Step 3: Customizing security setup


This document guides you through optionally customizing your Portworx Operator Security configuration further to fit specific needs.

Prerequisites

  • Portworx Operator 1.4 or later
  • PX-Security enabled

Disable guest role access

Starting with Portworx 2.6.0, the system guest role is enabled by default. To turn it off, set guestAccess to Disabled in the StorageCluster spec:

NOTE: Once the guest role is disabled, volumes created without a token will only be accessible with a token.

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Disabled'

Managing the guest role yourself

You can exercise finer control over the system.guest role by setting it to managed mode. This instructs the Operator to stop updating the system guest role, allowing you to customize it yourself.

To enter managed mode, set the value of the spec.security.auth.guestAccess field to Managed:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Managed'

Changing token lifetime

By default, a token is valid for 24 hours. You can optionally specify a different JWT token lifetime. The Operator then generates tokens with that lifetime and refreshes them for the user accordingly.

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      tokenLifetime: '4h'

Add a custom issuer, shared secret, and tokenLifetime to your StorageCluster

Add your issuer, the tokenLifetime, and the name of the Kubernetes secret that holds your shared secret (sharedSecret) to the spec.security.auth.selfSigned object in your StorageCluster:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        issuer: "portworx.com"
        sharedSecret: "px-shared-secret"
        tokenLifetime: "1h"
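
As an added example (not part of the Portworx documentation or the Operator's code), the following Python script lints the spec.security block of a StorageCluster manifest for the settings covered on this page: whether PX-Security is enabled, which guestAccess mode is set, whether a tokenLifetime parses as a Go duration and stays within a policy ceiling, and whether a selfSigned block names both an issuer and a sharedSecret. The manifests are embedded as the dicts that yaml.safe_load would produce from the YAML above. Assumptions: the 24h ceiling is a local policy choice taken from the page's default lifetime, and "Enabled" as the spelling of the default guestAccess value is assumed, since the page only shows "Disabled" and "Managed".

```python
"""Lint the spec.security block of a Portworx StorageCluster manifest.

Added example, not Portworx code. The manifests below are the dicts that
yaml.safe_load would produce from the YAML in this document.
"""
import re
from typing import Any, Dict, List

# Go-style durations ("4h", "1h30m", "90m"), which is the form tokenLifetime takes.
# The unit table is a constructed subset of Go's units.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|ms|s|m|h))+$")
_PART_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

DEFAULT_LIFETIME_SECONDS = 24 * 3600.0  # page: tokens are valid for 24 hours by default
# "Disabled" and "Managed" come from the page; "Enabled" for the default is an assumption.
VALID_GUEST_ACCESS = {"Enabled", "Disabled", "Managed"}


def parse_go_duration(text: str) -> float:
    """Return the duration in seconds, or raise ValueError if it is not a Go duration."""
    if not _DURATION_RE.match(text):
        raise ValueError(f"not a Go duration: {text!r}")
    return sum(float(v) * _UNIT_SECONDS[u] for v, u in _PART_RE.findall(text))


def _check_lifetime(path: str, value: Any, ceiling: float, findings: List[str]) -> None:
    """Flag a lifetime that does not parse or that exceeds the policy ceiling."""
    try:
        seconds = parse_go_duration(str(value))
    except ValueError as exc:
        findings.append(f"{path}: {exc}")
        return
    if seconds > ceiling:
        findings.append(f"{path}: {value} exceeds the {ceiling / 3600:g}h ceiling")


def lint_security(manifest: Dict[str, Any], ceiling: float = DEFAULT_LIFETIME_SECONDS) -> List[str]:
    """Return findings for the manifest's security settings; an empty list means nothing to flag."""
    findings: List[str] = []
    security = manifest.get("spec", {}).get("security") or {}
    if not security.get("enabled"):
        return ["spec.security.enabled is not true: PX-Security is off"]
    auth = security.get("auth") or {}

    guest = auth.get("guestAccess", "Enabled")  # page: the guest role is enabled by default
    if guest not in VALID_GUEST_ACCESS:
        findings.append(f"guestAccess {guest!r} is not one of {sorted(VALID_GUEST_ACCESS)}")
    elif guest == "Enabled":
        findings.append("guestAccess is Enabled: requests without a token get the system.guest role")
    elif guest == "Managed":
        findings.append("guestAccess is Managed: the Operator no longer updates system.guest, review it yourself")

    if "tokenLifetime" in auth:
        _check_lifetime("auth.tokenLifetime", auth["tokenLifetime"], ceiling, findings)

    self_signed = auth.get("selfSigned")
    if self_signed is not None:
        for key in ("issuer", "sharedSecret"):
            if not self_signed.get(key):
                findings.append(f"auth.selfSigned.{key} is missing")
        if "tokenLifetime" in self_signed:
            _check_lifetime("auth.selfSigned.tokenLifetime", self_signed["tokenLifetime"], ceiling, findings)
    return findings


def _manifest(auth: Dict[str, Any]) -> Dict[str, Any]:
    """Build a StorageCluster dict with the given spec.security.auth block (mirrors the page's YAML)."""
    return {
        "apiVersion": "core.libopenstorage.org/v1",
        "kind": "StorageCluster",
        "metadata": {"name": "px-cluster", "namespace": "kube-system"},
        "spec": {"security": {"enabled": True, "auth": auth}},
    }


# The four manifests from this document, plus one constructed bad one.
GUEST_DISABLED = _manifest({"guestAccess": "Disabled"})
GUEST_MANAGED = _manifest({"guestAccess": "Managed"})
SHORT_LIFETIME = _manifest({"tokenLifetime": "4h"})
SELF_SIGNED = _manifest({"selfSigned": {"issuer": "portworx.com",
                                        "sharedSecret": "px-shared-secret",
                                        "tokenLifetime": "1h"}})
BAD_SPEC = _manifest({"guestAccess": "off", "tokenLifetime": "48h",
                      "selfSigned": {"issuer": "portworx.com"}})  # constructed: no sharedSecret

if __name__ == "__main__":
    for name, m in [("guest-disabled", GUEST_DISABLED), ("guest-managed", GUEST_MANAGED),
                    ("short-lifetime", SHORT_LIFETIME), ("self-signed", SELF_SIGNED), ("bad", BAD_SPEC)]:
        print(name, lint_security(m) or "OK")
```

Run it before applying a manifest: an empty result means every field on this page is set to a value the Operator accepts and within your ceiling; the "Enabled" and "Managed" findings are informational, so you can decide whether the guest role and a self-maintained system.guest are what you intended.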


Last edited: Tuesday, Dec 20, 2022