Use pxctl with security enabled in airgapped EKS
Summary and Key concepts
Summary:
This article guides administrators on how to set up pxctl
contexts for Portworx clusters with PX-Security enabled. It provides steps for retrieving an admin token and setting up the pxctl
context on individual nodes of a Kubernetes or OpenShift cluster. The process involves retrieving the admin token, finding the relevant Portworx pod, and executing commands within the Portworx container using kubectl
or oc
. Additionally, administrators are reminded that the pxctl
context must be refreshed whenever the token expires (24 hours by default) and are provided with a link to documentation on customizing token lifetimes.
Kubernetes Concepts:
Portworx Concepts:
Once a storage cluster with PX-Security enabled is running, a cluster admin must set up a pxctl
context on each node in order to interact with the system.
The following steps will guide an Operator-based storage admin to setup pxctl
contexts on each node.
-
Retrieve the admin token from the namespace in which Portworx was installed and store it in the
ADMIN_TOKEN
variable:ADMIN_TOKEN=$(kubectl -n <px-namespace> get secret px-admin-token --template='{{index .data "auth-token" | base64decode}}')
-
Find the Portworx pod that is running on the node in which the admin wants to interact with:
Find the node name.
kubectl get nodes
Now, save the node name in the variable.
K8_NODE_NAME=kubernetes-worker-3.mylab.lan
Once the node name is known, run the command below.
PX_POD=$(kubectl -n <px-namespace> get pods -l name=portworx -o jsonpath="{.items[?(@.spec.nodeName == '$K8_NODE_NAME')].metadata.name}")
-
Save the admin token in the
pxctl
context for that pod:kubectl -n <px-namespace> exec -ti $PX_POD -- /opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
-
Use
kubectl exec
to access the Portworx container and perform anypxctl
operations:kubectl -n <px-namespace> exec -ti $PX_POD -- /opt/pwx/bin/pxctl status
This pxctl
context will need to be refreshed every time the token expires. This is 24 hours by default, but this default can be changed. See customizing security for more information.