
I used Azure Files to share storage between many pods in AKS.

In this cluster we have multiple applications. I want access to this storage to be secure: each storage account is accessible only via one user-managed identity assigned to these pods:

  • Use pod identities.
  • Assign "Storage File Data SMB Share Contributor" role to our Managed Identity.

Option 1: using pod-identity, when we create a StorageClass and PersistentVolumeClaim, the PV and storage account are created automatically, so how can we dynamically retrieve the name of this storage account? (IaC with Terraform)

Option 2: without using pod-identities, how can we secure access to this storage account from pods?

admin

1 Answer

Option 1:

  1. You can create the Storage Account beforehand, assign the role on the Storage Account, and use the StorageClass storageAccount parameter to use it instead of creating a new one.

  2. You can create a Resource Group beforehand, assign the role at the scope of the Resource Group, and then specify that Resource Group with the resourceGroup StorageClass parameter to make sure the storage account is created in this Resource Group.

Option 2:

  1. You will have to use a Service Principal or the Storage Account Access Key. You can either get them from a vault (e.g. Azure Key Vault, using the CSI driver) or store them in a Kubernetes Secret.
Jean-Philippe Bond
  • Thank you for your answer, it helped me solve my problem. I will use option 1 (creating a custom resourceGroup and storageAccount which will be used in my storageClass), as also defined here https://github.com/Azure/AKS/issues/1263#issuecomment-544541244 – admin May 02 '21 at 10:54
  • But what about security using pod-identity in the case of multiple apps deployed on AKS? I think we can't use pod-identity to secure access to these storage accounts; in this case, I think it's the AKS identity (systemAssigned) that should have the right permissions to manage all these storage accounts – admin May 02 '21 at 11:05
  • I may be wrong, but I think that you can't use pod identity with a Volume. If you want to use AAD pod identity, your pod will need to connect directly to the storage account without using a volume. AKS will use the cluster's user- or system-assigned identity. If you want more security, your best bet would probably be to implement something around namespace and admission controller logic, with OPA for example. – Jean-Philippe Bond May 03 '21 at 00:30
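Option 1 of the answer, as an added Terraform example that is not part of the original answer or of any Azure project: it pre-creates a resource group and storage account, scopes the role assignment to that single account, and points a StorageClass at it through the resourceGroup and storageAccount parameters. It assumes the azurerm and kubernetes providers are already configured, that the variable aks_storage_identity_principal_id (a name chosen here) carries the object ID of the identity AKS uses for storage (the cluster identity, as the last comment notes, not a pod identity), and it uses the Storage Account Contributor role rather than the data-plane SMB role named in the question, for the reason given in the comments.

```hcl
variable "aks_storage_identity_principal_id" {
  type        = string
  description = "Object ID of the identity AKS uses to manage Azure Files (cluster/kubelet identity, not a pod identity); supplied by the caller"
}

# Dedicated resource group: the role assignment below is scoped inside it only.
resource "azurerm_resource_group" "aks_files" {
  name     = "rg-aks-files" # constructed name
  location = "westeurope"   # constructed value
}

# Pre-created account (TLS 1.2 minimum); the driver only creates shares in it.
resource "azurerm_storage_account" "aks_files" {
  name                     = "stakscluster01files" # constructed; must be globally unique
  resource_group_name      = azurerm_resource_group.aks_files.name
  location                 = azurerm_resource_group.aks_files.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# Role scoped to this one account, not the subscription. The driver reads the
# account key via ARM (listKeys), which Storage Account Contributor grants; the
# data-plane SMB role from the question is for Azure AD clients, not the driver.
resource "azurerm_role_assignment" "aks_files" {
  scope                = azurerm_storage_account.aks_files.id
  role_definition_name = "Storage Account Contributor"
  principal_id         = var.aks_storage_identity_principal_id
}

# StorageClass pointing the Azure Files CSI driver at the existing account
# instead of letting it create one in the node resource group.
resource "kubernetes_storage_class" "azurefile_secure" {
  metadata {
    name = "azurefile-secure"
  }
  storage_provisioner = "file.csi.azure.com"
  reclaim_policy      = "Retain"
  parameters = {
    resourceGroup  = azurerm_resource_group.aks_files.name
    storageAccount = azurerm_storage_account.aks_files.name
    skuName        = "Standard_LRS"
  }
  mount_options = ["dir_mode=0770", "file_mode=0770", "mfsymlinks", "nosharesock"]
  depends_on    = [azurerm_role_assignment.aks_files]
}
```

Because the account name is now a Terraform output rather than something the driver invents, the question's "how do I retrieve the storage account name" problem disappears, and a PVC only needs to reference storageClassName azurefile-secure.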