Customizing security setup


This optional document guides you through customizing your Portworx Operator Security install to fit specific needs.

Prerequisites

  • Portworx Operator 1.4 or later
  • Portworx Security enabled

Add a custom issuer, shared secret, and tokenLifetime to your StorageCluster

Add your issuer, tokenLifetime, and sharedSecret Kubernetes secret name to the spec.security.auth.selfSigned object in your StorageCluster:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        issuer: "portworx.com"
        sharedSecret: "px-shared-secret"
        tokenLifetime: "1h"

Disable guest role access

Starting with Portworx 2.6.0 and later, the system guest role is enabled by default. To turn off this feature, you can disable it in the StorageCluster spec:

NOTE: Once the guest role is disabled, volumes created without a token will not be accessible without a token.
apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Disabled'

Managing the guest role yourself

You can exercise finer control over the system.guest role by setting it managed mode. This instructs the Operator to stop updating the system guest role, allowing you to customize it yourself.

To enter managed mode, set the value of the spec.security.auth.guestAccess field to managed:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Managed'

Increasing token lifetime

Additionally, JWT token lifetime can be specified. The operator will generate a token with this token lifetime and refresh it for the user accordingly.

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: kube-system
spec:
  security:
    enabled: true
    auth:
      tokenLifetime: '4h'


Last edited: Monday, Oct 19, 2020