Multitenancy using namespaces on FlashArray

Summary and Key concepts

Summary

This article provides an overview of how Portworx can enhance Kubernetes' multitenant model by adding resource access control for application volumes. While Kubernetes namespaces help isolate resources, Portworx strengthens this model by securing volume access using authentication tokens stored in each tenant’s namespace. This approach ensures that volume access is controlled and authenticated, providing a more secure multitenant environment. The solution is supported specifically for deployments using CSI (Container Storage Interface).

Kubernetes Concepts

• Namespaces: Used for isolating resources in Kubernetes and securing tenant-specific volumes.
• Secrets: Stores sensitive data, such as authentication tokens, to control access to storage volumes.
• CSI (Container Storage Interface): A standardized interface used by Kubernetes to provision and manage storage.

Portworx Concepts

• PX-Security: Portworx's security framework that integrates with Kubernetes CSI to provide token-based authentication for storage volumes.

Overview

Kubernetes provides a great way to isolate account resources using namespaces, but you may want a more secure multitenant solution. Portworx can greatly enhance the multitenant model by providing resource access control for application volumes.

The following reference architecture provides a model where volume access is authenticated using tokens stored in the secret of the namespace of the tenant.

note

This solution is currently supported in CSI only.

---

📄️ Step 1: Enable security in Portworx

📄️ Step 2: Generate multitenant tokens

📄️ Step 3: Set up the StorageClass

📄️ Example application