Kubernetes Secrets

Portworx can integrate with Kubernetes Secrets to store your encryption keys/secrets and credentials. This guide will help configure Portworx with Kubernetes Secrets. Kubernetes Secrets can then be used to store Portworx secrets for Volume Encryption and Cloud Credentials.

Configuring Kubernetes Secrets with Portworx

New installation

When generating the Portworx Kubernetes spec file on the Portworx spec generator page in PX-Central, select Kubernetes from the Secrets Store Type list under Advanced Settings. For more details on how to generate the Portworx spec for Kubernetes, refer to the Portworx installation documentation for Kubernetes.

Existing installation

Permissions to access secrets

Portworx stores credentials/secrets in a Kubernetes namespace called portworx. It needs permissions to access secrets under this namespace. If you have upgraded Portworx as explained in the Kubernetes section under Upgrades in the Reference topic, then you will not have to create the namespace and roles given below. If the following objects are missing, create them using kubectl:

cat <<EOF | kubectl apply -f -
# Namespace to store credentials
apiVersion: v1
kind: Namespace
metadata:
  name: portworx
---
# Role to access secrets under portworx namespace only
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: px-role
  namespace: portworx
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "update", "patch"]
---
# Allow portworx service account to access the secrets under the portworx namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: px-role-binding
  namespace: portworx
subjects:
- kind: ServiceAccount
  name: px-account
  namespace: kube-system
roleRef:
  kind: Role
  name: px-role
  apiGroup: rbac.authorization.k8s.io
EOF

Edit the Portworx DaemonSet

You will have to edit the Portworx DaemonSet to use Kubernetes secrets, so that all the new Portworx nodes will start using Kubernetes secrets.

kubectl edit daemonset portworx -n kube-system

Add the "-secret_type", "k8s" arguments to the portworx container in the daemonset. It should look something like this:

  - args:
    - -c
    - testclusterid
    - -s
    - /dev/sdb
    - -x
    - kubernetes
    - -secret_type
    - k8s
    name: portworx

Editing the daemonset will also restart all the Portworx pods.

Creating secrets with Kubernetes

The following section describes how to generate, with Portworx and Kubernetes, the key that is used for encrypting volumes.

Setting cluster wide secret key

A cluster wide secret key is a common key that can be used to encrypt all your volumes. First, let us create a cluster wide secret in Kubernetes using kubectl:

# <cluster-wide-secret-value> is a placeholder: replace it with your own key material
kubectl -n portworx create secret generic px-vol-encryption \
  --from-literal=cluster-wide-secret-key=<cluster-wide-secret-value>

Note that the cluster wide secret has to reside in the px-vol-encryption secret under the portworx namespace, and the name of the key within that secret (cluster-wide-secret-key above) is what you pass to pxctl in the next step.

Now you have to give Portworx the cluster wide secret key, that acts as the default encryption key for all volumes.

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl secrets set-cluster-key \
  --secret cluster-wide-secret-key

This command needs to be run just once for the cluster. If you have added the cluster secret key through config.json, the above command will overwrite it. Even on subsequent Portworx restarts, the cluster secret key in config.json will be ignored in favor of the one set through the CLI.
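As an added example, not part of the Portworx docs, the following shell functions check that the px-account service account received the secret permissions the Role above grants and nothing broader, and that the px-vol-encryption secret carries the cluster-wide-secret-key entry, before -secret_type k8s is enabled. It assumes kubectl on the path and the object names used on this page; PX_SA and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Portworx code): pre-flight checks for the RBAC objects and the
# cluster wide secret created on this page. Assumes the px-account service account in
# kube-system, the portworx namespace, and the px-vol-encryption secret described above.

PX_SA="system:serviceaccount:kube-system:px-account"

# can_i NAMESPACE VERB -> prints "yes" or "no" as kubectl reports it for px-account
can_i() {
  kubectl auth can-i "$2" secrets --namespace "$1" --as "$PX_SA" 2>/dev/null
}

# Returns 0 when px-account can get/list/create/update/patch secrets in the portworx
# namespace (what px-role grants) and cannot reach secrets beyond that scope.
check_px_secret_rbac() {
  local verb
  for verb in get list create update patch; do
    [ "$(can_i portworx "$verb")" = "yes" ] || { echo "missing: $verb secrets in portworx"; return 1; }
  done
  # Least privilege: a "yes" here means a binding broader than the RoleBinding on this page
  # (for example a ClusterRoleBinding), which would expose every secret in the cluster.
  [ "$(can_i kube-system get)" = "no" ] || { echo "px-account can read kube-system secrets"; return 1; }
  [ "$(can_i portworx delete)" = "no" ] || { echo "px-account can delete portworx secrets"; return 1; }
  return 0
}

# Returns 0 when px-vol-encryption exists in the portworx namespace and its
# cluster-wide-secret-key entry is non-empty (the name passed to pxctl --secret).
check_cluster_wide_secret() {
  local value
  value=$(kubectl -n portworx get secret px-vol-encryption \
            -o jsonpath='{.data.cluster-wide-secret-key}' 2>/dev/null) || return 1
  [ -n "$value" ]
}

# Run against a live cluster with PX_CHECK_RUN=1 ./px-secrets-check.sh
if [ "${PX_CHECK_RUN:-0}" = "1" ]; then
  check_px_secret_rbac && check_cluster_wide_secret && echo "Kubernetes Secrets prerequisites OK"
fi
```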

(Optional) Authenticating with Kubernetes Secrets using the Portworx CLI

If you wish to quickly try Kubernetes secrets, you can authenticate Portworx with Kubernetes Secrets using the Portworx CLI. Run the following command:

PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n kube-system -- /opt/pwx/bin/pxctl secrets k8s login

Important: You need to run this command on all your Portworx nodes, so that you can create and mount encrypted volumes on all nodes.

If the CLI is used to authenticate with Kubernetes Secrets, then after every restart of the Portworx container it needs to be re-authenticated with Kubernetes Secrets by running the k8s login command on that node.

Using Kubernetes Secrets with Portworx

Last edited: Tuesday, Jan 26, 2021