Remove the default azurefile-csi storage class
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration. This guide has been validated on OpenShift 4.20. Operator CRD names, API versions, and console paths may differ on other versions.
Azure Red Hat OpenShift (ARO) clusters come with a default storage class named azurefile-csi. It is provided for convenience, so that persistent storage can be provisioned from Azure Files immediately, without additional configuration. However, by default the azurefile-csi storage class does not use a private endpoint. This can introduce a significant security vulnerability, because data traffic to and from the Azure Files shares goes through a public endpoint, potentially exposing sensitive information. For environments with stringent security requirements, removing or replacing the default azurefile-csi storage class and implementing a solution that uses private endpoints is therefore a critical step in securing your ARO deployment.
Prerequisites
- Logged in to an ARO cluster
- oc CLI
Remove the default azurefile-csi storage class
To remove the default azurefile-csi storage class that comes with ARO, we first need to change the file.csi.azure.com cluster CSI driver so that it is no longer managed. Otherwise the storage class remains under the driver's management.
After that, we can delete the azurefile-csi storage class.
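The two steps above as a script, added here as an example and not taken from the original guide. It assumes oc is logged in with cluster-admin rights and that "not managed" is expressed through the ClusterCSIDriver field spec.storageClassState set to Unmanaged; the function names and the --apply argument are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: remove the default azurefile-csi storage class on ARO.
# Assumes `oc` is logged in as cluster-admin. Function names are hypothetical.

SC_NAME="azurefile-csi"
DRIVER="file.csi.azure.com"

# List PVs that were provisioned from the storage class. Deleting the class
# does not touch these volumes, so they have to be reviewed separately.
pvs_using_class() {
  oc get pv -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.storageClassName}{"\n"}{end}' \
    | awk -F'\t' -v sc="$SC_NAME" '$2 == sc { print $1 }'
}

# Step 1: tell the operator to stop managing the storage class, then confirm.
unmanage_driver() {
  oc patch clustercsidriver "$DRIVER" --type=merge \
    -p '{"spec":{"storageClassState":"Unmanaged"}}' || return 1
  state=$(oc get clustercsidriver "$DRIVER" -o jsonpath='{.spec.storageClassState}')
  [ "$state" = "Unmanaged" ]
}

# Step 2: delete the storage class (no error if it is already gone).
delete_class() {
  oc delete storageclass "$SC_NAME" --ignore-not-found
}

remove_default_azurefile_sc() {
  in_use=$(pvs_using_class)
  if [ -n "$in_use" ]; then
    echo "PVs provisioned from $SC_NAME (not changed by this script):" >&2
    echo "$in_use" >&2
  fi
  unmanage_driver || { echo "driver is not Unmanaged; not deleting" >&2; return 1; }
  delete_class
}

# Only act when called with the (hypothetical) --apply argument.
if [ "${1:-}" = "--apply" ]; then remove_default_azurefile_sc; fi
```

Running `oc get storageclass` afterwards should no longer list azurefile-csi.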
(Optional) Re-create the Azure Files Storage class with a private endpoint
Follow this guide to create an Azure Files storage class with a private endpoint.