
Commit e8fe92a

Merge pull request #2552 from kubernetes-sigs/vnetlink-access
feat: add VNetLinkName and PublicNetworkAccess in account creation
2 parents cadbf6f + 6f936e5 commit e8fe92a


20 files changed

+255
-139
lines changed


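--- a/docs/driver-parameters.md
+++ b/docs/driver-parameters.md
@@ -80,6 +80,8 @@ vnetResourceGroup | specify vnet resource group where virtual network is | exist
 vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the `vnetName` value in azure cloud config file
 subnetName | subnet name | existing subnet name(s) of virtual network, if you want to update service endpoints on multiple subnets, separate them using a comma (`,`) | No | if empty, driver will update all the subnets under the cluster virtual network
 fsGroupChangePolicy | indicates how volume's ownership will be changed by the driver, pod `securityContext.fsGroupChangePolicy` is ignored | `OnRootMismatch`(by default), `Always`, `None` | No | `OnRootMismatch`
+vnetLinkName | virtual network link name associated with private dns zone | | No | if empty, driver will use the `vnetName + "-vnetlink"` by default
+publicNetworkAccess | `PublicNetworkAccess` property of created storage account by the driver | `Enabled`, `Disabled`, `SecuredByPerimeter` | No |
 
 - account tags format created by dynamic provisioning
 ```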

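--- a/go.mod
+++ b/go.mod
@@ -40,8 +40,8 @@ require (
 k8s.io/mount-utils v0.32.1
 k8s.io/pod-security-admission v0.32.1
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
-sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250411033641-95731ae4347d
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.20
+sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430114234-9721ab91da23
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2
 sigs.k8s.io/yaml v1.4.0
 )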

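--- a/go.sum
+++ b/go.sum
@@ -893,10 +893,10 @@ k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+Ch
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250411033641-95731ae4347d h1:l5IVHndcJAJO0rtA08IJVlvyuFjqhbMdUTzPgr3CNSk=
-sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250411033641-95731ae4347d/go.mod h1:ftiwQdo8hx/aG4+moIenxAtt/E4abjEo4ZnlzevMiuE=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.20 h1:aVSc4LFdBVlrhlldIzPo4NrcTQRdnAlqTB31sOcPIrM=
-sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.20/go.mod h1:OkkCYstvomfIwV4rvVIegymcgMnt7ZQ3+1Wi9WZmP1s=
+sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430114234-9721ab91da23 h1:Bh0K4c+wBamX/q0mSJjDNAGSI3kT2dZjRP5RyYpZzHc=
+sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430114234-9721ab91da23/go.mod h1:TezgC5EnFB5srxPQS162WJvQMoZy91bj2xueSaFQ1AA=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2 h1:9vsKWUUg5ZPrgx1OTvuJ+tbXU5zt2nOhEt7T1ZlmQ+U=
+sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2/go.mod h1:QFx8YimjDv3fcvpJ1vGey5i8ZDOYmUXWAP1XV9eLVlg=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0 h1:Yz3Uj7sYMiLPgTtPiJECcJdjRiOrCHy6Lyp++CWEI4c=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.0/go.mod h1:/7xowKtaqHtz6/Uo6EnIoAlMZJRFgQG6cjmfWt7wxdo=
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.5.2 h1:jjFJF0PmS9IHLokD41mM6RVoqQF3BQtVDmQd6ZMnN6E=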

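--- a/pkg/azurefile/azurefile.go
+++ b/pkg/azurefile/azurefile.go
@@ -120,6 +120,7 @@ const (
 getAccountKeyFromSecretField = "getaccountkeyfromsecret"
 disableDeleteRetentionPolicyField = "disabledeleteretentionpolicy"
 allowBlobPublicAccessField = "allowblobpublicaccess"
+publicNetworkAccessField = "publicnetworkaccess"
 allowSharedKeyAccessField = "allowsharedkeyaccess"
 storageEndpointSuffixField = "storageendpointsuffix"
 fsGroupChangePolicyField = "fsgroupchangepolicy"
@@ -150,6 +151,7 @@ const (
 networkEndpointTypeField = "networkendpointtype"
 vnetResourceGroupField = "vnetresourcegroup"
 vnetNameField = "vnetname"
+vnetLinkNameField = "vnetlinkname"
 subnetNameField = "subnetname"
 shareNamePrefixField = "sharenameprefix"
 requireInfraEncryptionField = "requireinfraencryption"
@@ -927,6 +929,18 @@ func isSupportedAccountAccessTier(accessTier string) bool {
 return false
 }
 
+func isSupportedPublicNetworkAccess(publicNetworkAccess string) bool {
+if publicNetworkAccess == "" {
+return true
+}
+for _, tier := range armstorage.PossiblePublicNetworkAccessValues() {
+if publicNetworkAccess == string(tier) {
+return true
+}
+}
+return false
+}
+
 func isSupportedRootSquashType(rootSquashType string) bool {
 if rootSquashType == "" {
 return true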
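Review bot: In isSupportedPublicNetworkAccess the loop variable is named `tier`, carried over from isSupportedAccountAccessTier directly above, although the values iterated here are PublicNetworkAccess enum members; `for _, v := range armstorage.PossiblePublicNetworkAccessValues()` would describe the loop accurately. The match is an exact string comparison, so `enabled` is rejected while `Enabled` passes, and the new function has no doc comment; I would add `// isSupportedPublicNetworkAccess reports whether publicNetworkAccess is empty or exactly one of the PublicNetworkAccess values enumerated by armstorage (the comparison is case-sensitive).` Whether the value is case-normalised before it reaches this function is not visible in this file.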

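--- a/pkg/azurefile/azurefile_test.go
+++ b/pkg/azurefile/azurefile_test.go
@@ -1885,3 +1885,34 @@ func TestSetAzureCredentials(t *testing.T) {
 })
 }
 }
+
+func TestIsSupportedPublicNetworkAccess(t *testing.T) {
+tests := []struct {
+publicNetworkAccess string
+expectedResult bool
+}{
+{
+publicNetworkAccess: "",
+expectedResult: true,
+},
+{
+publicNetworkAccess: "Enabled",
+expectedResult: true,
+},
+{
+publicNetworkAccess: "Disabled",
+expectedResult: true,
+},
+{
+publicNetworkAccess: "InvalidValue",
+expectedResult: false,
+},
+}
+
+for _, test := range tests {
+result := isSupportedPublicNetworkAccess(test.publicNetworkAccess)
+if result != test.expectedResult {
+t.Errorf("isSupportedPublicNetworkAccess(%s) returned %v, expected %v", test.publicNetworkAccess, result, test.expectedResult)
+}
+}
+}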
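Review bot: The table in TestIsSupportedPublicNetworkAccess covers only `Enabled`, `Disabled`, the empty string and one junk value, so it pins neither the case-sensitive match nor the `SecuredByPerimeter` value the docs hunk advertises. I would add `{publicNetworkAccess: "enabled", expectedResult: false},` and, provided the vendored armstorage enumerates it, `{publicNetworkAccess: "SecuredByPerimeter", expectedResult: true},`. The failure message formats the input with `%s`; `%q` would make the empty-string row readable when it fails.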

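--- a/pkg/azurefile/controllerserver.go
+++ b/pkg/azurefile/controllerserver.go
@@ -118,7 +118,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 var sku, subsID, resourceGroup, location, account, fileShareName, diskName, fsType, secretName string
 var secretNamespace, pvcNamespace, protocol, customTags, storageEndpointSuffix, networkEndpointType, shareAccessTier, accountAccessTier, rootSquashType, tagValueDelimiter string
 var createAccount, useSeretCache, matchTags, selectRandomMatchingAccount, getLatestAccountKey, encryptInTransit bool
-var vnetResourceGroup, vnetName, subnetName, shareNamePrefix, fsGroupChangePolicy, useDataPlaneAPI string
+var vnetResourceGroup, vnetName, vnetLinkName, publicNetworkAccess, subnetName, shareNamePrefix, fsGroupChangePolicy, useDataPlaneAPI string
 var requireInfraEncryption, disableDeleteRetentionPolicy, enableLFS, isMultichannelEnabled, allowSharedKeyAccess *bool
 // set allowBlobPublicAccess as false by default
 allowBlobPublicAccess := ptr.To(false)
@@ -212,6 +212,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in storage class", allowBlobPublicAccessField, v)
 }
 allowBlobPublicAccess = &value
+case publicNetworkAccessField:
+publicNetworkAccess = v
 case allowSharedKeyAccessField:
 value, err := strconv.ParseBool(v)
 if err != nil {
@@ -237,6 +239,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 vnetResourceGroup = v
 case vnetNameField:
 vnetName = v
+case vnetLinkNameField:
+vnetLinkName = v
 case subnetNameField:
 subnetName = v
 case shareNamePrefixField:
@@ -328,6 +332,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 return nil, status.Errorf(codes.InvalidArgument, "shareNamePrefix(%s) can only contain lowercase letters, numbers, hyphens, and length should be less than 21", shareNamePrefix)
 }
 
+if !isSupportedPublicNetworkAccess(publicNetworkAccess) {
+return nil, status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", publicNetworkAccess, armstorage.PossiblePublicNetworkAccessValues())
+}
+
 if protocol == nfs && fsType != "" && fsType != nfs {
 return nil, status.Errorf(codes.InvalidArgument, "fsType(%s) is not supported with protocol(%s)", fsType, protocol)
 }
@@ -492,8 +500,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 DisableFileServiceDeleteRetentionPolicy: disableDeleteRetentionPolicy,
 AllowBlobPublicAccess: allowBlobPublicAccess,
 AllowSharedKeyAccess: allowSharedKeyAccess,
+PublicNetworkAccess: publicNetworkAccess,
 VNetResourceGroup: vnetResourceGroup,
 VNetName: vnetName,
+VNetLinkName: vnetLinkName,
 SubnetName: subnetName,
 RequireInfrastructureEncryption: requireInfraEncryption,
 AccessTier: accountAccessTier,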
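Review bot: publicNetworkAccess is checked against the armstorage enum at `if !isSupportedPublicNetworkAccess(publicNetworkAccess)`, but vnetLinkName is taken verbatim at `case vnetLinkNameField:` and placed into `VNetLinkName:` with no check at all, and the `vnetName + "-vnetlink"` default that the docs hunk promises does not appear in this file, so it presumably lives in cloud-provider-azure. A comment at the assignment would spare the next reader that search: `// vnetLinkName: private DNS zone vnet link name; an empty value is expected to be defaulted by the cloud provider`. The empty-string case of publicNetworkAccess likewise passes straight into the account options, which I read as leaving the provider default in place; stating that next to `PublicNetworkAccess: publicNetworkAccess,` would make the intent explicit. CreateVolume begins and ends outside these hunks.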

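--- a/pkg/azurefile/controllerserver_test.go
+++ b/pkg/azurefile/controllerserver_test.go
@@ -265,6 +265,23 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 gomega.Expect(err).To(gomega.Equal(expectedErr))
 })
 })
+ginkgo.When("Invalid PublicNetworkAccess", func() {
+ginkgo.It("should fail", func(ctx context.Context) {
+allParam := map[string]string{
+publicNetworkAccessField: "test_publicNetworkAccess",
+}
+
+req := &csi.CreateVolumeRequest{
+Name: "PublicNetworkAccess-invalid",
+CapacityRange: stdCapRange,
+VolumeCapabilities: stdVolCap,
+Parameters: allParam,
+}
+expectedErr := status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", "test_publicNetworkAccess", armstorage.PossiblePublicNetworkAccessValues())
+_, err := d.CreateVolume(ctx, req)
+gomega.Expect(err).To(gomega.Equal(expectedErr))
+})
+})
 ginkgo.When("nfs protocol only supports premium storage", func() {
 ginkgo.It("should fail", func(ctx context.Context) {
 allParam := map[string]string{
@@ -529,6 +546,7 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 ginkgo.It("should fail", func(ctx context.Context) {
 allParam := map[string]string{
 networkEndpointTypeField: "privateendpoint",
+vnetLinkNameField: "vnetlink",
 subnetNameField: "subnet1,subnet2",
 }
 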
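Review bot: Both hunks exercise only failure paths: the new `Invalid PublicNetworkAccess` spec checks the rejection message, and `vnetLinkNameField: "vnetlink"` is added to a spec that is already expected to fail for another reason, so nothing asserts that a valid publicNetworkAccess or vnetLinkName actually reaches the account options. A positive spec passing `publicNetworkAccessField: "Disabled"` together with `vnetLinkNameField` and checking the resulting AccountOptions would close that gap; the `d` fixture is set up outside the hunk, so I cannot sketch the assertion here. The expected error is also built with the same format string as the implementation, so a wording change in CreateVolume would never be caught; a literal expected message is the stronger check.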

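--- a/test/e2e/dynamic_provisioning_test.go
+++ b/test/e2e/dynamic_provisioning_test.go
@@ -1480,6 +1480,7 @@ var _ = ginkgo.Describe("Dynamic Provisioning", func() {
 scParameters := map[string]string{
 "protocol": "nfs",
 "networkEndpointType": "privateEndpoint",
+"publicNetworkAccess": "Disabled",
 "skuName": "Premium_LRS",
 "rootSquashType": "AllSquash",
 "mountPermissions": "0",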

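--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1874,7 +1874,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250411033641-95731ae4347d
+# sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430114234-9721ab91da23
 ## explicit; go 1.24
 sigs.k8s.io/cloud-provider-azure/pkg/cache
 sigs.k8s.io/cloud-provider-azure/pkg/consts
@@ -1904,7 +1904,7 @@ sigs.k8s.io/cloud-provider-azure/pkg/util/string
 sigs.k8s.io/cloud-provider-azure/pkg/util/taints
 sigs.k8s.io/cloud-provider-azure/pkg/util/vm
 sigs.k8s.io/cloud-provider-azure/pkg/version
-# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.5.20
+# sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.6.2
 ## explicit; go 1.23.0
 sigs.k8s.io/cloud-provider-azure/pkg/azclient
 sigs.k8s.io/cloud-provider-azure/pkg/azclient/accountclient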

vendor/sigs.k8s.io/cloud-provider-azure/pkg/azclient/utils/poller.go

Lines changed: 1 addition & 1 deletion
