces and enumerate all their mounts.

L

That's true absolutely, and I guess, because by its very nature, we would know that both cubelet and the container runtime would necessarily be inside of that mount space. You can always look at what is what is the pit of cubelet find out what mount namespace it's in enter that one and there you are in fact.

G

Actually, I I had a question. I I assume that we already looked at changes to system d to not go crazy when there's a lot of mounts to alleviate the cpu problem, because that would be the other.

F

Way.

L

To.

G

Attack the underlying issue.

L

Absolutely so so, basically, um this this actually sort of originated from a red hat bugzilla, and uh there are some changes in in system d that reduce this load. However, um the the estimate of how much it reduces the overhead is 30 to 50, which is good a step in the right direction. However, it doesn't help us in open shift where we're sort of working on an older version of a system that does not doesn't necessarily have the fixes.

L

Yet it also doesn't get us all the way down to zero um and the the change of being required to get that overhead much lower would actually be a kernel change to to actually get more granular updates on the the mount point changes.

L

So we there are the upstream system d that openshift doesn't have access to is better than the older version of systemd that that openshift currently has. But it's there is still uh some significant overhead there. That's just based on the fact that it doesn't get a succinct list of exactly what changed in the mount name space as mounts go in and out.

L

So this is the path of least resistance is.

G

Doing it this way exactly.

L

Exactly it's also much easier to sort of backport it to older versions, for you know, customers that might be stuck on an old version for some reason they aren't able to upgrade and get a new resistance d.

H

uh What actual changes are needed to enable this? On the kubernetes side?.

L

Well, the real change is that there's a single e to e test that currently checks this mount propagation logic and in its design, such that it's enforcing the fact that if you do a mount inside of a bi-directional container, it's visible at the host os.

L

I do have actually just scrolled up the top of the screen there. um I have a link to a uh sorry. I think it's my first comment after this, I I have a link that is to a branch in kubernetes, basically just fixes the ete test, so that, if it notices that cubelet is in a different mount namespace, it does the the checking inside of that mounts nice namespace. Instead of checking at the the top level.

L

Where is it.

A

There.

L

We go black commented that first link there yeah, that's right. um So if you, if you dive in there, basically what this does is. It has a check to see whether or not we're in the name space and then, if so, does the test differently. It also changes some of the language around the mount propagation flags themselves, because they it does change the meaning a little bit compared to how it's documented.

H

Yeah, I think this sounds like a reasonable change overall and probably good for older systems that are suffering from uh from these performance issues.

E

I I guess my only concern is, since we are changing the behavior of a ga feature. Do we need to go and go through the standard, deprecation policy for this, just in case someone was actually depending on it.

A

uh Are we actually deprecating this already? I thought he was just suggesting. Relaxing the scene test case itself.

L

Yeah, that's the tricky thing about this feature. Is it it's? It's really just sort of a an implied feature that it doesn't require an actual change to kubernetes itself. It's yeah, it's relaxing the test. It's changing some documentation about what some flags mean.

L

So it's it's a little bit more nebulous than something that can be deprecated, we're sort of deprecating an expectation of what the environment is where kubernetes is running.

E

I.

L

See so.

J

So.

E

To enable to basically enable this behavior, you need to make a change to the way that the mount namespaces are set up for exactly.

L

Kubernetes and to some degree it's it's kind of outside of the scope of kubernetes, I think um I mean I was looking through the kubernetes documentation. I mean sort of coming at this from openshift there's a whole suite of like install tools and stuff that are part of openshift, but, looking at like the kubernetes, how do I install kubernetes page?

L

It basically says you know it's up to you to tell your init system to start kubelet at boots and that's kind of where the change would have to be made is when you start up your container runtime and your cubelet instance. You need to do the work to put those inside of a a new namespace.

L

um I have a proof of concept that does this it. I think it's very easy to adapt to any system that has systemd running. I'm not just openshift, specifically.

D

So in this case, what's the difference between the by the amount is still bi-directional and how about host to container.

L

Yeah so see here, basically, here's how it works and let me drop this link into chat it might it does, I think, a good job of sort of explaining.

L

Graphically sort of how things look now and how things look under you know an implementation of of the the my my proposed way of of this. The way this could change.

L

I just threw that in chat there.

L

So if we look at this first diagram, this is basically effectively how it looks. Today. You've got system d, login shells cubelet the container runtime. Everything is in the same name space when container a has mount propagations to bi-directional and it mounts run, slash a everybody in the upper level sees it and then container b that has host to container propagation setup. It also sees it because it gets pulled down with all the other things in the host.

L

Now, if you scroll down a little bit, uh there's another diagram that will show sort of what it would look like after, and so basically you can see here that anything, that's mounted by system d or login shells as long as the namespace that this new secondary namespace is set up properly, uh with with appropriate. um It has to be slave, shared propagation, um but effectively.

