Merge pull request #2553 from kubernetes-sigs/vnetlink-access-1.32

[release-1.32] feat: add VNetLinkName and PublicNetworkAccess in account creation

Author: andyzhangx

docs/driver-parameters.md

@@ -67,6 +67,8 @@ vnetResourceGroup | specify vnet resource group where virtual network is | exist
 vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the `vnetName` value in azure cloud config file
 subnetName | subnet name | existing subnet name(s) of virtual network, if you want to update service endpoints on multiple subnets, separate them using a comma (`,`) | No | if empty, driver will use the `subnetName` value in azure cloud config file
 fsGroupChangePolicy | indicates how volume's ownership will be changed by the driver, pod `securityContext.fsGroupChangePolicy` is ignored  | `OnRootMismatch`(by default), `Always`, `None` | No | `OnRootMismatch`
+vnetLinkName | virtual network link name associated with private dns zone |  | No | if empty, driver will use the `vnetName + "-vnetlink"` by default
+publicNetworkAccess | `PublicNetworkAccess` property of created storage account by the driver | `Enabled`, `Disabled`, `SecuredByPerimeter` | No |
 
  - account tags format created by dynamic provisioning
 ```

go.mod

@@ -42,9 +42,9 @@ require (
 	k8s.io/mount-utils v0.32.1
 	k8s.io/pod-security-admission v0.32.1
 	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
-	sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250425133425-2efcaed305f8
+	sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430201754-d0603ee5c5a7
 	sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2
-	sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2
+	sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.3
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -182,7 +182,7 @@ require (
 	k8s.io/kubectl v0.0.0 // indirect
 	k8s.io/kubelet v0.32.4 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
-	sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0 // indirect
+	sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.1 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 )

go.sum

@@ -893,14 +893,14 @@ k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+Ch
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250425133425-2efcaed305f8 h1:6SQj82q2K+kJqqSJf13Z+1qqZrxheNWBhZbdyOxMb0A=
-sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250425133425-2efcaed305f8/go.mod h1:6BBnJ5zA/rD0DQwpSi3hrhH42qFcdXKqQIsbs7TBoUU=
+sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430201754-d0603ee5c5a7 h1:8jZvDWIksSi4gqFfNUKHM3Xr0XdGFVQQnMTv1gJho2E=
+sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430201754-d0603ee5c5a7/go.mod h1:E2qP7+4lOorrXzX5rPNKxdNSCV2qoFNaL8b+CbWCN2M=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2 h1:9vsKWUUg5ZPrgx1OTvuJ+tbXU5zt2nOhEt7T1ZlmQ+U=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2/go.mod h1:QFx8YimjDv3fcvpJ1vGey5i8ZDOYmUXWAP1XV9eLVlg=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0 h1:Yz3Uj7sYMiLPgTtPiJECcJdjRiOrCHy6Lyp++CWEI4c=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0/go.mod h1:/7xowKtaqHtz6/Uo6EnIoAlMZJRFgQG6cjmfWt7wxdo=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2 h1:jjFJF0PmS9IHLokD41mM6RVoqQF3BQtVDmQd6ZMnN6E=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2/go.mod h1:7DdZ9ipIsmPLpBlfT4gueejcUlJBZQKWhdljQE5SKvc=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.1 h1:3jit+5cskDTISeQUbkoiapdkN2dqQsLxE+zdKMf4dbc=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.1/go.mod h1:Gn9ASG6kY9sRvTfuh+HlP5MBWcmQqu+vAmzO47Hon4c=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.3 h1:PiQy1U20uPkBgdpbERnX3BZ4bB6tljBJKU9wXmn1GrI=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.3/go.mod h1:eBK7J+xfuzLATTK5ALuERxsZv7O4kncWnCW5ILCLX0w=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=

pkg/azurefile/azurefile.go

@@ -120,6 +120,7 @@ const (
 	getAccountKeyFromSecretField      = "getaccountkeyfromsecret"
