Enabling Authorization


Before proceeding with this installation, please review the Security model used by Portworx.

Enabling authorization

Enabling authorization is a cluster-level interruption event: service is interrupted while all the nodes in the system come back online with security enabled.

To enable authorization, edit your Portworx YAML configuration to add the appropriate information. First create a Kubernetes Secret that holds the values of the environment variables, then populate the required environment variables from that Secret. Here is an example of how to set up an environment variable from a Secret:

  • Create a secret:
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9'
  • Then we can access the key as follows (the key must match the name given to --from-literal when the Secret was created):
...
  - name: "PORTWORX_AUTH_SYSTEM_KEY"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: system-secret
...

Example

The following example shows how to enable Portworx authorization to verify self-signed tokens. The example uses a shared secret to validate tokens from an issuer called myissuer.

  • Save the sensitive information in a secret
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9' \
  --from-literal=shared-secret='hnuiUDFHf' \
  --from-literal=stork-secret='hn23nfsFD'
  • The Portworx yaml configuration would look like this:
...
  name: stork
  env:
    - name: "PX_SHARED_SECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret

...
  name: portworx
  args:
  [..."--jwt-issuer", "myissuer", ...]
  env:
    - name: "PORTWORX_AUTH_JWT_SHAREDSECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: shared-secret
    - name: "PORTWORX_AUTH_SYSTEM_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: system-secret
    - name: "PORTWORX_AUTH_STORK_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret
...

Now apply the change to update the Stork Deployment and the Portworx DaemonSet. Wait until the update is complete and all pods are ready with 1/1.
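What validating a self-signed token against the shared secret and the issuer myissuer involves, as an added Python illustration (not Portworx's code and not part of the original page). It assumes the tokens are standard HS256 JWTs carrying iss and exp claims; the helper names are hypothetical.

```python
import base64, hashlib, hmac, json, time

SHARED_SECRET = "hnuiUDFHf"  # sample value stored under shared-secret on this page
ISSUER = "myissuer"          # value passed to --jwt-issuer on this page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a self-signed token, as the issuer holding the shared secret would."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(f'{head}.{body}', secret))}"

def verify(token: str, secret: str, issuer: str, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        got = b64url_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(mac(f"{head}.{body}", secret), got):  # constant-time compare
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:   # token must come from the configured issuer
        raise ValueError("unknown issuer")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    return claims

def outcome(token, secret=SHARED_SECRET, issuer=ISSUER, now=1000):
    """Verify against this page's sample settings and report the result as text."""
    try:
        verify(token, secret, issuer, now)
        return "accepted"
    except ValueError as err:
        return str(err)
```

outcome(sign({"iss": "myissuer", "exp": 2000}, SHARED_SECRET)) returns "accepted"; the same claims signed with any other secret return "bad signature".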



Last edited: Wednesday, Jun 19, 2019