PX-Security on an existing cluster
This page explains how to enable PX-Security on an existing cluster that was deployed without it.
Secure your existing cluster
Perform the following steps to enable PX-Security:
1. Enable PX-Security in Portworx on each node. Refer to the section that matches your deployment:
   Operator deployment: Secure your storage with the Operator
   DaemonSet deployment: Secure your storage with a DaemonSet
   Note: To completely secure the cluster, you must enable security on every node participating in the Portworx cluster. Do not mix nodes that have PX-Security enabled with nodes that have it disabled.
2. Generate a new cluster token. Run the following command to generate a new cluster token for pairing and migrating your clusters:
   pxctl cluster token reset
The following parameters must be provided to Portworx to enable PX-Security.
Provide sensitive information such as shared secrets as environment variables. These variables can be supplied as secrets through your container orchestration system.
| Environment variable | Required | Description |
|---|---|---|
| | Yes | Shared secret used by Portworx to generate tokens for cluster communications |
| | Yes when using Stork | Shared secret used by Stork to generate tokens to communicate with Portworx. The shared secret must match the value of |
| | Optional | Self-generated token shared secret, if any |
For non-sensitive information, use the px-runc command with the following command-line arguments:
| px-runc argument | Description |
|---|---|
| | JSON Web Token issuer (e.g. openstorage.io). This is the token issuer for your self-signed tokens. It must match the |
| | JSON Web Token RSA public key file path |
| | JSON Web Token ECDS public key file path |
| | Name of the claim in the token to be used as the unique ID of the user ( |