Step 2: StorageClass Setup
In the previous section, you created a StorageCluster
in the kube-system
namespace with security enabled.
As a result, the operator has created the secret px-user-token
in that namespace. Now you can create a StorageClass which will instruct Portworx to authenticate all requests using the token in that secret.
Portworx validates requests to manage volumes using the token saved in the secret referenced by the StorageClass. As you create more StorageClasses, remember to reference the secret with the token to authenticate the requests. The example below demonstrates a StorageClass with token secrets added:
StorageClass for CSI
When using CSI, the StorageClass references the secret for the three types of supported operations: provision, node-publish (mount/unmount), and controller-expand.
Create the following
storageclass.yaml
file:apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: px-storage
provisioner: pxd.portworx.com
parameters:
repl: "1"
csi.storage.k8s.io/provisioner-secret-name: px-user-token
csi.storage.k8s.io/provisioner-secret-namespace: kube-system
csi.storage.k8s.io/node-publish-secret-name: px-user-token
csi.storage.k8s.io/node-publish-secret-namespace: kube-system
csi.storage.k8s.io/controller-expand-secret-name: px-user-token
csi.storage.k8s.io/controller-expand-secret-namespace: kube-system
allowVolumeExpansion: trueApply the
storageclass.yaml
file:kubectl apply -f storageclass.yaml
StorageClass for non-CSI
For StorageClasses using the (now deprecated from Kubernetes v1.25 onward) in-tree Portworx driver, the approach to leverage PX-Security is as follows:
Create the following
storageclass.yaml
file:apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: px-storage
provisioner: kubernetes.io/portworx-volume
parameters:
repl: "1"
openstorage.io/auth-secret-name: px-user-token
openstorage.io/auth-secret-namespace: kube-system
allowVolumeExpansion: trueApply the
storageclass.yaml
file:kubectl apply -f storageclass.yaml