Reputation: 11
Mounted Azure File shares in AKS deployments using the cluster UAMI with the Reader and Storage Account Key Operator Service roles. It was successfully mounted in all the pod replicas, and I was able to create files and list all the files of the Azure file share from a pod. But it is not working after key rotation. I also tried to create a new deployment, storage class and PVC. Still, I am facing permission issues while the pods are being created.
Stage 1: (First Time Process)
Stage 2: (Failure Process)
Error:
default 13s Warning FailedMount pod/myapp-deploymentkey1-67465fb9df-9xcrz MountVolume.SetUp failed for volume "xx" : mount failed: exit status 32
Mounting command: mount
Mounting arguments: -t cifs -o file_mode=0777,dir_mode=0777,vers=3.0,actimeo=30,mfsymlinks,<masked> //{StorageName}.file.core.windows.net/sample1 /var/lib/kubelet/pods/xx8/volumes/kubernetes.io~azure-file/pvc-cxx
Output: mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
default 13s Warning FailedMount pod/myapp-deploymentkey1-67465fb9df-jwmcc MountVolume.SetUp failed for volume "xx" : mount failed: exit status 32
Mounting command: mount
Mounting arguments: -t cifs -o file_mode=0777,dir_mode=0777,vers=3.0,actimeo=30,mfsymlinks,<masked> //{StorageName}.file.core.windows.net/sample1 /var/lib/kubelet/pods/xxx/volumes/kubernetes.io~azure-file/pvc-xx
Output: mount error(13): Permission denied
Upvotes: 1
Views: 1355
Reputation: 5169
• The error that you are encountering while mounting the file share on the Kubernetes pod indicates a communication protocol issue, i.e., the communication channel used to connect to the Azure file share and mount it on the pod after key rotation is unencrypted, and the connection attempt was made from a different Azure datacenter location than the one where the file share resides.
• Also, please check whether the 'Secure transfer required' property for the storage account is enabled, because if it is enabled, any requests originating from an insecure connection are rejected. Microsoft recommends that you always require secure transfer for all your storage accounts.
• So, for this issue, you can try disabling the 'secure transfer' property on the file share's storage account, as the file share is shared by all the existing pods; if a new pod deployment with a new key rotation related to the user-assigned managed identity is detected, the existing ones might not be compatible with the newly assigned keys or may not be updated with them.
• You can also check the version of SMB encryption used by the existing pods and the newly deployed ones. Please refer to the links below for more information:
Upvotes: 1
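As an added example (not code from the question or the answer above), the following script applies the answer's checklist to the FailedMount event shown in the question: it parses the mount options and errno out of the event text, reads the account's secure-transfer setting from a constructed imitation of `az storage account show` JSON, and reports which of the two checks (SMB version versus secure transfer, and credentials rejected after the key rotation the question describes) apply. The event text and account JSON are constructed sample inputs; `parse_failed_mount` and `diagnose` are hypothetical helper names.

```python
import json
import re

# Constructed inputs: the FailedMount event text as shown in the question, and a
# trimmed, constructed imitation of `az storage account show` JSON output.
SAMPLE_EVENT = (
    'default 13s Warning FailedMount pod/myapp-deploymentkey1-67465fb9df-9xcrz '
    'MountVolume.SetUp failed for volume "xx" : mount failed: exit status 32\n'
    'Mounting command: mount\n'
    'Mounting arguments: -t cifs -o file_mode=0777,dir_mode=0777,vers=3.0,actimeo=30,'
    'mfsymlinks,<masked> //{StorageName}.file.core.windows.net/sample1 '
    '/var/lib/kubelet/pods/xx8/volumes/kubernetes.io~azure-file/pvc-cxx\n'
    'Output: mount error(13): Permission denied\n'
)
SAMPLE_ACCOUNT = json.dumps({"name": "{StorageName}", "supportsHttpsTrafficOnly": True})


def parse_failed_mount(event_text):
    """Extract the pod name, the cifs mount options and the errno from a FailedMount event."""
    pod = re.search(r"pod/(\S+)", event_text).group(1)
    raw_opts = re.search(r"-o (\S+)", event_text).group(1)
    # "key=value" items become (key, value); bare flags such as mfsymlinks get an empty value
    options = dict(item.partition("=")[::2] for item in raw_opts.split(","))
    errno = int(re.search(r"mount error\((\d+)\)", event_text).group(1))
    return {"pod": pod, "options": options, "errno": errno}


def diagnose(failure, account_json):
    """Return the findings from the answer's checks that apply to this failure."""
    account = json.loads(account_json)
    findings = []
    vers = failure["options"].get("vers", "")
    # Check 1 (answer): with secure transfer required, the share accepts only encrypted SMB 3.x
    if account.get("supportsHttpsTrafficOnly") and not vers.startswith("3"):
        findings.append("secure transfer required but vers=%s: only encrypted SMB 3.x mounts "
                        "are accepted" % (vers or "unset"))
    # Check 2 (question): EACCES means the share rejected the credentials the driver presented,
    # which after a key rotation points at a key that predates the rotation
    if failure["errno"] == 13:
        findings.append("mount error(13) Permission denied on %s: the share rejected the "
                        "credentials; confirm the key in use is the post-rotation key"
                        % failure["pod"])
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_failed_mount(SAMPLE_EVENT), SAMPLE_ACCOUNT):
        print(line)
```

Feed it the output of `kubectl get events` (or `kubectl describe pod`) and the real `az storage account show -o json` output to run the same checks against a live cluster.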