 	disableDeleteRetentionPolicyField = "disabledeleteretentionpolicy"
 	allowBlobPublicAccessField        = "allowblobpublicaccess"
+	publicNetworkAccessField          = "publicnetworkaccess"
 	allowSharedKeyAccessField         = "allowsharedkeyaccess"
 	storageEndpointSuffixField        = "storageendpointsuffix"
 	fsGroupChangePolicyField          = "fsgroupchangepolicy"
@@ -148,6 +149,7 @@ const (
 	networkEndpointTypeField          = "networkendpointtype"
 	vnetResourceGroupField            = "vnetresourcegroup"
 	vnetNameField                     = "vnetname"
+	vnetLinkNameField                 = "vnetlinkname"
 	subnetNameField                   = "subnetname"
 	shareNamePrefixField              = "sharenameprefix"
 	requireInfraEncryptionField       = "requireinfraencryption"
@@ -921,6 +923,18 @@ func isSupportedAccountAccessTier(accessTier string) bool {
 	return false
 }
 
+func isSupportedPublicNetworkAccess(publicNetworkAccess string) bool {
+	if publicNetworkAccess == "" {
+		return true
+	}
+	for _, tier := range armstorage.PossiblePublicNetworkAccessValues() {
+		if publicNetworkAccess == string(tier) {
+			return true
+		}
+	}
+	return false
+}
+
 func isSupportedRootSquashType(rootSquashType string) bool {
 	if rootSquashType == "" {
 		return true

pkg/azurefile/azurefile_test.go

@@ -1885,3 +1885,34 @@ func TestSetAzureCredentials(t *testing.T) {
 		})
 	}
 }
+
+func TestIsSupportedPublicNetworkAccess(t *testing.T) {
+	tests := []struct {
+		publicNetworkAccess string
+		expectedResult      bool
+	}{
+		{
+			publicNetworkAccess: "",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "Enabled",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "Disabled",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "InvalidValue",
+			expectedResult:      false,
+		},
+	}
+
+	for _, test := range tests {
+		result := isSupportedPublicNetworkAccess(test.publicNetworkAccess)
+		if result != test.expectedResult {
+			t.Errorf("isSupportedPublicNetworkAccess(%s) returned %v, expected %v", test.publicNetworkAccess, result, test.expectedResult)
+		}
+	}
+}

pkg/azurefile/controllerserver.go

@@ -118,7 +118,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	var sku, subsID, resourceGroup, location, account, fileShareName, diskName, fsType, secretName string
 	var secretNamespace, pvcNamespace, protocol, customTags, storageEndpointSuffix, networkEndpointType, shareAccessTier, accountAccessTier, rootSquashType, tagValueDelimiter string
 	var createAccount, useSeretCache, matchTags, selectRandomMatchingAccount, getLatestAccountKey bool
-	var vnetResourceGroup, vnetName, subnetName, shareNamePrefix, fsGroupChangePolicy, useDataPlaneAPI string
+	var vnetResourceGroup, vnetName, vnetLinkName, publicNetworkAccess, subnetName, shareNamePrefix, fsGroupChangePolicy, useDataPlaneAPI string
 	var requireInfraEncryption, disableDeleteRetentionPolicy, enableLFS, isMultichannelEnabled, allowSharedKeyAccess *bool
 	// set allowBlobPublicAccess as false by default
 	allowBlobPublicAccess := ptr.To(false)
@@ -212,6 +212,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 				return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", allowBlobPublicAccessField, v)
 			}
 			allowBlobPublicAccess = &value
+		case publicNetworkAccessField:
+			publicNetworkAccess = v
 		case allowSharedKeyAccessField:
 			value, err := strconv.ParseBool(v)
 			if err != nil {
@@ -237,6 +239,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			vnetResourceGroup = v
 		case vnetNameField:
 			vnetName = v
+		case vnetLinkNameField:
+			vnetLinkName = v
 		case subnetNameField:
 			subnetName = v
 		case shareNamePrefixField:
@@ -322,6 +326,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		return nil, status.Errorf(codes.InvalidArgument, "shareNamePrefix(%s) can only contain lowercase letters, numbers, hyphens, and length should be less than 21", shareNamePrefix)
 	}
 
