Skip to main content
Version: 3.1

Step 3: Set up the StorageClass in Tanzu

Summary and Key concepts

Summary

This article describes how to configure a Portworx CSI (Container Storage Interface) StorageClass that enables tenants to create volumes using tokens stored in Kubernetes secrets. The StorageClass references the tenant's token stored in their namespace for three types of CSI operations: volume provisioning, mounting/unmounting, and volume expansion. The token ensures that the storage operations are secured and authorized per tenant. By using the placeholder ${pvc.namespace}, the CSI controller dynamically retrieves the correct secret from the tenant's namespace, ensuring secure access to Portworx resources.

Kubernetes Concepts

  • StorageClass: Defines how dynamic storage provisioning is done in Kubernetes, including Portworx volumes.
  • CSI (Container Storage Interface): Standardized interface for container storage that allows Kubernetes to interact with various storage systems like Portworx.
  • Secret: Used to store sensitive data, such as authentication tokens, for securely managing Portworx operations.
  • PersistentVolumeClaim (PVC): A request for storage by a Kubernetes user, which is tied to the tenant’s namespace and secured via a secret.

Portworx Concepts

  • CSI Operations: Operations such as provision, node-publish, and controller-expand supported by Portworx for managing volume lifecycle actions like provisioning, mounting, and resizing.

StorageClass for CSI

The following CSI StorageClass enables your tenants to create volumes using their token stored in a secret in their namespace.

When using CSI, the storage class references the secret for the three types of supported operations:

  • provision

  • node-publish (mount/unmount)

  • controller-expand

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
    name: px-storage
    provisioner: pxd.portworx.com
    parameters:
    repl: "1"
    csi.storage.k8s.io/provisioner-secret-name: px-user-token
    csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
    csi.storage.k8s.io/node-publish-secret-name: px-user-token
    csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
    csi.storage.k8s.io/controller-expand-secret-name: px-user-token
    csi.storage.k8s.io/controller-expand-secret-namespace: ${pvc.namespace}
    allowVolumeExpansion: true

Note the value ${pvc.namespace}. This will ensure that the CSI controller gets the appropriate token, which is tied to the namespace of the PVC.