Bug
Resolution: Done
4.14
Quality / Stability / Reliability
Moderate
Description of problem:
According to linked access checks in Azure, whenever a subnets/write operation is invoked, the caller must also have the following permissions when the target subnet has the corresponding additional properties (resources) configured:
- Microsoft.Network/serviceEndpointPolicies/join/action
- Microsoft.Network/natGateways/join/action
- Microsoft.Network/networkIntentPolicies/join/action
- Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action
Permissions have already been added in the upstream azurefile-csi-driver: https://github.com/kubernetes-sigs/azurefile-csi-driver/pull/2495/files
Also opened a PR with cluster-storage-operator to add them: https://github.com/openshift/cluster-storage-operator/pull/565
I'm opening this for tracking purposes.
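Added example (not the page's own content and not the actual manifest from cluster-storage-operator or azurefile-csi-driver): a CredentialsRequest whose Azure provider spec carries the four join/action permissions next to the base subnets/write permission, so that the linked access check passes when a NAT gateway, service endpoint policy, network intent policy or IPAM pool is attached to the subnet. The resource names, the secret reference and the flat `permissions` list under `AzureProviderSpec` are assumptions for illustration; the full action name `Microsoft.Network/virtualNetworks/subnets/write` is the assumed expansion of the "subnets/write" operation named above.

```yaml
# Added example, not the operator's real CredentialsRequest.
# Assumed: CredentialsRequest with an AzureProviderSpec carrying a flat
# `permissions` list of Azure RBAC actions; names below are hypothetical.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: azure-file-csi-driver-operator            # hypothetical name
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: azure-file-credentials                   # hypothetical name
    namespace: openshift-cluster-csi-drivers
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    permissions:
      # Base permission the operator exercises when it configures a private
      # endpoint to storage on a cluster subnet (assumed full action name).
      - Microsoft.Network/virtualNetworks/subnets/write
      # Linked access checks: Azure additionally evaluates each of these when
      # the target subnet has the matching resource attached. Without them the
      # subnets/write call is denied even though subnets/write itself is granted.
      - Microsoft.Network/serviceEndpointPolicies/join/action                       # service endpoint policy on subnet
      - Microsoft.Network/natGateways/join/action                                   # NAT gateway on subnet
      - Microsoft.Network/networkIntentPolicies/join/action                         # network intent policy on subnet
      - Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action # IPAM pool on subnet
```

When diagnosing the failure described in this report, compare the action list in the role definition that the operator's identity actually holds against the list above: a missing join/action for whichever resource is attached to the subnet is the expected cause of the linked access check error, and adding that action (rather than broadening to a wildcard) keeps the grant at least privilege.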
Version-Release number of selected component (if applicable):
4.14+
How reproducible:
Steps to Reproduce:
1. Configure a NAT gateway (or service endpoint policy, network intent policy, or IPAM pool) on cluster subnets
2. Attempt to use the operator's subnets/write permission by configuring a private endpoint to storage
3. Observe linked access checks failure
Actual results:
Expected results:
Additional info:
relates to: OCPBUGS-54491 Azure CSI File Missing Permissions in CredentialsRequest (Verified)