feat: set allowBlobPublicAccess as false by default

andyzhangx · andyzhangx · commit db317406f910 · 2021-09-24T03:44:24.000Z
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -17,7 +17,7 @@ protocol | specify blobfuse mount or NFSv3 mount | `fuse`, `nfs` | No | `fuse`
 containerName | specify the existing container name | existing container name | No | if empty, driver will create a new container name, starting with `pvc-fuse` for blobfuse or `pvc-nfs` for NFSv3
 isHnsEnabled | enable `Hierarchical namespace` for Azure DataLake storage account(only for blobfuse) | `true`,`false` | No | `false`
 server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address
-allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `true`
+allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false`
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net` | No | if empty, driver will use default storage endpoint suffix according to cloud environment, e.g. `core.windows.net`
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""
 
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -66,7 +66,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		parameters = make(map[string]string)
 	}
 	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretNamespace string
-	var isHnsEnabled, allowBlobPublicAccess *bool
+	var isHnsEnabled *bool
+	// set allowBlobPublicAccess as false by default
+	allowBlobPublicAccess := to.BoolPtr(false)
 
 	// store account key to k8s secret by default
 	storeAccountKey := true
@@ -102,8 +104,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 				storeAccountKey = false
 			}
 		case allowBlobPublicAccessField:
-			if strings.EqualFold(v, falseValue) {
-				allowBlobPublicAccess = to.BoolPtr(false)
+			if strings.EqualFold(v, trueValue) {
+				allowBlobPublicAccess = to.BoolPtr(true)
 			}
 		case pvcNamespaceKey:
 			if secretNamespace == "" {
