AWS Marketplace
This topic provides instructions for installing Portworx via the Amazon Marketplace on EKS (Elastic Kubernetes Service). Follow the steps in this topic in order.
Prepare your EKS Cluster
Before you can install Portworx, you must configure AWS permissions:
Grant Portworx the needed AWS permissions
Portworx creates and attaches EBS volumes. As such, it needs the AWS permissions to do so. Below is a sample policy describing these permissions:
- For non-encrypted volumes
- For encrypted volumes
Policy for non-encrypted volumes:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:ModifyVolume",
"ec2:DetachVolume",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"autoscaling:DescribeAutoScalingGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": [
"arn:aws:iam::*:role/eksctl-*",
"arn:aws:ec2:*:*:internet-gateway/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:iam::*:instance-profile/eksctl-*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:AttachInternetGateway",
"ec2:DescribeSnapshots",
"ec2:DeleteSnapshot",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:UpdateAutoScalingGroup",
"ec2:DeleteInternetGateway",
"ec2:DescribeKeyPairs",
"ec2:DescribeRouteTables",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr:DescribeImageScanFindings",
"ec2:ImportKeyPair",
"ec2:DescribeLaunchTemplates",
"ec2:CreateTags",
"ecr:GetDownloadUrlForLayer",
"ec2:CreateRouteTable",
"cloudformation:*",
"ec2:RunInstances",
"ecr:GetAuthorizationToken",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeImageAttribute",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"autoscaling:DeleteAutoScalingGroup",
"eks:*",
"ec2:CreateSubnet",
"ec2:DescribeSubnets",
"autoscaling:CreateAutoScalingGroup",
"ec2:DescribeAddresses",
"ec2:DeleteTags",
"elasticfilesystem:*",
"ec2:CreateNatGateway",
"autoscaling:DescribeLaunchConfigurations",
"ec2:CreateVpc",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAvailabilityZones",
"autoscaling:DescribeScalingActivities",
"ec2:CreateSecurityGroup",
"sts:DecodeAuthorizationMessage",
"ec2:CreateSnapshot",
"ec2:ModifyVpcAttribute",
"ecr:DescribeRepositories",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeTags",
"ecr:GetLifecyclePolicyPreview",
"ec2:DeleteRoute",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"autoscaling:CreateLaunchConfiguration",
"ec2:CreateLaunchTemplate",
"autoscaling:DeleteLaunchConfiguration",
"sts:Get*",
"ec2:DescribeVpcs",
"ec2:DeleteSecurityGroup",
"ecr:GetRepositoryPolicy"
],
"Resource": "*"
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*"
]
}
]
}
Policy for encrypted volumes:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kms",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"arn:aws:kms:us-west-2:383347425723:key/c1f576b7-6369-xxxx-xxxx-xxxxxxxxxxxxxx"
]
},
{
"Sid": "ec2",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:ModifyVolume",
"ec2:DetachVolume",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"autoscaling:DescribeAutoScalingGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": [
"arn:aws:iam::*:role/eksctl-*",
"arn:aws:ec2:*:*:internet-gateway/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:iam::*:instance-profile/eksctl-*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:AttachInternetGateway",
"ec2:DescribeSnapshots",
"ec2:DeleteSnapshot",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:UpdateAutoScalingGroup",
"ec2:DeleteInternetGateway",
"ec2:DescribeKeyPairs",
"ec2:DescribeRouteTables",
"ecr:BatchCheckLayerAvailability",
"ecr:GetLifecyclePolicy",
"ecr:DescribeImageScanFindings",
"ec2:ImportKeyPair",
"ec2:DescribeLaunchTemplates",
"ec2:CreateTags",
"ecr:GetDownloadUrlForLayer",
"ec2:CreateRouteTable",
"cloudformation:*",
"ec2:RunInstances",
"ecr:GetAuthorizationToken",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeImageAttribute",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"autoscaling:DeleteAutoScalingGroup",
"eks:*",
"ec2:CreateSubnet",
"ec2:DescribeSubnets",
"autoscaling:CreateAutoScalingGroup",
"ec2:DescribeAddresses",
"ec2:DeleteTags",
"elasticfilesystem:*",
"ec2:CreateNatGateway",
"autoscaling:DescribeLaunchConfigurations",
"ec2:CreateVpc",
"ecr:ListTagsForResource",
"ecr:ListImages",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAvailabilityZones",
"autoscaling:DescribeScalingActivities",
"ec2:CreateSecurityGroup",
"sts:DecodeAuthorizationMessage",
"ec2:CreateSnapshot",
"ec2:ModifyVpcAttribute",
"ecr:DescribeRepositories",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeTags",
"ecr:GetLifecyclePolicyPreview",
"ec2:DeleteRoute",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"autoscaling:CreateLaunchConfiguration",
"ec2:CreateLaunchTemplate",
"autoscaling:DeleteLaunchConfiguration",
"sts:Get*",
"ec2:DescribeVpcs",
"ec2:DeleteSecurityGroup",
"ecr:GetRepositoryPolicy"
],
"Resource": "*"
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": "iam:ListInstanceProfiles",
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*"
]
}
]
}
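An added example (not part of the Portworx documentation): a small Python audit that flags broad grants in a policy like the sample above before you attach it. The `POLICY` dict is a condensed excerpt of that sample, and the three checks, their names and the read-only prefix list are heuristics assumed for this example, not an AWS tool.

```python
# Added example: heuristic least-privilege review of an IAM policy document.
# POLICY is condensed from the sample policy above (same Sids, shorter lists).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ec2", "Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:CreateVolume", "ec2:DescribeVolumes"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "ec2:DeleteInternetGateway",
         "Resource": "arn:aws:iam::*:instance-profile/eksctl-*"},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:GetRole"],
         "Resource": ["arn:aws:iam::*:role/eksctl-*"]},
        {"Sid": "VisualEditor3", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:*", "eks:*", "sts:Get*", "ec2:DescribeVpcs"]},
    ],
}

# Action-name prefixes treated as read-only (assumption made for this example).
READ_PREFIXES = ("Describe", "Get", "List", "BatchGet", "BatchCheck")

def as_list(value):
    """IAM allows a bare string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (sid, finding, detail) tuples for every Allow statement."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid, resources = st.get("Sid", "?"), as_list(st["Resource"])
        for action in as_list(st["Action"]):
            service, _, name = action.partition(":")
            if name == "*":
                # Every current and future action of the service is granted.
                findings.append((sid, "service-wildcard", action))
            elif "*" in resources and not name.startswith(READ_PREFIXES):
                # Mutating call not scoped to an ARN; review, it may be required.
                findings.append((sid, "write-on-any-resource", action))
            for arn in resources:
                # arn:partition:service:...; flag ARNs of a different service.
                if arn != "*" and arn.split(":")[2] != service:
                    findings.append((sid, "service-mismatch", f"{action} on {arn}"))
    return findings

if __name__ == "__main__":
    for finding in audit(POLICY):
        print(*finding, sep="\t")
```

A `service-mismatch` finding usually means the statement has no effect, because the action cannot operate on a resource of that type.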
Configure IAM permissions
You can configure the IAM permissions in multiple ways. Follow the steps most appropriate for you:
Configure with eksctl
If you created your cluster with eksctl, this is your best option. If you did not, see the section about configuring your cluster with the AWS CLI or AWS Console.
- Before you can create an IAMServiceAccount for Portworx, you must enable the IAM OIDC Provider for your EKS cluster. Make sure to replace <clustername> with your EKS cluster and change the region if you are not running in us-east-1:
eksctl utils associate-iam-oidc-provider --region=us-east-1 --cluster=<clustername> --approve
- Now you can create the IAMServiceAccount with the appropriate permissions (you need these permissions to send metering data to AWS). Make sure to change the namespace if you are not deploying in kube-system, and make sure to replace <clustername> with your EKS cluster:
eksctl create iamserviceaccount --name portworx-aws --namespace <px-namespace> --cluster <clustername> --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess \
--attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage --approve --override-existing-serviceaccounts
This creates an IAMServiceAccount on the AWS Console and a ServiceAccount in the requested namespace, which you pass to the Helm chart in the next section.
Configure with AWS CLI or AWS Console
You can configure IAM permissions through the AWS CLI or AWS Console.
For instructions on configuring these permissions, refer to the Amazon documentation:
- For the AWS CLI, go here: AWS CLI
- For the AWS Console, go here: AWS Console
Use the correct namespace and serviceaccount you defined in the steps above.
Install
Once you've prepared your EKS cluster, you can install Portworx.
If you are not using instance privileges, you must also specify AWS environment variables in the Helm install parameters. Specify the following environment variables:
--set env="AWS_ACCESS_KEY_ID=<id>\,AWS_SECRET_ACCESS_KEY=<key>"
Add the Helm repository
Add the Portworx AWS Helm repository by running the following helm command:
helm repo add portworx https://raw.githubusercontent.com/portworx/aws-helm/master/stable
Install the helm chart from the repository
To install the chart with the release name my-release, run the following command, substituting relevant values for your setup. Refer to the Helm chart configuration reference for information about the configurable parameters:
helm install my-release portworx/portworx --set storage.drives="type=gp2\,size=1000" --set serviceAccount="portworx-aws"
Specify each parameter using the --set key=value[,key=value] argument to helm install.
clusterName should be a unique name identifying your Portworx cluster. The default value is mycluster, but it is suggested to update it with your naming scheme. storage.drives has been set to 1 TB; if you wish to have smaller storage drives, please change that setting.