Version: 3.1

shared-customizing-security

Summary and Key concepts

Summary

This document explains how to further customize PX-Security when Portworx is deployed with the Portworx Operator. It covers disabling the system guest role, which is enabled by default, so that only token-bearing callers can reach volumes; putting that role into managed mode so that you, rather than the Operator, control its definition; changing the lifetime of the JWT tokens the Operator issues; and configuring a custom issuer and shared secret for the cluster.

Kubernetes Concepts

  • Secret: Used for storing sensitive information like shared secrets.
  • Namespace: The Kubernetes namespace that holds the StorageCluster and the Secrets it references.

Portworx Concepts

  • StorageCluster: Custom resource used to define and manage a Portworx cluster.
  • PX-Security: Security feature that controls access to volumes and cluster resources.

This document guides you through optionally customizing your Portworx Operator Security configuration further to fit specific needs.

Prerequisites

  • PX-Security enabled

Disable guest role access

To disable guest access, set spec.security.auth.guestAccess to Disabled in your StorageCluster:

note

Once the guest role is disabled, volumes that were created without a token (that is, as guest volumes) can only be accessed by presenting a valid token.

```yaml
apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Disabled'
```

Managing the guest role yourself

By default the Operator manages the system guest role. To take over the role and control its configuration yourself, enter managed mode by setting spec.security.auth.guestAccess to Managed; the Operator then leaves the role's definition to you:

```yaml
apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Managed'
```

Changing token lifetime

By default, a token is valid for 24 hours. You can optionally specify a different JWT token lifetime in spec.security.auth.selfSigned.tokenLifetime, using duration notation such as 4h. The Operator then generates tokens with that lifetime and refreshes them for the user accordingly. A shorter lifetime bounds how long a leaked token remains usable; a longer one reduces refresh churn.

```yaml
apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        tokenLifetime: '4h'
```

Add a custom issuer, shared secret, and tokenLifetime to your StorageCluster

Create the Kubernetes Secret that holds your shared secret in the StorageCluster's namespace, then add your issuer, tokenLifetime, and that Secret's name (sharedSecret) to the spec.security.auth.selfSigned object in your StorageCluster:

```yaml
apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        issuer: "portworx.com"
        sharedSecret: "px-shared-secret"
        tokenLifetime: "1h"
```
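The following Python script is an added illustration, not code from Portworx or the Operator, of how the settings on this page interact at the token level: the value in the shared-secret Secret signs an HS256 JWT, the token's iss claim must match issuer, its exp claim is set from tokenLifetime, and a request that carries no token is honoured only while the guest role is available (guestAccess Enabled or Managed), never when it is Disabled. The claim names (sub, name, email, roles, groups), the system.guest role name, the example secret value, and the subset of duration syntax parsed are assumptions made for this example.

```python
"""Added illustration, not Portworx or Operator code: how guestAccess,
selfSigned.issuer, selfSigned.sharedSecret and selfSigned.tokenLifetime
play out on an HS256-signed JWT.  Claim names, the system.guest role name
and the secret value are assumptions modelled on Portworx-style tokens."""
import base64
import hashlib
import hmac
import json
import re
import time

ISSUER = "portworx.com"                        # selfSigned.issuer
SHARED_SECRET = b"constructed-example-secret"   # value kept in the px-shared-secret Secret (made up)
_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_lifetime(spec: str) -> int:
    """Turn a tokenLifetime such as '1h', '30m' or '4h30m' into seconds.
    Only the h/m/s suffixes are handled here (an assumed subset)."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([hms])", spec):
        if m.start() != pos:
            raise ValueError(f"bad tokenLifetime {spec!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(spec) or total == 0:
        raise ValueError(f"bad tokenLifetime {spec!r}")
    return total


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, roles, groups, *, secret=SHARED_SECRET, issuer=ISSUER,
               lifetime="1h", now=None) -> str:
    """Create an HS256 JWT whose exp is iat + tokenLifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "name": subject,
              "email": f"{subject}@example.com", "roles": roles, "groups": groups,
              "iat": now, "exp": now + parse_lifetime(lifetime)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, *, secret=SHARED_SECRET, issuer=ISSUER, now=None) -> dict:
    """Return the claims, or raise ValueError for a malformed, forged,
    foreign-issuer or expired token.  The signature is checked before any
    claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature (wrong shared secret or tampered token)")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize(token, guest_access, **verify_kwargs):
    """Roles a request acts with, or None if it must be denied.
    guest_access mirrors spec.security.auth.guestAccess."""
    if token is None:                          # anonymous caller
        if guest_access in ("Enabled", "Managed"):
            return ["system.guest"]            # Managed: the role's rules are whatever you set
        return None                            # Disabled: no token, no access
    try:
        return verify_token(token, **verify_kwargs)["roles"]
    except ValueError:
        return None


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("alice", ["system.user"], ["dev"], lifetime="4h", now=t0)
    print(authorize(tok, "Disabled", now=t0 + 3 * 3600))            # ['system.user']
    print(authorize(tok, "Disabled", now=t0 + 4 * 3600))            # None (expired)
    print(authorize(None, "Disabled"), authorize(None, "Enabled"))  # None ['system.guest']
```

Two details carry over to any real deployment: the verifier pins the algorithm before checking the signature, and it rejects a token at the exact second its exp is reached, so a 1h tokenLifetime is an upper bound on how long a stolen token is useful regardless of whether the guest role is enabled.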