-
Notifications
You must be signed in to change notification settings - Fork 145
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connection to storage account with storage account keys disabled doesn't work with workload identity (kerberos auth support) #1737
Comments
@Vegoo89 this is by design since this driver would fetch account key by workload identity, and then mount azure file by account key. |
But can't it use RBAC role to authenticate? Is there any reason why it can't be done? My company is enrolling policy to disable shared keys so I am reviewing my options. |
@Vegoo89 that requires AAD auth first: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#configure-share-level-permissions-for-azure-files, AKS nodes does not support AAD auth now. |
Sorry if I am missing something but I am scratching my head now. We use workload identity on AKS for keyless auth to wide range of Azure resources. Can't we use it in similar way to authorize ourselves to file share if UAMI has required role assigned and is present under User Assigned identities on AKS VMSS? |
@Vegoo89 the azure file csi driver does not support keyless auth now unless you use NFS file share, that does not require key auth. |
I understand it is not supported now, however I want to understand what is the limitation and what would be necessary to work around it. You told AKS nodes don't support AAD auth, but these are standard VMSS, managed by MS, right? If I assign UAMI to it, why can't I use it to authenticate to file share? |
@Vegoo89 this is all the Supported authentication scenarios for SMB file share mount: in top level, you could assign UAMI with RBAC role (SMB Elevated Contributor) on desired storage account, but in the backend (SMB file share mount implementation details), it requires the one of the above auth, unfortunately those auth methods all requires AD domain join for aks node which is not supported now. other context: |
in brief, there is no workaround for keyless auth since this driver only supports key auth(called NTLM auth instead of kerberos auth) for smb mount unless you use NFS file share:
|
Thanks a lot for detailed explanation. May I keep it opened until smb mount supports AAD or it won't happen in nearest future? |
@andyzhangx am I understanding that with NFS, we can disable Key Access ? We are also being asked to disable 1- I don't see a option for disabling that even if using NFS correct ? |
@djsly yes, you could disable account key access if you are only using nfs file share. We will add such options for account created by this driver. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
What happened: We mapped workload identity to UAMI with RBAC role (SMB Elevated Contributor) on desired storage account scope, however it raises permission denied on mount attempt when storage account keys are disabled on this storage account. When we enable storage account keys it starts to work again.
What you expected to happen: CSI Driver should use RBAC role instead of downloading storage keys
How to reproduce it: Setup CSI connection to storage account with usage of workload identity -> disable storage keys on desired accounts -> try to run the application
Anything else we need to know?:
Environment:
kubectl version
): 1.27.7uname -a
): managed by MSThe text was updated successfully, but these errors were encountered: