add Pod Identity support #131

Closed
andyzhangx opened this issue Nov 27, 2019 · 14 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@andyzhangx
Member

Is your feature request related to a problem? Please describe.

Describe the solution you'd like in detail

add support for Pod Identity to enable finer grain scope of identity as an alternative to using the cluster’s identity. We do see cases where Azure resources are closely associated with the cluster. But we also see customers partitioning AKS clusters using namespaces, and in those cases it’s more likely that RBAC grants to resources like storage/key vault would be to Managed Identities that were scoped to a Kubernetes namespace.

Describe alternatives you've considered

Additional context

@andyzhangx andyzhangx added kind/feature Categorizes issue or PR as related to a new feature. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Nov 27, 2019
levimm pushed a commit to levimm/azurefile-csi-driver that referenced this issue Dec 25, 2019
…visioned_collocated_pod

test: add e2e test "dynamically_provisioned_collocated_pod_test"
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 25, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 26, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

azure file driver project automation moved this from To do to Done Apr 25, 2020
@andyzhangx andyzhangx reopened this Apr 25, 2020
azure file driver project automation moved this from Done to In progress Apr 25, 2020
azure file driver project automation moved this from In progress to Done May 25, 2020
@andyzhangx andyzhangx reopened this May 25, 2020
azure file driver project automation moved this from Done to In progress May 25, 2020
azure file driver project automation moved this from In progress to Done Jun 24, 2020
@andyzhangx andyzhangx reopened this Jun 24, 2020
azure file driver project automation moved this from Done to In progress Jun 24, 2020
azure file driver project automation moved this from In progress to Done Jul 24, 2020
@rompom

rompom commented Feb 10, 2021

Hi @andyzhangx, do you think the support for podidentity will be feasible?

I have this kind of architecture: 1 "client" per namespace, 1 file share / namespace, 1 key vault / namespace

For now I'm using the secret store csi driver to glue everything (shortened version):

  1. Create the kv
  2. Create the file share, store the keys in kv
  3. Map the kv with podidentity to the secret store csi
  4. Access the azure file in aks with the secrets retrieved from the secret store csi

With podidentity support, it would look like (shortened version 2):

  1. Create the file share
  2. Map the file share with the podidentity
  3. Access the file share in aks

@andyzhangx
Member Author

@rompom the azure file driver could use a k8s secret to access the file share; it doesn't necessarily depend on pod identity. Here is an example: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/deploy/example/storageclass-azurefile-secret.yaml

@rompom

rompom commented Feb 10, 2021

@andyzhangx sure, but my idea was more or less to not have to use k8s secrets at all if possible, and the pod identity was a pretty good candidate for this :)

@andyzhangx
Member Author

andyzhangx commented Mar 1, 2021

The agent node still needs the account name & key to mount azure file. I think the question here is whether it's necessary to store the account key as a secret; the answer is No.
There is a parameter storeAccountKey ("true" by default) defined here, so if you set it to false in the storage class, it won't store the account key as a k8s secret, and when there is an azure file mount on the agent node, it would use the node identity to get the account key and then mount azure file.

As you can see, there are pros and cons for this feature (storeAccountKey: "false"): the pro is that no account key is stored as a k8s secret, while the con is that the agent node must have read access to the account.
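The trade-off above lends itself to a simple audit rule. The following is an added example, not code from the issue thread or from the azurefile-csi-driver project: it walks a list of already-parsed StorageClass objects (constructed sample data, shaped like the output of `kubectl get sc -o json`) and reports every Azure File class that will persist the storage account key as a Kubernetes Secret, i.e. where `storeAccountKey` is missing or not `"false"`. The provisioner name `file.csi.azure.com` is assumed to be the one the driver registers.

```python
"""Audit StorageClass manifests for Azure File account-key persistence.

Rule from the discussion: for the Azure File CSI provisioner the
`storeAccountKey` parameter defaults to "true", which stores the storage
account key as a k8s Secret. Setting it to "false" makes the node fetch the
key with its own identity at mount time instead (and the node then needs
read access to the storage account).
"""
from typing import Dict, List

# Assumed provisioner name registered by the Azure File CSI driver.
AZURE_FILE_PROVISIONER = "file.csi.azure.com"

# Constructed sample StorageClasses, already parsed into dicts.
SAMPLE_STORAGE_CLASSES: List[Dict] = [
    {"metadata": {"name": "azurefile-default"}, "provisioner": AZURE_FILE_PROVISIONER,
     "parameters": {"skuName": "Standard_LRS"}},               # default: key stored
    {"metadata": {"name": "azurefile-nokey"}, "provisioner": AZURE_FILE_PROVISIONER,
     "parameters": {"skuName": "Standard_LRS", "storeAccountKey": "false"}},
    {"metadata": {"name": "azurefile-explicit-true"}, "provisioner": AZURE_FILE_PROVISIONER,
     "parameters": {"storeAccountKey": "True"}},                # YAML string, odd casing
    {"metadata": {"name": "managed-disk"}, "provisioner": "disk.csi.azure.com",
     "parameters": {}},                                         # not Azure File: ignored
]


def stores_account_key(sc: Dict) -> bool:
    """True if this StorageClass will persist the account key as a Secret.

    StorageClass parameters are strings, so compare case-insensitively and
    treat a missing value as the documented "true" default.
    """
    params = sc.get("parameters") or {}
    return params.get("storeAccountKey", "true").strip().lower() != "false"


def audit_storage_classes(classes: List[Dict]) -> List[str]:
    """Names of Azure File StorageClasses that store the account key in a Secret."""
    return [
        sc["metadata"]["name"]
        for sc in classes
        if sc.get("provisioner") == AZURE_FILE_PROVISIONER and stores_account_key(sc)
    ]


if __name__ == "__main__":
    for name in audit_storage_classes(SAMPLE_STORAGE_CLASSES):
        print(f'{name}: storeAccountKey is not "false"; account key will be stored as a k8s Secret')
```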
