
unnecessary storage service endpoint created on subnet? #2277

Open
kewalaka opened this issue Dec 16, 2024 · 5 comments
Comments

@kewalaka

What happened:

We pre-create a storage account with a private endpoint.

When creating an NFS share via a storage class & PVC, a service endpoint is created on the subnet.

What you expected to happen:

It's unclear to me why storage accounts that are accessed via private endpoint need a service endpoint provisioned?

The additional service endpoint then requires routes on the UDR if we wish to avoid situations where operators provision additional storage without private endpoints and traffic bypasses the next-hop firewall because the service endpoint routing is more specific.

Ideally, we want a policy in place to block service endpoints.

Anything else we need to know?:

Can work around this by adding a route, but preference is to avoid unnecessary service endpoints.

@andyzhangx
Member

are your node pools on that subnet? @kewalaka

@kewalaka
Author

hi @andyzhangx - yes, the service endpoint has been made at the vnet and applies to all subnets in that vnet.

in my situation I have three subnets

  1. nodes pools
  2. api server
  3. a base subnet where we place some private endpoints

@andyzhangx
Member

@kewalaka could you set subnetName: nodepoolSubnetName in storage class, then only that subnet would be created with service endpoint, thx.

@kewalaka
Author

true - does the node pool even need it though, if the target storage account has a private endpoint?

That's what I was meaning, the service endpoint seems redundant.

Or does the node pool require this for internal reasons?

@andyzhangx
Member

@kewalaka
what is your storage class config? if networkEndpointType: privateEndpoint is not set, the driver would update the subnet with service endpoint.
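As an added illustration (not from the issue or the driver project), the two StorageClass forms the thread contrasts, written for the Azure File CSI driver (assumed here to be the driver under discussion, provisioner `file.csi.azure.com`); all resource names are placeholders.

```yaml
# Added example, not from the issue. Assumes the Azure File CSI driver
# (provisioner file.csi.azure.com); resource names are placeholders.
#
# Form 1: networkEndpointType is unset. Per the maintainer's reply, the driver
# then adds a storage service endpoint to the subnet for an NFS share, which
# is the behaviour the issue reports.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-nfs-service-endpoint
provisioner: file.csi.azure.com
parameters:
  protocol: nfs
  skuName: Premium_LRS
  resourceGroup: <storage-account-rg>           # placeholder
  storageAccount: <precreated-storage-account>  # placeholder
  # subnetName: <nodepool-subnet>  # thread's first suggestion: confine the
  #                                # service endpoint to the node pool subnet
reclaimPolicy: Delete
volumeBindingMode: Immediate
---
# Form 2: networkEndpointType: privateEndpoint. The account is reached through
# its private endpoint, so the driver does not touch the subnet's service
# endpoints and egress stays on the UDR / firewall next-hop path.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-nfs-private-endpoint
provisioner: file.csi.azure.com
parameters:
  protocol: nfs
  skuName: Premium_LRS
  resourceGroup: <storage-account-rg>           # placeholder
  storageAccount: <precreated-storage-account>  # placeholder
  networkEndpointType: privateEndpoint
reclaimPolicy: Delete
volumeBindingMode: Immediate
```

After a PVC is bound, `az network vnet subnet show -g <vnet-rg> --vnet-name <vnet> -n <subnet> --query serviceEndpoints` shows whether a `Microsoft.Storage` service endpoint was added to the subnet.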
