Connection to storage account with storage account keys disabled doesn't work with workload identity (kerberos auth support) #1737

Open
Vegoo89 opened this issue Mar 1, 2024 · 16 comments

Comments

@Vegoo89

Vegoo89 commented Mar 1, 2024

What happened: We mapped workload identity to UAMI with RBAC role (SMB Elevated Contributor) on desired storage account scope, however it raises permission denied on mount attempt when storage account keys are disabled on this storage account. When we enable storage account keys it starts to work again.

What you expected to happen: CSI Driver should use RBAC role instead of downloading storage keys

How to reproduce it: Setup CSI connection to storage account with usage of workload identity -> disable storage keys on desired accounts -> try to run the application

Anything else we need to know?:

Environment:

  • CSI Driver version: 1.30
  • Kubernetes version (use kubectl version): 1.27.7
  • OS (e.g. from /etc/os-release): Ubuntu Linux
  • Kernel (e.g. uname -a): managed by MS
  • Install tools:
  • Others:
@andyzhangx
Member

@Vegoo89 this is by design, since this driver fetches the account key by workload identity and then mounts the Azure file share with that account key.

@Vegoo89
Author

Vegoo89 commented Mar 1, 2024

But can't it use the RBAC role to authenticate? Is there any reason why it can't be done? My company is rolling out a policy to disable shared keys, so I am reviewing my options.

@Vegoo89
Author

Vegoo89 commented Mar 1, 2024

Sorry if I am missing something, but I am scratching my head now. We use workload identity on AKS for keyless auth to a wide range of Azure resources.

Can't we use it in similar way to authorize ourselves to file share if UAMI has required role assigned and is present under User Assigned identities on AKS VMSS?

@andyzhangx
Member

@Vegoo89 the Azure File CSI driver does not support keyless auth now, unless you use an NFS file share, which does not require key auth.

@Vegoo89
Author

Vegoo89 commented Mar 1, 2024

I understand it is not supported now, however I want to understand what is the limitation and what would be necessary to work around it.

You said AKS nodes don't support AAD auth, but these are standard VMSS, managed by MS, right? If I assign a UAMI to it, why can't I use it to authenticate to the file share?

@andyzhangx
Member

@Vegoo89 these are all the supported authentication scenarios for SMB file share mount:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-authentication-scenarios

At the top level, you could assign a UAMI with an RBAC role (SMB Elevated Contributor) on the desired storage account, but in the backend (SMB file share mount implementation details) it requires one of the above auth methods; unfortunately, those auth methods all require AD domain join for the AKS node, which is not supported now.

other context:
Azure Files enforces authorization on user access to both the share level and the directory/file levels. Share-level permission assignment can be performed on Microsoft Entra users or groups managed through Azure RBAC. With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Microsoft Entra ID to grant access to an Azure file share.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#access-control

@andyzhangx
Member

andyzhangx commented Mar 1, 2024

In brief, there is no workaround for keyless auth, since this driver only supports key auth (called NTLM auth, as opposed to Kerberos auth) for SMB mount, unless you use an NFS file share:

```go
// Driver line quoted by the maintainer: the SMB branch performs the key-based
// (NTLM) mount, passing the credentials through sensitiveMountOptions.
return true, SMBMount(d.mounter, source, cifsMountPath, mountFsType, mountOptions, sensitiveMountOptions)
```

@Vegoo89
Author

Vegoo89 commented Mar 1, 2024

Thanks a lot for the detailed explanation. May I keep it open until SMB mount supports AAD, or won't that happen in the near future?

@andyzhangx andyzhangx changed the title Connection to storage account with storage account keys disabled doesn't work with workload identity Connection to storage account with storage account keys disabled doesn't work with workload identity (keberos auth support) Mar 4, 2024
@andyzhangx andyzhangx changed the title Connection to storage account with storage account keys disabled doesn't work with workload identity (keberos auth support) Connection to storage account with storage account keys disabled doesn't work with workload identity (kerberos auth support) Mar 4, 2024
@djsly

djsly commented Mar 15, 2024

@andyzhangx am I understanding that with NFS we can disable Key Access? We are also being asked to disable "Allow storage account key access" on ALL Storage Accounts.

1- I don't see an option for disabling that even if using NFS, correct?

@andyzhangx
Member

@andyzhangx am I understanding that with NFS we can disable Key Access? We are also being asked to disable "Allow storage account key access" on ALL Storage Accounts.

1- I don't see an option for disabling that even if using NFS, correct?

@djsly yes, you could disable account key access if you are only using NFS file shares. We will add such an option for accounts created by this driver.
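As an added example (not the driver's or the maintainer's code), the rule stated in this thread turned into a policy check: an Azure File CSI StorageClass that mounts over SMB needs the account key, so it will fail against an account whose shared key access is disabled, while an NFS StorageClass does not. The StorageClass list, account names and `allowSharedKeyAccess` values below are constructed sample data shaped like `kubectl get sc -o json` and `az storage account show` output.

```python
import json

# Azure File CSI driver provisioner name; `storageAccount` and `protocol`
# are StorageClass parameters documented by the driver.
AZUREFILE_PROVISIONER = "file.csi.azure.com"

# Constructed sample input, not from the issue. allowSharedKeyAccess is
# null in Azure when never set, which means key access is allowed.
STORAGE_CLASSES = json.loads("""{"items": [
  {"metadata": {"name": "smb-keys-off"}, "provisioner": "file.csi.azure.com",
   "parameters": {"storageAccount": "stkeysoff", "resourceGroup": "rg-app"}},
  {"metadata": {"name": "nfs-keys-off"}, "provisioner": "file.csi.azure.com",
   "parameters": {"storageAccount": "stkeysoff", "protocol": "nfs"}},
  {"metadata": {"name": "smb-keys-on"}, "provisioner": "file.csi.azure.com",
   "parameters": {"storageAccount": "stkeyson"}},
  {"metadata": {"name": "managed-disk"}, "provisioner": "disk.csi.azure.com",
   "parameters": {"skuName": "Premium_LRS"}}
]}""")
ACCOUNTS = {"stkeysoff": {"allowSharedKeyAccess": False},
            "stkeyson": {"allowSharedKeyAccess": None}}


def needs_account_key(sc):
    """True when this Azure File StorageClass mounts over SMB: per the thread
    the driver fetches the account key and mounts with it, so disabling key
    access breaks the mount. NFS shares need no key."""
    protocol = sc.get("parameters", {}).get("protocol", "smb")
    return protocol.lower() != "nfs"


def audit(storage_classes, accounts):
    """Return (storageclass, account, reason) for every SMB StorageClass
    that points at an account with shared key access disabled."""
    findings = []
    for sc in storage_classes["items"]:
        if sc.get("provisioner") != AZUREFILE_PROVISIONER:
            continue
        account = sc.get("parameters", {}).get("storageAccount")
        if not account or account not in accounts:
            continue  # driver-created or unknown account: nothing to check
        keys_allowed = accounts[account].get("allowSharedKeyAccess")
        if keys_allowed is None:
            keys_allowed = True  # Azure default when the property is unset
        if needs_account_key(sc) and not keys_allowed:
            findings.append((sc["metadata"]["name"], account,
                             "SMB mount needs the account key, but shared key access is disabled"))
    return findings
```

Feed it real `kubectl get sc -o json` output and the `allowSharedKeyAccess` value of each referenced account to find mounts that will break before a key-disabling policy is enforced.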

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 14, 2024
@MikeKlebolt

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 12, 2024
@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 10, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 9, 2024
@Vegoo89
Author

Vegoo89 commented Dec 1, 2024

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Dec 1, 2024