Network Storage Account Lockdown #1865
Conversation
25region
requested review from
bennerv,
hawkowl,
jewzaam,
m1kola,
mwoodson and
rogbas
as code owners
25region
added
hold
25region
force-pushed
the
storage.lockdown.final
branch
2 times, most recently
from
b1955af
to
a0dc5a2
Compare
|
Please rebase pull request. |
25region
force-pushed
the
storage.lockdown.final
branch
from
a0dc5a2
to
5dd6f13
Compare
25region
force-pushed
the
storage.lockdown.final
branch
from
5dd6f13
to
b8d3f98
Compare
| ) | ||
|
|
||
| // enableServiceEndpoints should enable service endpoints on | ||
| // subnets for storage account access | ||
| func (m *manager) enableServiceEndpoints(ctx context.Context) error { |
There was a problem hiding this comment.
I don't know about doing this automatically -- I would feel a lot better if this was something we put behind a flag. Maybe not the OperatorFlags, since they are strictly for the operator, but... hmm.
There was a problem hiding this comment.
Should we have this only work when we enable storageaccounts new logic? If we create private storage accounts, there will be no access without Service Endpoints.
pkg/operator/controllers/storageaccounts/storageaccounts_test.go
Outdated
Show resolved
Hide resolved
| @@ -52,6 +52,9 @@ func (m *manager) adminUpdate() []steps.Step { | |||
| toRun = append(toRun, | |||
| steps.AuthorizationRefreshingAction(m.fpAuthorizer, steps.Action(m.ensureResourceGroup)), // re-create RP RBAC if needed after tenant migration | |||
| steps.Action(m.createOrUpdateDenyAssignment), | |||
| steps.AuthorizationRefreshingAction(m.fpAuthorizer, steps.Action(m.enableServiceEndpoints)), | |||
There was a problem hiding this comment.
If the Operator does it, do we strictly need to do this in the AdminUpdate?
There was a problem hiding this comment.
This isn't necessarily needed, but it may eliminate some errors upon enabling the storage lockdown on the controller for existing clusters.
Over time, desired state would look good, but if we removed this step during the first controller run and the controller which sets storage account virtual network rules attempts to run first, the storage account will fail to update because storage endpoints must first be set on the subnet.
This will stop an SRE from wondering if this is a normal error with the controller, or if it's a first time reconciliation issue (noise)
25region
force-pushed
the
storage.lockdown.final
branch
from
a4e3c1b
to
10fde74
Compare
ross-bryan
added
priority-high
| } | ||
|
|
||
| // In development API calls originates from user laptop so we allow all. | ||
| // TODO(mjudeikis): Move to development on VPN so we can make this IPRule |
There was a problem hiding this comment.
gives me simplysecure smells... @swiencki fyi
25region
force-pushed
the
storage.lockdown.final
branch
from
b6689af
to
05218fc
Compare
25region
force-pushed
the
storage.lockdown.final
branch
from
05218fc
to
7b68ab7
Compare
ross-bryan
dismissed
their stale review
hmm... either really flaky e2e or something is off, going to need to dig deeper tomorrow.
|
/azp run e2e |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Supersedes #1657
Which issue this PR addresses:
Enables storage account lockdown.
Quite a big change so early reviews would be good. Let me know if people want separate review call for this one.What this PR does / why we need it:
This pr will do few things to make storage accounts side more secure:
Split:
#1663 - Subnet related changes in the operator mostly#1664 - client updates#1723 - Registry account populateTODO:
- [ ] Add ARM feature flag for this so we can testTempted just to rollout...Test plan for issue:
Unit tests and mocks
-->
Is there any documentation that needs to be updated for this PR?
Yes