kubernetes-sigs / azurefile-csi-driver

Azure File CSI Driver
Apache License 2.0

add feature to disable dns zone creation for private endpoints #1739

Closed jrudley closed 1 month ago

jrudley commented 7 months ago

Is your feature request related to a problem?/Why is this needed
When using an enterprise scale approach with Azure Policy and Private Endpoints, the DNS zones are in the hub network. The file CSI driver will try to create the private DNS zones if privateendpoint is configured. Azure Policy handles DNS registration of private endpoints in the hub. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale.

Describe the solution you'd like in detail
Have a feature in parameters to disable creating DNS private endpoint zones.

Describe alternatives you've considered
To work around this, I must manually create the storage account, specify the name in my storageclass and go that route instead of having the driver do everything for me within AKS.

andyzhangx commented 7 months ago

@jrudley This driver would create a DNS zone and then create a DNS zone group linked to the private endpoint? So if the DNS zone is not created, how does this private endpoint link to the DNS zone? Do you want to bring your own DNS zone and DNS zone group?

jrudley commented 7 months ago

With the enterprise scale, Azure Policy creates the DNS records in the hub, which has all the private DNS zones. So, yes, I would be using my own DNS zones.


andyzhangx commented 6 months ago

@jrudley The following are the current steps to create the private endpoint and DNS zone. The private endpoint should still be created by the driver, so how would the DNS zone group be linked to the private endpoint name? If you bring your own DNS zone group, the private endpoint is actually not created at that time.

```
azure_storageaccount.go:614] Creating private dns zone(privatelink.file.core.windows.net) in resourceGroup (capz-ugkm2a)
azure_storageaccount.go:636] Creating virtual link for vnet(capz-ugkm2a-vnet-vnetlink) and DNS Zone(privatelink.file.core.windows.net) in resourceGroup(capz-ugkm2a)
azure_storageaccount.go:576] Creating private endpoint(ff0f9ebcac377493ab9fab3-pvtendpoint) for account (ff0f9ebcac377493ab9fab3)
azure_storageaccount.go:658] Creating private DNS zone group(ff0f9ebcac377493ab9fab3-dnszonegroup) with privateEndpoint(ff0f9ebcac377493ab9fab3-pvtendpoint), vNetName(capz-ugkm2a-vnet), resourceGroup(capz-ugkm2a)
```
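As an added example (not part of this issue thread or the driver's own code), the Go program below parses driver log lines of the shape quoted above and flags private DNS zone and vnet-link creations that landed outside a hub resource group, which is exactly what a hub-managed DNS design wants to catch; the message patterns and the hub resource group name `hub-dns-rg` are assumptions, and the sample log is constructed from the four lines above.

```go
package main

import "regexp"

type Op struct{ Kind, Name, ResourceGroup string } // one creation step recovered from a log line

// Assumed message formats taken from the log lines quoted in this issue, not a stable
// driver interface. Each pattern captures (name, resourceGroup); the private endpoint
// line carries no resource group, so its second group is deliberately empty.
var patterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"dnszone", regexp.MustCompile(`Creating private dns zone\(([^)]+)\) in resourceGroup ?\(([^)]+)\)`)},
	{"vnetlink", regexp.MustCompile(`Creating virtual link for vnet\(([^)]+)\) and DNS Zone\([^)]+\) in resourceGroup ?\(([^)]+)\)`)},
	{"privateendpoint", regexp.MustCompile(`Creating private endpoint\(([^)]+)\) for account()`)},
	{"dnszonegroup", regexp.MustCompile(`Creating private DNS zone group\(([^)]+)\) with privateEndpoint\([^)]+\), vNetName\([^)]+\), resourceGroup ?\(([^)]+)\)`)},
}

// SampleLog is constructed from the four driver log lines quoted in the comment above.
var SampleLog = []string{
	"azure_storageaccount.go:614] Creating private dns zone(privatelink.file.core.windows.net) in resourceGroup (capz-ugkm2a)",
	"azure_storageaccount.go:636] Creating virtual link for vnet(capz-ugkm2a-vnet-vnetlink) and DNS Zone(privatelink.file.core.windows.net) in resourceGroup(capz-ugkm2a)",
	"azure_storageaccount.go:576] Creating private endpoint(ff0f9ebcac377493ab9fab3-pvtendpoint) for account (ff0f9ebcac377493ab9fab3)",
	"azure_storageaccount.go:658] Creating private DNS zone group(ff0f9ebcac377493ab9fab3-dnszonegroup) with privateEndpoint(ff0f9ebcac377493ab9fab3-pvtendpoint), vNetName(capz-ugkm2a-vnet), resourceGroup(capz-ugkm2a)",
}

// ParseOps extracts the creation steps from driver log lines in log order; lines matching no pattern are skipped.
func ParseOps(lines []string) []Op {
	var ops []Op
	for _, line := range lines {
		for _, p := range patterns {
			if m := p.re.FindStringSubmatch(line); m != nil {
				ops = append(ops, Op{Kind: p.kind, Name: m[1], ResourceGroup: m[2]})
				break
			}
		}
	}
	return ops
}

// UnexpectedDNSOps returns private DNS zone and vnet-link creations the driver performed outside
// hubRG, where a hub-managed DNS design (Azure Policy registering private endpoints centrally)
// expects zones to live. Private endpoint and zone group steps are not flagged: the driver must still create those.
func UnexpectedDNSOps(ops []Op, hubRG string) []Op {
	var bad []Op
	for _, op := range ops {
		if (op.Kind == "dnszone" || op.Kind == "vnetlink") && op.ResourceGroup != hubRG {
			bad = append(bad, op)
		}
	}
	return bad
}
```

Running `UnexpectedDNSOps(ParseOps(SampleLog), "hub-dns-rg")` on the sample reports the zone and the vnet link created in `capz-ugkm2a`, while the private endpoint and its zone group pass.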

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 1 month ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/azurefile-csi-driver/issues/1739#issuecomment-2282785290):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.