Secure Application Workspaces on Portworx and Pure Storage FlashArray - Part 1
Secure Application Workspaces (SAW) for container-based applications leverage Pure Storage’s Secure Multi-Tenancy (SMT) to create a comprehensive solution for isolating and controlling access to Kubernetes workloads. This setup allows for effective separation between Kubernetes clusters and also isolates container-based workloads from other types of workloads.
Secure Application Workspaces are built on Pure Storage’s SMT, designed to provide varying levels of isolation for different user groups. SMT enables isolation to ensure storage space, performance guarantees, and even network separation. Additionally, it facilitates administrative partitioning for purposes like auditing, reporting, and cost management. In the past, achieving workload isolation required dedicating an entire FlashArray to each tenant, leading to high costs and operational complexities. SMT now offers a more efficient way to prevent “data leakage” across tenant boundaries while keeping costs down.
Pure Storage’s high availability and performance make it an ideal platform for multi-tenant environments. With non-disruptive hardware upgrades, Pure Storage minimizes downtime across generations. Quality of Service (QoS) controls further ensure that each tenant receives fair access to resources.
While SMT can benefit various applications, it’s particularly valuable in Kubernetes environments, which have unique challenges. Kubernetes workloads are often provisioned automatically via API by developers and platform engineers. For this reason, Portworx integration with SMT is crucial to support workload isolation, maintain resource limits, and ensure security for Kubernetes clusters sharing a single FlashArray.
FlashArray Secure Multi-Tenancy
Let’s start with an introduction to FlashArray Secure Multi-Tenancy. This feature provides isolation for different consumers of a FlashArray. By providing quotas, isolation, and resource guarantees to different groups using our array, we ensure that all of our consumers get what they need without being able to see each other’s resources.
At a high level, a Pure storage administrator creates a Realm. A realm is a boundary that will contain:
- QoS policies
- Resource limits
- Users
- Network interfaces (either physical or VLAN interfaces)
- Volumes
A realm can be thought of as a tenant within a FlashArray.
At a minimum, multi-tenant systems should provide the end customer with an interface to provision resources, but multi-tenancy has a few additional requirements:
Availability
A multi-tenant system outage disrupts all consumers. Multi-tenancy requires the resilience to system and environmental failure that Pure’s high availability, non-disruptive upgrades, and demonstrated six “nines” of system availability across its entire installed base deliver.
Isolation
In single-tenant systems, storage administrators use network connections and access permissions to isolate applications’ data resources as necessary. With multi-tenancy, preventing “data leakage” across consumer boundaries is a necessary system capability.
Performance
Many storage systems provide quality of service (QoS) controls that can be applied to minimize application “resource hogging.” In multi-tenant systems, consumers require this capability for their resources, but providers must also be able to regulate each consumer’s overall resource consumption.
Delegation
Some systems implement roles that define administrator capabilities. Multi-tenant systems must be able to delegate storage management roles to consumers and reserve system management roles for providers.
Reporting
Most storage systems can report utilization and performance at the device, device group, and/or system levels. Multi-tenant systems must be able to report these usage metrics to each consumer, as well as to providers at the overall system level.
Utilization
In multi-tenant systems, providers need tools that allow them to efficiently allocate resources and monitor utilization for cost-effective utilization of system resources.
Portworx by Pure Storage
Let’s move on to an overview of Portworx. Portworx provides a software-defined storage management layer for Kubernetes infrastructure. Portworx installs within a Kubernetes environment and provides a slew of features including (but not limited to!):
- Dynamic provisioning and failover
- Multi-zone HA
- Async and Sync replication solutions
- App I/O control and storage automation
- Encryption
Secure Application Workspaces uses two Portworx features specifically:
CloudDrives
Clouddrives provides a way to automate back-end storage provisioning. Portworx uses a pool of disks that are attached to Kubernetes worker nodes. Portworx will then provision persistent volumes (PVs) to the end user applications using the container storage interface (CSI). This allows many PVs to be provisioned on top of fewer, larger disks. Of course we may still need more space as our applications continue to grow. This can be easily accomplished by adding additional disks to our storage cluster. Clouddrives automates both the provisioning and the ongoing management of these block devices, and supports automated provisioning with Pure Storage FlashArrays.
FlashArray Direct Access Volumes
Another feature we will be covering in this article as it relates to Secure Application Workspaces is FlashArray Direct Access Volumes (FADA). Similar to the above Clouddrives, FADA automates the provisioning and management of FlashArray volumes, but instead of putting them in a storage pool, the container accesses the volume directly.
Both of these features have one thing in common: they automatically provision volumes on a FlashArray. Giving away that level of access and control of a FlashArray to a Kubernetes cluster can introduce a host of headaches to your storage administrator. A simple error in a provisioning pipeline could chew up storage resources, causing other consumers of the array to be starved for resources. Secure Application Workspaces solves this problem.
Conclusion
Implementing Secure Application Workspaces (SAW) with Portworx and Pure Storage FlashArray offers a powerful solution for managing multi-tenancy in Kubernetes environments. By leveraging features like Pure Storage’s Secure Multi-Tenancy (SMT) and Portworx’s automated volume provisioning through Clouddrives and FlashArray Direct Access Volumes (FADA), you can efficiently isolate workloads, enforce security policies, and maintain resource allocation for different tenants.
The process of configuring SAW involves setting up realms, pods, and roles within the FlashArray, creating the necessary Kubernetes secrets, and ensuring correct network and multipath configurations. While the steps outlined in this blog provide a practical guide for setting up the environment, it’s important to consider your specific use case and ensure all requirements are met for smooth integration. By following these procedures, you’ll be able to harness the benefits of secure and scalable storage management in a multi-tenant Kubernetes architecture, ensuring that each tenant has the resources and isolation they need without compromising the integrity of the system.
To learn how to configure Secure Application Workspaces, check out part 2 of this series.
Chris Crow
Chris is a Technical Marketing Engineer Supporting Portworx