Handle training data and model artifacts on CoreWeave persistent storage. Use when managing large datasets, configuring storage classes, or implementing data pipelines for GPU workloads. Trigger with phrases like "coreweave data", "coreweave storage", "coreweave pvc", "coreweave dataset management".
CoreWeave GPU cloud workloads involve large-scale data artifacts: model weights (multi-GB safetensors/GGUF), training datasets (parquet, TFRecord, WebDataset), checkpoint snapshots, and inference cache volumes. Data flows through Kubernetes PersistentVolumeClaims backed by region-specific storage classes. Compliance requires encryption at rest via the storage driver, namespace-scoped RBAC for volume access, and audit logging for any data egress from GPU nodes.
| Data Type | Sensitivity | Retention | Encryption |
|---|---|---|---|
| Model weights | Medium | Until deprecated | AES-256 at rest |
| Training datasets | High (may contain PII) | Per data license | AES-256 + TLS in transit |
| Checkpoint snapshots | Medium | 30 days post-training | AES-256 at rest |
| Inference cache | Low | Session/TTL |
| Volume-level encryption |
| HuggingFace tokens | Critical | Rotate quarterly | K8s Secret + KMS |
import { KubeConfig, BatchV1Api } from '@kubernetes/client-node';
async function importDataset(pvcName: string, sourceUrl: string, namespace: string) {
const kc = new KubeConfig();
kc.loadFromDefault();
const batch = kc.makeApiClient(BatchV1Api);
const job = {
metadata: { name: `import-${Date.now()}`, namespace },
spec: { template: { spec: {
restartPolicy: 'Never',
containers: [{ name: 'loader', image: 'python:3.11-slim',
command: ['python3', '-c', `
import urllib.request, hashlib
dest = '/data/dataset.tar.gz'
urllib.request.urlretrieve('${sourceUrl}', dest)
print(f"SHA256: {hashlib.sha256(open(dest,'rb').read()).hexdigest()}")`],
volumeMounts: [{ name: 'storage', mountPath: '/data' }],
}],
volumes: [{ name: 'storage', persistentVolumeClaim: { claimName: pvcName } }],
}}}
};
await batch.createNamespacedJob(namespace, { body: job });
}
async function exportCheckpoint(pvcName: string, destBucket: string, ns: string) {
// Validate export destination is in approved region list
const APPROVED_REGIONS = ['us-east-1', 'us-central-1', 'eu-west-1'];
const region = destBucket.split('-').slice(0, 3).join('-');
if (!APPROVED_REGIONS.some(r => destBucket.includes(r))) {
throw new Error(`Export blocked: ${region} not in approved regions`);
}
// Stream from PVC → object storage with integrity check
const exportCmd = `tar czf - /models | gsutil cp - gs://${destBucket}/export.tar.gz`;
console.log(`Exporting from PVC ${pvcName} to ${destBucket}`);
return exportCmd;
}
interface ModelArtifact {
name: string; format: 'safetensors' | 'gguf' | 'bin' | 'pt';
sizeBytes: number; sha256: string;
}
function validateArtifact(artifact: ModelArtifact): string[] {
const errors: string[] = [];
if (!artifact.name || artifact.name.length > 255) errors.push('Invalid artifact name');
if (artifact.sizeBytes <= 0) errors.push('Size must be positive');
if (!/^[a-f0-9]{64}$/.test(artifact.sha256)) errors.push('Invalid SHA-256 hash');
if (!['safetensors', 'gguf', 'bin', 'pt'].includes(artifact.format)) errors.push(`Unsupported format`);
return errors;
}
| Issue | Cause | Fix |
|---|---|---|
| PVC pending indefinitely | Storage class unavailable in region | Check kubectl get sc and switch to available class |
| Download job OOMKilled | Dataset exceeds container memory limit | Increase resource limits or use streaming download |
| Permission denied on volume | RBAC misconfigured for namespace | Verify ServiceAccount has PVC access via RoleBinding |
| Checksum mismatch after import | Partial transfer or corruption | Re-run import job; enable retry with backoff |
| Secret not found | KMS key rotation or namespace mismatch | Verify secret exists in target namespace with kubectl get secret |
See coreweave-security-basics.