KEP-3314: adding beta PRR documentation

[carlbraganza]

• One-line PR description: Update KEP-3314 PRR for Beta.

• Issue link: CSI Differential Snapshot for Block Volumes #3314

• Other comments:

[k8s-ci-robot]

Hi @carlbraganza. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[xing-yang]

/ok-to-test

[xing-yang]

You need to update https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/3314-csi-changed-block-tracking/kep.yaml and https://github.com/kubernetes/enhancements/blob/master/keps/prod-readiness/sig-storage/3314.yaml

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: carlbraganza
Once this PR has been reviewed and has the lgtm label, please assign jpbetz, jsafrane for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-storage/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xing-yang]

General comment: Please provide more details when you say "CSI driver specific."

For e2e tests, please include links to the test files.

[stlaz]

PRR shadow review

[stlaz]

In the design text, add these changes:

• Explain the abbreviation "SP" which is often used throughout the text. I'm assuming it's "Storage Provider".

• Where it says:

The full specification of the Kubernetes SnapshotMetadata API will be published in the source code repository of the [external-snapshot-metadata sidecar](https://github.com/kubernetes/enhancements/blob/1d3cb5e92e7cb3a815974b172f238e23b957ed96/keps/sig-storage/3314-csi-changed-block-tracking/README.md#the-external-snapshot-metadata-sidecar).

add a link to the actual API spec.

• In the The External Snapshot Metadata Sidecar section, add a link to the repo with the code.
  In the same section - The sidecar must be configured with the name of this CR object. <- it's unclear what this means.

• Since you're referring to it from your official docs multiple times. add a concrete RBAC rule definition that would let a backup client scrape the snapshot metadata to the Risks and Mitigations section. You can just limit the rule to what you've got in your actual authorizer (the volumesnapshots SAR check).

• Also, in the Risks and Mitigations, explain how you implement rate limiting to address the Uncontrolled access issue raised by sig-auth.

• In the e2e section of the Test Plan, add detailed explanation how you're going to test your sidecar's authenticator and authorizer. Make these a requirement for beta in the Graduation criteria section.

In the code of your sidecar:

• Make the authorization test introspect the request so that you actually test that you're sending the correct arguments (https://github.com/kubernetes-csi/external-snapshot-metadata/blob/main/pkg/internal/authz/sar_authorizer_test.go#L33)
• See https://github.com/kubernetes/kubernetes/blob/08764697f483b3bd33cad4e8f2878a04674be272/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go#L96-L99 for a more robust token authentication implementation

In your sidecar repo:

• Create an issue where you explain how you plan on improving the e2e testing for the repository. Currently the only e2e tests live in a .github/workflows directory in a file called integration-test.yaml as a long bash script.
  Make these improvements a requirement for Beta in the Graduation criteria section.

[carlbraganza]

Thanks for the feedback.

Explain the abbreviation "SP" ...

I added a link to https://github.com/container-storage-interface/spec/blob/master/spec.md#terminology for terminology in the Proposal section.

... add a link to the repo with the code ...
Added a link to kubernetes-csi/external-snapshot-metadata.
The KEP was written before the associated external-snapshot-repository was created so lacks these links to the code.

add a concrete RBAC rule definition that would let a backup client scrape the snapshot metadata to the Risks and Mitigations section...

Added a link to deploy/example at the end of the section.

... explain how you implement rate limiting to address the Uncontrolled access issue raised by sig-auth.

We do not implement rate limiting. Our mitigation of the Uncontrolled access is partially achieved as a side-effect of requiring K8s authentication and authorization (TokenRequest/TokenReview/SAR) in order to use the service. This was implied previously, so I added language to call it out explicititly.

In the e2e section of the Test Plan, add detailed explanation how you're going to test your sidecar's authenticator and authorizer. Make these a requirement for beta in the Graduation criteria section.

Hmm... the Test Plan does not provide that level of detail on anything. I've added a link to the E2E test PR in case anyone wants to see the actual test logic, and I also added an explicit requirement for authentication and authorization checks to the Beta graduation criteria.

Make the authorization test introspect...

I created Issue 206 to track your suggestion for the authorization unit test.

[stlaz]

You would still likely have at least one cluster-admin in the cluster that could still use it. I wouldn't say this is a valid way to disable the feature.

[carlbraganza]

Okay, I'll remove this.

[stlaz]

The question is about test presence.

[carlbraganza]

I'll revert to the previous text.

[stlaz]

I don't think the CSI driver should be responsible for API presence.

[carlbraganza]

This is as per the KEP.

This feature adds functionality to a CSI driver and follows the established pattern of existing CSI driver sidecars that provide for volume snapshots, etc, in how the sidecar is deployed (https://kubernetes-csi.github.io/docs/deploying.html).

However, unlike the other CSI features, access to this new sidecar bypasses the K8s API server for the most part, as it involves a lot of I/O. Secure access to the sidecar requires that the client know the server's certificate and audience string - the CR exists to convey this information, and how this CR gets created is up to the CSI driver.

[stlaz]

Right, but the cluster operator/administrator should be responsible for the APIs that exist in the cluster, correct?

If my assumption is wrong, please explain how conflicts in different CRD versions should be handled by the CSI drivers, e.g.. a field gets added into the CRD but an old version of the CSI driver attempts to reconcile the CRD to its desired version.

[stlaz]

The API is common for all the CSI drivers I believe. Please fill this out.

[carlbraganza]

No upgrade or rollback was tested.

