-
Notifications
You must be signed in to change notification settings - Fork 251
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Documentation on the external-snaphot-metadata sidecar (alpha).
- Loading branch information
1 parent
1360f37
commit 8c9996b
Showing
3 changed files
with
112 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Changed Block Tracking | ||
|
|
||
| ## Status | ||
|
|
||
| Status | Min K8s Version | Max K8s Version | external-snapshot-metadata Version | ||
| -------|-----------------|-----------------|----------------------------------- | ||
| Alpha | 1.32 | - | v0.1.0 | ||
|
|
||
|
|
||
| ## Overview | ||
|
|
||
| This optional feature provides a secure mechanism to obtain metadata | ||
| on the allocated blocks of a CSI VolumeSnapshot, or the changed blocks between two arbitrary pairs of CSI VolumeSnapshot objects of the same PersistentVolume. | ||
|
|
||
| Snapshot metadata must be fetched directly with the | ||
| [Kuberenets SnapshotMetadata gRPC service](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#the-kubernetes-snapshotmetadata-service-api) | ||
| from an [external-snapshot-metadata](./external-snapshot-metadata.md) | ||
| sidecar configured by the CSI driver. | ||
| This bypasses the Kubernetes API server for the most part: the API | ||
| server is only used to fetch the Kubernetes objects needed for secure, authorized and mutually authenticated communication. | ||
|
|
||
| > See [Kubernetes Enhancement Proposal 3314](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking) | ||
| > for details of the Changed Block Tracking feature. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| # CSI external-snapshot-metadata | ||
|
|
||
| ## Status and Releases | ||
|
|
||
| **Git Repository:** [https://github.com/kubernetes-csi/external-snapshot-metadata](https://github.com/kubernetes-csi/external-snapshot-metadata) | ||
|
|
||
| ### Supported Versions | ||
|
|
||
| Latest stable release | Branch | Min CSI Version | Max CSI Version | Container Image | [Min K8s Version](project-policies.md#minimum-version) | [Max K8s Version](project-policies.md#maximum-version) | [Recommended K8s Version](project-policies.md#recommended-version) | | ||
| --|--|--|--|--|--|--|-- | ||
| v0.1.0 | [v0.1.0](https://github.com/kubernetes-csi/external-snapshot-metadata/releases/tag/v0.1.0) | [v1.10.0](https://github.com/container-storage-interface/spec/releases/tag/v1.10.0) | - | gcr.io/k8s-staging-sig-storage/csi-snapshot-metadata:v0.1.0 | v1.32 | - | v1.32 | ||
|
|
||
|
|
||
| ## Alpha | ||
|
|
||
| ### Description | ||
| The sidecar securely serves snapshot metadata to Kubernetes clients through the | ||
| [Kubernetes SnapshotMetadata gRPC Service](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#the-kubernetes-snapshotmetadata-service-api). | ||
|
|
||
| The sidecar authenticates and authorizes each Kubernetes backup application request made through the | ||
| Kubernetes SnapshotMetadata gRPC Service API. | ||
| It then acts as a proxy as it fetches the desired metadata from the CSI driver and | ||
| streams it directly to the requesting application with no load on the Kubernetes API server. | ||
|
|
||
| See ["The External Snapshot Metadata Sidecar"](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#the-external-snapshot-metadata-sidecar) | ||
| section in the CSI Changed Block Tracking KEP for additional details on the sidecar. | ||
|
|
||
| ### Usage | ||
| Backup applications, identified by authorized ServiceAccount objects, directly communicate with the sidecar using the | ||
| [Kubernetes SnapshotMetadata gRPC Service](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#the-kubernetes-snapshotmetadata-service-api). | ||
| The authorization needed is described in the | ||
| ["Risks and Mitigations"](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#risks-and-mitigations) | ||
| section of the CSI Changed Block Tracking KEP. | ||
|
|
||
| The existence of this optional service is advertised by the presence of a | ||
| [Snapshot Metadata Service CR](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#snapshot-metadata-service-custom-resource), | ||
| named for the CSI driver that provisions the PersistentVolume and VolumeSnapshot objects involved. | ||
| The CR contains the sidecar's address, CA certificate and audience string. | ||
| The backup application must use the Kubernetes | ||
| [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) | ||
| API with the sidecar's audience string to obtain a Kubernetes authentication token for use in the | ||
| Kubernetes SnapshotMetadata gRPC Service API call. | ||
| The backup application should establish trust for the sidecar CA certificate before making the API call | ||
| to the specified address. | ||
|
|
||
| The sidecar repository contains a | ||
| [snapshot-metadata-lister](https://github.com/kubernetes-csi/external-snapshot-metadata/tree/master/examples/snapshot-metadata-lister) | ||
| example command to illustrate how a Kubernetes backup application can fetch snapshot metadata | ||
| through the Kubernetes SnapshotMetadata gRPC Service API. | ||
| It utilizes the services provided by the | ||
| [pkg/iterator](https://github.com/kubernetes-csi/external-snapshot-metadata/tree/master/pkg/iterator) | ||
| Go package, which can be used by the backup application if desired. | ||
|
|
||
| VolumeSnapshot metadata can be lengthy, and the Kubernetes SnapshotMetadata gRPC Service supports | ||
| restarting an interrupted metadata request from an intermediate point in case of failure. | ||
|
|
||
| ### Deployment | ||
| The CSI `external-snapshot-metadata` sidecar should be deployed by | ||
| CSI drivers that support the | ||
| [Changed Block Tracking](./changed-block-tracking.md) feature. | ||
| The sidecar must be deployed in the same pod as the CSI driver and | ||
| will communicate with its CSI [SnapshotMetadata](https://github.com/container-storage-interface/spec/blob/master/spec.md#snapshot-metadata-service-rpcs) | ||
| and [Identity](https://github.com/container-storage-interface/spec/blob/master/spec.md#identity-service-rpc) gRPC services | ||
| over a UNIX domain socket. | ||
|
|
||
| The sidecar should be configured to run under the authority of its | ||
| CSI driver ServiceAccount, which must be authorized as described | ||
| in the | ||
| ["Risks and Mitigations"](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#risks-and-mitigations) | ||
| section of the CSI Changed Block Tracking KEP. | ||
| In particular, this requires the ability to | ||
| use the Kubernetes | ||
| [TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) | ||
| and | ||
| [SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/) | ||
| APIs. | ||
|
|
||
| A Service object must be created for the TCP based [Kubernetes SnapshotMetadata](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#the-kubernetes-snapshotmetadata-service-api) | ||
| gRPC service implemented by the sidecar. | ||
|
|
||
| A [SnapshotMetadataService CR](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3314-csi-changed-block-tracking#snapshot-metadata-service-custom-resource), | ||
| named for the CSI driver, must be created to advertise the | ||
| availability of this optional feature. | ||
| The CR contains the CA certificate and Service endpoint address | ||
| of the sidecar and the audience string needed for the client | ||
| authentication token. | ||
|
|