Skip to main content
Version: 3.1

PX-Security on Kubernetes clusters

This page guides you to enable the RBAC functionality of PX-Security on an existing Kubernetes cluster. If you are installing a new cluster via the recommended Portworx Operator, see enable security in Portworx.

Enable RBAC an existing cluster

If you already have a working Portworx cluster and wish to enhance security by enabling RBAC, you will need to enable it for the entire Portworx cluster.

Follow the steps for the Operator-based installation

(Optionally) Generate a new cluster token.

If you use Disaster Recovery functionality or are using data-migrating functionality between Kubernetes clusters, run the following command to generate a new cluster token after these operations, as the token will have changed that is used for for pairing and migrating your clusters:

pxctl cluster token reset

You will then need to update any other clusters' clusterpair objects with the new token.

Implications on pxctl

The pxctl command will also be secured. As a result, you may need to perform extra steps to run pxctl commands.

Security parameter overview

The following parameters are utilized and required by PX-Security. In the Operator-based installation, here are the parameters that are automatically created for you, but they can be manually changed if needed.


For non-sensitive information, you can use command-line parameters with the following arguments:

-jwt_issuer <issuer>JSON Web Token issuer (e.g. This is the token issuer for your self-signed tokens. It must match the iss value in token claims
-jwt_rsa_pubkey_file <file path>JSON Web Token RSA Public file path
-jwt_ecds_pubkey_file <file path>JSON Web Token ECDS Public file path
-username_claim <claim>Name of the claim in the token to be used as the unique ID of the user (<claim> can be sub, email or name, default: sub)
Was this page helpful?