-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Network Storage Account Lockdown #1865
Conversation
b1955af
to
a0dc5a2
Compare
Please rebase pull request. |
a0dc5a2
to
5dd6f13
Compare
5dd6f13
to
b8d3f98
Compare
) | ||
|
||
// enableServiceEndpoints should enable service endpoints on | ||
// subnets for storage account access | ||
func (m *manager) enableServiceEndpoints(ctx context.Context) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know about doing this automatically -- I would feel a lot better if this was something we put behind a flag. Maybe not the OperatorFlags, since they are strictly for the operator, but... hmm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have this only work when we enable storageaccounts new logic? If we create private storage accounts, there will be no access without Service Endpoints.
pkg/operator/controllers/storageaccounts/storageaccounts_test.go
Outdated
Show resolved
Hide resolved
@@ -52,6 +52,9 @@ func (m *manager) adminUpdate() []steps.Step { | |||
toRun = append(toRun, | |||
steps.AuthorizationRefreshingAction(m.fpAuthorizer, steps.Action(m.ensureResourceGroup)), // re-create RP RBAC if needed after tenant migration | |||
steps.Action(m.createOrUpdateDenyAssignment), | |||
steps.AuthorizationRefreshingAction(m.fpAuthorizer, steps.Action(m.enableServiceEndpoints)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the Operator does it, do we strictly need to do this in the AdminUpdate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't necessarily needed, but it may eliminate some errors upon enabling the storage lockdown on the controller for existing clusters.
Over time, desired state would look good, but if we removed this step during the first controller run and the controller which sets storage account virtual network rules attempts to run first, the storage account will fail to update because storage endpoints must first be set on the subnet.
This will stop an SRE from wondering if this is a normal error with the controller, or if it's a first time reconciliation issue (noise)
a4e3c1b
to
10fde74
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
overall no major concerns. I only reviewed the code and have not spun up any RP or cluster to manually try to verify/ break with any edge cases.
} | ||
|
||
// In development API calls originates from user laptop so we allow all. | ||
// TODO(mjudeikis): Move to development on VPN so we can make this IPRule |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gives me simplysecure smells... @swiencki fyi
b6689af
to
05218fc
Compare
05218fc
to
7b68ab7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
hmm... either really flaky e2e or something is off, going to need to dig deeper tomorrow.
/azp run e2e |
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm - addressed the feedback I had.
Supersedes #1657
Which issue this PR addresses:
Enables storage account lockdown.
Quite a big change so early reviews would be good. Let me know if people want separate review call for this one.What this PR does / why we need it:
This pr will do few things to make storage accounts side more secure:
Split:
#1663 - Subnet related changes in the operator mostly#1664 - client updates#1723 - Registry account populateTODO:
- [ ] Add ARM feature flag for this so we can testTempted just to rollout...Test plan for issue:
Unit tests and mocks
-->
Is there any documentation that needs to be updated for this PR?
Yes