Create and use FlashArray PVCs
After installing Portworx CSI to work with your FlashArray, you need to create PVCs to make storage available to your application.
Create a StorageClass

Create a StorageClass with a specified storage type and performance settings.

Block Storage

For FlashArray block storage, set the backend type to "pure_block". You can also configure parameters like IOPS and bandwidth.

If you need the mount path to have 777 permissions, set parameters.allow_others to true in your StorageClass. This setting grants read, write, and execute access to all users. Use with caution to avoid unintended access.

Example StorageClass specification:
- Create a new StorageClass to add parameters such as IOPS and bandwidth, as shown below:
  - max_bandwidth: The bandwidth limit must range between 1 MB/s and 512 GB/s.
  - max_iops: The IOPS limit must range between 100 and 100 million.
  - (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.
  - allowedTopologies: Uses topology labels to select arrays with matching labels for volume placement.
  - volumeBindingMode: If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer setting delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: sc-fa-direct-access
  provisioner: pxd.portworx.com
  parameters:
    backend: "pure_block"
    #pure_fa_pod_name: "<fa-pod-name>"  # Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
    max_bandwidth: "10G"
    max_iops: "30000"
    #allow_others: "true"  # Uncomment this line if you need the mount path to have 777 permissions. StorageClass parameter values must be strings, so keep the quotes.
    #secure: "true"  # Uncomment this line to encrypt all PVCs associated with this StorageClass.
  # Below lines are required only if you are using CSI topology
  volumeBindingMode: WaitForFirstConsumer
  allowedTopologies:
    - matchLabelExpressions:
        - key: topology.portworx.io/zone
          values:
            - <zone-1>
        - key: topology.portworx.io/region
          values:
            - <region-1>

- Save this YAML in a file sc.yaml and apply it to your cluster to create the StorageClass:

  kubectl apply -f sc.yaml
  storageclass.storage.k8s.io/sc-fa-direct-access created
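To catch the parameter mistakes listed above before running kubectl apply, here is an added shell check (example code, not part of the Portworx documentation or product). It reads a StorageClass manifest in the flat layout shown, verifies max_bandwidth and max_iops against the documented ranges, flags allow_others because it makes the mount path world-accessible, and fails when allowedTopologies appears without volumeBindingMode: WaitForFirstConsumer. The two sample manifests it writes, the function names, and the interpretation of bandwidth suffixes (K, M, G, T as binary multiples, a bare number as bytes) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Portworx code): lint a FlashArray block StorageClass
# manifest against the limits stated on this page before applying it.
# Assumes the flat "key: value" layout of the example YAML above.
set -eu

# Print the value of the first non-commented "key: value" line in a manifest,
# with surrounding quotes stripped; prints nothing if the key is absent.
sc_param() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $1 == (key ":") { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Convert a bandwidth string such as "10G" to MB/s.
# Assumption (not stated on the page): suffixes K, M, G, T are binary multiples
# and a bare number is bytes; adjust if your Portworx version differs.
bw_to_mb() {
  n=$(printf '%s' "$1" | sed 's/[^0-9]//g'); n=${n:-0}
  u=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr '[:lower:]' '[:upper:]')
  case "$u" in
    "") echo $((n / 1048576)) ;;
    K)  echo $((n / 1024)) ;;
    M)  echo "$n" ;;
    G)  echo $((n * 1024)) ;;
    T)  echo $((n * 1048576)) ;;
    *)  echo -1 ;;
  esac
}

# Check one manifest. Prints one line per finding; returns 0 only if no FAIL.
check_sc() {
  f="$1"; rc=0
  bw=$(sc_param "$f" max_bandwidth)
  iops=$(sc_param "$f" max_iops)
  # max_bandwidth: 1 MB/s .. 512 GB/s (512 GB/s = 524288 MB/s)
  if [ -n "$bw" ]; then
    mb=$(bw_to_mb "$bw")
    if [ "$mb" -lt 1 ] || [ "$mb" -gt 524288 ]; then
      echo "FAIL max_bandwidth=$bw is outside 1 MB/s .. 512 GB/s"; rc=1
    fi
  fi
  # max_iops: 100 .. 100 million, and must be an integer (quoted as a string in YAML)
  if [ -n "$iops" ]; then
    case "$iops" in
      *[!0-9]*) echo "FAIL max_iops=$iops is not an integer"; rc=1 ;;
      *) if [ "$iops" -lt 100 ] || [ "$iops" -gt 100000000 ]; then
           echo "FAIL max_iops=$iops is outside 100 .. 100000000"; rc=1
         fi ;;
    esac
  fi
  # allow_others=true makes the mount path world-writable (777): surface it.
  if [ "$(sc_param "$f" allow_others)" = "true" ]; then
    echo "WARN allow_others=true: mount path will be 777 for all users"
  fi
  # With CSI topology, allowedTopologies must be paired with WaitForFirstConsumer,
  # otherwise the volume can be bound before the scheduler picks a matching node.
  if grep -q '^[[:space:]]*allowedTopologies:' "$f" &&
     ! grep -q '^[[:space:]]*volumeBindingMode:[[:space:]]*WaitForFirstConsumer' "$f"; then
    echo "FAIL allowedTopologies is set without volumeBindingMode: WaitForFirstConsumer"; rc=1
  fi
  return $rc
}

# Constructed samples (not from the page): one that passes and one that fails.
write_samples() {
  cat > "$1/sc-ok.yaml" <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-fa-direct-access
provisioner: pxd.portworx.com
parameters:
  backend: "pure_block"
  max_bandwidth: "10G"
  max_iops: "30000"
  #allow_others: "true"
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
  - matchLabelExpressions:
      - key: topology.portworx.io/zone
        values: [zone-1]
EOF
  cat > "$1/sc-bad.yaml" <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-fa-bad
provisioner: pxd.portworx.com
parameters:
  backend: "pure_block"
  max_bandwidth: "600G"
  max_iops: "50"
  allow_others: "true"
allowedTopologies:
  - matchLabelExpressions:
      - key: topology.portworx.io/zone
        values: [zone-1]
EOF
}

d=$(mktemp -d); write_samples "$d"
check_sc "$d/sc-ok.yaml" && echo "sc-ok.yaml: passed"
check_sc "$d/sc-bad.yaml" || echo "sc-bad.yaml: failed"
```

To lint your own file, call check_sc with its path in place of the sample; the grep-based topology check deliberately ignores commented-out lines, so the "required only if you are using CSI topology" block can stay commented without triggering a finding.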
File Systems

For FlashArray file services, set the backend type to "pure_fa_file". You can also configure parameters like quota policy and mount options.

Ensure that you have configured FlashArray to use file services. For more information, see Configure FlashArray file services.
- Define a StorageClass with the appropriate storage type and performance settings. For FlashArray file system, the backend type is pure_fa_file.

  Required parameters:
  - backend: "pure_fa_file" - Specifies that the volume is an FA file volume.
  - pure_nfs_policy - PX-CSI expects that the NFS policy is pre-created on FA setups. If the policy does not exist, the request will fail.
  - pure_fa_file_system - Specifies the file system where the volume needs to be placed. If the file system does not exist in the FlashArray setup, the volume create request fails.

  Optional parameters:
  - pure_quota_policy - If provided, associates the volume with a quota policy to enforce a size limit.
  - pure_nfs_endpoint - Used when there are multiple endpoints per array. Overrides the default NFSEndPoint specified in pure.json.
  - allowedTopologies - Uses topology labels to select arrays with matching labels for volume placement.
  - volumeBindingMode - If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer setting delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.
  - mountOptions - Overrides default mount options. Supports only TCP, not UDP. You can also specify multiple security options using the mountOptions.sec field. By default, NFS uses sec=auth_sys, but support is also available for Kerberos-based authentication options, including sec=krb5 (authentication only), sec=krb5i (authentication and integrity), and sec=krb5p (authentication, integrity, and encryption).

  Example StorageClass YAML:

  kind: StorageClass
  apiVersion: storage.k8s.io/v1
  metadata:
    name: fa-file-sc
  provisioner: pxd.portworx.com
  parameters:
    backend: "pure_fa_file"
    pure_nfs_policy: "test-policy"
    pure_fa_file_system: "name01"
    pure_quota_policy: "100g_policy"
    pure_nfs_endpoint: <nfs-endpoints-of-fa>
  mountOptions:
    - nfsvers=3
    - tcp
    - sec=krb5
  # Below lines are required only if you are using CSI topology
  volumeBindingMode: WaitForFirstConsumer
  allowedTopologies:
    - matchLabelExpressions:
        - key: topology.portworx.io/zone
          values:
            - <zone-1>
        - key: topology.portworx.io/region
          values:
            - <region-1>

- Apply this YAML to your cluster:

  kubectl apply -f sc.yaml
  storageclass.storage.k8s.io/fa-file-sc created
Create a PVC

- To create a PVC, define the specifications and reference the StorageClass you previously created by specifying its name in the spec.storageClassName field.
  - (Optional) metadata.annotations.px/secure: If encryption is not enabled in the StorageClass and you want to enable it for a specific PVC, set this to true to enable encryption on a PVC. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

  Example PVC specification:

  kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: pure-claim-block
    annotations:
      #px/secure: "true"  # Uncomment this line to encrypt only this PVC.
    labels:
      app: nginx
  spec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 20Gi
    storageClassName: sc-fa-direct-access

  Save this YAML in a file pvc.yaml.

- Apply this YAML to your cluster:

  kubectl apply -f pvc.yaml
  persistentvolumeclaim/pure-claim-block created
Mount a PVC to a pod

After creating PVCs, the storage becomes available for your application. You can use the storage by mounting and attaching the PVC to the application pod.

- Create a Pod and specify the PVC name in the persistentVolumeClaim.claimName field. Here is an example pod specification:

  kind: Pod
  apiVersion: v1
  metadata:
    name: nginx-pod
    labels:
      app: nginx
  spec:
    volumes:
      - name: pure-vol
        persistentVolumeClaim:
          claimName: pure-claim-block
    containers:
      - name: nginx
        image: nginx
        volumeMounts:
          - name: pure-vol
            mountPath: /data
        ports:
          - containerPort: 80

- To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

  spec:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: topology.portworx.io/zone
                  operator: In
                  values:
                    - zone-0
                - key: topology.portworx.io/region
                  operator: In
                  values:
                    - region-0

Verify pod status

Once the pod configuration is applied, monitor the pod's status with:

watch kubectl get pods

Wait for the STATUS to show as Running for a pod. Once the pod is running, you can verify that it is connected as a host for the volume.
(Optional) Encrypt FADA volumes

PX-CSI supports encryption for FADA volumes. To encrypt FADA volumes, create a cluster-wide encryption key and enable encryption in the StorageClass or PVC manifest.

Encryption is not supported for FADA raw block volumes.

Create a cluster-wide secret key for encryption

To ensure consistent and secure encryption of PersistentVolumeClaims (PVCs), use a cluster-wide encryption key. This guarantees that all encrypted PVCs in the cluster adhere to a uniform and secure encryption standard. Follow these steps to create the key:

- Create a Kubernetes Secret for the encryption key:

  kubectl -n <namespace> create secret generic px-vol-encryption \
    --from-literal=cluster-wide-secret-key=<value>

- Configure Portworx CSI to use cluster-wide-secret-key as the default encryption key for all volumes:

  PX_POD=$(kubectl get pods -l name=portworx -n <namespace> -o jsonpath='{.items[0].metadata.name}')
  kubectl exec $PX_POD -n <namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
    --secret cluster-wide-secret-key

  - PX-CSI checks for the cluster-wide encryption key in the Portworx namespace by default. If you create it in a different namespace, set the PX_SECRETS_NAMESPACE environment variable in the StorageCluster manifest to specify the correct namespace.
  - If you modify a Kubernetes Secret after creating a cluster-wide encryption key, use the --overwrite flag in the command above to update the key.

Enable encryption

After creating the cluster-wide secret key, follow one of the options below to encrypt FADA volumes:

- To encrypt all PVCs associated with a StorageClass, enable encryption by setting the secure parameter to true in the StorageClass specification.
- To encrypt a specific PVC, add the annotation px/secure: "true" in the PVC specification.
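Because encryption can be switched on in either the StorageClass (secure) or the PVC (px/secure), and is unsupported for raw block volumes, it is easy to end up with a claim whose encryption status is not what the manifest author expected. The following added shell check (example code, not Portworx's own) decides from the two manifests alone whether a PVC will be encrypted, reports the unsupported combination of encryption with volumeMode: Block, and confirms the PVC actually references the StorageClass whose secure setting was inspected. The sample manifests, the function names, and the treatment of the first name: key as metadata.name are assumptions made for this example; it does not replace checking that the px-vol-encryption Secret exists in the cluster.

```shell
#!/bin/sh
# Added example (not Portworx code): decide, from the manifests alone, whether a
# PVC will be encrypted under the rules on this page, and catch the unsupported
# combination of encryption with a raw block volume (volumeMode: Block).
set -eu

# Print the value of the first non-commented "key: value" line in a manifest.
# Only flat keys are needed here (secure, px/secure, volumeMode,
# storageClassName, name), so a full YAML parser is not required.
yaml_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $1 == (key ":") { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Print one of: encrypted, plaintext, unsupported.
#   encrypted   - StorageClass secure="true" or PVC annotation px/secure="true"
#   plaintext   - neither is set
#   unsupported - encryption requested for a raw block volume, which this page
#                 says FADA does not support
pvc_encryption_state() {
  sc="$1"; pvc="$2"
  sc_secure=$(yaml_value "$sc" secure)
  ann=$(yaml_value "$pvc" px/secure)
  mode=$(yaml_value "$pvc" volumeMode)
  if [ "$sc_secure" = "true" ] || [ "$ann" = "true" ]; then
    if [ "$mode" = "Block" ]; then echo unsupported; else echo encrypted; fi
  else
    echo plaintext
  fi
}

# Succeed only if the PVC references the supplied StorageClass; the secure
# parameter is read from that class, so a mismatch makes the verdict meaningless.
# Assumes the first "name:" in the StorageClass manifest is metadata.name.
pvc_matches_sc() {
  [ "$(yaml_value "$2" storageClassName)" = "$(yaml_value "$1" name)" ]
}

# Constructed sample manifests (not from the page) covering each case.
write_samples() {
  cat > "$1/sc-secure.yaml" <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-fa-secure
provisioner: pxd.portworx.com
parameters:
  backend: "pure_block"
  secure: "true"
EOF
  cat > "$1/sc-plain.yaml" <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-fa-direct-access
provisioner: pxd.portworx.com
parameters:
  backend: "pure_block"
EOF
  cat > "$1/pvc-plain.yaml" <<'EOF'
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pure-claim-block
spec:
  storageClassName: sc-fa-direct-access
EOF
  cat > "$1/pvc-annot.yaml" <<'EOF'
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pure-claim-secure
  annotations:
    px/secure: "true"
spec:
  storageClassName: sc-fa-direct-access
EOF
  cat > "$1/pvc-rawblock.yaml" <<'EOF'
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pure-claim-raw
  annotations:
    px/secure: "true"
spec:
  volumeMode: Block
  storageClassName: sc-fa-direct-access
EOF
}

d=$(mktemp -d); write_samples "$d"
for f in pvc-plain pvc-annot pvc-rawblock; do
  echo "$f with sc-plain: $(pvc_encryption_state "$d/sc-plain.yaml" "$d/$f.yaml")"
done
```

Pair the verdict with a cluster-side check that the Secret named in the set-cluster-key step exists in the namespace PX-CSI reads (the Portworx namespace, or the one named by PX_SECRETS_NAMESPACE); a manifest that requests encryption without that key in place will not provision.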