Set up the StorageClass on GCP Anthos
Summary and Key concepts
Summary
This article describes how to configure a Portworx CSI (Container Storage Interface) StorageClass that enables tenants to create volumes using tokens stored in Kubernetes secrets. The StorageClass references the tenant's token stored in their namespace for three types of CSI operations: volume provisioning, mounting/unmounting, and volume expansion. The token ensures that the storage operations are secured and authorized per tenant. By using the placeholder `${pvc.namespace}`, the CSI controller dynamically retrieves the correct secret from the tenant's namespace, ensuring secure access to Portworx resources.
Kubernetes Concepts
- StorageClass: Defines how dynamic storage provisioning is done in Kubernetes, including Portworx volumes.
- CSI (Container Storage Interface): Standardized interface for container storage that allows Kubernetes to interact with various storage systems like Portworx.
- Secret: Used to store sensitive data, such as authentication tokens, for securely managing Portworx operations.
- PersistentVolumeClaim (PVC): A request for storage by a Kubernetes user, which is tied to the tenant’s namespace and secured via a secret.
Portworx Concepts
- CSI Operations: Operations such as `provision`, `node-publish`, and `controller-expand` supported by Portworx for managing volume lifecycle actions like provisioning, mounting, and resizing.
StorageClass for CSI
The following CSI StorageClass enables your tenants to create volumes using their token stored in a secret in their namespace.
When using CSI, the storage class references the secret for the three types of supported operations:
- `provision`
- `node-publish` (mount/unmount)
- `controller-expand`
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-storage
provisioner: pxd.portworx.com
parameters:
  repl: "1"
  csi.storage.k8s.io/provisioner-secret-name: px-user-token
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-publish-secret-name: px-user-token
  csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/controller-expand-secret-name: px-user-token
  csi.storage.k8s.io/controller-expand-secret-namespace: ${pvc.namespace}
allowVolumeExpansion: true
```
Note the value `${pvc.namespace}`. This ensures that the CSI controller gets the appropriate token, which is tied to the namespace of the PVC.