azure-file storage class: add missing parameter for multi tenancy #14762 (#14763)

* initial commit

* azure-file storage class: add missing parameter for multi tenancy #14762

* Update storage-classes.md

content/en/docs/concepts/storage/storage-classes.md

@@ -610,13 +610,25 @@ parameters:
   group are searched to find one that matches `skuName` and `location`. If a
   storage account is provided, it must reside in the same resource group as the
   cluster, and `skuName` and `location` are ignored.
+* `secretNamespace`: the namespace of the secret that contains the Azure Storage 
+  Account Name and Key. Default is the same as the Pod.
+* `secretName`: the name of the secret that contains the Azure Storage Account Name and
+  Key. Default is `azure-storage-account-<accountName>-secret`
+* `readOnly`: a flag indicating whether the storage will be mounted as read only.
+  Defaults to false which means a read/write mount. This setting will impact the 
+  `ReadOnly` setting in VolumeMounts as well.
 
-During provision, a secret is created for mounting credentials. If the cluster
+During storage provisioning, a secret named by `secretName` is created for the 
-has enabled both [RBAC](/docs/reference/access-authn-authz/rbac/) and
+mounting credentials. If the cluster has enabled both 
+[RBAC](/docs/reference/access-authn-authz/rbac/) and 
 [Controller Roles](/docs/reference/access-authn-authz/rbac/#controller-roles),
 add the `create` permission of resource `secret` for clusterrole
 `system:controller:persistent-volume-binder`.
 
+In a multi-tenancy context, it is strongly recommended to set the value for 
+`secretNamespace` explicitly, otherwise the storage account credentials may
+be read by other users.
+
 ### Portworx Volume
 
 ```yaml