Not able to mount Azure file share in AKS pod

Kailash 51 Reputation points
2022-04-29T11:15:28.913+00:00

Hello there,
I am trying to mount an Azure fileshare onto AKS pod and seeing this error -

MountVolume.MountDevice failed for volume "somevol" : rpc error: code = Internal desc = volume(#secret#cloudfs#somevol-staging#somevol-staging) mount "//cloudfs.file.core.windows.net/cloudfs" on "/var/lib/kubelet/plugins/kubernetes.io/csi/pv/somevol/globalmount" failed with mount failed: exit status 1 Mounting command: mount Mounting arguments: -t cifs -o dir_mode=0777,actimeo=30,mfsymlinks,file_mode=0777,<masked> //cloudfs.file.core.windows.net/cloudfs /var/lib/kubelet/plugins/kubernetes.io/csi/pv/somevol-staging/globalmount Output: mount error: could not resolve address for cloudfs.file.core.windows.net: Unknown error

I went through the diagnostics procedure @ https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Linux and tried to manually run the mount command on the node (Linux)

mount -t cifs //cloudfs.file.core.windows.net/cloudfs /testmnt -o vers=3.0,username=storageaccountname,password='password',dir_mode=0777,file_mode=0777,sec=ntlmssp

and I get the following error.

Unable to apply new capability set.

Any idea what could be the problem?

Thank you in advance for any help.

Best regards,
Kailash


2 answers

  1. shiva patpi 13,141 Reputation points Microsoft Employee
    2022-04-30T00:13:15.89+00:00

    Hello @Kailash,
    As per the mount error, it seems your pod is not able to resolve that file share account. If you are using custom DNS, can you kindly check the custom DNS configuration to see whether the pod is able to reach that storage account file share?

    Also, kindly check the address; I think the complete path should be https://cloudfs.file.core.windows.net
    One more thing to check: the secret you have created uses the storage account key. Kindly double-check that the key was copied properly while creating the secret. (Try to recreate the secret.)
    Additional checks: validate whether your storage account is associated with a private link; if yes, the Private Link needs to have the association to the cluster VNET.

    Hope above validations will help out in resolving the issue.


  2. SaiKishor-MSFT 17,181 Reputation points
    2022-05-05T18:04:07.73+00:00

    @Kailash Can you please refer to this Troubleshooting guide that talks about solutions for the error that you are facing i.e., Mount Error(13)-

    Cause 1: Unencrypted communication channel
    For security reasons, connections to Azure file shares are blocked if the communication channel isn't encrypted and if the connection attempt isn't made from the same datacenter where the Azure file shares reside. Unencrypted connections within the same datacenter can also be blocked if the Secure transfer required setting is enabled on the storage account. An encrypted communication channel is provided only if the user's client OS supports SMB encryption.

    To learn more, see Prerequisites for mounting an Azure file share with Linux and the cifs-utils package.

    Solution for cause 1
    Connect from a client that supports SMB encryption or connect from a virtual machine in the same datacenter as the Azure storage account that is used for the Azure file share.
    Verify the Secure transfer required setting is disabled on the storage account if the client does not support SMB encryption.

    Cause 2: Virtual network or firewall rules are enabled on the storage account
    If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access.

    Solution for cause 2
    Verify virtual network and firewall rules are configured properly on the storage account. To test if virtual network or firewall rules are causing the issue, temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

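The checks suggested in the answers above (name resolution, private endpoint, network reachability on the SMB port), as an added shell example that is not part of the original thread or of Microsoft's troubleshooting guide. The function names are hypothetical, and treating an RFC 1918 address as a private endpoint is an assumption.

```shell
#!/bin/sh
# Added example: triage helpers for an Azure Files CIFS mount failure on an AKS node.
# Function names are hypothetical. Usage on the node, after sourcing this file:
#   check_share //<account>.file.core.windows.net/<share>

# Print the storage host found in a UNC path or in a CSI/kubelet error message.
unc_host() {
    printf '%s\n' "$1" | sed -n 's|.*//\([A-Za-z0-9.-]*\)/.*|\1|p' | head -n 1
}

# Map mount output to the layer to check first.
classify_mount_error() {
    case "$1" in
        *"could not resolve address"*) echo dns ;;      # custom DNS, private DNS zone
        *"mount error(13)"*)           echo access ;;   # SMB encryption, firewall/VNet rules
        *)                             echo unknown ;;
    esac
}

# Succeed when an IPv4 address is RFC 1918 space (assumed here to mean a private endpoint).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) o=${1#172.}; o=${o%%.*}
               [ "$o" -ge 16 ] && [ "$o" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Live check: resolve the name, report which endpoint answers, then try TCP 445 (SMB).
check_share() {
    host=$(unc_host "$1"); [ -n "$host" ] || host=$1
    ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    if [ -z "$ip" ]; then
        echo "DNS: $host does not resolve; check custom DNS forwarding and private DNS zone links"
        return 1
    fi
    if is_private_ipv4 "$ip"; then kind=private; else kind=public; fi
    echo "DNS: $host -> $ip ($kind address)"
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/445"' _ "$ip" 2>/dev/null; then
        echo "TCP 445: reachable"
    else
        echo "TCP 445: no connection; check storage firewall, NSG and VNet rules"
        return 1
    fi
}
```

For a storage account behind Private Link, a public address in the DNS line means the node is not resolving the name through the private DNS zone.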