Authorization - v1.x
As of Container Storage Modules v1.15, Authorization v1.x will not be supported. Please migrate to Authorization v2.0 using the following guide.
The following diagram shows a high-level overview of Container Storage Modules for Authorization with a tenant-app that is using a CSI driver to perform storage operations through the Authorization proxy-server to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.
Container Storage Modules Authorization Capabilities
| Feature | PowerStore | PowerScale | PowerFlex | PowerMax | Unity XT |
|---|---|---|---|---|---|
Ability to set storage quota limits to ensure k8s tenants are not over consuming storage |
No | No (natively supported) | Yes | Yes | No |
Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them |
No | No (natively supported) | Yes | Yes | No |
Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins |
No | Yes | Yes | Yes | No |
NOTE: PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS documentation.
Authorization Components Support Matrix
Authorization consists of two main components - the Authorization Sidecar and the Authorization Proxy Server. The Authorization Sidecar is bundled with the CSI driver, and the Authorization Proxy Server validates access to storage platforms.
Users should always install or upgrade the Authorization proxy server and sidecar from the same release. This practice helps ensure optimal performance and compatibility, avoiding potential issues from version discrepancies.
Roles and Responsibilities
The Container Storage Modules for Authorization CLI can be executed in the context of the following roles:
- Storage Administrators
- Kubernetes Tenant Administrators
Storage Administrators
Storage Administrators can perform the following operations within Container Storage Modules for Authorization
- Tenant Management (create, get, list, delete, bind roles, unbind roles)
- Token Management (generate, revoke)
- Storage System Management (create, get, list, update, delete)
- Storage Access Roles Management (assign to a storage system with an optional quota)
Tenant Administrators
Tenants of Container Storage Modules for Authorization can use the token provided by the Storage Administrators in their storage requests.
Workflow
- Tenant Admin requests storage from a Storage Admin.
- Storage Admin uses Container Storage Modules Authorization CLI to:
a) Create a tenant resource.
b) Create a role permitting desired storage access.
c) Assign the role to the tenant and generate a token. - Storage Admin returns a token to the Tenant Admin.
- Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
- Tenant Admin updates CSI driver with Container Storage Modules Authorization sidecar module.
