CLI
Starting with CSM 1.13, Authorization v1.x will be deprecated and will be officially discontinued by CSM 1.15 in September 2025. Please switch to Authorization v2.0 before then to avoid any issues. Migration steps are available here.
karavictl is a command-line interface (CLI) used to interact with and manage your Container Storage Modules (CSM) Authorization deployment. This document outlines all karavictl commands, their intended use, options that can be provided to alter their execution, and expected output from those commands.
If you feel that something is unclear or missing in this document, please open up an issue.
Command | Description |
---|---|
karavictl | karavictl is used to interact with CSM Authorization Server |
karavictl admin token | Generate admin tokens |
karavictl cluster-info | Display the state of resources within the cluster |
karavictl generate | Generate resources for use with CSM |
karavictl generate token | Generate tokens |
karavictl role | Manage role |
karavictl role get | Get role |
karavictl role list | List roles |
karavictl role create | Create one or more CSM roles |
karavictl role update | Update the quota of one or more CSM roles |
karavictl role delete | Delete role |
karavictl rolebinding | Manage role bindings |
karavictl rolebinding create | Create a rolebinding between role and tenant |
karavictl rolebinding delete | Delete a rolebinding between role and tenant |
karavictl storage | Manage storage systems |
karavictl storage get | Get details on a registered storage system |
karavictl storage list | List registered storage systems |
karavictl storage create | Create and register a storage system |
karavictl storage update | Update a registered storage system |
karavictl storage delete | Delete a registered storage system |
karavictl tenant | Manage tenants |
karavictl tenant create | Create a tenant resource within CSM |
karavictl tenant get | Get a tenant resource within CSM |
karavictl tenant list | Lists tenant resources within CSM |
karavictl tenant revoke | Get a tenant resource within CSM |
karavictl tenant delete | Deletes a tenant resource within CSM |
karavictl tenant update | Updates a tenant resource within CSM |
General Commands
karavictl
karavictl is used to interact with CSM Authorization Server
Synopsis
karavictl provides security, RBAC, and quota limits for accessing Dell storage products from Kubernetes clusters
Commands
admin Generate admin token for use with CSM Authorization
cluster-info Display the state of resources within the cluster
completion Generate the autocompletion script for the specified shell
generate Generate resources for use with Karavi
help Help about any command
role Manage roles
rolebinding Manage role bindings
storage Manage storage systems
tenant Manage tenants
Options
-h, --help Help for karavictl
-f, --admin-token Path to admin token file; required for all commands except `admin token` and `cluster-info`
--addr Address of the CSM Authorization Proxy Server; required for all commands except `admin token` and `cluster-info`
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
Outputs help text
karavictl admin token
Generate admin tokens
Synopsis
Generate admin token for use with CSM Authorization commands. The tokens output in YAML format, which can be saved in a file.
karavictl admin token [flags]
Required Flags
-n, --name Name of the admin
Optional Flags
-h, --help Help for token
-s, --jwt-signing-secret Specify JWT signing secret, or omit to use stdin
--refresh-token-expiration Expiration time of the refresh token, e.g. 48h (default 720h0m0s)
--access-token-expiration Expiration time of the access token, e.g. 1m30s (default 1m0s)
Output
$ karavictl admin token --name admin --access-token-expiration 30s --refresh-token-expiration 120m
$ Enter JWT Signing Secret: ***********
{
"Access": <ACCESS-TOKEN>,
"Refresh": <REFRESH-TOKEN>
}
Alternatively, one can supply JWT signing secret with command.
$ karavictl admin token --name admin --jwt-signing-secret secret --access-token-expiration 30s --refresh-token-expiration 120m
{
"Access": <ACCESS-TOKEN>,
"Refresh": <REFRESH-TOKEN>
}
karavictl cluster-info
Display the state of resources within the cluster
Synopsis
Prints table of resources within the cluster, including their readiness
karavictl cluster-info [flags]
Optional Flags
-h, --help Help for cluster-info
-w, --watch Watch for changes
Output
karavictl cluster-info
NAME READY UP-TO-DATE AVAILABLE AGE
tenant-service 1/1 1 1 59m
redis-primary 1/1 1 1 59m
proxy-server 1/1 1 1 59m
redis-commander 1/1 1 1 59m
storage-service 1/1 1 1 59m
role-service 1/1 1 1 59m
karavictl generate
Generate resources for use with CSM
Synopsis
Generates resources for use with CSM
karavictl generate [flags]
Optional Flags
-h, --help Help for generate
karavictl generate token
Generate tokens
Synopsis
Generate tokens for use with the CSI Driver when in proxy mode The tokens are output as a Kubernetes Secret resource, so the results may be piped directly to kubectl:
Example:
karavictl generate token --tenant Alice --admin-token admintoken.yaml --addr csm-authorization.host.com | kubectl apply -f -
Required Flags
-t, --tenant Name of the tenant
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for token
--insecure Skip certificate validation of the CSM Authorization Proxy Server
--access-token-expiration Expiration time of the access token, e.g. 1m30s (default 1m0s)
--refresh-token-expiration Expiration time of the refresh token, e.g. 48h (default 720h0m0s)
Output
karavictl generate token --tenant Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
apiVersion: v1
data:
access: <ACCESS-TOKEN>
refresh: <REFRESH-TOKEN>
kind: Secret
metadata:
creationTimestamp: null
name: proxy-authz-tokens
type: Opaque
Usually, you will want to pipe the output to kubectl to apply the secret
karavictl generate token --tenant Alice --admin-token admintoken.yaml --addr csm-authorization.host.com | kubectl apply -f -
The token is read once when the driver pods are started and is not dynamically updated. If you are applying a new token in an existing driver installation, restart the driver pods for the new token to take effect.
