Before proceeding with this document, please review the Security model used by Portworx.
To enable authorization you must edit your Portworx DaemonSet to add the appropriate information. First create a Kubernetes Secret that holds the values of the environment variables, then populate the required environment variables from that Secret. Here is an example of how to set up an environment variable from a Secret:
- Create a secret:

```shell
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9'
```

Note that a value passed with `--from-literal` is recorded in your shell history; for production use, generate a long random value and supply it with `--from-file` instead.

- Then we can reference the key from a container's environment as follows:

```yaml
...
- name: "PORTWORX_AUTH_SYSTEM_KEY"
  valueFrom:
    secretKeyRef:
      name: mysecret
      key: system-secret
...
```
The following example shows how to enable Portworx authorization to verify
self-signed tokens. The example uses a shared secret to validate tokens from an
- Save the sensitive information in a secret:

```shell
kubectl create secret generic mysecret \
  --from-literal=system-secret='RmlqRSfh9' \
  --from-literal=shared-secret='hnuiUDFHf' \
  --from-literal=stork-secret='hn23nfsFD'
```
- The Portworx YAML configuration would look like this:

```yaml
...
  name: stork
  env:
  - name: "PX_SHARED_SECRET"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: stork-secret
...
  name: portworx
  args: [..."-jwt_issuer", "myissuer", ...]
  env:
  - name: "PORTWORX_AUTH_JWT_SHAREDSECRET"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: shared-secret
  - name: "PORTWORX_AUTH_SYSTEM_KEY"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: system-secret
  - name: "PORTWORX_AUTH_STORK_KEY"
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: stork-secret
...
```
Now apply the change to update both the Stork Deployment and the Portworx DaemonSet, and wait until the rollout is complete and all pods are ready.
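To make concrete what the `-jwt_issuer` flag and `PORTWORX_AUTH_JWT_SHAREDSECRET` configure, here is an added example (not Portworx code, and not its actual validator) that mints a self-signed HS256 token and checks it the way a shared-secret issuer check has to: verify the HMAC before trusting any claim, pin the algorithm, then check `iss` and `exp`. The `sub` claim and the fixed timestamps are assumptions for illustration; the claims Portworx itself expects are not described on this page. It needs only the Python standard library.

```python
"""Mint and verify an HS256 JWT against a shared secret and an expected issuer.

Added example, not Portworx code. It models the two settings from the
configuration above: the shared secret (PORTWORX_AUTH_JWT_SHAREDSECRET) and
the expected issuer (-jwt_issuer). Claim names other than iss/iat/exp are
assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "myissuer"  # the value passed to -jwt_issuer in the configuration above
# A strong secret; use something like this instead of the short literals in the kubectl example.
SHARED_SECRET = secrets.token_urlsafe(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: str, issuer: str, subject: str, ttl: int = 3600, now=None) -> str:
    """Self-sign a token: HMAC-SHA256 over header.payload using the shared secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}  # sub is illustrative
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: str, expected_issuer: str, now=None) -> dict:
    """Return the claims if the token is valid for this secret and issuer, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Check the signature first, in constant time, before reading any claim.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Exercise the good path and four rejection cases; returns a case -> outcome map."""
    t0 = 1_700_000_000  # fixed clock so the outcomes are reproducible
    good = mint_token(SHARED_SECRET, ISSUER, "alice", now=t0)
    results = {"valid": verify_token(good, SHARED_SECRET, ISSUER, now=t0)["sub"]}
    cases = {
        "wrong_secret": (mint_token(secrets.token_urlsafe(32), ISSUER, "alice", now=t0), t0),
        "wrong_issuer": (mint_token(SHARED_SECRET, "someone-else", "alice", now=t0), t0),
        "expired": (good, t0 + 3601),
        # Unsigned token that reuses the valid payload: must fail on the alg check.
        "alg_none": (_b64url(b'{"alg":"none"}') + "." + good.split(".")[1] + ".", t0),
    }
    for name, (tok, now) in cases.items():
        try:
            verify_token(tok, SHARED_SECRET, ISSUER, now=now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} {outcome}")
```

The order of checks is the point: a token is not worth parsing until its HMAC has been verified with the configured secret, and the `iss` check is what ties the `shared-secret` value in the Kubernetes Secret to the `-jwt_issuer` argument, so a token signed for a different issuer with the same secret is still rejected.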
Upgrading to Authorization enabled
Prior to Portworx 2.6, you must be certain that every PVC has a user token secret associated with it before enabling authorization. If this is not the case, Kubernetes users will not be able to use existing Portworx PVCs or create new ones. This means that in order to upgrade to auth enabled without any disruption, the admin must first add token secrets to all PVCs.
Starting with Portworx 2.6, upgrading from auth disabled to auth enabled will not cause any issues for Kubernetes end users, because the system guest role allows Kubernetes users to create and use public volumes. However, users are encouraged to make their volumes private by adding authorization to their PVCs.
Once the admin has ensured all necessary volumes are private and users are comfortable with PX Security, the guest role may be disabled to tighten security even further.