PX-Security on OCP bare metal clusters
This page guides you to enable the RBAC functionality of PX-Security on an existing Kubernetes cluster. If you are installing a new cluster via the recommended Portworx Operator, see enable security in Portworx.
Enable RBAC an existing cluster
If you already have a working Portworx cluster and wish to enhance security by enabling RBAC, you will need to enable it for the entire Portworx cluster.
Follow the steps for either the Operator-based installation.
(Optionally) Generate a new cluster token.
If you use Disaster Recovery functionality or are using data-migrating functionality between Kubernetes clusters, run the following command to generate a new cluster token after these operations, as the token will have changed that is used for for pairing and migrating your clusters:
pxctl cluster token reset
You will then need to update any other clusters' clusterpair objects with the new token.
Implications on pxctl
The pxctl command will also be secured. As a result, you may need to perform extra steps to run pxctl commands.
Security parameter overview
The following parameters are utilized and required by PX-Security. In the Operator-based installation, here are the parameters that are automatically created for you, but they can be manually changed if needed.
Configuration
For non-sensitive information, you can use command-line parameters with the following arguments:
| Name | Description |
|---|---|
-jwt_issuer <issuer> | JSON Web Token issuer (e.g. openstorage.io). This is the token issuer for your self-signed tokens. It must match the iss value in token claims |
-jwt_rsa_pubkey_file <file path> | JSON Web Token RSA Public file path |
-jwt_ecds_pubkey_file <file path> | JSON Web Token ECDS Public file path |
-username_claim <claim> | Name of the claim in the token to be used as the unique ID of the user (<claim> can be sub, email or name, default: sub) |