[csi-cinder-plugin] Ephemeral Volume removal process #2599

Closed
sergelogvinov opened this issue May 23, 2024 · 11 comments · Fixed by #2602 or #2655
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@sergelogvinov
Contributor

sergelogvinov commented May 23, 2024

/kind feature

What happened:

CSI Ephemeral Volume has been deprecated #1493 and it requires OpenStack credentials on each node, adding unnecessary complexity to our support processes.

Can we start the removal process for it?

ref #2551

What you expected to happen:

How to reproduce it:

Anything else we need to know?:

Environment:

  • openstack-cloud-controller-manager(or other related binary) version:
  • OpenStack version:
  • Others:
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 23, 2024
@dulek
Contributor

dulek commented May 23, 2024

I agree, it makes sense to remove the feature now.

@sergelogvinov
Contributor Author

Reopen issue #2599 @k8s-ci-robot

@kon-angelo

The issue being closed is quite misleading at this point. The PR for the ephemeral volume removal only prevents the creation of new ones. However, I see no tracking of the overall process for removing the Ephemeral Volume code path and the need for credentials on the nodeserver. Is this tracked somewhere, and/or does an ETA exist for the next steps?

@sergelogvinov
Contributor Author

I hope to remove all the remaining code in the next release. I've already done some cleanup, but it's still under development (in my branch).

@kon-angelo

@sergelogvinov How about we feature-gate the complete removal of the remaining code? So instead of waiting 2 releases for the complete removal, and since it is decided that the code will be deprecated, why not already give us the option to disable the credential use? As of now, the only reason to keep it would be the cleanup of ephemeral volumes (please correct me if I am wrong). I can also help work on that if you wish.

@sergelogvinov
Contributor Author

The new release will come very soon.

I don't believe it's possible to change anything right now. It's better to wait for the new release, and afterward, we can merge all the new changes so you can use the credentials-free node plugin.

@kayrus
Contributor

kayrus commented Sep 13, 2024

@zetaab @dulek it appears to be a severe security issue in our environment. Do you think we can consider this fix as a security improvement and backport it to lower versions?

@zetaab
Member

zetaab commented Sep 13, 2024

Well, I do not see this as a security issue. Kubernetes secrets mounted to all CSI pods in kube-system does not sound like a security issue. Also, removing features in existing old versions does not sound like a good way of doing it?

But yeah, if this feature itself is not needed, then it should be removed.

@kayrus
Contributor

kayrus commented Sep 13, 2024

If you take a look at #2640, the credentials code is not fully removed. There is an option to avoid specifying the credentials. And this is basically what our security officer requires.

@sergelogvinov
Contributor Author

Hi, if we accept "bracing changes" in the new release, I can remove all the code that uses cloud-config on the node-side plugin.

Thanks.

@kayrus
Contributor

kayrus commented Sep 16, 2024

@sergelogvinov I'd be interested in a toggle that allows using the CSI node-server without secrets, and in backporting it to earlier releases.

6 participants