From YouTube: Kubernetes SIG Storage - Bi-Weekly Meeting 2021-11-18
Description
Kubernetes Storage Special-Interest-Group (SIG) Bi-Weekly Meeting - 18 November 2021
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
Moderator: Xing Yang (VMware)
A: We will first go through the 1.23 planning spreadsheet and then I think there were a few issues we want to talk about on the agenda. So the deadline for code freeze, that was Tuesday; the next deadline coming is actually, oh, actually today. Today is the deadline to open the placeholder PR. I believe it's actually noontime Pacific time. So, all right, let's actually go over this.

B: Yes, most of the, all the code PRs were merged right now, the doc PR is out for review and there's one more e2e test PR that needs to be sent out before the test deadline next week, next Tuesday.

D: My understanding is this: is this a capability that, like, Samba has in general? Would any SMB driver be able to take advantage of this?

D: Oh, I just mentioned that because I guess we do have our, we do have our SMB CSI driver that maybe, I think, Chang, you were looking for, like, a driver to use for testing. That might be a good one.

E: Yeah, this one was merged. I'm opening the docs PR, I haven't opened it, but I'm opening it in like a couple of hours. Okay.

A: I think the deadline is probably a couple hours. Thanks. All right, advanced config, FSGroup policy and CSIDriver object also goes to GA.

D: I think we, we talked about this, yes, last time. Okay, we wanted to split out the work that the, the previous item was tracking and there's.

A: Okay, next one is PVC inline ephemeral volume GA. Patrick here?

A: It's Matt, also I'll be looking at this as well. Michelle, do you know anything about this? Do we have any update on this item?

A: Next one, next one we've marked down is the deprecation notice for FlexVolume. I think I just realized that the, the one that I added that issue for, I think that's for the release blog. That's, I'm not sure if that's also for release notes, I need to double check. So at least that should be in the release blog, but I will check with the release team to make sure that also shows up in the release notes.

D: Yeah, like we're not gonna add new features to it. We might do best effort at fixing bugs, that kind of thing.

A: Okay, so next one, PVC volume snapshot namespace transfer. Is Mustafa here?

H: Actually Mustafa and I had a separate meeting last week.

H: Yeah, as we discussed in the last meeting, the encryption secret and backup use case may need to be considered, but we still don't have our idea for that.

A: Well, I actually thought about, I was thinking about writing some comments when I have a chance to. I was thinking, can you make this like a, like a two-step thing? If secrets are required, then we require the, you know, secrets to be transferred using a similar thing, using the, you know, the, what's that called, the reference, cross referencing. So use that to transfer secrets first before a user can transfer the snapshot. It's like doing it like a two-step. So when we transfer the snapshot, we just make sure that the secrets are, it's already there?

A: Because, if a user, if, if a user initiates a secret transfer, then that means this user knows, if, you know, he or she trusts this other user, then it's fine and all the resources controlled by that secret will be transferred. So if we make this kind of explicit.

A: You have to transfer your secrets, you have to transfer your secrets as the first step and then, when you transfer the, you know, the, the snapshot, the other secret has to be already available in that namespace. Something like that maybe, need to maybe.

A: Maybe that's something you need to, maybe a question, yeah, that's something we need to, yeah, think about. I'm not sure what the answer is. Do we expect the old ones to, to be around?

A: Okay, next one is, since I wanted house adding additional metrics. Unfortunately this, the PR did not get merged. There were some issues. I think Ryan is still trying to get those results. He was busy the last few days, so, and that didn't get in. So I think he said he's going to look into that and see.

A: And then next one is a sisa warren house. This is the reaction part, so I think, so Nick and I, we discussed about this last time, so we will maybe figure out how to write up some, some document and move this forward.

C: This, this missed the deadline for 1.23. The, the out-of-tree work can still happen, but the in-tree move from alpha to beta will have to be, wait, walked away till 1.24.

