PVCs and Stork with Authorization

Creating volumes

Portwox authorization provides a method of protection for creating volumes through Kubernetes. Users must provide a token when requesting volumes. These tokens must be saved in a Secret, normally in the same namespace as the PVC.

The key in the Secret which holds the token must be named auth-token.

Then the annotations of the PVC can be used to point to the secret holding the token. The following table shows the annotation keys used to point to the secret:

Name Description
openstorage.io/auth-secret-name Name of the secret which has the token
openstorage.io/auth-secret-namespace Optional key which contains the namespace of the secret reference by auth-secret-name. If omitted, the namespace of the PVC will be used as default

Here is an example:

  • Create a secret with the token:
kubectl create secret generic px-secret \
  -n default --from-literal=auth-token=ey..hs
  • Create a PVC request for a 2Gi volume with the appropriate authorization:
kind: PersistentVolumeClaim
apiVersion: v1
  name: pvc-auth
    volume.beta.kubernetes.io/storage-class: portworx-sc
    openstorage.io/auth-secret-name: px-secret
    openstorage.io/auth-secret-namespace: default
    - ReadWriteOnce
      storage: 2Gi


When using CRDs consumed by Stork, you must use the same authorization model described above for the PVCs. Here is an example:

apiVersion: volumesnapshot.external-storage.k8s.io/v1
kind: VolumeSnapshot
  name: mysql-snap1
    openstorage.io/auth-secret-name: px-secret
    openstorage.io/auth-secret-namespace: default
  persistentVolumeClaimName: mysql-data


For more information on Kubernetes Secret which holds the environment variables See Kubernetes Secrets

Last edited: Friday, Aug 28, 2020