In the previous section, you created a StorageCluster in the `<px-namespace>` namespace with security enabled. As a result, the operator has created the secret `px-user-token` in that namespace. Now you can create a StorageClass which will instruct Portworx to authenticate all requests using the token in that secret.

Portworx validates requests to manage volumes using the token saved in the secret referenced by the StorageClass. As you create more StorageClasses, remember to reference the secret holding the token so that the requests are authenticated. The examples below show a StorageClass with the token secret references added.
StorageClass for CSI
When using CSI, the StorageClass references the secret for the three types of supported operations: provision, node-publish (mount/unmount), and controller-expand.
- Create the following `storageclass.yaml` file:

  ```yaml
  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    name: px-storage
  provisioner: pxd.portworx.com
  parameters:
    repl: "1"
    csi.storage.k8s.io/provisioner-secret-name: px-user-token
    csi.storage.k8s.io/provisioner-secret-namespace: <px-namespace>
    csi.storage.k8s.io/node-publish-secret-name: px-user-token
    csi.storage.k8s.io/node-publish-secret-namespace: <px-namespace>
    csi.storage.k8s.io/controller-expand-secret-name: px-user-token
    csi.storage.k8s.io/controller-expand-secret-namespace: <px-namespace>
  allowVolumeExpansion: true
  ```

- Apply the `storageclass.yaml` file:

  ```shell
  oc apply -f storageclass.yaml
  ```
StorageClass for non-CSI
For StorageClasses that use the in-tree Portworx driver (deprecated from Kubernetes v1.25 onward), enable PX-Security as follows:

- Create the following `storageclass.yaml` file:

  ```yaml
  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    name: px-storage
  provisioner: pxd.portworx.com
  parameters:
    repl: "1"
    openstorage.io/auth-secret-name: px-user-token
    openstorage.io/auth-secret-namespace: <px-namespace>
  allowVolumeExpansion: true
  ```

- Apply the `storageclass.yaml` file:

  ```shell
  oc apply -f storageclass.yaml
  ```
To create a VolumeSnapshot with PX-Security enabled, you can follow a similar approach to the one used for PVCs, ensuring that PX-Security is applied via the correct secret parameters.
Prerequisites

Ensure you have:

- Portworx installed and running on your OpenShift Bare Metal cluster.
- A valid `px-user-token` for PX-Security configured in the `kube-system` namespace.
- CSI snapshots enabled and VolumeSnapshot CRDs available.
To create VolumeSnapshots with PX-Security enabled:

- A VolumeSnapshotClass defines how snapshots will be created using a specific storage driver. In this case, you will be using the Portworx CSI driver (`pxd.portworx.com`), with security tokens passed for PX-Security. Here is an example YAML manifest for a VolumeSnapshotClass with PX-Security:

  ```yaml
  kind: VolumeSnapshotClass
  apiVersion: snapshot.storage.k8s.io/v1
  metadata:
    name: <example-snapclass>
  driver: pxd.portworx.com
  deletionPolicy: Delete
  parameters:
    csi.storage.k8s.io/snapshotter-secret-name: px-user-token
    csi.storage.k8s.io/snapshotter-secret-namespace: kube-system
    csi.storage.k8s.io/snapshotter-list-secret-name: px-user-token
    csi.storage.k8s.io/snapshotter-list-secret-namespace: kube-system
    csi.storage.k8s.io/group-snapshotter-secret-name: px-user-token
    csi.storage.k8s.io/group-snapshotter-secret-namespace: kube-system
  ```

  where:

  - `secret-name`: the name of the secret containing the user token for creating snapshots.
  - `secret-namespace`: the namespace where the secret is stored, typically `kube-system`.
  - `deletionPolicy`: defines the behavior when the VolumeSnapshot is deleted. You can choose between `Delete` (the snapshot is also deleted from the storage system) and `Retain` (the snapshot is kept).
- Once the VolumeSnapshotClass is created, you can create a snapshot of a PersistentVolumeClaim (PVC). Here's an example of how to create a VolumeSnapshot:

  ```yaml
  apiVersion: snapshot.storage.k8s.io/v1
  kind: VolumeSnapshot
  metadata:
    name: <example-snapshot>
  spec:
    volumeSnapshotClassName: <example-snapclass>
    source:
      persistentVolumeClaimName: <example-pvc>
  ```

  In this example:

  - The `volumeSnapshotClassName` must reference the VolumeSnapshotClass you created earlier.
  - The `persistentVolumeClaimName` should refer to the PVC you want to snapshot.
- After applying the above YAMLs, you can verify that the snapshot was created successfully using the following command:

  ```shell
  kubectl get volumesnapshot
  ```
- (Optional) If you wish to restore a PVC from the created snapshot, you can create a new PVC from the snapshot like the following. Note that you will need to use a storage class with PX-Security enabled.

  ```yaml
  apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: <restored-pvc>
  spec:
    storageClassName: <storage-class-name>
    dataSource:
      name: <example-snapshot>
      kind: VolumeSnapshot
      apiGroup: snapshot.storage.k8s.io
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 10Gi
  ```
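As an added example that is not part of the Portworx documentation, the following Python script audits StorageClass and VolumeSnapshotClass manifests for the PX-Security secret parameters described in the StorageClass and VolumeSnapshotClass sections above, flagging a class that names the token secret for some operations but not others. It assumes the manifests are already loaded as dicts (for instance each item of `oc get storageclass -o json`), and the sample manifests and the namespace value `portworx` (standing in for `<px-namespace>`) are constructed here.

```python
# Added example, not from the Portworx docs. Portworx authenticates each CSI
# operation with the secret named for it, so a class that references the token
# for provisioning but not for node-publish or controller-expand is incomplete.
PORTWORX_DRIVER = "pxd.portworx.com"
CSI_SC_OPS = ("provisioner", "node-publish", "controller-expand")
CSI_SNAP_OPS = ("snapshotter", "snapshotter-list", "group-snapshotter")
INTREE_KEYS = ("openstorage.io/auth-secret-name",
               "openstorage.io/auth-secret-namespace")

def csi_params(ops, namespace, name="px-user-token"):
    """Build the csi.storage.k8s.io secret parameters for the given operations."""
    return {f"csi.storage.k8s.io/{op}-secret-{f}": v for op in ops
            for f, v in (("name", name), ("namespace", namespace))}

def required_auth_keys(manifest):
    """Parameter keys PX-Security needs for this manifest ([] if not Portworx)."""
    kind, params = manifest.get("kind"), manifest.get("parameters") or {}
    if kind == "StorageClass" and manifest.get("provisioner") == PORTWORX_DRIVER:
        # Classes written for the in-tree driver carry openstorage.io keys; otherwise CSI.
        if any(k.startswith("openstorage.io/") for k in params):
            return list(INTREE_KEYS)
        ops = CSI_SC_OPS
    elif kind == "VolumeSnapshotClass" and manifest.get("driver") == PORTWORX_DRIVER:
        ops = CSI_SNAP_OPS
    else:
        return []
    return [f"csi.storage.k8s.io/{op}-secret-{f}" for op in ops
            for f in ("name", "namespace")]

def audit(manifest):
    """Return findings for one manifest; an empty list means full coverage."""
    params = manifest.get("parameters") or {}
    findings = [f"missing {k}" for k in required_auth_keys(manifest)
                if not params.get(k)]
    # Every secret reference in one class should point at the same token secret.
    refs = {(params[k], params.get(k.replace("-name", "-namespace")))
            for k in params if k.endswith("-secret-name")}
    if len(refs) > 1:
        findings.append(f"inconsistent secret references: {sorted(refs, key=str)}")
    return findings

# Constructed samples; "portworx" stands in for the docs' <px-namespace>.
GOOD_SC = {"kind": "StorageClass", "provisioner": PORTWORX_DRIVER,
           "parameters": {"repl": "1", **csi_params(CSI_SC_OPS, "portworx")}}
BAD_SC = {"kind": "StorageClass", "provisioner": PORTWORX_DRIVER,
          "parameters": {"repl": "1", **csi_params(CSI_SC_OPS[:2], "portworx")}}
GOOD_SNAP = {"kind": "VolumeSnapshotClass", "driver": PORTWORX_DRIVER,
             "parameters": csi_params(CSI_SNAP_OPS, "kube-system")}
```

Running `audit` over every class in a cluster turns the "remember to reference the secret" advice above into a repeatable check.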