C: Let me think. Most of what's happened the last two weeks has been trying to figure out a solution for how to use cloud account based authentication or identity-based authentication, and the, the struggle is that it's coming up with an API that works the same, whether you have access key/secret style authentication or cloud authentication.

A: Okay, yeah. I think we need to update that one soon, actually, because it's getting close to the end of 1.23. Yes, we'll see, thanks. Next one, change block tracking. I think Vong is still looking into it, but I don't think there's any update on that yet. Next one is runtime assisted mounting. Is Deep here?

G: Yeah, hey, so I'm making progress on the KEP.

D: One was making sure that, like, we actually sent out deprecation notices for all the plugins when they went to beta, and I think we've done that.

D: There is one bug that's still remaining. I don't think it will be fixed, this, in 1.23, but we might look at it for 1.24.

A: And then next one is: this is a Ceph, oh yeah. I think the sword missed this one. vSphere, I think, yeah, with this one also delayed.

A: Okay, so this is from Humble, because he said merged and then there is a docs PR that is merged queue. Anything else, shelf, on this one? No, that's it. Okay, and next one is the footworks.

A: And yeah, so this one is the, next one is honor PV reclaim policy. This one is almost there, I mean the in-tree PR merged. Oh actually, I should see if Deepak is here, by any chance.

A: So you know the in-tree PRs merged and I think the, the provisioner lib PR is merged and I think Deepak is updating.

A: Actually, should we just close, do we still need this, need to keep this as star, need this as this, or should we just sit down? If this is only the blog remaining, we shall.

A: I think I can keep it like this. It's fine. Next one is control volume mode conversion between source and target PVC. So, talked to Ronak about this, he is updating the design doc, just incorporating the feedback from the last meeting, as we talked about this in the last data protection group meeting.

A: Next one is secret protection. Masaki, do you have any update?

E: Yeah, there's no, there's not been any update. Basically the authors sort of, I don't know, yeah, took a break from it, I guess.

E: This is about, this is about running kubelet non-privileged and yeah. So basically, that's what it is about and.

E: No, there's, there, there isn't anything in this one, but they, they have done some work in the CRI layer before, I think.

A: Okay, good, glad that it's actually finally made it, all right. It's also, it's Matt also working on a blog for this one.

A: Next one is the container notifier, so I think this one's still, an update, I think, maybe to schedule a meeting, yeah. I think we need to schedule a meeting with Derek. Like I heard his, he was busy something, so aussie plus you can figure out some time to have a meeting with him.

A: So this is the, this is the application level one. This is the one that we did, we're going to do the signal, so I think the fs freeze, that can also be part of it, right, because this is not like we automatically adding any freeze command.

A: Yeah, yeah! Yes, yes, for application class. Yes, I think that's all we have in our spreadsheet, so to go back to this. We have one. So we have a couple of things. So this, so Humble asked me to add this one, because he has a question about this review, yeah. So this one is basically trying to add, let's see, node expand secret ref and, let's see, I think, but then we got some review comments from the API

A: reviewer, basically saying that, that this one actually needs a feature gate availability. So I think he was asking, if you think that the controller expand secret ref did not need a feature gate, why does this one now need a feature gate?

A: Okay, all right, so, okay, what is the answer? Is, we shoot one of these, okay.

F: Yes, so this document, yep. So this is a draft KEP that I've been circulating more with folks in Red Hat and I posted to the SIG Storage mailing list. I think I also posted the link to SIG Auth and SIG Security.

F: I call it an effective profile, but it's basically the level that we should consider the CSI driver safe for use if the namespace has, is either enforcing or adding warnings and audit labels to pods, given the pod security standards and the, and the way they're enforced with the pod security plug-in.

F: So maybe, if you scroll down a little bit, you can see kind of how it would work. So the mechanism is that either a cluster administrator or a maintainer who is creating a CSI driver that provides inline ephemeral volumes can add this label and give it the value of restricted, baseline or privileged.

