Hello @David Hautbois
As far as I know you need to be aware that the actual NFS mount happens at the Kubernetes node level. The NFS mounted on the Kubernetes node is then passed to the pod.
From here: https://zcusa.951200.xyz/en-us/azure/storage/files/files-nfs-protocol#security-and-networking
"The NFS protocol don't offer user-based authentication. Authentication for NFS shares is based on the configured network security rules. Due to this, to ensure only secure connections are established to your NFS share, you must set up either a private endpoint or a service endpoint for your storage account."
To test about the access I created a Storage Class:
k apply -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: azurefile-premium-nfs
allowVolumeExpansion: true
mountOptions:
- nconnect=4
- noresvport
- actimeo=30
parameters:
skuName: Premium_LRS
protocol: nfs
provisioner: file.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
It seems the access to the storage account is allowed for the AKS nodes subnet. Depending on the Kubernetes CNI you are using you might have lock down differently if you want to avoid Pods being able to access the Storage Account. You mentioned "netapp resource" in your verbatim. I never used netapp with AKS so my test may not be relevant to your scenario.
Please let me know if this helps