Comments (12)
@Vegoo89 this is by design, since this driver fetches the account key by workload identity and then mounts the Azure file share with the account key.
from azurefile-csi-driver.
But can't it use an RBAC role to authenticate? Is there any reason why it can't be done? My company is enrolling a policy to disable shared keys, so I am reviewing my options.
@Vegoo89 that requires AAD auth first: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#configure-share-level-permissions-for-azure-files, and AKS nodes do not support AAD auth now.
Sorry if I am missing something, but I am scratching my head now. We use workload identity on AKS for keyless auth to a wide range of Azure resources.
Can't we use it in a similar way to authorize ourselves to the file share if the UAMI has the required role assigned and is present under User Assigned identities on the AKS VMSS?
@Vegoo89 the Azure File CSI driver does not support keyless auth now unless you use an NFS file share, which does not require key auth.
I understand it is not supported now; however, I want to understand what the limitation is and what would be necessary to work around it.
You said AKS nodes don't support AAD auth, but these are standard VMSS, managed by MS, right? If I assign a UAMI to it, why can't I use it to authenticate to the file share?
@Vegoo89 these are all the supported authentication scenarios for SMB file share mount:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-authentication-scenarios
At the top level, you could assign a UAMI with an RBAC role (SMB Elevated Contributor) on the desired storage account, but in the backend (SMB file share mount implementation details) it requires one of the above auth methods; unfortunately those auth methods all require AD domain join for the AKS node, which is not supported now.
other context:
Azure Files enforces authorization on user access to both the share level and the directory/file levels. Share-level permission assignment can be performed on Microsoft Entra users or groups managed through Azure RBAC. With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Microsoft Entra ID to grant access to an Azure file share.
In brief, there is no workaround for keyless auth, since this driver only supports key auth (NTLM auth rather than Kerberos auth) for SMB mount unless you use an NFS file share:
Thanks a lot for the detailed explanation. May I keep it open until SMB mount supports AAD, or won't that happen in the near future?
@andyzhangx am I understanding that with NFS, we can disable Key Access? We are also being asked to disable "Allow storage account key access" on ALL Storage Accounts.
1- I don't see an option for disabling that even if using NFS, correct?
@djsly yes, you could disable account key access if you are only using NFS file shares. We will add such an option for accounts created by this driver.
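A pre-flight audit that follows from the thread, added here as an example (it is not code from the azurefile-csi-driver project or from any of the commenters): because SMB mounts need the storage account key and NFS mounts do not, a cluster can be checked before the "Allow storage account key access" policy is enforced by pairing each `file.csi.azure.com` StorageClass with the `allowSharedKeyAccess` flag of the storage account it names. The StorageClass parameter names (`protocol`, `storageAccount`, `skuName`) and the `az storage account show` field are the driver's and Azure's documented ones; the account names, flag values and StorageClass objects below are constructed sample data, and treating a StorageClass with no `storageAccount` as "review" is this example's own choice.

```python
import json

# Constructed sample: the JSON shape `az storage account list` returns,
# trimmed to the two fields this audit needs. Azure treats a null
# allowSharedKeyAccess as "allowed" (the historical default).
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stsmbapp", "allowSharedKeyAccess": False},
    {"name": "stnfsapp", "allowSharedKeyAccess": False},
    {"name": "stlegacy", "allowSharedKeyAccess": None},
])

# Constructed sample StorageClass objects, as `kubectl get sc -o json` items.
SAMPLE_STORAGE_CLASSES = [
    {"metadata": {"name": "azurefile-smb"},
     "provisioner": "file.csi.azure.com",
     "parameters": {"storageAccount": "stsmbapp"}},            # no protocol => SMB
    {"metadata": {"name": "azurefile-nfs"},
     "provisioner": "file.csi.azure.com",
     "parameters": {"protocol": "nfs", "storageAccount": "stnfsapp",
                    "skuName": "Premium_LRS"}},
    {"metadata": {"name": "azurefile-legacy"},
     "provisioner": "file.csi.azure.com",
     "parameters": {"protocol": "smb", "storageAccount": "stlegacy"}},
    {"metadata": {"name": "azurefile-dynamic"},
     "provisioner": "file.csi.azure.com",
     "parameters": {"skuName": "Standard_LRS"}},               # driver picks/creates the account
    {"metadata": {"name": "managed-disk"},
     "provisioner": "disk.csi.azure.com",
     "parameters": {}},                                        # not an Azure Files class
]


def load_accounts(az_json: str) -> dict:
    """Map storage account name -> True if shared-key access is still allowed."""
    return {a["name"]: a.get("allowSharedKeyAccess") is not False
            for a in json.loads(az_json)}


def classify(sc: dict, accounts: dict) -> dict:
    """Decide whether one azurefile StorageClass survives disabling key access."""
    params = sc.get("parameters") or {}
    protocol = params.get("protocol", "smb").lower()   # driver default is SMB
    account = params.get("storageAccount")
    finding = {"storageClass": sc["metadata"]["name"],
               "protocol": protocol, "account": account}
    if protocol == "nfs":
        finding["status"] = "ok"                       # NFS mount does not use the key
    elif account is None:
        finding["status"] = "review"                   # account chosen by the driver at provision time
    elif account not in accounts:
        finding["status"] = "unknown-account"
    elif accounts[account]:
        finding["status"] = "ok-until-key-access-disabled"
    else:
        finding["status"] = "will-fail"                # SMB needs the key; key access is off
    return finding


def audit(storage_classes: list, az_json: str) -> list:
    """Run classify() over every StorageClass served by the Azure Files CSI driver."""
    accounts = load_accounts(az_json)
    return [classify(sc, accounts) for sc in storage_classes
            if sc.get("provisioner") == "file.csi.azure.com"]


def failing(storage_classes: list, az_json: str) -> list:
    """Names of StorageClasses whose SMB mounts will break under the policy."""
    return [f["storageClass"] for f in audit(storage_classes, az_json)
            if f["status"] == "will-fail"]


if __name__ == "__main__":
    for f in audit(SAMPLE_STORAGE_CLASSES, SAMPLE_ACCOUNTS_JSON):
        print(f"{f['storageClass']:<18} {f['protocol']:<4} "
              f"{f['account'] or '-':<10} {f['status']}")
```

Feed it the real `kubectl get sc -o json` items and `az storage account list` output to get the same table for a live cluster. The check only covers dynamic provisioning through StorageClasses; statically provisioned PVs that reference a Secret holding the account key are a separate inventory and fail the same way once key access is disabled.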
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale