Create and use FlashArray PVCs

After installing Portworx CSI to work with your FlashArray, you need to create PVCs to make storage available to your application.

Create a StorageClass

Create a StorageClass with a specified storage type and performance settings. For FlashArray, set the backend type to "pure_block". You can also configure parameters like IOPS and bandwidth.

important

If you need the mount path to have 777 permissions, set parameters.allow_others to true in your StorageClass. This setting grants read, write, and execute access to all users. Use with caution to avoid unintended access.

Example StorageClass specification:

Without CSI topology

1. Create a new StorageClass to add parameters such as IOPS and bandwidth, as shown below:

   • max_bandwidth The bandwidth limit must range between 1 MB/s and 512 GB/s.
   • max_iops: The IOPS limit must range between 100 and 100 million.
   • (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

   kind: StorageClass
   apiVersion: storage.k8s.io/v1
   metadata:
     name: sc-fa-direct-access
   provisioner: pxd.portworx.com
   parameters:
     backend: "pure_block"
     #pure_fa_pod_name: "<fa-pod-name>"  #Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
     max_iops: "1000"
     max_bandwidth: "1G"
     #allow_others: true    # Uncomment this line if you need the mount path to have 777 permissions.
     #secure: "true" # Uncomment this line to encrypt all PVCs associated with this `StorageClass`

With CSI topology

1. If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.

   • max_bandwidth The bandwidth limit must range between 1 MB/s and 512 GB/s.
   • max_iops: The IOPS limit must range between 100 and 100 million.
   • (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

   kind: StorageClass
   apiVersion: storage.k8s.io/v1
   metadata:
     name: sc-fa-direct-access
   provisioner: pxd.portworx.com
   parameters:
     backend: "pure_block"
     #pure_fa_pod_name: "<fa-pod-name>"  Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
     max_bandwidth: "10G"
     max_iops: "30000"
     csi.storage.k8s.io/fstype: ext4
     #allow_others: true     # uncomment this line if you need the mount path to have 777 permissions.
     #secure: "true" # Uncomment this line to encrypt all PVCs associated with this `StorageClass`
   volumeBindingMode: WaitForFirstConsumer
   allowedTopologies:
     - matchLabelExpressions:
         - key: topology.portworx.io/rack
           values:
             - rack-0
             - rack-1

2. Apply this YAML to your cluster to create the StorageClass:

   kubectl apply -f sc.yaml 

   storageclass.storage.k8s.io/sc-fa-direct-access created

Create a PVC

1. To create a PVC, define the specifications and reference the StorageClass you previously created by specifying its name in the spec.storageClassName field.

   • (Optional) metadata.annotations.px/secure:: If encryption is not enabled in the StorageClass and you want to enable it for a specific PVC, set this to true to enable encryption on a PVC. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

   Example PVC specification:

   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
     name: pure-claim-block
     annotations:
       #px/secure: "true"  # Uncomment this line to encrypt only this PVC.
     labels:
       app: nginx
   spec:
     accessModes:
       - ReadWriteOnce
     resources:
       requests:
         storage: 20Gi
     storageClassName: sc-fa-direct-access

   Save this YAML in a file pvc.yaml.

2. Apply this YAML to your cluster:

   kubectl apply -f pvc.yaml 

   persistentvolumeclaim/pure-claim-block created

Mount a PVC to a pod

After creating PVCs, the storage becomes available for your application. You can use the storage by mounting and attaching the PVC to the application pod.

1. Create a Pod and specify the PVC name in the persistentVolumeClaim.claimName field. Here is an example pod specification:

   kind: Pod
   apiVersion: v1
   metadata:
     name: nginx-pod
     labels:
       app: nginx
   spec:
     volumes:
     - name: pure-vol
       persistentVolumeClaim:
         claimName: pure-claim-block
     containers:
     - name: nginx
       image: nginx
       volumeMounts:
       - name: pure-vol
         mountPath: /data
       ports:
       - containerPort: 80

2. To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

   spec:
     affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
           - matchExpressions:
             - key: topology.portworx.io/zone
               operator: In
               values:
               - zone-0
             - key: topology.portworx.io/region
               operator: In
               values:
               - region-0

Verify pod status

Once the pod configuration is applied, monitor the pod’s status with:

watch kubectl get pods 

Wait for the STATUS to show as Running for a pod. Once the pod is running, you can verify that it is connected as a host for the volume.

(Optional) Encrypt FADA volumes

PX-CSI supports encryption for FADA volumes. To encrypt FADA volumes, create a cluster-wide encryption key and enable encryption in the StorageClass or PVC manifest.

note

Encryption is not supported for FADA raw block volumes.

Create a cluster-wide secret key for encryption

To ensure consistent and secure encryption of PersistentVolumeClaims (PVCs), use a cluster-wide encryption key. This guarantees that all encrypted PVCs in the cluster adhere to a uniform and secure encryption standard. Follow these steps to create the key:

1. Create a Kubernetes Secret for the encryption key:

   kubectl -n <namespace> create secret generic px-vol-encryption \
   --from-literal=cluster-wide-secret-key=<value>

2. Configure Portworx CSI to use cluster-wide-secret-key as the default encryption key for all volumes:

   PX_POD=$(kubectl get pods -l name=portworx -n <namespace> -o jsonpath='{.items[0].metadata.name}')
   kubectl exec $PX_POD -n <namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
   --secret cluster-wide-secret-key

note

• PX-CSI checks for the cluster-wide encryption key in the Portworx namespace by default. If you create it in a different namespace, set the PX_SECRETS_NAMESPACE environment variable in the StorageCluster manifest to specify the correct namespace.
• If you modify a Kubernetes Secret after creating a cluster-wide encryption key, use the --overwrite flag in the command above to update the key.

Enable encryption

After creating the cluster-wide secret key, follow one of the options below to encrypt FADA volumes:

• To encrypt all PVCs associated with a StorageClass, enable encryption by setting the secure parameter to true in the StorageClass specification.
• To encrypt a specific PVC, add the annotation px/secure: "true" in the PVC specification.