kubectl -n <driver-namespace> rollout restart deploy/<driver>-controller
kubectl -n <driver-namespace> rollout restart ds/<driver>-node
karavictl role
Manage roles
Synopsis
Manage roles
karavictl role [flags]
Options
-h, --help Help for role
karavictl role get
Get role
Synopsis
Get role
karavictl role get [flags]
Required Flags
-n, --name Name of the role
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for get
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl role get CSISilver --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"Name": "CSISilver",
"StorageSystem": "3000000000011111",
"PoolQuotas": [
{
"Pool": "mypool",
"Quota": "16 GB"
}
]
}
karavictl role list
List roles
Synopsis
List roles
karavictl role list [flags]
Required Flags
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for list
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl role list --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"CSIGold": [
{
"storage_system_id": "3000000000011111",
"pool_quotas": [
{
"pool": "mypool",
"quota": 32000000
}
]
}
],
"CSISilver": [
{
"storage_system_id": "3000000000011111",
"pool_quotas": [
{
"pool": "mypool",
"quota": 16000000
}
]
}
]
}
karavictl role create
Create one or more CSM roles
Synopsis
Creates one or more CSM roles
karavictl role create [flags]
Required Flags
--role Role in the form <name>=<type>=<id>=<pool>=<quota>
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for create
--insecure Skip certificate validation of the CSM Authorization Proxy Server
NOTE:
- Setting the
quota
to 0 will not enforce storage quota
Output
karavictl role create --role=role-name=system-type=000000000001=mypool=200000000 --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl role get <role-name>
to confirm the creation occurred.
karavictl role update
Update the quota of one or more CSM roles
Synopsis
Updates the quota of one or more CSM roles
karavictl role update [flags]
Required Flags
--role Role in the form <name>=<type>=<id>=<pool>=<quota>
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for update
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl role update --role=role-name=system-type=000000000001=mypool=400000000 --admin-token admintoken.yaml
On success, there will be no output. You may run karavictl role get <role-name>
to confirm the update occurred.
karavictl role delete
Delete role
Synopsis
Delete role
karavictl role delete [flags]
Required Flags
--role Role in the form <name>=<type>=<id>=<pool>=<quota>
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl role delete --name CSISilver --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl role get <role-name>
to confirm the deletion occurred.
karavictl rolebinding
Manage role bindings
Synopsis
Management for role bindings
karavictl rolebinding [flags]
Options
-h, --help help for rolebinding
karavictl rolebinding create
Create a rolebinding between role and tenant
Synopsis
Creates a rolebinding between role and tenant
karavictl rolebinding create [flags]
Required Flags
-r, --role Role name
-t, --tenant Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for create
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl rolebinding create --role CSISilver --tenant Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl tenant get --name <tenant-name>
to confirm the rolebinding creation occurred.
karavictl rolebinding delete
Delete a rolebinding between role and tenant
Synopsis
Deletes a rolebinding between role and tenant
karavictl rolebinding delete [flags]
Required Flags
-r, --role Role name
-t, --tenant Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl rolebinding delete --role CSISilver --tenant Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output.
Storage Commands
karavictl storage
Manage storage systems
Synopsis
Manages storage systems
karavictl storage [flags]
Options
-h, --help Help for storage
karavictl storage get
Get details on a registered storage system.
Synopsis
Gets details on a registered storage system.
karavictl storage get [flags]
Required Flags
-s, --system-id System identifier (default "systemid")
-t, --type Type of storage system ("powerflex", "powermax", "powerscale")
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl storage get --type powerflex --system-id 3000000000011111 --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"User": "admin",
"Password": "(omitted)",
"Endpoint": "https://1.1.1.1",
"Insecure": true
}
karavictl storage list
List registered storage systems.
