You may be interested in this draft design proposal: https://docs.google.com/document/d/1d1KXKArMgEGMGw5Sos4lFVlg0-CtG-ESZsKXy18P-CQ/edit#. It's a different use case. It tries to define "VolumeSecurityStandards" based on "PodSecurityStandards" and use that to have a more fine-grained control of volume mode conversion between source and target PVCs.

Thanks,

On Thu, Sep 23, 2021 at 6:01 PM Adam Kaplan <adam....@redhat.com> wrote:

Hello sig-storage and sig-auth,

My team is developing a CSI driver which provides inline ephemeral CSI volumes [1]. In thinking through how this driver could be secured by cluster administrators, we found that current pod security standards default to allowing these volumes to be mounted [2]. Current guidance recommends that either:

1. Cluster admins deem these drivers safe for all when the CSIDriver object is created, or
2. Cluster admins rely on third party admission control.

We'd like to propose a middle ground whereby Kubernetes provides some first-class admission control for inline CSI volumes. This was initially discussed during sig-security's biweekly meeting, where we felt it was best to solicit use cases here for such an enhancement. I have a bare draft KEP in the linked Google doc, where I'm attempting to capture said use cases [3].

Please feel free to add your suggestions for use cases, or risks/mitigations that should be considered, to the Google doc.

Thank you,
Adam

[2] https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md#pod-security-standards
[3] https://docs.google.com/document/d/1FSHyYrb0_zWL3d1KZRA_6aXfhF8N-v9D-ggYAidHkwE/edit?usp=sharing

--
Adam Kaplan
He/Him
Principal Software Engineer
100 E. Davie Street
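As an added illustration of the second option Adam describes (cluster admins relying on their own admission control rather than marking the CSIDriver safe for everyone), here is a constructed validating-admission check that is not part of the thread or of any Kubernetes project: it inspects `pod.spec.volumes[].csi` entries and rejects the pod when an inline CSI volume names a driver outside an administrator allowlist. The driver names, the allowlist and the sample pod are all invented for the example.

```python
"""Constructed example (not from the thread or any Kubernetes project):
a validating-admission check for inline 'csi:' pod volumes that only
admits drivers an administrator has explicitly allowlisted."""
import json

# Assumption: an administrator-maintained allowlist of CSI driver names.
ALLOWED_INLINE_CSI_DRIVERS = {"trusted.csi.example.com"}


def disallowed_inline_csi_drivers(pod, allowed=ALLOWED_INLINE_CSI_DRIVERS):
    """Return the sorted driver names of inline CSI volumes not on the allowlist."""
    bad = set()
    for vol in ((pod.get("spec") or {}).get("volumes") or []):
        csi = vol.get("csi")
        if csi is None:
            continue  # emptyDir, PVC, secret, ... are not inline CSI volumes
        # A 'csi' volume with no driver name is treated as untrusted (fail closed).
        driver = csi.get("driver") or "<missing driver>"
        if driver not in allowed:
            bad.add(driver)
    return sorted(bad)


def review_admission(review_json, allowed=ALLOWED_INLINE_CSI_DRIVERS):
    """Turn an AdmissionReview request (JSON text) into an AdmissionReview response."""
    req = json.loads(review_json)["request"]
    bad = disallowed_inline_csi_drivers(req.get("object") or {}, allowed)
    response = {"uid": req["uid"], "allowed": not bad}
    if bad:
        response["status"] = {
            "code": 403,
            "message": "inline CSI volume(s) use non-allowlisted driver(s): " + ", ".join(bad),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(uid, pod):
    """Build a minimal AdmissionReview request for a Pod (constructed test input)."""
    return json.dumps({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                       "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                                   "operation": "CREATE", "object": pod}})


# Constructed pod: one allowlisted inline CSI volume, one from an unknown driver.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"volumes": [
    {"name": "ok", "csi": {"driver": "trusted.csi.example.com"}},
    {"name": "suspect", "csi": {"driver": "untrusted.csi.example.com"}},
    {"name": "scratch", "emptyDir": {}},
]}}
```

Wiring this behind a ValidatingWebhookConfiguration, and scoping the allowlist per namespace, is left to the cluster's existing admission setup.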
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CADmLb%2B%3D6Cc9Ae20xwgwj0WF07FRHg4a2bP3%2BbTZMMRMMAjuyqg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CADwwA9uDSvKE_3zEgBHy4tbVhzD6RPDzNpsDJZ8SexoQ-UWpKQ%40mail.gmail.com.