Feature Request
Resolution: Unresolved
Normal
1. Proposed title of this feature request
- Add private endpoints support for Storage Accounts in ARO
2. What is the nature and description of the request?
- In the context of an ARO cluster deployment, two storage accounts are provisioned with the cluster: clusterStorageAccountName and ImageRegistryStorageAccountName.
- Both storage accounts are provisioned with NetworkRuleSet.DefaultAction: Deny (a.k.a. "publicNetworkAccess: False"), which means the storage account allows traffic only from specific virtual networks (i.e. public access is not open in general, only to specific services such as ARO-RP [0], ARO Hive [2] and the ARO Egress Lockdown Gateway [3]).
- For security compliance reasons, certain customer use cases require setting "publicNetworkAccess: Disabled" and therefore handing access control for those storage accounts over to the customer through a private endpoint.
3. Why does the customer need this? (List the business requirements here)
- Security compliance
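The distinction the request turns on (DefaultAction Deny still leaves the public endpoint reachable for allow-listed sources, whereas publicNetworkAccess Disabled removes it and requires a private endpoint) can be checked from a storage account's properties. The following is an added example, not code from this ticket or from ARO-RP; it assumes the field names returned by `az storage account show` (networkRuleSet, publicNetworkAccess, privateEndpointConnections) and uses constructed sample records.

```python
"""Classify how an Azure Storage Account is exposed on the network.

Added example, not code from the ticket or from ARO-RP. Field names follow
`az storage account show` output (assumed: networkRuleSet, publicNetworkAccess,
privateEndpointConnections); the sample records are constructed.
"""


def assess(acct: dict) -> dict:
    """Return the exposure class of one storage account record."""
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    # An absent publicNetworkAccess means the public endpoint is still enabled.
    public_access = acct.get("publicNetworkAccess") or "Enabled"
    approved = [
        conn["privateEndpoint"]["id"]
        for conn in acct.get("privateEndpointConnections") or []
        if (conn.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    if public_access == "Disabled":
        exposure = "private-only"  # public endpoint gone; only private endpoints reach it
    elif default_action == "Deny":
        exposure = "public-selected-networks"  # public endpoint up, allow-listed sources only
    else:
        exposure = "public-all-networks"
    return {
        "name": acct.get("name"),
        "exposure": exposure,
        "private_endpoints": approved,
        # What the ticket asks for: no public endpoint and a usable private one.
        "meets_request": public_access == "Disabled" and bool(approved),
    }


# Constructed sample records with placeholder names (not real ARO resources).
TODAY = {  # as the ticket describes current provisioning: Deny, public endpoint enabled
    "name": "clustersa0000",
    "networkRuleSet": {"defaultAction": "Deny", "virtualNetworkRules": [{"id": "/subnets/example"}]},
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [],
}
REQUESTED = {  # the requested state: public access disabled, private endpoint approved
    "name": "clustersa0000",
    "networkRuleSet": {"defaultAction": "Deny"},
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{
        "privateEndpoint": {"id": "/privateEndpoints/example-pe"},
        "privateLinkServiceConnectionState": {"status": "Approved"},
    }],
}
```

Running `assess` over the output of `az storage account list` gives a quick sweep of which accounts still expose a public endpoint and which already match the requested private-only state.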
[0] https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/storage/common/storage-network-security.md
[1] https://github.com/Azure/ARO-RP
[2] https://github.com/Azure/ARO-RP/blob/master/docs/hive.md