F: And then, when the pod security admission plug-in is evaluating the pod to see whether or not it should either be accepted, or if warnings or audit labels or audit annotations should be added to the pod, it will basically look up the referenced CSI driver, see if the profile for the driver aligns with the pod security profile and then make the decision accordingly.

F: So if a namespace has, for example, the, is enforcing the restricted profile, if you are using a CSI driver that declares itself as safe for only baseline or it's safe only for privileged workloads, then the pod is denied and it's not admitted.

F: And then similar decision tables exist for adding warnings back to the user if they try to create a pod that uses a CSI driver whose, basically, effective profile doesn't align with the pod security profiles on the namespace.

F: So that's where the setting of, in both of those, that's where there are advantages to enhancing the pod security admission plugin. So by default we can have the CSI drivers be treated as having the restricted profile, which aligns with the current pod security standards.

F: Irish is the admission plugin's configuration. The other thing that exists inside of the pod security admission plugin is that they define levels for the checks.

F: So what if this check is introduced, we would introduce it for the version of Kubernetes where this is introduced as likely alpha, so, or we might have to work with SIG Auth to determine how we would do this, so that, certainly if, in the pod security admission plug-in, you can say, I want to enforce the restricted profile as of Kube 1.22, for example, or you can have it be.

F: So I guess the, the question is: that is a really interesting thing to think about. If you have a CSI draw, if you have a pod already and you have the CSI driver update itself, will that pod still run or will the pod have to be deleted?

C: Well, I mean someone should be able to override whatever you do, but like, so if an admin just wants to make it, so he should say, sure, go ahead, do this. But I imagine that CSI plugins will have a recommendation like, this one is secure and is safe to run with any sort of restricted pod, but this one is less secure and should only be run with privileged pods, so they'll at least want a way to communicate from the CSI plugin's perspective.

F: So, in that sense, it would, all this, all this happens on pod admission, so I think, for, certainly when the pod is created, these checks would go in. So if someone tries to create the pod and admission is denied, if the admin then changes the value of the label and then create, tries to create the pod again, then that check will be rerun and it should succeed.

A: Does the, so you said you talked to SIG Auth? Are they, do they have any concerns about adding this to the pod security itself?

F: So I have just discussed this a little bit with David Eads, who sits on SIG Auth. He was, the general idea here of adding a label to CSI drivers, the CSIDriver object, he was in favor of it, but in terms of enhancing the pod security admission plugin, I haven't gotten any feedback one way or the other.

A: So this, this plug-in, can this be out-of-tree or has, does this have to be in-tree? If we, I mean, if we do this ourselves? Yes, that's my question.

J: Yuri, you could, we could make an admission webhook, which would be optional, similar to, I don't know, the snapshot validation webhook. Hopefully we have no.

J: I have seen CSI drivers which use inline CSI volumes to point to a random NFS server, for example. So any user can point to any IP address in the cluster.

J: Do they have an admission plugin? I don't think so.

A: If we should do this as a separate, separate webhook, then either, either in-tree or out-of-tree.

F: Yeah, it'll be interesting to see if we, if we go the route of having a separate webhook. I think, regardless of whether it's in-tree or out-of-tree, we'll still have the challenge of having potentially different defaults.

F: If folks change the, or, if change, if people change the configuration or the default configurations, it's one thing for us to, you know, use the same kind of ideas throughout. It's another thing, though, if, like, say, and I think I put this as a potential drawback of the alternate approach of having a separate webhook, is, if you configure the pod security admission plugin to enforce the restricted profile by default.

F: If we then have the, the separate webhook enforce effectively privileged by allowing any CSI driver to provide these, then you kind of have at least a little bit of a mismatch in terms of intent.

A: Okay, then, because you, yeah, this doc, you have the doc here, so everyone can add comments there and maybe after you talk to SIG Auth, you can come back and then we can talk about what's next.