Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41542

[CAPI Azure] storage account created by installer has public access on fully private cluster

XMLWordPrintable

    • Important
    • None
    • Installer (PB) Sprint 259
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • Done

      This is a clone of issue OCPBUGS-37506. The following is the description of the original issue:

      Description of problem:

      Install Azure fully private IPI cluster by using CAPI with payload built from cluster bot including openshift/installer#8727,openshift/installer#8732,
      
      install-config:
      =================
      platform:
        azure:
          region: eastus
          outboundType: UserDefinedRouting
          networkResourceGroupName: jima24b-rg
          virtualNetwork: jima24b-vnet
          controlPlaneSubnet: jima24b-master-subnet
          computeSubnet: jima24b-worker-subnet
      publish: Internal
      featureSet: TechPreviewNoUpgrade
      
      Checked storage account created by installer, its property allowBlobPublicAccess is set to True.
      $ az storage account list -g jima24b-fwkq8-rg --query "[].[name,allowBlobPublicAccess]" -o tsv
      jima24bfwkq8sa    True
      
      This is not consistent with terraform code, https://github.com/openshift/installer/blob/master/data/data/azure/vnet/main.tf#L74
      
      At least, storage account should have no public access for fully private cluster.

      Version-Release number of selected component (if applicable):

          4.17 nightly build

      How reproducible:

          Always

      Steps to Reproduce:

          1. Create fully private cluster
          2. Check storage account created by installer
          3.
          

      Actual results:

          storage account have public access on fully private cluster.

      Expected results:

           storage account should have no public access on fully private cluster.

      Additional info:

          

            sdasu@redhat.com Sandhya Dasu
            openshift-crt-jira-prow OpenShift Prow Bot
            Jinyun Ma Jinyun Ma
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: