Skip to main content
Version: 3.2

PX-Security in airgapped bare metal

Summary and Key concepts

Summary:

This article provides a guide to enable Role-Based Access Control (RBAC) functionality within PX-Security on an existing Portworx cluster. It explains how to enable security by following the recommended Operator-based installation process, which automatically configures necessary security parameters. The guide also touches on how to generate a new cluster token if using disaster recovery or data migration, and it explains the implications of enabling RBAC on the use of pxctl commands. Additionally, it provides an overview of security parameters for configuring JSON Web Token (JWT) authentication.

Kubernetes Concepts:

Portworx Concepts:

This page guides you to enable the RBAC functionality of PX-Security on an existing Kubernetes cluster. If you are installing a new cluster via the recommended Portworx Operator, see enable security in Portworx.

Enable RBAC an existing cluster

If you already have a working Portworx cluster and wish to enhance security by enabling RBAC, you will need to enable it for the entire Portworx cluster.

Follow the steps for the Operator-based installation

(Optionally) Generate a new cluster token.

If you use Disaster Recovery functionality or are using data-migrating functionality between Kubernetes clusters, run the following command to generate a new cluster token after these operations, as the token will have changed that is used for for pairing and migrating your clusters:

pxctl cluster token reset

You will then need to update any other clusters' clusterpair objects with the new token.

Implications on pxctl

The pxctl command will also be secured. As a result, you may need to perform extra steps to run pxctl commands.

Security parameter overview

The following parameters are utilized and required by PX-Security. In the Operator-based installation, here are the parameters that are automatically created for you, but they can be manually changed if needed.

Configuration

For non-sensitive information, you can use command-line parameters with the following arguments:

NameDescription
-jwt_issuer <issuer>JSON Web Token issuer (e.g. openstorage.io). This is the token issuer for your self-signed tokens. It must match the iss value in token claims
-jwt_rsa_pubkey_file <file path>JSON Web Token RSA Public file path
-jwt_ecds_pubkey_file <file path>JSON Web Token ECDS Public file path
-username_claim <claim>Name of the claim in the token to be used as the unique ID of the user (<claim> can be sub, email or name, default: sub)