Security - manual NFS mount in a pod

David Hautbois 20 Reputation points
2024-11-11T20:11:10.2866667+00:00

Hello

I successfully configured my AKS cluster to mount nfs share from a netapp resource.

I use PV and PVC.

If I check the mount points in the pod, I get :

nfs.xxx.com:/share/prd on /var/www/shared type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=X.X.X.X,local_lock=none,addr=Y.Y.Y.Y)

Is there way to manually mount a nfs share in the pod ? :

mount -t nfs nfs.xxx:/share/confidential /mnt

So, it could be a security issue if a pod is compromised...

Maybe, there is security configuration / isolation in AKS to deny manual nfs mounts.

I want to be sure that a pod can only access to nfs shares defined in its definition with PV and PVC.

Thanks.

David.

Azure NetApp Files
Azure NetApp Files
An Azure service that provides enterprise-grade file shares powered by NetApp.
96 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,207 questions
{count} votes

Accepted answer
  1. Prrudram-MSFT 27,251 Reputation points
    2024-11-13T18:28:41.49+00:00

    Hello @David Hautbois

    As far as I know you need to be aware that the actual NFS mount happens at the Kubernetes node level. The NFS mounted on the Kubernetes node is then passed to the pod.

    From here: https://learn.microsoft.com/en-us/azure/storage/files/files-nfs-protocol#security-and-networking

    "The NFS protocol don't offer user-based authentication. Authentication for NFS shares is based on the configured network security rules. Due to this, to ensure only secure connections are established to your NFS share, you must set up either a private endpoint or a service endpoint for your storage account." 

    To test about the access I created a Storage Class:

    k apply -f - <<EOF


    apiVersion: storage.k8s.io/v1

    kind: StorageClass

    metadata:

      name: azurefile-premium-nfs

    allowVolumeExpansion: true

    mountOptions:

      - nconnect=4

      - noresvport

      - actimeo=30

    parameters:

      skuName: Premium_LRS

      protocol: nfs

    provisioner: file.csi.azure.com

    reclaimPolicy: Delete

    volumeBindingMode: Immediate

    EOF 

    It seems the access to the storage account is allowed for the AKS nodes subnet. Depending on the Kubernetes CNI you are using you might have lock down differently if you want to avoid Pods being able to access the Storage Account. You mentioned "netapp resource" in your verbatim. I never used netapp with AKS so my test may not be relevant to your scenario. 

    Please let me know if this helps

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.