
Lockdown storage accounts

Open sakthi-vetrivel opened this issue 4 years ago • 5 comments

Today, public access is enabled on the ARO storage account created with a cluster. The TLS for this cluster is also set to 1.0 and network access is allowed from any network. We want to secure access to this storage account and use TLS >1.2.

sakthi-vetrivel avatar Jun 23 '21 16:06 sakthi-vetrivel

This feature will be a combination of the following:

  1. Setting TLS value to 1.2 (this is already live for new clusters getting created)
  2. Setting the flag so that the storage account is private (instead of public)
  3. Setting Encryption on the storage account (new clusters)
  4. In combination with Egress lockdown, the storage account will be accessible through privateLink

jboutaud avatar Jan 25 '22 15:01 jboutaud
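
As an added example (not from this thread or the ARO project), the following audits storage account properties against items 1 to 3 of the list above plus the "any network" access described in the original report. It assumes the JSON shape returned by `az storage account show`; the account names and values are constructed.

```python
import json

# Constructed sample shaped like `az storage account show` output (assumption);
# the account names are placeholders, not real ARO resources.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "clusterexample1",
   "minimumTlsVersion": "TLS1_0",
   "allowBlobPublicAccess": true,
   "networkRuleSet": {"defaultAction": "Allow"},
   "encryption": {"services": {"blob": {"enabled": true}}}},
  {"name": "clusterexample2",
   "minimumTlsVersion": "TLS1_2",
   "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny"},
   "encryption": {"services": {"blob": {"enabled": true}}}},
  {"name": "clusterexample3",
   "allowBlobPublicAccess": null,
   "networkRuleSet": {"defaultAction": "Deny"},
   "encryption": {"services": {"blob": {"enabled": true}}}}
]
""")

def audit_account(acct):
    """Return the lockdown items from the thread that this account does not meet."""
    findings = []
    # Missing or null values count as findings: a conservative choice for this example.
    tls = acct.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS is {tls or 'unset'}, target is TLS1_2")
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("blob public access is not disabled")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("network default action is not Deny")
    blob = ((acct.get("encryption") or {}).get("services") or {}).get("blob") or {}
    if not blob.get("enabled"):
        findings.append("blob encryption is not enabled")
    return findings

def audit_all(accounts):
    """Map each account name to its list of findings (empty list means locked down)."""
    return {a.get("name", "<unnamed>"): audit_account(a) for a in accounts}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```
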

Is there a time frame on when this will be default for new customers or migrated for existing customers?

supernovae avatar Mar 03 '22 00:03 supernovae

Is there any information on if clusters created prior to this feature getting introduced will be able to migrate to the privatized design?

jameson-hearn avatar Sep 09 '22 20:09 jameson-hearn

Existing clusters should be migrated to storage lockdown and new installs locked by default. Should have had a notice in Azure Service Health for this being done earlier in spring, I do believe.

supernovae avatar Sep 09 '22 23:09 supernovae

@supernovae I can confirm that I am seeing one customer currently running an ARO cluster that has been up for over a year that never transitioned to the private model for storage.

jameson-hearn avatar Sep 09 '22 23:09 jameson-hearn