Design
Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization design
Container Storage Modules (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products.
CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. It does this by deploying a proxy between the CSI driver and the storage system to enforce role-based access and usage rules.
Storage administrators of compatible storage platforms will be able to apply quota and RBAC rules that instantly and automatically restrict cluster tenants' usage of storage resources. Users of storage through CSM for Authorization do not need storage admin root credentials to access the storage system.
Kubernetes administrators will have an interface to create, delete, and manage the roles/groups to which storage rules may be applied. Administrators and/or users may then generate authentication tokens that tenants can use to access storage, with the proper access policies being automatically enforced.
The following diagram shows a high-level overview of CSM for Authorization with a tenant app that is using a CSI driver to perform storage operations through the CSM for Authorization proxy server to access a Dell storage system. Every request from the CSI driver carries the token for the given tenant that was granted by the Storage Administrator.
| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
|---|---|---|---|---|---|
| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
| Ability to shield storage credentials from Kubernetes administrators, ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
NOTE: PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS documentation.
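To make the enforcement path above concrete, here is an added example, not code from CSM itself, of the three checks the proxy server performs on a tenant request: the token must be one the storage admin issued, the role bound to that tenant must cover the requested system and pool, and the request must fit inside the remaining quota. Only then does the proxy forward the call with its own admin credential, which the CSI driver never holds. All names, the `Role` shape and the GiB quota unit are assumptions of this example, not CSM's actual schema.

```go
package main

import "fmt"

// Role binds a tenant to one system/pool with a GiB quota (assumed shape, not CSM's schema).
type Role struct {
	System, Pool string
	QuotaGiB     int64
}

// Proxy enforces role and quota rules and is the only component holding admin credentials.
type Proxy struct {
	tokens   map[string]string // opaque token -> tenant, as issued by the storage admin
	roles    map[string]Role   // tenant -> role
	creds    map[string]string // system -> admin credential, never returned to a tenant
	consumed map[string]int64  // tenant -> GiB already granted against the quota
}

// Authorize is the proxy's check on a create-volume request carrying the tenant's token:
// token validity, role system/pool binding, remaining quota; returns the upstream admin credential.
func (p *Proxy) Authorize(token, system, pool string, sizeGiB int64) (string, error) {
	tenant, ok := p.tokens[token]
	if !ok {
		return "", fmt.Errorf("denied: unknown token")
	}
	role, ok := p.roles[tenant]
	if !ok || role.System != system || role.Pool != pool {
		return "", fmt.Errorf("denied: tenant %q has no role on %s/%s", tenant, system, pool)
	}
	if sizeGiB <= 0 || p.consumed[tenant]+sizeGiB > role.QuotaGiB {
		return "", fmt.Errorf("denied: request of %d GiB exceeds %d GiB quota for tenant %q", sizeGiB, role.QuotaGiB, tenant)
	}
	p.consumed[tenant] += sizeGiB
	return p.creds[system], nil
}

// NewDemoProxy wires up constructed sample data: one tenant, one role, one storage system.
func NewDemoProxy() *Proxy {
	return &Proxy{
		tokens:   map[string]string{"tok-alpha-123": "alpha"},
		roles:    map[string]Role{"alpha": {System: "powerflex-1", Pool: "pool-gold", QuotaGiB: 100}},
		creds:    map[string]string{"powerflex-1": "ADMIN-CREDENTIAL-PLACEHOLDER"},
		consumed: map[string]int64{},
	}
}

func main() {
	cred, err := NewDemoProxy().Authorize("tok-alpha-123", "powerflex-1", "pool-gold", 40)
	fmt.Println(cred, err) // prints the placeholder credential and <nil>
}
```

The consumed counter is what makes the quota cumulative across requests, which is why a second request that would push the tenant past its limit is rejected even though each request on its own is small.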
Authorization consists of two main components: the Authorization Sidecar and the Authorization Proxy Server. The Authorization Sidecar is bundled with the CSI driver, and the Authorization Proxy Server validates access to storage platforms.
Users should always install or upgrade to the Authorization proxy server and sidecar from the same release. This practice helps ensure optimal performance and compatibility, avoiding potential issues from version discrepancies.
NOTE: If the number of controller pods deployed by the CSI driver matches the number of scheduled nodes in your cluster, Authorization may not be able to inject properly into the driver’s controller pod. To resolve this, please refer to our troubleshooting guide on the topic.
The CSM for Authorization CLI can be executed in the context of the following roles:
Storage Administrators can perform the following operations within CSM for Authorization
Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.