PX-Security on Kubernetes clusters in AWS EKS
This page guides you to enable the RBAC functionality of PX-Security on an existing Kubernetes cluster. If you are installing a new cluster via the recommended Portworx Operator, see enable security in Portworx.
Enable RBAC an existing cluster
If you already have a working Portworx cluster and wish to enhance security by enabling RBAC, you will need to enable it for the entire Portworx cluster.
Follow the steps for the Operator-based installation.
(Optionally) Generate a new cluster token.
If you use Disaster Recovery functionality or are using data-migrating functionality between Kubernetes clusters, run the following command to generate a new cluster token after these operations, as the token will have changed that is used for for pairing and migrating your clusters:
pxctl cluster token reset
You will then need to update any other clusters' clusterpair objects with the new token.
Implications on pxctl
Security parameter overview
The following parameters are utilized and required by PX-Security. In the Operator-based installation, here are the parameters that are automatically created for you, but they can be manually changed if needed.
Configuration
For non-sensitive information, you can use command-line parameters with the following arguments:
| Name | Description |
|---|---|
-jwt_issuer <issuer> | JSON Web Token issuer (e.g. openstorage.io). This is the token issuer for your self-signed tokens. It must match the iss value in token claims |
-jwt_rsa_pubkey_file <file path> | JSON Web Token RSA Public file path |
-jwt_ecds_pubkey_file <file path> | JSON Web Token ECDS Public file path |
-username_claim <claim> | Name of the claim in the token to be used as the unique ID of the user (<claim> can be sub, email or name, default: sub) |