Enabling Authorization


Before proceeding with this document, please review the Security model used by Portworx.

NOTE: For a step-by-step guide on how to enable Portworx authorization, please see Securing your Portworx system.

Enabling authorization

Enabling authorization is a cluster-level interruption event: every node in the system restarts and comes back online with security enabled.

To enable authorization, edit your Portworx yaml configuration to add the appropriate information. First create a Kubernetes Secret that holds the values of the environment variables, then populate the required environment variables from that Secret. Here is an example of how to set up an environment variable from a Secret:

  • Create a secret:
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9'
  • Then we can access the key as follows:
...
  - name: "PORTWORX_AUTH_SYSTEM_KEY"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: system-secret
...

Example

The following example shows how to enable Portworx authorization to verify self-signed tokens. The example uses a shared secret to validate tokens from an issuer called myissuer.

  • Save the sensitive information in a secret
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9' \
  --from-literal=shared-secret='hnuiUDFHf' \
  --from-literal=stork-secret='hn23nfsFD'
  • The Portworx yaml configuration would look like this:
...
  name: stork
  env:
    - name: "PX_SHARED_SECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret

...
  name: portworx
  args:
  [..."-jwt_issuer", "myissuer", ...]
  env:
    - name: "PORTWORX_AUTH_JWT_SHAREDSECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: shared-secret
    - name: "PORTWORX_AUTH_SYSTEM_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: system-secret
    - name: "PORTWORX_AUTH_STORK_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret
...

You will now need to apply the change to update the Stork deployment and the Portworx DaemonSet. Wait until the update is complete and all pods are ready with 1/1.
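As an added illustration that is not part of the Portworx documentation, the following minimal HS256 mint/verify pair shows what a verifier configured with "-jwt_issuer myissuer" and the shared secret above has to check before accepting a self-signed token: the signature under the shared secret, the issuer claim, and expiry. The claim names other than "iss" and "exp", and the use of the page's sample secret value, are assumptions for the demo only.

```python
# Added example (not from the Portworx docs): minimal HS256 JWT mint/verify
# mirroring the checks a shared-secret verifier must perform.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"hnuiUDFHf"   # the page's sample shared-secret value; demo only
ISSUER = "myissuer"            # must match the -jwt_issuer argument

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """Create a self-signed HS256 token; 'claims' should carry iss and exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, secret: bytes, issuer: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, else None.
    Rejects malformed tokens, unexpected algorithms, bad signatures,
    a wrong issuer, and expired tokens."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":          # never accept "none" or a surprise alg
        return None
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if claims.get("iss") != issuer:           # issuer must match -jwt_issuer
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims
```

A token minted with a different secret, a different issuer, or an expired "exp" is rejected, which is exactly why the shared-secret value and the issuer string must agree between the token issuer and the Portworx configuration.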

Upgrading to Authorization enabled

Prior to Portworx 2.6, users must be certain that all PVCs have user token secrets associated with them. If this is not the case, Kubernetes users will not be able to use any Portworx PVCs or create new ones. This means that in order to upgrade to auth enabled without any disruption, the admin must add token secrets to all PVCs.

Starting with Portworx 2.6, upgrading from auth disabled to auth enabled will not cause any issues for Kubernetes end users. This is because the system guest role allows Kubernetes users to create and use public volumes. However, users are encouraged to make their volumes private by adding authorization to their PVCs.

Once the admin has ensured all necessary volumes are private and users are comfortable with PX Security, the guest role may be disabled to tighten security even further.



Last edited: Wednesday, Aug 26, 2020