giantswarm / roadmap

Giant Swarm Product Roadmap
https://github.com/orgs/giantswarm/projects/273
Apache License 2.0

Improved Storage Accounts security on CAPZ MCs - Loki #3391

Open T-Kukawka opened 5 months ago

T-Kukawka commented 5 months ago

User Story

As a customer, I would like to have the Storage Accounts deployed by Loki on MCs adhere to the Microsoft Azure Defender recommendations such as:

Important note: Taking into account the technical details and the changes to Storage Class, for the changes to be applied, the existing Storage Accounts will have to be recreated, hence data will be lost.

Technical details for CAPZ in general

The storage accounts are created by azurefile-csi-driver, the default application deployed on CAPZ WC, as soon as an azurefile PVC is created.

The upstream controller is responsible for creating the storage account when an AzureFile PVC is created. The options that are sent to the Azure API are defined here:

https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/223bcdeff42a83bc580126ae695a2be37c5a7597/pkg/azurefile/controllerserver.go#L432

Storage accounts should prevent shared key access

The upstream code does not allow configuring this option. However, while testing this out, we have found that if we configure the other two options correctly, this point is also covered, as per the Microsoft Defender scanning results.

Storage account should use a private link connection

This seems to be configurable using the networkEndpointType parameter in the storage account.

Here is the documentation about that field:

Specify network endpoint type for the storage account created by driver. If privateEndpoint is specified, a private endpoint will be created for the storage account. For other cases, a service endpoint will be created by default.

Storage accounts should restrict network access using virtual network rules

When networkEndpointType is set to privateEndpoint, the storage account gets automatically restricted.

Tested Storage Class that satisfies all the criteria with Microsoft Defender

allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: af-standard-private
mountOptions:
- dir_mode=0755
- file_mode=0755
- uid=1000
- gid=1000
parameters:
  skuName: Standard_LRS
  networkEndpointType: "privateEndpoint"
provisioner: file.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate

Acceptance Criteria

Implementation details
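As an added example (not code from this issue, from Giant Swarm, or from the azurefile-csi-driver project), a small Python policy check for the mapping described above: it flags azurefile StorageClasses that do not set networkEndpointType to privateEndpoint, and evaluates the three Defender recommendations against the JSON that `az storage account show` returns (the properties allowSharedKeyAccess, privateEndpointConnections and networkRuleSet.defaultAction). All sample inputs are constructed.

```python
"""Policy checks for the three Defender recommendations discussed in the issue."""

AZUREFILE_PROVISIONER = "file.csi.azure.com"


def check_storage_class(sc: dict) -> list[str]:
    """Return findings for one StorageClass dict (e.g. from `kubectl get sc -o json`)."""
    if sc.get("provisioner") != AZUREFILE_PROVISIONER:
        return []  # not created by azurefile-csi-driver, out of scope
    name = sc.get("metadata", {}).get("name", "<unnamed>")
    endpoint = sc.get("parameters", {}).get("networkEndpointType")
    if endpoint != "privateEndpoint":
        return [f"{name}: networkEndpointType is {endpoint!r}, expected 'privateEndpoint'"]
    return []


def check_storage_account(account: dict) -> list[str]:
    """Return the Defender recommendations that an Azure storage account fails."""
    findings = []
    # 1. Shared key access should be disabled on the account.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared key access is not disabled")
    # 2. The account should be reachable through a private link connection.
    if not account.get("privateEndpointConnections"):
        findings.append("no private endpoint connection")
    # 3. Network access should be denied by default, so only VNet rules apply.
    if account.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        findings.append("network default action is not Deny")
    return findings


# Constructed samples: the tested class from the issue and a class without the parameter.
SC_PRIVATE = {"kind": "StorageClass", "metadata": {"name": "af-standard-private"},
              "provisioner": AZUREFILE_PROVISIONER,
              "parameters": {"skuName": "Standard_LRS", "networkEndpointType": "privateEndpoint"}}
SC_DEFAULT = {"kind": "StorageClass", "metadata": {"name": "azurefile"},
              "provisioner": AZUREFILE_PROVISIONER, "parameters": {"skuName": "Standard_LRS"}}
# Constructed, trimmed shape of `az storage account show` output.
ACCOUNT_OK = {"allowSharedKeyAccess": False, "privateEndpointConnections": [{"name": "pe-1"}],
              "networkRuleSet": {"defaultAction": "Deny"}}
ACCOUNT_WEAK = {"allowSharedKeyAccess": True, "privateEndpointConnections": [],
                "networkRuleSet": {"defaultAction": "Allow"}}

if __name__ == "__main__":
    for sc in (SC_PRIVATE, SC_DEFAULT):
        print(sc["metadata"]["name"], check_storage_class(sc))
    print("account ok:", check_storage_account(ACCOUNT_OK))
    print("account weak:", check_storage_account(ACCOUNT_WEAK))
```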

Rotfuks commented 5 months ago

Things to find out from our side:

-> Let's check with Phoenix -> Dominik's job