Kubernetes provides a great way to isolate account resources using namespaces, but you may want a more secure multitenant solution. Portworx can greatly enhance the multitenant model by providing resource access control for application volumes.
The following reference architecture provides a model where volume access is authenticated using tokens stored in the secret of the namespace of the tenant.
This solution is currently supported in CSI only.
- You must be running Portworx version 2.1 or greater on Kubernetes
- You must have Operator version 1.4 or greater
📄️ Step 1: Enable security in Portworx
📄️ Step 2: Generate multitenant tokens
Now that the system is up and running, you can create tokens.
📄️ Step 3: Set up the StorageClass
The following CSI StorageClass enables your tenants to create volumes using their token stored in a secret in their namespace.