Version: 3.2

Step 3: Customizing Security Setup for OpenShift with FlashArray

This document guides you through optionally customizing your Portworx Operator Security configuration further to fit specific needs.

Prerequisites

  • PX-Security enabled

Disable guest role access

Note: Once the guest role is disabled, volumes created without a token will only be accessible with a token.

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Disabled'

Managing the guest role yourself

To enter managed mode, set the value of the spec.security.auth.guestAccess field to Managed:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      guestAccess: 'Managed'

Changing token lifetime

By default, the token is valid for 24 hours. You can optionally specify a different JWT token lifetime in spec.security.auth.selfSigned.tokenLifetime. The Operator then generates a token with that lifetime and refreshes it for the user accordingly.

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        tokenLifetime: '4h'

Add a custom issuer, shared secret, and tokenLifetime to your StorageCluster

Add your issuer, tokenLifetime, and sharedSecret Kubernetes secret's name to the spec.security.auth.selfSigned object in your StorageCluster:

apiVersion: core.libopenstorage.org/v1
kind: StorageCluster
metadata:
  name: px-cluster
  namespace: <px-namespace>
spec:
  security:
    enabled: true
    auth:
      selfSigned:
        issuer: "portworx.com"
        sharedSecret: "px-shared-secret"
        tokenLifetime: "1h"
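The three settings above (guest role, token lifetime, custom issuer and shared secret) are easy to get subtly wrong before an apply, for example a lifetime typo or a guestAccess value that is silently left at its default. The following is an added example, not part of the Portworx documentation or Operator code, that reads the JSON form of a StorageCluster (as `kubectl get storagecluster ... -o json` would return it) and reports which of these settings deviate from a stricter baseline. The two embedded manifests are constructed samples; the assumption that an absent guestAccess field means the guest role is enabled, and the use of a 24h maximum lifetime (the documented default) as the review threshold, are this example's choices, not statements from the page.

```python
import json
import re

# Constructed sample: the JSON form of the hardened StorageCluster shown on this page.
SAMPLE_HARDENED_JSON = """
{
  "apiVersion": "core.libopenstorage.org/v1",
  "kind": "StorageCluster",
  "metadata": {"name": "px-cluster", "namespace": "portworx"},
  "spec": {
    "security": {
      "enabled": true,
      "auth": {
        "guestAccess": "Disabled",
        "selfSigned": {
          "issuer": "portworx.com",
          "sharedSecret": "px-shared-secret",
          "tokenLifetime": "1h"
        }
      }
    }
  }
}
"""

# Constructed sample: PX-Security enabled but otherwise left at permissive settings.
SAMPLE_PERMISSIVE_JSON = """
{
  "apiVersion": "core.libopenstorage.org/v1",
  "kind": "StorageCluster",
  "metadata": {"name": "px-cluster", "namespace": "portworx"},
  "spec": {
    "security": {
      "enabled": true,
      "auth": {
        "selfSigned": {"tokenLifetime": "72h"}
      }
    }
  }
}
"""

DEFAULT_TOKEN_LIFETIME = "24h"          # documented default on this page
GUEST_ACCESS_VALUES = ("Enabled", "Disabled", "Managed")
_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_token_lifetime(value: str) -> int:
    """Parse a Go-style duration such as '4h', '90m' or '1h30m' into seconds.

    Raises ValueError for anything else so a typo is caught before `kubectl apply`.
    """
    value = value.strip()
    parts = _DURATION_RE.findall(value)
    if not value or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported tokenLifetime: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def is_valid_token_lifetime(value: str) -> bool:
    """True if the value is a duration this checker understands."""
    try:
        parse_token_lifetime(value)
        return True
    except ValueError:
        return False


def audit_security(cluster: dict, max_lifetime: str = DEFAULT_TOKEN_LIFETIME) -> list:
    """Return a list of findings for spec.security of a StorageCluster dict."""
    findings = []
    security = cluster.get("spec", {}).get("security", {})
    if not security.get("enabled"):
        findings.append("PX-Security is not enabled (spec.security.enabled)")
        return findings
    auth = security.get("auth", {})
    # Assumption of this example: an absent guestAccess field means the guest role is enabled.
    guest = auth.get("guestAccess", "Enabled")
    if guest not in GUEST_ACCESS_VALUES:
        findings.append(f"unknown guestAccess value {guest!r}")
    elif guest == "Enabled":
        findings.append("guest role is enabled: volumes created without a token stay reachable without one")
    self_signed = auth.get("selfSigned", {})
    lifetime = self_signed.get("tokenLifetime", DEFAULT_TOKEN_LIFETIME)
    if not is_valid_token_lifetime(lifetime):
        findings.append(f"tokenLifetime {lifetime!r} is not a valid duration")
    elif parse_token_lifetime(lifetime) > parse_token_lifetime(max_lifetime):
        findings.append(f"tokenLifetime {lifetime} exceeds the review maximum {max_lifetime}")
    if "issuer" not in self_signed:
        findings.append("spec.security.auth.selfSigned.issuer is not set")
    if "sharedSecret" not in self_signed:
        findings.append("spec.security.auth.selfSigned.sharedSecret is not set")
    return findings


def audit_json(text: str) -> list:
    """Audit a StorageCluster given as JSON text (e.g. piped from kubectl -o json)."""
    return audit_security(json.loads(text))


if __name__ == "__main__":
    for label, doc in (("hardened", SAMPLE_HARDENED_JSON), ("permissive", SAMPLE_PERMISSIVE_JSON)):
        print(label, audit_json(doc) or ["no findings"])
```

Run it against a live cluster with `kubectl -n <px-namespace> get storagecluster px-cluster -o json | python3 audit.py`, after replacing the `__main__` block with a `sys.stdin.read()` call; the hardened sample produces no findings, the permissive one lists the enabled guest role, the over-long lifetime, and the missing issuer and shared secret.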