Forum Discussion
lesliehuang
Microsoft
Jun 19, 2024
Persistent volume with Azure Files on AKS
Based on our document, when we need to statically create a persistent volume with Azure Files integration, we need to create a Kubernetes Secret to store the storage account name and access key, and assign the secret in the PV YAML file.
https://learn.microsoft.com/en-us/azure/aks/azure-csi-files-storage-provision#create-a-kubernetes-secret
However, this mechanism allows other people who have read permission on the AKS cluster to easily read the Kubernetes Secret and obtain the storage account key.
Our customer has concerns about this and wants to know if there is another mechanism that can prevent this risk (for example, fetching the account key from Key Vault first, rather than putting the storage account key directly into a Kubernetes Secret).
balasubramanim (Iron Contributor)
To secure Azure Files in AKS without exposing storage keys in Kubernetes Secrets:
- Use Key Vault with CSI Driver: Store keys in Azure Key Vault and fetch them dynamically using the CSI driver. No keys are stored in Kubernetes.
- Enable Managed Identities: Use Azure Managed Identities for authentication, avoiding keys entirely.
- Restrict Access: Use Azure RBAC and Private Link for secure access to Azure Files.
These methods enhance security and reduce risks.
Try this:
- Create an Azure Key Vault: Set up an Azure Key Vault and store your storage account keys there.
- Enable Secret Store CSI Driver: Enable the Secret Store CSI Driver in your AKS cluster. This driver allows Kubernetes to fetch secrets from Azure Key Vault.
- Update Your PV YAML: Modify your persistent volume (PV) YAML to use the Secret Store CSI Driver instead of directly storing the storage account key in Kubernetes secrets.
Sample:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile
  csi:
    driver: secrets-store.csi.x-k8s.io
    readOnly: false
    volumeAttributes:
      secretProviderClass: azure-keyvault
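As an added example (not part of the original post or answer, and not Microsoft's own documentation sample), the manifests below show the Secrets Store CSI driver pattern end to end: the Azure Key Vault provider reads the storage account name and key from Key Vault using the cluster's user-assigned managed identity, mirrors them into a Kubernetes Secret with the field names the Azure Files CSI driver expects (`azurestorageaccountname` / `azurestorageaccountkey`), and the static PV references that Secret through `nodeStageSecretRef`. The Key Vault name, tenant ID, identity client ID, share name and the Key Vault secret names are placeholders you must replace; the API versions and field names are the driver's documented ones.

```yaml
# --- 1. SecretProviderClass: where the key lives (Key Vault) and how to expose it
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-storage-key
  namespace: default
spec:
  provider: azure
  # Mirror the mounted Key Vault objects into a Kubernetes Secret so the
  # Azure Files CSI driver (which only understands Secrets) can stage the share.
  secretObjects:
    - secretName: azure-storage-secret   # consumed by the PV below
      type: Opaque
      data:
        - objectName: storage-account-name   # Key Vault secret name (placeholder)
          key: azurestorageaccountname       # field name expected by file.csi.azure.com
        - objectName: storage-account-key    # Key Vault secret name (placeholder)
          key: azurestorageaccountkey
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"            # authenticate with the node's managed identity
    userAssignedIdentityID: "<IDENTITY-CLIENT-ID>"   # placeholder
    keyvaultName: "<KEYVAULT-NAME>"         # placeholder
    tenantId: "<TENANT-ID>"                 # placeholder
    objects: |
      array:
        - |
          objectName: storage-account-name
          objectType: secret
        - |
          objectName: storage-account-key
          objectType: secret
---
# --- 2. The Secret is only materialised while a pod mounts the CSI volume,
#        so the consuming workload mounts it alongside the Azure Files PVC.
apiVersion: v1
kind: Pod
metadata:
  name: files-consumer
  namespace: default
spec:
  containers:
    - name: app
      image: mcr.microsoft.com/azurelinux/base/core:3.0   # any image; placeholder choice
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/kv-secrets
          readOnly: true
        - name: share
          mountPath: /mnt/share
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.x-k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-storage-key
    - name: share
      persistentVolumeClaim:
        claimName: azurefile-pvc
---
# --- 3. Static PV for the Azure Files share; no key appears in the manifest.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile-pv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    readOnly: false
    volumeHandle: azurefile-pv-unique-id    # must be unique per PV; placeholder
    volumeAttributes:
      shareName: "<SHARE-NAME>"             # placeholder
    nodeStageSecretRef:
      name: azure-storage-secret            # synced by the SecretProviderClass above
      namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azurefile-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile-csi
  resources:
    requests:
      storage: 5Gi
  volumeName: azurefile-pv
```

Two caveats a practitioner should weigh. First, the key is no longer written by hand into a manifest or stored long-term in a Secret, but the synced `azure-storage-secret` is still a Kubernetes Secret object for as long as a pod mounts the CSI volume, so anyone with `get`/`list` on `secrets` in that namespace can still read it during that window; pair this with the RBAC restriction the answer mentions (deny `secrets` read to roles that do not need it) and keep the managed identity's Key Vault role scoped to `get` on those two secrets only. Second, rotating the key in Key Vault does not update an already-staged mount; the driver's rotation setting refreshes the synced Secret, but the share must be re-staged for the new key to take effect.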