Multitenancy using namespaces on FlashArray
Summary and Key concepts
Summaryโ
This article provides an overview of how Portworx can enhance Kubernetes' multitenant model by adding resource access control for application volumes. While Kubernetes namespaces help isolate resources, Portworx strengthens this model by securing volume access using authentication tokens stored in each tenantโs namespace. This approach ensures that volume access is controlled and authenticated, providing a more secure multitenant environment. The solution is supported specifically for deployments using CSI (Container Storage Interface).
Kubernetes Conceptsโ
- Namespaces: Used for isolating resources in Kubernetes and securing tenant-specific volumes.
- Secrets: Stores sensitive data, such as authentication tokens, to control access to storage volumes.
- CSI (Container Storage Interface): A standardized interface used by Kubernetes to provision and manage storage.
Portworx Conceptsโ
- PX-Security: Portworx's security framework that integrates with Kubernetes CSI to provide token-based authentication for storage volumes.
Overview
Kubernetes provides a great way to isolate account resources using namespaces, but you may want a more secure multitenant solution. Portworx can greatly enhance the multitenant model by providing resource access control for application volumes.
The following reference architecture provides a model where volume access is authenticated using tokens stored in the secret of the namespace of the tenant.
This solution is currently supported in CSI only.