You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've successfully setup the Synology CSI driver on my Microk8s cluster to primarily provision iSCSI - thank you for providing a CSI driver.
I do however have a few security-related enhancement aside from adding CHAP support (#63). IMO mutual CHAP, least-privileged service accounts, TLS verification, and network binding control would make the Synology CSI driver much more viable in a corporate setting.
Enable iSCSI Management From Lower Privilege Group
As mentioned in #62, there isn't clear documentation on how to properly setup a service account user. The configuration that worked for me was to (a) disable 2FA and (b) add the user to the administrators group. While disabling 2FA is reasonable there really should be a lower privilege group the service account can be a member of.
Add TLS Verification
The CSI driver does not verify the certificate of the DiskStation, see pkg/dsm/webapi/dsmwebapi.go. Ideally a path to a CA trust should be read from a user-specified environment variable.
Network Binding Control
When the CSI driver provisions new iSCSI targets, it would be good to be able to control network binding restrictions as a first-layer security measure. Perhaps these could be quickly added as additional parameters to the StorageClass.
The text was updated successfully, but these errors were encountered:
I've successfully setup the Synology CSI driver on my Microk8s cluster to primarily provision iSCSI - thank you for providing a CSI driver.
I do however have a few security-related enhancement aside from adding CHAP support (#63). IMO mutual CHAP, least-privileged service accounts, TLS verification, and network binding control would make the Synology CSI driver much more viable in a corporate setting.
Enable iSCSI Management From Lower Privilege Group
As mentioned in #62, there isn't clear documentation on how to properly setup a service account user. The configuration that worked for me was to (a) disable 2FA and (b) add the user to the administrators group. While disabling 2FA is reasonable there really should be a lower privilege group the service account can be a member of.
Add TLS Verification
The CSI driver does not verify the certificate of the DiskStation, see pkg/dsm/webapi/dsmwebapi.go. Ideally a path to a CA trust should be read from a user-specified environment variable.
Network Binding Control
When the CSI driver provisions new iSCSI targets, it would be good to be able to control network binding restrictions as a first-layer security measure. Perhaps these could be quickly added as additional parameters to the
StorageClass.The text was updated successfully, but these errors were encountered: