unnecessary storage service endpoint created on subnet? #2277
Comments
are your node pools on that subnet? @kewalaka
Hi @andyzhangx - yes, the service endpoint has been made at the vnet and applies to all subnets in that vnet. In my situation I have three subnets.
@kewalaka could you set
true - does the node pool even need it though, if the target storage account has a private endpoint? That's what I was meaning, the service endpoint seems redundant. Or does the node pool require this for internal reasons?
@kewalaka
What happened:
We pre-create a storage account with a private endpoint.
When creating an NFS share via a storage class & PVC, a service endpoint is created on the subnet.
What you expected to happen:
It's unclear to me why storage accounts that are accessed via private endpoint need a service endpoint provisioned?
The additional service endpoint then requires routes on the UDR if we wish to avoid situations where operators provision additional storage without private endpoints and traffic bypasses the next-hop firewall because the service endpoint routing is more specific.
Ideally, we want a policy in place to block service endpoints.
Anything else we need to know?:
Can work around this by adding a route, but the preference is to avoid unnecessary service endpoints.
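Added example, not code from this issue or from the CSI driver project: it models Azure's route selection (longest prefix match, then user route over BGP over system route) on constructed effective-route entries shaped like `az network nic show-effective-route-table` output, showing how the system route a service endpoint injects wins over the 0.0.0.0/0 firewall UDR, and how the workaround route described above restores the firewall as next hop. The storage prefix and firewall address are made up.

```python
import ipaddress

# Azure picks the longest matching prefix; on a tie, user routes (UDR) beat
# BGP routes, which beat system routes. Entries mimic effective-route output.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}
FIREWALL_IP = "10.0.1.4"  # constructed next-hop appliance address

# Constructed routes: system default, a UDR forcing 0.0.0.0/0 through the
# firewall, and the system route a service endpoint injects (prefix made up).
ROUTES_WITH_SERVICE_ENDPOINT = [
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": [FIREWALL_IP]},
    {"source": "Default", "state": "Active", "addressPrefix": ["20.60.0.0/16"],
     "nextHopType": "VirtualNetworkServiceEndpoint", "nextHopIpAddress": []},
]

# The workaround from the issue: a UDR for the same prefix as the endpoint.
ROUTES_WITH_WORKAROUND = ROUTES_WITH_SERVICE_ENDPOINT + [
    {"source": "User", "state": "Active", "addressPrefix": ["20.60.0.0/16"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": [FIREWALL_IP]},
]


def select_route(routes, dest_ip):
    """Return the effective route Azure would use for dest_ip, or None."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        if route.get("state", "Active") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if ip not in net:
                continue
            key = (-net.prefixlen, SOURCE_RANK[route["source"]])
            if best is None or key < best[0]:
                best = (key, route)
    return None if best is None else best[1]


def firewall_bypasses(routes, firewall_ip, dest_ips):
    """Destinations whose selected route does not forward to the firewall."""
    bypassed = []
    for dest in dest_ips:
        route = select_route(routes, dest)
        if route is None or firewall_ip not in route["nextHopIpAddress"]:
            bypassed.append((dest, route["nextHopType"] if route else "none"))
    return bypassed
```

Running `firewall_bypasses` against the effective routes of each node-pool subnet is a quick check that no service-endpoint prefix slips past the next-hop firewall.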