Version: 25.2.0

Create and use FlashArray PVCs

After installing Portworx CSI to work with your FlashArray, you need to create PVCs to make storage available to your application.

Create a StorageClass

Create a StorageClass with a specified storage type and performance settings. For FlashArray, set the backend type to "pure_block". You can also configure parameters like IOPS and bandwidth.

important

If you need the mount path to have 777 permissions, set parameters.allow_others to true in your StorageClass. This setting grants read, write, and execute access to all users. Use with caution to avoid unintended access.

Example StorageClass specification:

  1. Create a new StorageClass to add parameters such as IOPS and bandwidth, as shown below:

    • max_bandwidth: The bandwidth limit must range between 1 MB/s and 512 GB/s.
    • max_iops: The IOPS limit must range between 100 and 100 million.
    • (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: sc-fa-direct-access
    provisioner: pxd.portworx.com
    parameters:
      backend: "pure_block"
      #pure_fa_pod_name: "<fa-pod-name>" # Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
      max_iops: "1000"
      max_bandwidth: "1G"
      #allow_others: true # Uncomment this line if you need the mount path to have 777 permissions.
      #secure: "true" # Uncomment this line to encrypt all PVCs associated with this StorageClass.

    Save this YAML in a file sc.yaml.

  2. Apply this YAML to your cluster to create the StorageClass:

    kubectl apply -f sc.yaml
    storageclass.storage.k8s.io/sc-fa-direct-access created

Create a PVC

  1. To create a PVC, define the specifications and reference the StorageClass you previously created by specifying its name in the spec.storageClassName field.

    • (Optional) metadata.annotations.px/secure: If encryption is not enabled in the StorageClass and you want to enable it for a specific PVC, set this annotation to "true". A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

    Example PVC specification:

    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: pure-claim-block
      annotations:
        #px/secure: "true" # Uncomment this line to encrypt only this PVC.
      labels:
        app: nginx
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
      storageClassName: sc-fa-direct-access

    Save this YAML in a file pvc.yaml.

  2. Apply this YAML to your cluster:

    kubectl apply -f pvc.yaml
    persistentvolumeclaim/pure-claim-block created

Mount a PVC to a pod

After creating PVCs, the storage becomes available for your application. You can use the storage by mounting and attaching the PVC to the application pod.

  1. Create a Pod and specify the PVC name in the persistentVolumeClaim.claimName field. Here is an example pod specification:

    kind: Pod
    apiVersion: v1
    metadata:
      name: nginx-pod
      labels:
        app: nginx
    spec:
      volumes:
        - name: pure-vol
          persistentVolumeClaim:
            claimName: pure-claim-block
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - name: pure-vol
              mountPath: /data
          ports:
            - containerPort: 80

  2. To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.portworx.io/zone
                    operator: In
                    values:
                      - zone-0
                  - key: topology.portworx.io/region
                    operator: In
                    values:
                      - region-0

Verify pod status

Once the pod configuration is applied, monitor the pod’s status with:

watch kubectl get pods

Wait for the STATUS to show as Running for a pod. Once the pod is running, you can verify that it is connected as a host for the volume.

(Optional) Encrypt FADA volumes

PX-CSI supports encryption for FADA volumes. To encrypt FADA volumes, create a cluster-wide encryption key and enable encryption in the StorageClass or PVC manifest.

note

Encryption is not supported for FADA raw block volumes.

Create a cluster-wide secret key for encryption

To ensure consistent and secure encryption of PersistentVolumeClaims (PVCs), use a cluster-wide encryption key. This guarantees that all encrypted PVCs in the cluster adhere to a uniform and secure encryption standard. Follow these steps to create the key:

  1. Create a Kubernetes Secret for the encryption key:

    kubectl -n <namespace> create secret generic px-vol-encryption \
    --from-literal=cluster-wide-secret-key=<value>
  2. Configure Portworx CSI to use cluster-wide-secret-key as the default encryption key for all volumes:

    PX_POD=$(kubectl get pods -l name=portworx -n <namespace> -o jsonpath='{.items[0].metadata.name}')
    kubectl exec $PX_POD -n <namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
    --secret cluster-wide-secret-key

note

  • PX-CSI checks for the cluster-wide encryption key in the Portworx namespace by default. If you create it in a different namespace, set the PX_SECRETS_NAMESPACE environment variable in the StorageCluster manifest to specify the correct namespace.
  • If you modify a Kubernetes Secret after creating a cluster-wide encryption key, use the --overwrite flag in the command above to update the key.

Enable encryption

After creating the cluster-wide secret key, follow one of the options below to encrypt FADA volumes:

  • To encrypt all PVCs associated with a StorageClass, enable encryption by setting the secure parameter to true in the StorageClass specification.
  • To encrypt a specific PVC, add the annotation px/secure: "true" in the PVC specification.
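The following is an added example, not code from the Portworx documentation: it lints the StorageClass parameters described in the Create a StorageClass section (IOPS and bandwidth limits, the 777-permission effect of allow_others, whether secure is set) and resolves whether a given PVC ends up encrypted under the two options listed above, refusing raw block volumes as the note says. The manifests are constructed inline as JSON (which is valid YAML); the interpretation of the K/M/G bandwidth suffixes as decimal multiples is an assumption the page does not state.

```python
"""Added example (not from the Portworx docs): lint a FlashArray StorageClass
and decide whether a PVC will be encrypted. Manifests are constructed inline
as JSON (valid YAML) so this runs offline. Assumption: K/M/G bandwidth
suffixes are decimal (10**3, 10**6, 10**9 bytes/s); the docs do not say."""
import json
import re

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
MIN_BW, MAX_BW = 10**6, 512 * 10**9        # 1 MB/s .. 512 GB/s
MIN_IOPS, MAX_IOPS = 100, 100_000_000      # 100 .. 100 million

def parse_bandwidth(text):
    """'1G' -> 1_000_000_000; ValueError on an unknown suffix."""
    m = re.fullmatch(r"(\d+)([KMG]?)", str(text).strip().upper())
    if not m:
        raise ValueError(f"bad bandwidth {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def is_true(v):
    return str(v).lower() == "true"        # YAML bool true or quoted "true"

def lint_storageclass(sc):
    """Findings for a pure_block StorageClass: limits, 777 mounts, encryption."""
    p, out = sc.get("parameters", {}), []
    if p.get("backend") != "pure_block":
        out.append("backend must be pure_block for FlashArray")
    if "max_iops" in p and not MIN_IOPS <= int(p["max_iops"]) <= MAX_IOPS:
        out.append("max_iops outside 100..100000000")
    if "max_bandwidth" in p and not MIN_BW <= parse_bandwidth(p["max_bandwidth"]) <= MAX_BW:
        out.append("max_bandwidth outside 1M..512G")
    if is_true(p.get("allow_others")):
        out.append("allow_others: mount path is 777, readable/writable by every user")
    if not is_true(p.get("secure")):
        out.append("secure not set: PVCs stay unencrypted unless annotated px/secure")
    return out

def pvc_encrypted(pvc, sc):
    """True if the PVC gets encryption from the StorageClass or its own annotation."""
    ann = pvc.get("metadata", {}).get("annotations") or {}
    wanted = is_true(sc.get("parameters", {}).get("secure")) or is_true(ann.get("px/secure"))
    if wanted and pvc.get("spec", {}).get("volumeMode") == "Block":
        raise ValueError("encryption is not supported for FADA raw block volumes")
    return wanted

# Constructed sample manifests mirroring the docs' sc-fa-direct-access and pure-claim-block.
SC = json.loads('{"kind":"StorageClass","parameters":{"backend":"pure_block",'
                '"max_iops":"1000","max_bandwidth":"1G","allow_others":true}}')
PVC = json.loads('{"kind":"PersistentVolumeClaim","metadata":{"annotations":'
                 '{"px/secure":"true"}},"spec":{"storageClassName":"sc-fa-direct-access"}}')
```

Running lint_storageclass(SC) on the sample reports the world-writable mount and the missing secure parameter, while pvc_encrypted(PVC, SC) still returns True because the PVC carries its own px/secure annotation.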