+	if !isSupportedPublicNetworkAccess(publicNetworkAccess) {
+		return nil, status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", publicNetworkAccess, armstorage.PossiblePublicNetworkAccessValues())
+	}
+
 	if protocol == nfs && fsType != "" && fsType != nfs {
 		return nil, status.Errorf(codes.InvalidArgument, "fsType(%s) is not supported with protocol(%s)", fsType, protocol)
 	}
@@ -480,8 +488,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		DisableFileServiceDeleteRetentionPolicy: disableDeleteRetentionPolicy,
 		AllowBlobPublicAccess:                   allowBlobPublicAccess,
 		AllowSharedKeyAccess:                    allowSharedKeyAccess,
+		PublicNetworkAccess:                     publicNetworkAccess,
 		VNetResourceGroup:                       vnetResourceGroup,
 		VNetName:                                vnetName,
+		VNetLinkName:                            vnetLinkName,
 		SubnetName:                              subnetName,
 		RequireInfrastructureEncryption:         requireInfraEncryption,
 		AccessTier:                              accountAccessTier,

pkg/azurefile/controllerserver_test.go

@@ -265,6 +265,23 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 			gomega.Expect(err).To(gomega.Equal(expectedErr))
 		})
 	})
+	ginkgo.When("Invalid PublicNetworkAccess", func() {
+		ginkgo.It("should fail", func(ctx context.Context) {
+			allParam := map[string]string{
+				publicNetworkAccessField: "test_publicNetworkAccess",
+			}
+
+			req := &csi.CreateVolumeRequest{
+				Name:               "PublicNetworkAccess-invalid",
+				CapacityRange:      stdCapRange,
+				VolumeCapabilities: stdVolCap,
+				Parameters:         allParam,
+			}
+			expectedErr := status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", "test_publicNetworkAccess", armstorage.PossiblePublicNetworkAccessValues())
+			_, err := d.CreateVolume(ctx, req)
+			gomega.Expect(err).To(gomega.Equal(expectedErr))
+		})
+	})
 	ginkgo.When("nfs protocol only supports premium storage", func() {
 		ginkgo.It("should fail", func(ctx context.Context) {
 			allParam := map[string]string{
@@ -529,6 +546,7 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 		ginkgo.It("should fail", func(ctx context.Context) {
 			allParam := map[string]string{
 				networkEndpointTypeField: "privateendpoint",
+				vnetLinkNameField:        "vnetlink",
 				subnetNameField:          "subnet1,subnet2",
 			}
 

test/e2e/dynamic_provisioning_test.go

@@ -1480,6 +1480,7 @@ var _ = ginkgo.Describe("Dynamic Provisioning", func() {
 		scParameters := map[string]string{
 			"protocol":            "nfs",
 			"networkEndpointType": "privateEndpoint",
+			"publicNetworkAccess": "Disabled",
 			"skuName":             "Premium_LRS",
 			"rootSquashType":      "AllSquash",
 			"mountPermissions":    "0",

vendor/modules.txt

@@ -1873,7 +1873,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250425133425-2efcaed305f8
+# sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430201754-d0603ee5c5a7
 ## explicit; go 1.23.2
 sigs.k8s.io/cloud-provider-azure/pkg/cache
 sigs.k8s.io/cloud-provider-azure/pkg/consts
@@ -1988,10 +1988,10 @@ sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualnetworkclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualnetworkclient/mock_virtualnetworkclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualnetworklinkclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/virtualnetworklinkclient/mock_virtualnetworklinkclient
-# sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0
+# sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.1
 ## explicit; go 1.23.0
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache
-# sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2
+# sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.3
 ## explicit; go 1.23.0
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader
 # sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3