Synopsis
Lists registered storage systems.
karavictl storage list [flags]
Required Flags
-t, --type Type of storage system ("powerflex", "powermax", "powerscale")
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl storage list --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"storage": {
"powerflex": {
"3000000000011111": {
"Endpoint": "https://1.1.1.1",
"Insecure": true,
"Password": "(omitted)",
"User": "admin"
}
}
}
}
karavictl storage create
Create and register a storage system.
Synopsis
Creates and registers a storage system.
karavictl storage create [flags]
Required Flags
-e, --endpoint Endpoint of REST API gateway
-p, --password Password (default "****")
-s, --system-id System identifier (default "systemid")
-t, --type Type of storage system ("powerflex", "powermax")
-u, --user Username (default "admin")
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
-a, --array-insecure Skip certificate validation of the storage array
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl storage create --endpoint https://1.1.1.1 --insecure --array-insecure --system-id 3000000000011111 --type powerflex --user admin --password ******** --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl storage get --type <storage-system-type> --system-id <storage-system-id>
to confirm the creation occurred.
karavictl storage update
Update a registered storage system.
Synopsis
Updates a registered storage system.
karavictl storage update [flags]
Required Flags
-e, --endpoint Endpoint of REST API gateway
-p, --pass Password (default "****")
-s, --system-id System identifier (default "systemid")
-t, --type Type of storage system ("powerflex", "powermax")
-u, --user Username (default "admin")
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
-a, --array-insecure Skip certificate validation of the storage array
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl storage update --endpoint https://1.1.1.1 --insecure --array-insecure --system-id 3000000000011111 --type powerflex --user admin --password ******** --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl storage get --type <storage-system-type> --system-id <storage-system-id>
to confirm the update occurred.
karavictl storage delete
Delete a registered storage system.
Synopsis
Deletes a registered storage system.
karavictl storage delete [flags]
Required Flags
-s, --system-id System identifier (default "systemid")
-t, --type Type of storage system ("powerflex", "powermax")
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl storage delete --type powerflex --system-id 3000000000011111 --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl storage get --type <storage-system-type> --system-id <storage-system-id>
to confirm the deletion occurred.
Tenant Commands
karavictl tenant
Manage tenants
Synopsis
Management for tenants
karavictl tenant [flags]
Options
-h, --help help for tenant
karavictl tenant create
Create a tenant resource within CSM
Synopsis
Creates a tenant resource within CSM
karavictl tenant create [flags]
Required Flags
-n, --name Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
-a, --approvesdc To allow/deny SDC approval requests (default true | This flag is only applicable to PowerFlex. This flag will Approve/Deny a tenant's SDC request)
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant create --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl tenant get --name <tenant-name>
to confirm the creation occurred.
karavictl tenant get
Get a tenant resource within CSM
Synopsis
Gets a tenant resource and its assigned roles within CSM
karavictl tenant get [flags]
Required Flags
-n, --name Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant get --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"name": "Alice"
"roles": "role-1,role-2"
}
karavictl tenant list
Lists tenant resources within CSM
Synopsis
Lists tenant resources within CSM
karavictl tenant list [flags]
Required Flags
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant list --admin-token admintoken.yaml --addr csm-authorization.host.com
{
"tenants": [
{
"name": "Alice"
}
]
}
karavictl tenant revoke
Revokes access for a tenant
Synopsis
Revokes access to storage resources for a tenant
karavictl tenant revoke [flags]
Required Flags
-n, --name Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-c, --cancel Cancel a previous tenant revocation
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant revoke --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output.
karavictl tenant delete
Deletes a tenant resource within CSM
Synopsis
Deletes a tenant resource within CSM
karavictl tenant delete [flags]
Required Flags
-n, --name Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant delete --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl tenant get --name <tenant-name>
to confirm the deletion occurred.
karavictl tenant update
Updates a tenant’s resource within CSM
Synopsis
Updates a tenant resource within CSM
karavictl tenant update [flags]
Required Flags
-n, --name Tenant name
-f, --admin-token Path to admin token file
--addr Address of the CSM Authorization Proxy Server
Optional Flags
-h, --help Help for delete
-a, --approvesdc To allow/deny SDC approval requests (default true | This flag is only applicable to PowerFlex. This flag will Approve/Deny a tenant's SDC request)
--insecure Skip certificate validation of the CSM Authorization Proxy Server
Output
karavictl tenant update --name Alice --approvesdc=false --admin-token admintoken.yaml --addr csm-authorization.host.com
On success, there will be no output. You may run karavictl tenant get --name <tenant-name>
to confirm the update was persisted.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.