User Story
As a customer I would like to have the Storage Accounts deployed by Loki on MCs adhere to the Microsoft Azure Defender recommendations such as:
Storage account should use a private link connection
Storage accounts should prevent shared key access
Storage accounts should restrict network access using virtual network rules
Important note: Taking the technical details and the Storage Class changes into account, the existing Storage Accounts will have to be recreated for the changes to apply, hence data will be lost.
Technical details for CAPZ in general
The storage accounts are created by azurefile-csi-driver, the default application deployed on CAPZ WC, as soon as an azurefile PVC is created.
The upstream controller is responsible for creating the storage account when an AzureFile PVC is created. The options that are sent to the Azure API are defined here: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/223bcdeff42a83bc580126ae695a2be37c5a7597/pkg/azurefile/controllerserver.go#L432
Storage accounts should prevent shared key access
The upstream code does not allow configuring this option. However, while testing this out, we have found that if we configure the other two options correctly, this point is also covered as per the Microsoft Defender scanning results.
Storage account should use a private link connection
This seems to be configurable using the networkEndpointType parameter in the storage account.
Here is the documentation about that field:
specify network endpoint type for the storage account created by driver. If privateEndpoint is specified, a private endpoint will be created for the storage account. For other cases, a service endpoint will be created by default.
Storage accounts should restrict network access using virtual network rules
When networkEndpointType is set to privateEndpoint, the storage account's network access gets automatically restricted.
Tested Storage Class that satisfies all the criteria with Microsoft Defender
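The tested StorageClass manifest is not reproduced in this issue, so the following is an added illustration (not the StorageClass from this issue and not code from the azurefile-csi-driver project): the driver's default configuration next to one that sets networkEndpointType: privateEndpoint, the parameter discussed above. The StorageClass names and the skuName value are assumptions; everything else is the standard azurefile CSI provisioner and the parameter documented above.

```yaml
# Added illustration, not the StorageClass tested in this issue and not
# code from the azurefile-csi-driver project. The names azurefile-default
# and azurefile-private and the skuName value are assumptions.
---
# Default: networkEndpointType is unset, so the driver creates the storage
# account with a service endpoint. Defender then flags the account under the
# "private link" and "restrict network access" recommendations.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-default
provisioner: file.csi.azure.com
parameters:
  skuName: Standard_LRS
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
---
# Hardened: networkEndpointType=privateEndpoint makes the driver create a
# private endpoint for the new storage account, and the account's network
# access is restricted as a result (the behaviour observed in this issue).
# Only storage accounts created for new PVCs are affected; existing accounts
# are not migrated, which is why the note above says they must be recreated.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-private
provisioner: file.csi.azure.com
parameters:
  skuName: Standard_LRS
  networkEndpointType: privateEndpoint
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
```

Apply with kubectl apply, create a PVC that references azurefile-private, and then verify the resulting storage account in the Azure portal or with the Azure CLI: it should list a private endpoint connection and have its default network action set to deny, which is what the Defender scan in this issue reported as compliant. The driver's identity will need permission to create the private endpoint in the cluster's virtual network, so a failed PVC provisioning after this change is most likely a permissions problem rather than a parameter problem.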
Acceptance Criteria
Implementation details