KEP-3636 CSI Drivers in Windows as HostProcess Pods#3641
KEP-3636 CSI Drivers in Windows as HostProcess Pods#3641mauriciopoppe wants to merge 1 commit intokubernetes:masterfrom
Conversation
k8s-ci-robot
added
cncf-cla: yes
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
2 times, most recently
from
edbe2bc to
8cfda48
Compare
mauriciopoppe
changed the title
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
3 times, most recently
from
ddd8336 to
7eeaac8
Compare
|
/sig storage |
k8s-ci-robot
added
the
sig/storage
|
/cc @jingxu97 |
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
from
7eeaac8 to
53b68cf
Compare
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
from
53b68cf to
5d34ce0
Compare
ameade
left a comment
ameade
left a comment
There was a problem hiding this comment.
Hey @mauriciopoppe, was nice meeting you briefly at KubeCon. Just some minor comments.
From the code PR, "The named pipes are not protected, this means that not only CSI Drivers but any Windows workload can mount them and execute privileged storage operations (imagine a workload reformatting the volume of another workload ). This is a current problem as of now." I think this is the case for any Pod that mounts a hostPath, windows or otherwise. I guess filesystem permissions help here?
We should mention that hostProcess support is going stable in k8s 1.26 and requires containerd 1.7 (unreleased) as mentioned in the SIG Windows update at KubeCon.
Maybe mention for those that will need to make the conversion about the new small host process base image. bit.ly/hpc-base-image
You're right on it being a problem in Linux too, I've updated the security part so that there's a suggested workflow for Cluster Administrators to determine the workload privileges per namespace using Pod Security Standards.
Good points, I'll add them to the doc |
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
from
2f9072b to
83bfe25
Compare
torredil
left a comment
torredil
left a comment
There was a problem hiding this comment.
Updated graduation criteria and latest revision looks good to me.
/lgtm
k8s-ci-robot
added
the
lgtm
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
from
83bfe25 to
d67674f
Compare
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
2 times, most recently
from
135cacd to
0cc4c1c
Compare
mauriciopoppe
force-pushed
the
csi-proxy-host-process-container
branch
from
0cc4c1c to
6bfa38f
Compare
mauriciopoppe
left a comment
mauriciopoppe
left a comment
There was a problem hiding this comment.
I made a few changes to the KEP:
- Completed the section "Feature Enablement and Rollback"
- Deprecation (mentioning that there's no deprecation of the v1 model)
Could you please take a look again @msau42? Also cc @torredil @andyzhangx @laozc, hopefully this goes to "alpha" in 1.35.
torredil
left a comment
torredil
left a comment
There was a problem hiding this comment.
/lgtm for the alpha target, thank you @mauriciopoppe!
|
|
||
| The core of this proposal is to: | ||
|
|
||
| - Refactor the CSI Proxy codebase to expose its API groups as importable Go packages, removing the client/server gRPC architecture. |
There was a problem hiding this comment.
In a sig-storage meeting, @bswartz advocated for supporting both solutions (existing CSI-proxy, due to security benefits) and HostProcess mode. As I understand it, the current KEP proposes that HostProcess mode be a replacement for CSI-proxy. So I think this is something worth discussing more, seems like a really important decision that we should close on sooner rather than later.
Right now we maintain the HostProcess implementation in a separate branch over at https://github.com/kubernetes-csi/csi-proxy, which may not be ideal in the world where we decide to maintain both solutions.
cc: @msau42
There was a problem hiding this comment.
Thanks for the comment. I added the following non-goal:
- Deprecate the client/server model - This model is still used by the majority of CSI Driver implementations,
adopting the new go module model will take time and in the meantime we still plan to maintain
both models.
Also in the "Deprecation" section:
We plan to maintain both versions (the client/server model and the go library model) because the majority of CSI Drivers use the client/server model. There is no deprecation of the CSI Proxy v1 model.
Agreed, it's hard to maintain both solutions in different branches. At some point we made changes in the branches (moved master = v2, branch 1.x = v1) and that broke our internal release pipeline and might have broken other pipelines as well.
I can expand on how the branches will move in a separate document. I don't think we'll have updates in the branch assignments even when we reach GA.
|
This is a nice way to document how to leverage this feature for out of tree projects. PRR isn't needed since these projects are out of tree. /approve |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: deads2k, mauriciopoppe The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
11 participants
/cc @msau42 @ddebroy @jingxu97