Step 3: Set up the StorageClass in ARO
Summary and Key concepts
Summary
This article describes how to configure a Portworx CSI (Container Storage Interface) StorageClass that lets tenants create volumes using tokens stored in Kubernetes secrets. The StorageClass references the tenant's token, stored in the tenant's own namespace, for three types of CSI operations: volume provisioning, mounting/unmounting, and volume expansion. Each operation is then authenticated and authorized with that tenant's token rather than a shared cluster credential. Because the secret namespace is written as the placeholder ${pvc.namespace}, the CSI components resolve it at request time to the namespace of the PVC being acted on, so each tenant's requests carry only that tenant's token.
Kubernetes Concepts
- StorageClass: Defines how dynamic storage provisioning is done in Kubernetes, including Portworx volumes.
- CSI (Container Storage Interface): Standardized interface for container storage that allows Kubernetes to interact with various storage systems like Portworx.
- Secret: Used to store sensitive data, such as authentication tokens, for securely managing Portworx operations.
- PersistentVolumeClaim (PVC): A request for storage by a Kubernetes user, which is tied to the tenant’s namespace and secured via a secret.
Portworx Concepts
- CSI Operations: Operations such as provision, node-publish, and controller-expand supported by Portworx for managing volume lifecycle actions like provisioning, mounting, and resizing.
StorageClass for CSI
The following CSI StorageClass enables your tenants to create volumes using their token stored in a secret in their namespace.
When using CSI, the storage class references the secret for the three types of supported operations:
- provision
- node-publish (mount/unmount)
- controller-expand

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-storage
provisioner: pxd.portworx.com
parameters:
  repl: "1"
  csi.storage.k8s.io/provisioner-secret-name: px-user-token
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-publish-secret-name: px-user-token
  csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/controller-expand-secret-name: px-user-token
  csi.storage.k8s.io/controller-expand-secret-namespace: ${pvc.namespace}
allowVolumeExpansion: true
```
Note the value ${pvc.namespace}. It is resolved per request to the namespace of the PVC: the CSI external-provisioner resolves it for provision and controller-expand, and the kubelet resolves it for node-publish. Each tenant must therefore have a secret named px-user-token in its own namespace before creating PVCs; if the secret is missing, the PVC stays Pending and no volume is created. A StorageClass that hardcodes a single namespace here would make every tenant's volumes use one shared token, which defeats the per-tenant authorization this setup is meant to provide.
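The following is an added example, not code from the original page or from Portworx: it models how the three secret references in a StorageClass resolve for a given PVC and audits a StorageClass for the shared-token mistake described above. The template expansion is a simplified stand-in for what the CSI external-provisioner and kubelet do (only ${pvc.namespace}, ${pvc.name} and ${pv.name} are handled), the in-memory secret store and its `auth-token` key stand in for real Kubernetes secrets, and the function names, the tenant names and the token values are all constructed for this example.

```python
"""Model CSI secret-reference resolution and audit a StorageClass for
tenant-isolation mistakes. Simplified illustration, not Portworx or
Kubernetes code; helper names and sample data are constructed."""
import re

CSI_OPS = ("provisioner", "node-publish", "controller-expand")
# Subset of the templates the CSI sidecars support (simplified model).
TEMPLATE = re.compile(r"\$\{(pvc\.namespace|pvc\.name|pv\.name)\}")


def resolve_secret_ref(storage_class, op, pvc, pv_name=None):
    """Return (namespace, name) of the secret used for `op`, or None if
    the StorageClass configures no secret for that operation."""
    params = storage_class.get("parameters", {})
    name_key = f"csi.storage.k8s.io/{op}-secret-name"
    ns_key = f"csi.storage.k8s.io/{op}-secret-namespace"
    if name_key not in params or ns_key not in params:
        return None
    values = {
        "pvc.namespace": pvc["metadata"]["namespace"],
        "pvc.name": pvc["metadata"]["name"],
        "pv.name": pv_name,
    }

    def expand(raw):
        def sub(match):
            value = values[match.group(1)]
            if value is None:
                raise ValueError(f"{match.group(0)} is not known at {op} time")
            return value
        return TEMPLATE.sub(sub, raw)

    return expand(params[ns_key]), expand(params[name_key])


def audit_storage_class(storage_class):
    """Return findings; an empty list means each CSI operation uses a
    secret taken from the PVC's own namespace."""
    findings = []
    params = storage_class.get("parameters", {})
    for op in CSI_OPS:
        if f"csi.storage.k8s.io/{op}-secret-name" not in params:
            findings.append(f"{op}: no secret configured; call carries no tenant token")
            continue
        ns = params.get(f"csi.storage.k8s.io/{op}-secret-namespace", "")
        if "${pvc.namespace}" not in ns:
            findings.append(f"{op}: secret namespace {ns!r} is fixed, so all "
                            "tenants would share one token")
    if ("csi.storage.k8s.io/controller-expand-secret-name" in params
            and not storage_class.get("allowVolumeExpansion", False)):
        findings.append("controller-expand secret set but allowVolumeExpansion "
                        "is false; PVC resize requests will be rejected")
    return findings


def fetch_token(secrets, ref):
    """Read the token under the `auth-token` key (assumed key name).
    `secrets` maps (namespace, name) to already-decoded secret data."""
    namespace, name = ref
    secret = secrets.get((namespace, name))
    if secret is None:
        raise LookupError(f"secret {namespace}/{name} missing; PVC stays Pending")
    return secret["auth-token"]


# Constructed sample data: the page's StorageClass as kubectl -o json would show it.
PX_STORAGE = {
    "metadata": {"name": "px-storage"},
    "provisioner": "pxd.portworx.com",
    "parameters": {
        "repl": "1",
        "csi.storage.k8s.io/provisioner-secret-name": "px-user-token",
        "csi.storage.k8s.io/provisioner-secret-namespace": "${pvc.namespace}",
        "csi.storage.k8s.io/node-publish-secret-name": "px-user-token",
        "csi.storage.k8s.io/node-publish-secret-namespace": "${pvc.namespace}",
        "csi.storage.k8s.io/controller-expand-secret-name": "px-user-token",
        "csi.storage.k8s.io/controller-expand-secret-namespace": "${pvc.namespace}",
    },
    "allowVolumeExpansion": True,
}
# Constructed misconfiguration: every tenant would use the token in "portworx".
SHARED_TOKEN_SC = {
    "metadata": {"name": "px-shared"},
    "provisioner": "pxd.portworx.com",
    "parameters": {k: ("portworx" if k.endswith("-namespace") else v)
                   for k, v in PX_STORAGE["parameters"].items()},
    "allowVolumeExpansion": True,
}
TENANT_A_PVC = {"metadata": {"name": "data", "namespace": "tenant-a"}}
TENANT_B_PVC = {"metadata": {"name": "data", "namespace": "tenant-b"}}
# Only tenant-a has created its secret; tenant-b has not (constructed values).
SECRETS = {("tenant-a", "px-user-token"): {"auth-token": "constructed-token-a"}}

if __name__ == "__main__":
    for op in CSI_OPS:
        print(op, resolve_secret_ref(PX_STORAGE, op, TENANT_A_PVC, pv_name="pvc-0001"))
    print(audit_storage_class(SHARED_TOKEN_SC))
```

Run the audit against `kubectl get storageclass -o json` output before handing a StorageClass to tenants; a fixed namespace in any of the three `-secret-namespace` parameters is the finding to look for.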