- Feature Request
- Resolution: Done
- Normal
- openshift-4.10, openshift-4.10.z
- False
- None
- False
- Not Selected
- Azure Red Hat Openshift
1. Proposed title of this feature request
Enable AD DS authentication for Azure file shares
2. What is the nature and description of the request?
The Azure storage account key is effectively a super-user credential: anyone holding the key can access the storage account from anywhere, which makes distributing it to workloads a security issue.
3. Why does the customer need this? (List the business requirements here)
Customer: Persistent storage using Azure File requires a secret that contains the Azure storage account key; we don't want to use the storage account key for accessing the storage account (https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations). We're looking for either "Azure Active Directory (Azure AD)" or "On-premises Active Directory Domain Services", which are listed at https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations. If we're able to utilize AD DS based integrated authentication for Azure file shares, then we need to use an AD DS account to mount the PV/PVC in the pod. The Azure storage account key is a super user; it's a security issue because with the storage account key, you can access storage anywhere.
4. List any affected packages or components.
AzureFile CSI driver StorageClass

[1] https://github.com/openshift/azure-disk-csi-driver
[2] https://github.com/kubernetes-sigs/azurefile-csi-driver
5. Dialogue as I (Red Hatter) understand it
Following the documentation [1][2] to add the AzureFile CSI driver StorageClass, it requires you to use 'azurestorageaccountkey' to create PVCs. This method works as expected. However, the customers' expectation is that the PVC is provisioned using Azure AD DS to authenticate before building the PVC, and that the same user is then used to mount the NFS share to the node/pod.

[1] https://github.com/openshift/azure-disk-csi-driver
[2] https://github.com/kubernetes-sigs/azurefile-csi-driver
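To make concrete what the request is about, the following manifests show the key-based wiring that the CSI driver documentation describes: a Secret carrying the storage account key, and a StorageClass that hands that Secret to both the provisioner and the node-stage step. This is an added illustration, not a manifest from the ticket, the OpenShift driver repository, or the upstream azurefile-csi-driver project; the object names, namespace, account name and SKU are assumptions chosen for the example, and the key value is a placeholder. The Secret keys `azurestorageaccountname`/`azurestorageaccountkey` and the `csi.storage.k8s.io/*-secret-*` parameters are the ones the upstream driver consumes.

```yaml
# Added illustration (not from the ticket or the driver project): the
# account-key based StorageClass wiring the request wants to replace.
# Every name below is an assumption for this example; the key is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: azure-file-secret                    # assumed name
  namespace: openshift-cluster-csi-drivers   # assumed namespace
type: Opaque
stringData:
  azurestorageaccountname: mystorageaccount  # assumed account name
  # The account key grants full data-plane access to the whole storage
  # account from any network location, which is the exposure the ticket raises.
  azurestorageaccountkey: "<STORAGE-ACCOUNT-KEY-PLACEHOLDER>"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-csi-key-based              # assumed name
provisioner: file.csi.azure.com
parameters:
  skuName: Standard_LRS                      # assumed SKU
  # The provisioner reads the Secret to create the share ...
  csi.storage.k8s.io/provisioner-secret-name: azure-file-secret
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-cluster-csi-drivers
  # ... and the node plugin reads the same Secret to mount it on the node,
  # so the key ends up on every node that schedules a pod using a PVC of this class.
  csi.storage.k8s.io/node-stage-secret-name: azure-file-secret
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-cluster-csi-drivers
reclaimPolicy: Delete
volumeBindingMode: Immediate
```

For reviewing an existing cluster, the StorageClass parameters are the place to look: any class for `file.csi.azure.com` whose `csi.storage.k8s.io/*-secret-name` parameters point at a Secret containing `azurestorageaccountkey` is using the super-user credential the ticket describes, and the namespace named there is where that key is stored.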
Is blocked by:

- OCPSTRAT-513 Azure managed identity with Azure AD workload identity for self-managed OpenShift (Closed)