PVCs

In the previous section, you created a StorageCluster in the <px-namespace> namespace with security enabled.

As a result, the operator has created the secret px-user-token in that namespace. Now you can create a StorageClass which will instruct Portworx to authenticate all requests using the token in that secret.

Portworx validates requests to manage volumes using the token saved in the secret referenced by the StorageClass. As you create more StorageClasses, remember to reference the secret with the token to authenticate the requests. The example below demonstrates a StorageClass with token secrets added:

StorageClass for CSI

When using CSI, the StorageClass references the secret for the three types of supported operations: provision, node-publish (mount/unmount), and controller-expand.

1. Create the following storageclass.yaml file:

   apiVersion: storage.k8s.io/v1
   kind: StorageClass
   metadata:
     name: px-storage
   provisioner: pxd.portworx.com
   parameters:
     repl: "1"
     csi.storage.k8s.io/provisioner-secret-name: px-user-token
     csi.storage.k8s.io/provisioner-secret-namespace: <px-namespace>
     csi.storage.k8s.io/node-publish-secret-name: px-user-token
     csi.storage.k8s.io/node-publish-secret-namespace: <px-namespace>
     csi.storage.k8s.io/controller-expand-secret-name: px-user-token
     csi.storage.k8s.io/controller-expand-secret-namespace: <px-namespace>
   allowVolumeExpansion: true

2. Apply the storageclass.yaml file:

   oc apply -f storageclass.yaml

StorageClass for non-CSI

For StorageClasses using the (now deprecated from Kubernetes v1.25 onward) in-tree Portworx driver, the approach to leverage PX-Security is as follows:

1. Create the following storageclass.yaml file:

   apiVersion: storage.k8s.io/v1
   kind: StorageClass
   metadata:
     name: px-storage
   provisioner: pxd.portworx.com
   parameters:
     repl: "1"
     openstorage.io/auth-secret-name: px-user-token
     openstorage.io/auth-secret-namespace: <px-namespace>
   allowVolumeExpansion: true

2. Apply the storageclass.yaml file:

   oc apply -f storageclass.yaml

VolumeSnapshots

To create a VolumeSnapshot with PX-Security enabled, you can follow a similar approach to the one used for PVCs, ensuring that PX-Security is applied via the correct secret parameters.

Prerequisites

Ensure you have:

• Portworx installed and running on your OpenShift Bare Metal cluster.
• A valid px-user-token for PX-Security configured in the kube-system namespace.
• CSI snapshots enabled and VolumeSnapshot CRDs available.

To create VolumeSnapshots with PX-Security enabled:

1. A VolumeSnapshotClass defines how snapshots will be created using a specific storage driver. In this case, you will be using the Portworx CSI driver (pxd.portworx.com), with security tokens passed for PX-Security.

   Here is an example YAML manifest for a VolumeSnapshotClass with PX-Security:

   kind: VolumeSnapshotClass
   apiVersion: snapshot.storage.k8s.io/v1
   metadata:
     name: <example-snapclass>
   driver: pxd.portworx.com
   deletionPolicy: Delete
   parameters:
     csi.storage.k8s.io/snapshotter-secret-name: px-user-token
     csi.storage.k8s.io/snapshotter-secret-namespace: kube-system
     csi.storage.k8s.io/snapshotter-list-secret-name: px-user-token
     csi.storage.k8s.io/snapshotter-list-secret-namespace: kube-system
     csi.storage.k8s.io/group-snapshotter-secret-name: px-user-token
     csi.storage.k8s.io/group-snapshotter-secret-namespace: kube-system

   where:

   • secret-name: Refers to the secret name containing the user token for creating snapshots.
   • secret-namespace: The namespace where the secret is stored, typically kube-system.
   • deletionPolicy: This defines the behavior when the snapshot is deleted. You can choose between Delete (the snapshot is also deleted from the storage system) and Retain (the snapshot is kept).

2. Once the VolumeSnapshotClass is created, you can create a snapshot of a PersistentVolumeClaim (PVC). Here's an example of how to create a VolumeSnapshot:

   apiVersion: snapshot.storage.k8s.io/v1
   kind: VolumeSnapshot
   metadata:
     name: <example-snapshot>
   spec:
     volumeSnapshotClassName: <example-snapclass>
     source:
       persistentVolumeClaimName: <example-pvc>

   In this example:

   • The volumeSnapshotClassName must reference the VolumeSnapshotClass you created earlier.
   • The persistentVolumeClaimName should refer to the PVC you want to snapshot.

3. After applying the above YAMLs, you can verify that the snapshot was created successfully using the following command:

   kubectl get volumesnapshot

4. (Optional) If you wish to restore a PVC from the created snapshot, you can create a new PVC from the snapshot like the following. Note that you will need to use a storage class with PX-Security enabled.

   apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
     name: <restored-pvc>
   spec:
     storageClassName: <storage-class-name>
     dataSource:
       name: <example-snapshot>
       kind: VolumeSnapshot
       apiGroup: snapshot.storage.k8s.io
     accessModes:
       - ReadWriteOnce
     resources:
       requests:
         storage: 10Gi