Version: 3.1

In the previous section, you created a StorageCluster in the <px-namespace> namespace with security enabled.

As a result, the operator has created the secret px-user-token in that namespace. Now you can create a StorageClass which will instruct Portworx to authenticate all requests using the token in that secret.

Portworx validates requests to manage volumes using the token saved in the secret referenced by the StorageClass. As you create more StorageClasses, remember to reference the secret with the token to authenticate the requests. The example below demonstrates a StorageClass with token secrets added:

StorageClass for CSI

  1. Create the following storageclass.yaml file:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: px-storage
    provisioner: pxd.portworx.com
    parameters:
      repl: "1"
      csi.storage.k8s.io/provisioner-secret-name: px-user-token
      csi.storage.k8s.io/provisioner-secret-namespace: <px-namespace>
      csi.storage.k8s.io/node-publish-secret-name: px-user-token
      csi.storage.k8s.io/node-publish-secret-namespace: <px-namespace>
      csi.storage.k8s.io/controller-expand-secret-name: px-user-token
      csi.storage.k8s.io/controller-expand-secret-namespace: <px-namespace>
    allowVolumeExpansion: true

  2. Apply the storageclass.yaml file:

    kubectl apply -f storageclass.yaml

StorageClass for non-CSI

For StorageClasses that use the in-tree Portworx driver (deprecated from Kubernetes v1.25 onward), enable PX-Security as follows:

  1. Create the following storageclass.yaml file:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: px-storage
    provisioner: pxd.portworx.com
    parameters:
      repl: "1"
      openstorage.io/auth-secret-name: px-user-token
      openstorage.io/auth-secret-namespace: <px-namespace>
    allowVolumeExpansion: true

  2. Apply the storageclass.yaml file:

    kubectl apply -f storageclass.yaml
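
An added example, not part of the Portworx documentation: a Python check that audits StorageClasses, in the shape of `kubectl get storageclass -o json` output, for the token-secret parameters shown in the two manifests above. The sample data, the `px-ns` namespace standing in for <px-namespace>, and the function names are constructed for illustration.

```python
PROVISIONER = "pxd.portworx.com"
# Secret-reference parameter prefixes from the two manifests on this page.
CSI_PREFIXES = ["csi.storage.k8s.io/" + op + "-secret"
                for op in ("provisioner", "node-publish", "controller-expand")]
LEGACY_PREFIX = "openstorage.io/auth-secret"


def audit_storageclasses(sc_list, secret, namespace):
    """Map each non-compliant Portworx StorageClass name to its problems."""
    findings = {}
    for sc in sc_list.get("items", []):
        if sc.get("provisioner") != PROVISIONER:
            continue  # not a Portworx class
        params = sc.get("parameters") or {}
        # Classes carrying an openstorage.io auth key are checked as non-CSI style.
        legacy = any(k.startswith(LEGACY_PREFIX) for k in params)
        problems = []
        for prefix in ([LEGACY_PREFIX] if legacy else CSI_PREFIXES):
            for suffix, want in (("-name", secret), ("-namespace", namespace)):
                got = params.get(prefix + suffix)
                if got is None:
                    problems.append(f"missing {prefix}{suffix}")
                elif got != want:
                    problems.append(f"{prefix}{suffix}={got!r}, expected {want!r}")
        if problems:
            findings[sc["metadata"]["name"]] = problems
    return findings


def _csi(ns, skip=()):
    """Constructed CSI parameter set; `skip` leaves secret prefixes out."""
    return {p + s: v for p in CSI_PREFIXES if p not in skip
            for s, v in (("-name", "px-user-token"), ("-namespace", ns))}


# Constructed sample; "px-ns" stands in for <px-namespace> (an assumption).
SAMPLE = {"items": [
    {"metadata": {"name": "px-storage"}, "provisioner": PROVISIONER,
     "parameters": _csi("px-ns")},
    {"metadata": {"name": "px-no-expand"}, "provisioner": PROVISIONER,
     "parameters": _csi("px-ns", skip=CSI_PREFIXES[2:])},
    {"metadata": {"name": "px-legacy"}, "provisioner": PROVISIONER,
     "parameters": {LEGACY_PREFIX + "-name": "px-user-token",
                    LEGACY_PREFIX + "-namespace": "default"}},
    {"metadata": {"name": "other"}, "provisioner": "example.com/other", "parameters": {}},
]}

if __name__ == "__main__":
    print(audit_storageclasses(SAMPLE, "px-user-token", "px-ns"))
```

To audit a live cluster, replace `SAMPLE` with the parsed output of `kubectl get storageclass -o json`.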