CSI sidecar's are deployed as part of a CSI driver installation and hence are vendor specific in nature. The CSI specifies how a sidecar container communicates with the CSI driver container, but does not specify how the containers are deployed.

[stlaz]

ok

[stlaz]

Explain how a backup client should handle rollbacks that would cause the feature to suddenly disappear/stop working for them.

[carlbraganza]

Added:

Any rollback will cause active operations by a backup application to fail.
Such failure is similar to a network failure that the application ought to be
capable of handling.

[stlaz]

Thanks. I think there might be a typo I missed in the first read.

Suggested change

	these objects during rollout or rollback of their driver fails.
	these objects during rollout or rollback if their driver fails.

[stlaz]

This probably shouldn't be logged into events but should just be kept as a response to the client?

[carlbraganza]

Yes, you're right. Reverted.

[stlaz]

Which logs would appear in the CSI driver?

[carlbraganza]

Re-wrote to be:

Log records from the external-snapshot-metadata sidecar container should be visible in its logs,
assuming a typical deployment such as that described in
Deploying CSI Driver on Kubernetes.

[stlaz]

In the Test Plan section you explicitly claim integration tests are not suitable for the feature.

[carlbraganza]

Hmm... Thanks for pointing that out! I removed that comment and moved this link to that section.

[stlaz]

You should follow the template from the .md comment above.

[carlbraganza]

@stlaz I hope I've addressed all your feedback.

[carlbraganza]

Hmm... Thanks for pointing that out! I removed that comment and moved this link to that section.

[carlbraganza]

Okay, I'll remove this.

[carlbraganza]

Thanks for the feedback.

Explain the abbreviation "SP" ...

I added a link to https://github.com/container-storage-interface/spec/blob/master/spec.md#terminology for terminology in the Proposal section.

... add a link to the repo with the code ...
Added a link to kubernetes-csi/external-snapshot-metadata.
The KEP was written before the associated external-snapshot-repository was created so lacks these links to the code.

add a concrete RBAC rule definition that would let a backup client scrape the snapshot metadata to the Risks and Mitigations section...

Added a link to deploy/example at the end of the section.

... explain how you implement rate limiting to address the Uncontrolled access issue raised by sig-auth.

We do not implement rate limiting. Our mitigation of the Uncontrolled access is partially achieved as a side-effect of requiring K8s authentication and authorization (TokenRequest/TokenReview/SAR) in order to use the service. This was implied previously, so I added language to call it out explicititly.

In the e2e section of the Test Plan, add detailed explanation how you're going to test your sidecar's authenticator and authorizer. Make these a requirement for beta in the Graduation criteria section.

Hmm... the Test Plan does not provide that level of detail on anything. I've added a link to the E2E test PR in case anyone wants to see the actual test logic, and I also added an explicit requirement for authentication and authorization checks to the Beta graduation criteria.

Make the authorization test introspect...

I created Issue 206 to track your suggestion for the authorization unit test.

[carlbraganza]

I'll revert to the previous text.

[carlbraganza]

This is as per the KEP.

This feature adds functionality to a CSI driver and follows the established pattern of existing CSI driver sidecars that provide for volume snapshots, etc, in how the sidecar is deployed (https://kubernetes-csi.github.io/docs/deploying.html).

However, unlike the other CSI features, access to this new sidecar bypasses the K8s API server for the most part, as it involves a lot of I/O. Secure access to the sidecar requires that the client know the server's certificate and audience string - the CR exists to convey this information, and how this CR gets created is up to the CSI driver.

[carlbraganza]

No upgrade or rollback was tested.

CSI sidecar's are deployed as part of a CSI driver installation and hence are vendor specific in nature. The CSI specifies how a sidecar container communicates with the CSI driver container, but does not specify how the containers are deployed.

[carlbraganza]

Re-wrote to be:

Log records from the external-snapshot-metadata sidecar container should be visible in its logs,
assuming a typical deployment such as that described in
Deploying CSI Driver on Kubernetes.

[carlbraganza]

Added:

Any rollback will cause active operations by a backup application to fail.
Such failure is similar to a network failure that the application ought to be
capable of handling.

[carlbraganza]

Yes, you're right. Reverted.

[stlaz]

permanent links everywhere, please

[stlaz]

@kubernetes/sig-auth-proposals This KEP suggests that an unauthenticated client can cause N authenticated clients to fan out requests to the KAS until KAS starts rate-limiting each of these authenticated clients. N is the number of CSI driver instances installed in the cluster.

Is this ok?

[stlaz]

Inline the specific RBAC rule here

[stlaz]

permanent link, please

[stlaz]

Permanent link, please.

Why is this considered an integration test?

[stlaz]

Right, but the cluster operator/administrator should be responsible for the APIs that exist in the cluster, correct?

If my assumption is wrong, please explain how conflicts in different CRD versions should be handled by the CSI drivers, e.g.. a field gets added into the CRD but an old version of the CSI driver attempts to reconcile the CRD to its desired version.

[stlaz]

Thanks. I think there might be a typo I missed in the first read.

Suggested change

	these objects during rollout or rollback of their driver fails.
	these objects during rollout or rollback if their driver fails.

[stlaz]

Suggested change

	Such failure is similar to a network failure that the application ought to be
	capable of handling.
	Such failure is similar to a network failure that the backup client application ought to be
	capable of handling gracefully.

[stlaz]

ok

[stlaz]

Define "most of the time" with a specific number.