Forum Discussion

lesliehuang
Jun 19, 2024

Persistent volume with Azure Files on AKS

Based on our document, when we need to statically create a persistent volume with Azure Files integration, we need to create a Kubernetes Secret to store the storage account name and access key, and reference that secret in the PV YAML file.

https://learn.microsoft.com/en-us/azure/aks/azure-csi-files-storage-provision#create-a-kubernetes-secret

However, this mechanism allows anyone who has read permission on the AKS cluster to easily read the Kubernetes Secret and obtain the storage account key.

Our customer has concerns about this and wants to know if there is another mechanism that can prevent this risk (for example, fetching the account key from Key Vault first rather than putting the storage account key directly into a Kubernetes Secret).
  

  • lesliehuang 

    To secure Azure Files in AKS without exposing storage keys in Kubernetes Secrets:

    1. Use Key Vault with CSI Driver: Store keys in Azure Key Vault and fetch them dynamically using the CSI driver. No keys are stored in Kubernetes.
    2. Enable Managed Identities: Use Azure Managed Identities for authentication, avoiding keys entirely.
    3. Restrict Access: Use Azure RBAC and Private Link for secure access to Azure Files.

    These methods enhance security and reduce risks.

  • Try this:

     

    • Create an Azure Key Vault: Set up an Azure Key Vault and store your storage account keys there.
    • Enable the Secrets Store CSI Driver: Enable the Secrets Store CSI Driver in your AKS cluster. This driver allows Kubernetes to fetch secrets from Azure Key Vault.
    • Update Your PV YAML: Modify your persistent volume (PV) YAML to use the Secrets Store CSI Driver instead of directly storing the storage account key in Kubernetes Secrets.

     

    Sample:

     

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: azurefile
    spec:
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      storageClassName: azurefile
      csi:
        # The Azure Files CSI driver mounts the share. The Secrets Store CSI driver
        # only provides ephemeral inline pod volumes and cannot back a PersistentVolume.
        driver: file.csi.azure.com
        readOnly: false
        volumeHandle: "{resource-group-name}#{account-name}#{file-share-name}"  # must be unique per share in the cluster
        volumeAttributes:
          resourceGroup: "{resource-group-name}"
          shareName: "{file-share-name}"
        # Secret with keys azurestorageaccountname / azurestorageaccountkey; created by
        # the Secrets Store CSI driver (secretObjects sync) from Key Vault, not by hand.
        nodeStageSecretRef:
          name: azure-secret
          namespace: default
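The two replies above describe the Key Vault route without showing the piece that actually moves the key: a SecretProviderClass whose `secretObjects` entry syncs the Key Vault secrets into the Kubernetes Secret that the Azure Files PV's `nodeStageSecretRef` points at. The manifests below are an added example written for this page, not code from the thread or from Microsoft's documentation. The Key Vault name, tenant ID, the add-on identity's client ID, the Key Vault secret names `storage-account-name` / `storage-account-key`, the PVC name `azurefile`, and the container image are assumed placeholders.

```yaml
# Added example (not from the thread): sync the storage account name and key from
# Azure Key Vault into the Kubernetes Secret "azure-secret" that the Azure Files PV
# references via nodeStageSecretRef. Placeholders in angle brackets are assumptions.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azurefile-account-key
  namespace: default
spec:
  provider: azure
  # secretObjects makes the driver create/update a Kubernetes Secret from the
  # mounted objects. The data keys must be exactly the two the Azure Files CSI
  # driver reads from nodeStageSecretRef.
  secretObjects:
    - secretName: azure-secret
      type: Opaque
      data:
        - objectName: storage-account-name
          key: azurestorageaccountname
        - objectName: storage-account-key
          key: azurestorageaccountkey
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                 # authenticate with the add-on's user-assigned identity
    userAssignedIdentityID: "<identity-client-id>"
    keyvaultName: "<key-vault-name>"
    tenantId: "<tenant-id>"
    # Key Vault secrets (assumed names) holding the account name and access key
    objects: |
      array:
        - |
          objectName: storage-account-name
          objectType: secret
        - |
          objectName: storage-account-key
          objectType: secret
---
# The sync only happens while a pod on the node mounts the CSI volume, so the
# workload that uses the Azure Files PVC mounts the SecretProviderClass as well.
apiVersion: v1
kind: Pod
metadata:
  name: azurefile-consumer
  namespace: default
spec:
  containers:
    - name: app
      image: busybox:1.36                       # placeholder image
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: share
          mountPath: /mnt/azure
        - name: kv-secrets
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: share
      persistentVolumeClaim:
        claimName: azurefile                     # PVC bound to the static Azure Files PV (assumed name)
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.x-k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azurefile-account-key
```

Two caveats a practitioner should keep in mind. First, the synced `azure-secret` is still an ordinary Kubernetes Secret: nobody has to type the key into a manifest, and Key Vault remains the source of truth, but anyone with `get` on Secrets in that namespace can still read it, so the original concern is narrowed, not removed; scope Secret read access with RBAC and keep etcd encryption on. Second, the Azure Files mount can be attempted before the Secrets Store driver has created the Secret, so the first mount may fail and succeed on kubelet's retry; the Secret also disappears when the last pod mounting the SecretProviderClass volume on that node is gone.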

     
