
unnecessary storage service endpoint created on subnet? #2277

Closed
kewalaka opened this issue Dec 16, 2024 · 8 comments

Comments

@kewalaka

What happened:

We pre-create a storage account with a private endpoint.

When creating an NFS share via a storage class & PVC, a service endpoint is created on the subnet.

What you expected to happen:

It's unclear to me why storage accounts that are accessed via private endpoint need a service endpoint provisioned?

The additional service endpoint then requires routes on the UDR if we wish to avoid situations where operators provision additional storage without private endpoints and traffic bypasses the next-hop firewall because the service endpoint routing is more specific.

Ideally, we want a policy in place to block service endpoints.

Anything else we need to know?:

Can workaround this by adding a route, but preference is to avoid unnecessary service endpoints.

@andyzhangx (Member)

Are your node pools on that subnet? @kewalaka

@kewalaka (Author)

Hi @andyzhangx, yes, the service endpoint has been made at the vnet and applies to all subnets in that vnet.

In my situation I have three subnets:

  1. node pools
  2. API server
  3. a base subnet where we place some private endpoints

@andyzhangx (Member)

@kewalaka could you set `subnetName: nodepoolSubnetName` in the storage class? Then only that subnet would get the service endpoint, thx.

@kewalaka (Author)

True, but does the node pool even need it, if the target storage account has a private endpoint?

That's what I was meaning, the service endpoint seems redundant.

Or does the node pool require this for internal reasons?

@andyzhangx (Member)

@kewalaka what is your storage class config? If `networkEndpointType: privateEndpoint` is not set, the driver would update the subnet with a service endpoint.

@kewalaka (Author)

Unless I'm mistaken, this seems to be creating the private endpoint? This is already in place, so that is undesirable.

@andyzhangx (Member)

From the driver code, the driver would only update the subnet (add the Microsoft.Storage service endpoint) for an NFS volume when `networkEndpointType: privateEndpoint` is not set in the storage class:

```go
if !ptr.Deref(createPrivateEndpoint, false) {
	// set VirtualNetworkResourceIDs for storage account firewall setting
	var err error
	if vnetResourceIDs, err = d.updateSubnetServiceEndpoints(ctx, vnetResourceGroup, vnetName, subnetName); err != nil {
		return nil, status.Errorf(codes.Internal, "update service endpoints failed with error: %v", err)
	}
}
```

@andyzhangx (Member)

So if you want to avoid creating an unnecessary storage service endpoint on the storage account you have provided, please set `networkEndpointType: privateEndpoint` in your storage class.
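As an added example (editor's illustration, not a manifest from this thread or from the driver's own docs), here is a StorageClass that combines the two suggestions made above: pinning `subnetName` to the node pool subnet and setting `networkEndpointType: privateEndpoint`, which is the condition that makes the driver skip the `updateSubnetServiceEndpoints` call quoted in the code snippet. The parameter names other than `subnetName` and `networkEndpointType` (`protocol`, `skuName`, `resourceGroup`, `storageAccount`, `vnetResourceGroup`, `vnetName`) are the driver's documented parameters as I recall them and should be checked against the driver version you run; all values are placeholders.

```yaml
# Added example: a StorageClass for the Azure File CSI driver that avoids
# the Microsoft.Storage service endpoint being added to the subnet.
# Resource names are placeholders, not taken from the issue.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-nfs-pe
provisioner: file.csi.azure.com
parameters:
  protocol: nfs
  skuName: Premium_LRS
  # Pre-created storage account that already has a private endpoint (see the issue).
  resourceGroup: rg-storage
  storageAccount: stexample001
  # Scope any subnet changes to the node pool subnet only (maintainer's first suggestion).
  vnetResourceGroup: rg-network
  vnetName: vnet-aks
  subnetName: snet-nodepools
  # With this set, the driver's createPrivateEndpoint branch is taken and
  # updateSubnetServiceEndpoints is not called, so no service endpoint is added.
  networkEndpointType: privateEndpoint
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate
mountOptions:
  - nconnect=4
  - noresvport
  - actimeo=30
```

Two things to verify after applying this, since the thread leaves them open: first, because the account and its private endpoint already exist, confirm in your environment what the driver does with `networkEndpointType: privateEndpoint` for a pre-existing account rather than assuming it is a no-op; second, check the subnet afterwards (for example `az network vnet subnet show -g rg-network --vnet-name vnet-aks -n snet-nodepools --query serviceEndpoints`) to confirm no `Microsoft.Storage` service endpoint is present. The reason the check matters is the point raised in the issue: a service endpoint injects a more specific route for the storage prefixes than a 0.0.0.0/0 UDR to the firewall, so storage traffic from that subnet silently bypasses the next-hop firewall, including traffic to any storage account that was not given a private endpoint.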
