Create and use FlashArray PVCs
After installing Portworx CSI to work with your FlashArray, you need to create PVCs to make storage available to your application.
Create a StorageClass

Create a StorageClass with a specified storage type and performance settings. For FlashArray, set the backend type to "pure_block". You can also configure parameters like IOPS and bandwidth.

If you need the mount path to have 777 permissions, set parameters.allow_others to true in your StorageClass. This setting grants read, write, and execute access to all users. Use with caution to avoid unintended access.
Example StorageClass specification:

Without CSI topology

Create a new StorageClass to add parameters such as IOPS and bandwidth, as shown below:

- max_bandwidth: The bandwidth limit must range between 1 MB/s and 512 GB/s.
- max_iops: The IOPS limit must range between 100 and 100 million.
- (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: sc-fa-direct-access
    provisioner: pxd.portworx.com
    parameters:
      backend: "pure_block"
      #pure_fa_pod_name: "<fa-pod-name>" # Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
      max_iops: "1000"
      max_bandwidth: "1G"
      #allow_others: "true" # Uncomment this line if you need the mount path to have 777 permissions. StorageClass parameters are strings, so keep the value quoted.
      #secure: "true" # Uncomment this line to encrypt all PVCs associated with this StorageClass.
With CSI topology

If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer setting delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.

- max_bandwidth: The bandwidth limit must range between 1 MB/s and 512 GB/s.
- max_iops: The IOPS limit must range between 100 and 100 million.
- (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: sc-fa-direct-access
    provisioner: pxd.portworx.com
    parameters:
      backend: "pure_block"
      #pure_fa_pod_name: "<fa-pod-name>" # Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
      max_bandwidth: "10G"
      max_iops: "30000"
      csi.storage.k8s.io/fstype: ext4
      #allow_others: "true" # Uncomment this line if you need the mount path to have 777 permissions. StorageClass parameters are strings, so keep the value quoted.
      #secure: "true" # Uncomment this line to encrypt all PVCs associated with this StorageClass.
    volumeBindingMode: WaitForFirstConsumer
    allowedTopologies:
    - matchLabelExpressions:
      - key: topology.portworx.io/rack
        values:
        - rack-0
        - rack-1

Save this YAML in a file sc.yaml and apply it to your cluster to create the StorageClass:

    kubectl apply -f sc.yaml
    storageclass.storage.k8s.io/sc-fa-direct-access created
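Before applying a StorageClass, it is worth checking the constraints this section states (the max_bandwidth and max_iops ranges, the pure_block backend, the WaitForFirstConsumer requirement when allowedTopologies is set) and flagging the security-relevant settings (allow_others, secure). The audit below is an added example written for this page, not Portworx code. It takes the manifest as a Python dict (the structure yaml.safe_load would return for sc.yaml) so it runs offline; the K/M/G unit suffixes for max_bandwidth and the 1024-based conversion are assumptions based on the "1G" and "10G" values shown above.

```python
# Added example (not Portworx code): audit a FlashArray StorageClass manifest before applying it.
# Manifests are handled as dicts, i.e. what yaml.safe_load() returns for sc.yaml, so no cluster or
# PyYAML is needed to run this.
import re

# Assumed unit suffixes for max_bandwidth, based on the "1G" / "10G" values on this page.
_UNIT_BYTES = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MIN_BW = 1 * _UNIT_BYTES["M"]          # 1 MB/s lower bound from the docs (1024-based, assumed)
MAX_BW = 512 * _UNIT_BYTES["G"]        # 512 GB/s upper bound from the docs
MIN_IOPS, MAX_IOPS = 100, 100_000_000  # 100 .. 100 million


def parse_bandwidth(value: str) -> int:
    """Convert a value such as '10G' or '512M' to bytes per second."""
    m = re.fullmatch(r"(\d+)([KMG])?", value.strip().upper())
    if not m:
        raise ValueError(f"unparseable max_bandwidth {value!r}")
    number, unit = int(m.group(1)), m.group(2) or ""
    return number * _UNIT_BYTES.get(unit, 1)


def audit_storageclass(sc: dict) -> list:
    """Return human-readable findings; an empty list means the manifest passed every check."""
    findings = []
    params = sc.get("parameters", {})
    if sc.get("provisioner") != "pxd.portworx.com":
        findings.append("provisioner must be pxd.portworx.com for Portworx CSI")
    if params.get("backend") != "pure_block":
        findings.append('backend must be "pure_block" for FlashArray')
    # StorageClass.parameters is map[string]string: an unquoted YAML boolean is rejected by the API server.
    for key, val in params.items():
        if not isinstance(val, str):
            findings.append(f"parameter {key} must be a quoted string, got {type(val).__name__}")
    if "max_bandwidth" in params:
        try:
            bw = parse_bandwidth(str(params["max_bandwidth"]))
            if not MIN_BW <= bw <= MAX_BW:
                findings.append("max_bandwidth out of range (1 MB/s .. 512 GB/s)")
        except ValueError as exc:
            findings.append(str(exc))
    if "max_iops" in params:
        iops = str(params["max_iops"])
        if not iops.isdigit() or not MIN_IOPS <= int(iops) <= MAX_IOPS:
            findings.append("max_iops out of range (100 .. 100000000)")
    # Security-relevant settings: a world-writable mount path deserves an explicit finding.
    if str(params.get("allow_others", "")).lower() == "true":
        findings.append("allow_others=true grants 777 on the mount path; confirm this is intended")
    # Topology: allowedTopologies only has effect with WaitForFirstConsumer binding.
    if sc.get("allowedTopologies") and sc.get("volumeBindingMode") != "WaitForFirstConsumer":
        findings.append("allowedTopologies requires volumeBindingMode: WaitForFirstConsumer")
    return findings


# Constructed sample: the topology-aware StorageClass from this page, with secure enabled.
SAMPLE_SC = {
    "kind": "StorageClass",
    "apiVersion": "storage.k8s.io/v1",
    "metadata": {"name": "sc-fa-direct-access"},
    "provisioner": "pxd.portworx.com",
    "parameters": {
        "backend": "pure_block",
        "max_bandwidth": "10G",
        "max_iops": "30000",
        "csi.storage.k8s.io/fstype": "ext4",
        "secure": "true",
    },
    "volumeBindingMode": "WaitForFirstConsumer",
    "allowedTopologies": [
        {"matchLabelExpressions": [{"key": "topology.portworx.io/rack", "values": ["rack-0", "rack-1"]}]}
    ],
}

if __name__ == "__main__":
    for line in audit_storageclass(SAMPLE_SC) or ["OK: no findings"]:
        print(line)
```

Feed it the output of yaml.safe_load on your own sc.yaml; a non-empty list is a reason not to run kubectl apply yet. The string-type check is the one most people hit in practice: writing allow_others: true without quotes produces a valid-looking file that the API server rejects.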
Create a PVC

To create a PVC, define the specifications and reference the StorageClass you previously created by specifying its name in the spec.storageClassName field.

- (Optional) metadata.annotations.px/secure: If encryption is not enabled in the StorageClass and you want to enable it for a specific PVC, set this to true to enable encryption on that PVC. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

Example PVC specification:

    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: pure-claim-block
      annotations:
        #px/secure: "true" # Uncomment this line to encrypt only this PVC.
      labels:
        app: nginx
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
      storageClassName: sc-fa-direct-access

Save this YAML in a file pvc.yaml and apply it to your cluster:

    kubectl apply -f pvc.yaml
    persistentvolumeclaim/pure-claim-block created
Mount a PVC to a pod

After creating PVCs, the storage becomes available for your application. You can use the storage by mounting and attaching the PVC to the application pod.

- Create a Pod and specify the PVC name in the persistentVolumeClaim.claimName field. Here is an example pod specification:

    kind: Pod
    apiVersion: v1
    metadata:
      name: nginx-pod
      labels:
        app: nginx
    spec:
      volumes:
      - name: pure-vol
        persistentVolumeClaim:
          claimName: pure-claim-block
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: pure-vol
          mountPath: /data
        ports:
        - containerPort: 80

- To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: topology.portworx.io/zone
                operator: In
                values:
                - zone-0
              - key: topology.portworx.io/region
                operator: In
                values:
                - region-0
Verify pod status

Once the pod configuration is applied, monitor the pod's status with:

    watch kubectl get pods

Wait for the STATUS to show as Running for the pod. Once the pod is running, you can verify that it is connected as a host for the volume.
(Optional) Encrypt FADA volumes
PX-CSI supports encryption for FADA volumes. To encrypt FADA volumes, create a cluster-wide encryption key and enable encryption in the StorageClass or PVC manifest.
Encryption is not supported for FADA raw block volumes.
Create a cluster-wide secret key for encryption

To ensure consistent and secure encryption of PersistentVolumeClaims (PVCs), use a cluster-wide encryption key. This guarantees that all encrypted PVCs in the cluster adhere to a uniform and secure encryption standard. Follow these steps to create the key:

- Create a Kubernetes Secret for the encryption key:

    kubectl -n <namespace> create secret generic px-vol-encryption \
      --from-literal=cluster-wide-secret-key=<value>

- Configure Portworx CSI to use cluster-wide-secret-key as the default encryption key for all volumes:

    PX_POD=$(kubectl get pods -l name=portworx -n <namespace> -o jsonpath='{.items[0].metadata.name}')
    kubectl exec $PX_POD -n <namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
      --secret cluster-wide-secret-key

- PX-CSI checks for the cluster-wide encryption key in the Portworx namespace by default. If you create it in a different namespace, set the PX_SECRETS_NAMESPACE environment variable in the StorageCluster manifest to specify the correct namespace.
- If you modify a Kubernetes Secret after creating a cluster-wide encryption key, use the --overwrite flag in the command above to update the key.
Enable encryption

After creating the cluster-wide secret key, follow one of the options below to encrypt FADA volumes:

- To encrypt all PVCs associated with a StorageClass, enable encryption by setting the secure parameter to true in the StorageClass specification.
- To encrypt a specific PVC, add the annotation px/secure: "true" in the PVC specification.
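The two options above, together with the raw block restriction stated earlier on this page, give a simple rule for whether a given claim ends up encrypted. The helper below is an added example written for this page, not Portworx code: it evaluates a StorageClass and PVC pair (as dicts, the shape yaml.safe_load returns) and reports where encryption comes from, or that it is absent, and rejects the unsupported combination of encryption with volumeMode: Block. It assumes the StorageClass setting and the PVC annotation are the only two inputs, and that either one enabling encryption is sufficient; a "false" annotation is not treated as an override because the page does not describe one.

```python
# Added example (not Portworx code): determine whether a PVC will be encrypted from the
# StorageClass "secure" parameter and the PVC "px/secure" annotation described on this page,
# and flag encryption requested on a raw block volume, which is not supported.
# Manifests are dicts, as returned by yaml.safe_load(), so this runs offline.


def _is_true(value) -> bool:
    """Kubernetes stores both values as strings, so compare case-insensitively on the text."""
    return str(value).strip().lower() == "true"


def encryption_decision(sc: dict, pvc: dict) -> dict:
    """Return {'encrypted': bool, 'source': str, 'errors': [str, ...]} for a StorageClass/PVC pair."""
    errors = []
    sc_name = sc.get("metadata", {}).get("name")
    spec = pvc.get("spec", {})
    if spec.get("storageClassName") != sc_name:
        errors.append(f"PVC storageClassName does not reference StorageClass {sc_name!r}")

    sc_secure = _is_true(sc.get("parameters", {}).get("secure", ""))
    # 'annotations:' with only a commented child loads as None, hence the 'or {}'.
    annotations = pvc.get("metadata", {}).get("annotations") or {}
    pvc_secure = _is_true(annotations.get("px/secure", ""))

    if sc_secure:
        encrypted, source = True, "StorageClass parameter secure=true"
    elif pvc_secure:
        encrypted, source = True, 'PVC annotation px/secure="true"'
    else:
        encrypted, source = False, "neither StorageClass nor PVC requests encryption"

    # Encryption is not supported for FADA raw block volumes.
    if encrypted and spec.get("volumeMode", "Filesystem") == "Block":
        errors.append("encryption is not supported for FADA raw block volumes (volumeMode: Block)")
    return {"encrypted": encrypted, "source": source, "errors": errors}


# Constructed samples: the page's StorageClass without 'secure', and the page's PVC with the
# px/secure annotation uncommented.
SAMPLE_SC_PLAIN = {
    "kind": "StorageClass",
    "apiVersion": "storage.k8s.io/v1",
    "metadata": {"name": "sc-fa-direct-access"},
    "provisioner": "pxd.portworx.com",
    "parameters": {"backend": "pure_block", "max_iops": "1000", "max_bandwidth": "1G"},
}

SAMPLE_PVC = {
    "kind": "PersistentVolumeClaim",
    "apiVersion": "v1",
    "metadata": {
        "name": "pure-claim-block",
        "annotations": {"px/secure": "true"},
        "labels": {"app": "nginx"},
    },
    "spec": {
        "accessModes": ["ReadWriteOnce"],
        "resources": {"requests": {"storage": "20Gi"}},
        "storageClassName": "sc-fa-direct-access",
    },
}

if __name__ == "__main__":
    result = encryption_decision(SAMPLE_SC_PLAIN, SAMPLE_PVC)
    print("encrypted:", result["encrypted"], "via", result["source"])
    for err in result["errors"]:
        print("error:", err)
```

Run this over the manifests in a repository before they are applied, or over the live objects via kubectl get ... -o yaml, to confirm that every claim that is expected to be encrypted actually is, rather than discovering after provisioning that the annotation was left commented out or that a raw block claim was combined with an encrypting StorageClass.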