L

Anything from the os still goes down into cubelet in the container runtime and from there they propagate down into containers that have host to containers set up properly um and then, as you can see here, when container a mounts, it's it's, but in its bidirectional space run slash a that propagates up to cubelet and container runtime. It also propagates down to container b, uh but it does not propagate up to where systemd and login shells can see it by default. Unless something in that name, space explicitly enters that lower level.

L

Namespace.

D

So, if container a use mount propagation host to container instead of bi-directional, what's the difference like when you use these.

L

Two, so you can see the an example that is container b that uses host to container so both today and under this proposal. um If a container that uses host to container mounts its own mount namespace inside of that area, it sees run slash b, but the parent name space is not c runs flash b. However, it does see all of the mounts that are below that um that volume as though they were locally available.

L

So if, if container a was host to container and not bidirectional container a would see, run slash a the parent run time, the the container, runtime name space would not see, run slash a and container b would not see, run slash a but because container a is bi-directional that allows that mount of run, slash a to propagate up to container runtime and also down to container b, because it has hosted container.

G

Does this mean that um pods that are run with uh escalated privileges so like just privileged pods, would end up in the same name space as cubelet and container d, but not.

F

Not the systems.

L

That's a good question.

L

I think that by default, that is true, um and so, if a privileged pod would want access to that top level name space, it would need to like ns, enter into slash proc slash one uh namespace.

G

Right, I mean that's not so much a storage concern as a just a pod security concern. You know, but by trying to run everything.

J

In something.

G

Other than the system name space. That means every privileged pod will also be often that other namespace that you created, which right I don't. I don't think it's going to mess up any csi plugins, because nearly all csi plugins are privileged.

G

um But I wonder if there are other non-csi use cases where this could get us in trouble.

L

Yeah, that's a good question and a good point. um I'm gonna make a note to uh see if I can figure out where to ask that question to get more details um and bring that up as a potential like a privileged pod that would expect to be in that sort of highest level. Name. Space would no longer be in that highest level. Name space.

L

I think the there's a sig security right.

G

They would probably be experts on such.

L

Things that's a good idea, um and in fact I mean I guess. One thing that we could say about my proposal is that if you have the security namespace, it is actually slightly more secure in that a privileged pod isn't in that highest level.

L

Name stories where you could like unmount, slash proc, for example, you know you would not have access at that host level to the mounts to the mount points, you would only be sort of contained inside of the cubelet container runtime area unless you explicitly use ns enter to pop back up into the parent name, space.

H

Yeah, I think, from the storage side of things. This doesn't look concerning to me. I think, going back to the concern that michelle raised about deprecation.

H

It seems like this is a requirement on the underlying system that kubernetes has and we're relaxing that and so kind of the burden of validation rests on that distributor rather than on kubernetes. So I don't know if we actually need to go through any alpha beta ga for this just do it.

L

Yeah, that's a good way to think about it, especially because this is really like it once the test is relaxed, whether or not a distributor wants to do. It is really an opt-in like it allows them.

J

To do it.

L

Should they want to do so and take on the burden of you know the qualification and documentation changes and such, but it doesn't require anyone to do.

D

So so the proposal is to kind of have option. When you test right, you can choose test either relax or use the existing logic.

L

That's right and basically the the way that I have sort of done. My my proof of concept with the change to the e to e test is the the test automatically detects, and so you can see that right at the uh before all these changes, there's basically a single. If um actually right there line 198. um it.

L

It basically checks what names, what mountain space, what mountain name space is cubelet in is that the same as the amount name space that system d is in and based on that it either executes the exact same logic as the previous test or the new logic that sort of understands that when you've got your container mounts segregated from your host mounts, um you know it. The test is slightly different.

L

It still ensures that you know container mount propagation goes up from a bi-directional container to the container runtime level and back down to anything that has host to container since that's critical for things like csi, but it doesn't check. It actually explicitly checks that in that, if you have this segregated mount namespace, the host os that top level name space does not see those bi-directional mounts.

L

So it just sort of flips that one piece of this test on its head and.

G

Just to double check you're only talking about the mount namespace, not the network, namespace or any other namespaces right. That is correct, yeah mount namespace only yeah, so things like cni, plug-ins and other things won't care yep. That's exactly.

L

Right.

L

So if there aren't any other questions today, I mean feel free to you know if you think of something after the fact come back to either the mailing list threads or the the issue that I've logged there uh for for more discussion, and uh I I made a note to follow up with sig security, since I think that was a really good suggestion um and uh yeah thanks. So much for your time and and uh talking to me about this.

G

Awesome.

A

Thank you.

A

Okay, uh are there any other issues we want to discuss in this meeting.

A

If not, that is for today thanks everyone bye.

H

Take care.

H

You.