Jan Šafránek
What people in my social bubble use is [kube-rbac-proxy](https://brancz.com/2018/02/27/using-kube-rbac-proxy-to-secure-kubernetes-workloads/). I.e. the attacher (and other sidecars) listen on http on loopback only and another sidecar listens on a public https port...
> The problem is that we decided to move away from kube-rbac-proxy. I don't know the details but it's just not a feasible solution for us. Can you please check what...
> i. Pick a random CSI driver to fix this issue in the driver
> ii. Write an E2E test to catch this issue

I'm experimenting with a Kubernetes e2e...
Turned into real e2e test in Kubernetes: https://github.com/kubernetes/kubernetes/pull/102538
IMO this is covered in the "Timeouts" chapter: https://github.com/container-storage-interface/spec/blob/master/spec.md#timeouts. It IMO applies not only to timeouts, but also to similar errors like interrupted gRPC connections, where the caller cannot be sure...
Yes, Kubernetes already breaks CSI spec and can call ControllerUnpublish without NodeUnpublish / NodeUnstage succeeding if Kubernetes thinks the node is broken - it can't really call NodeUnstage/Unpublish in that...
@mattcary, while it would be possible to add a new test to test/e2e, it's not easy to fix e2e/sanity - all `NodeStage` calls there will fail, because the fake mounter...
> That would be skipping resize tests in sanity (the other tests will continue to work, or have those been broken too?)

Unfortunately, all sanity tests that call NodeStage will...
/refresh /retest
/remove-lifecycle rotten