
Fix: preserve user-configured PrivateEndpointNetworkPolicies on subnets#2961

Closed
Copilot wants to merge 3 commits into master from copilot/fix-azurefile-nsg-setting

Conversation

Contributor

Copilot AI commented Feb 4, 2026

When creating private endpoints for Azure File storage, the driver unconditionally calls CreateOrUpdate on subnets, overwriting user-configured PrivateEndpointNetworkPolicies (e.g., NetworkSecurityGroupEnabled, RouteTableEnabled) back to Disabled.

Root Cause

The vendored cloud-provider-azure code checks if the policy is already set and logs accordingly, but still executes the subnet update:

```go
// Before: always updates subnet, even when policy already configured
if subnet.Properties.PrivateEndpointNetworkPolicies == nil || *subnet.Properties.PrivateEndpointNetworkPolicies == Enabled {
    subnet.Properties.PrivateEndpointNetworkPolicies = to.Ptr(Disabled)
} else {
    klog.V(2).Infof("PrivateEndpointNetworkPolicies is already set to %s", ...)
}
// BUG: CreateOrUpdate still called here, resetting policy
if err := az.subnetRepo.CreateOrUpdate(ctx, ...); err != nil {
    return err
}
```

Changes

Skip subnet update when PrivateEndpointNetworkPolicies is already configured to a non-Enabled value:

```go
needSubnetUpdate := false
if subnet.Properties.PrivateEndpointNetworkPolicies == nil || *subnet.Properties.PrivateEndpointNetworkPolicies == Enabled {
    subnet.Properties.PrivateEndpointNetworkPolicies = to.Ptr(Disabled)
    needSubnetUpdate = true
}

if needSubnetUpdate {
    if err := az.subnetRepo.CreateOrUpdate(ctx, ...); err != nil {
        return err
    }
}
```

Modified file: vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/storage/azure_storageaccount.go
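To make the regression checkable outside Azure, here is an added Go example (not code from this PR or from cloud-provider-azure) that models the "before" and "after" logic against a constructed fake subnet repository that counts CreateOrUpdate calls; Subnet, fakeRepo, writesFor and the string policy constants are assumptions standing in for the SDK types.

```go
package main

// Policy values as the Azure SDK spells them (constructed constants).
const (
	Enabled                     = "Enabled"
	Disabled                    = "Disabled"
	NetworkSecurityGroupEnabled = "NetworkSecurityGroupEnabled"
	RouteTableEnabled           = "RouteTableEnabled"
)

// Subnet is a hypothetical stand-in for the SDK subnet Properties.
type Subnet struct{ PrivateEndpointNetworkPolicies *string }

// fakeRepo counts CreateOrUpdate calls, i.e. subnet write operations.
type fakeRepo struct{ writes int }

func (r *fakeRepo) CreateOrUpdate(s *Subnet) error { r.writes++; return nil }

func ptr(s string) *string { return &s }

func needsDisable(s *Subnet) bool {
	return s.PrivateEndpointNetworkPolicies == nil || *s.PrivateEndpointNetworkPolicies == Enabled
}

// ensureDisabledBefore mirrors the buggy vendored logic: the check only
// updates the in-memory value, and CreateOrUpdate runs on every call.
func ensureDisabledBefore(repo *fakeRepo, s *Subnet) error {
	if needsDisable(s) {
		s.PrivateEndpointNetworkPolicies = ptr(Disabled)
	}
	return repo.CreateOrUpdate(s) // BUG: unconditional write
}

// ensureDisabledAfter mirrors the PR: write only when nil/Enabled is really
// being changed to Disabled, otherwise leave the subnet untouched.
func ensureDisabledAfter(repo *fakeRepo, s *Subnet) error {
	if !needsDisable(s) {
		return nil
	}
	s.PrivateEndpointNetworkPolicies = ptr(Disabled)
	return repo.CreateOrUpdate(s)
}

// writesFor runs fn on a subnet preconfigured with policy and returns the
// number of subnet writes and the policy left on the subnet afterwards.
func writesFor(fn func(*fakeRepo, *Subnet) error, policy *string) (int, string) {
	repo, s := &fakeRepo{}, &Subnet{PrivateEndpointNetworkPolicies: policy}
	_ = fn(repo, s)
	return repo.writes, *s.PrivateEndpointNetworkPolicies
}
```

For a subnet already set to NetworkSecurityGroupEnabled or RouteTableEnabled the "before" path still issues a subnets/write (the event the issue reporter saw in the Activity Log), while the "after" path issues none.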


Original prompt

This section details the original issue you should resolve

<issue_title>Azurefile with privateEndpoint forcibly disables NSGs from subnets network policy setting - AGAIN</issue_title>
<issue_description>

What happened:

I created an Azure File StorageClass with networkEndpointType: privateEndpoint in my AKS cluster, which is already integrated into my virtual network subnet. This subnet is configured with:

Private endpoint network policy: Route tables, Network security groups

However, when I create a PVC using this Azure File StorageClass, the CSI driver overrides this setting and changes it to:

Private endpoint network policy: Disabled

The same issue is described here:
#2634

According to this pull request, the issue has already been fixed:
#2637

So why is this still happening?

What you expected to happen:

I expected my setting to remain as I had pre-configured it.

How to reproduce it:

I've implemented 2 new classes in my AKS:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-csi-premium-private
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
provisioner: file.csi.azure.com
parameters:
  networkEndpointType: privateEndpoint
  skuName: Premium_LRS
reclaimPolicy: Delete
mountOptions:
  - mfsymlinks
  - actimeo=30
  - nosharesock
allowVolumeExpansion: true
volumeBindingMode: Immediate
```

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-csi-private
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
provisioner: file.csi.azure.com
parameters:
  networkEndpointType: privateEndpoint
  skuName: Standard_LRS
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate
```

Then I deploy the following test resources:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: pe-policy-test
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azurefile-pe-pvc
  namespace: pe-policy-test
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: azurefile-csi-premium-private
---
apiVersion: v1
kind: Pod
metadata:
  name: writer
  namespace: pe-policy-test
spec:
  containers:
    - name: busybox
      image: busybox:1.36
      command: ["sh", "-c"]
      args:
        - |
          set -eux
          echo "hello $(date -Iseconds)" >> /mnt/azurefile/hello.txt
          ls -la /mnt/azurefile
          sleep 3600
      volumeMounts:
        - name: vol
          mountPath: /mnt/azurefile
  volumes:
    - name: vol
      persistentVolumeClaim:
        claimName: azurefile-pe-pvc
```

After the PVC is created, the AKS managed identity performs a subnet write operation:

Microsoft.Network/virtualNetworks/subnets/write on /

This happens at the same time as PVC creation.

Example Azure Activity Log event (anonymized):

```json
{
  "authorization": {
    "action": "Microsoft.Network/virtualNetworks/subnets/write",
    "scope": "/subscriptions/<subscription-id>/resourceGroups/<managed-rg>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"
  },
  "caller": "<aks-managed-identity-object-id>",
  "channels": "Operation",
  "claims": {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/<tenant-id>/",
    "appid": "<aks-managed-identity-app-id>",
    "appidacr": "2",
    "idtyp": "app",
    "http://schemas.microsoft.com/identity/claims/tenantid": "<tenant-id>"
  },
  "correlationId": "<correlation-id>",
  "eventDataId": "<event-data-id>",
  "eventName": {
    "value": "EndRequest",
    "localizedValue": "End request"
  },
  "category": {
    "value": "Administrative",
    "localizedValue": "Administrative"
  },
  "eventTimestamp": "2026-02-04T07:16:27Z",
  "level": "Informational",
  "operationId": "<operation-id>",
  "operationName": {
    "value": "Microsoft.Network/virtualNetworks/subnets/write",
    "localizedValue": "Create or Update Virtual Network Subnet"
  },
  "resourceGroupName": "<managed-rg>",
  "resourceProviderName": {
    "value": "Microsoft.Network",
    "localizedValue": "Microsoft.Network"
  },
  "resourceType": {
    "value": "Microsoft.Network/virtualNetworks/subnets",
    "localizedValue": "Microsoft.Network/virtualNetworks/subnets"
  },
  "resourceId": "/subscriptions/<subscription-id>/resourceGroups/<managed-rg>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>",
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>",
  "properties": {
    "event...
```

</details>

- Fixes kubernetes-sigs/azurefile-csi-driver#2960

@k8s-ci-robot added the labels do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress), cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA) and needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test) on Feb 4, 2026
@k8s-ci-robot
Contributor

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot added the label size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) on Feb 4, 2026
…change

The issue was that even though the code checked if PrivateEndpointNetworkPolicies was already set to a value other than nil or Enabled, it would still call CreateOrUpdate on the subnet, which could cause Azure to reset the policy.

This fix ensures that the subnet is only updated when we actually need to change the PrivateEndpointNetworkPolicies from nil or Enabled to Disabled. If the policy is already set to NetworkSecurityGroupEnabled or RouteTableEnabled, we skip the subnet update entirely.

Co-authored-by: andyzhangx <4178417+andyzhangx@users.noreply.github.com>
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot
Once this PR has been reviewed and has the lgtm label, please ask for approval from andyzhangx. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Co-authored-by: andyzhangx <4178417+andyzhangx@users.noreply.github.com>
@k8s-ci-robot added the label size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) and removed size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) on Feb 4, 2026
Copilot AI changed the title [WIP] Fix Azure File StorageClass NSG settings override Fix: preserve user-configured PrivateEndpointNetworkPolicies on subnets Feb 4, 2026
Copilot AI requested a review from andyzhangx February 4, 2026 11:33
@gandalf1990PL

hello, when can we expect this fix to be implemented?
#2960

@andyzhangx
Member

will fix it in another PR

@andyzhangx andyzhangx closed this Feb 26, 2026