PDS Security


Portworx Data Services (PDS) uses a shared responsibility model for security. This means that Portworx secures certain components, but you must ensure the security of other components:

  • Portworx secures the SaaS portion of PDS known as the control plane.

  • You must secure components in the data plane.

Secure the data plane

You’re responsible for securing the following components in the data plane:

  • Target clusters: You provide the Kubernetes target clusters and are responsible for keeping them secure and up to date.

  • Backup targets: You provide the object stores used as backup targets and are responsible for keeping them secure.

  • Data service deployments: Portworx deploys certain components onto your target cluster, but ensures the integrity of these components when they’re deployed. Specifically, Portworx deploys the following:

    • Docker images

    • Operators and agents Portworx that manage your applications

Control access to data services

When PDS deploys a data service to your cluster, it creates an initial set of credentials. You are responsible for managing access to the data service from this point, including adding more users.

Connections

You can install the PDS Helm chart to initiate connection from the target cluster to the control plane. PDS agent connects to the PDS API server, Teleport agent connects to the Teleport API server. Teleport creates a reverse tunnel to facilitate proxy connections from the PDS control plane to the Kubernetes API server of a target cluster.

You can terminate connections by deleting the PDS agent and Teleport agent deployments.

Operations

This section explains how PDS manages the target cluster, backup, and data service deployment operations.

Target Cluster Management

The target cluster management is done in PDS by a secure reverse tunnel and Kubernetes proxy.

Target cluster auto-configuration

When you install PDS Helm chart, the PDS agent starts, registers the cluster at PDS API server, retrieves configuration details and reconfigures the following third-party components:

  • Teleport agent to create a secure proxy for Kubernetes API access.

  • Prometheus to push metrics to the PDS control plane.

  • External DNS to provide DNS endpoint for data service deployments through the AWS Route 53.

Access to Kubernetes API

When the Teleport agent is configured by the PDS agent, it creates an encrypted reverse tunnel from the target cluster to the PDS control plane. This tunnel acts as Kubernetes API proxy to provide the PDS control plane with access to the Kubernetes API server in the target cluster.

The PDS control plane is authenticated as the teleport:pds-system Kubernetes group with rights according to Role Based Access Control (RBAC) installed by PDS Helm chart:

  • pds-control-plane and pds-control-plane-portworx-api cluster roles

  • pds-control-plane and pds-control-plane-portworx-api cluster role bindings

The benefits of this approach are:

  • No open ingress ports are required in the target cluster.

  • Only open egress ports 443 and 3024 are required in the target cluster.

  • Self-registration and auto-configuration of the target cluster.

Backup target set-up

This action is initiated when you add a new backup target or deployment target to PDS. The PDS control plane synchronizes backup target credentials, which are needed for cloud backups of data services. The PDS API worker:

  1. Asks the Teleport API server to provide short-time credentials for a specific target cluster.

  2. Connects through the Teleport Kubernetes proxy to the Kubernetes API server of the target cluster.

  3. Calls the Portworx Service API to store the cloud credentials.

NOTE: The cloud credentials in the PDS control plane are encrypted at rest.

Data service deployment

This occurs when you create or update a data service deployment using the PDS UI or API:

  1. PDS API worker asks Teleport API Server to provide short-time credentials for a particular target cluster.

  2. PDS API worker connects through the Teleport Kubernetes proxy to the Kubernetes API server of the target cluster.

  3. PDS API worker creates or updates a custom resource according to the data service type. For example, Cassandra, PostgreSQL, and so on.

  4. PDS deployments operator reconciles the service custom resource by creating or updating a corresponding Database CR.

  5. PDS deployments operator reconciles the database CR by creating native Kubernetes resources such as StatefulSet, Service, Role, Rolebinding, and so on.

Ad-hoc data service backup

This action is initiated when you trigger an ad-hoc backup in the PDS UI:

  1. PDS API worker asks Teleport API Server to provide short-time credentials for a particular target cluster.

  2. PDS API worker connects through the Teleport Kubernetes proxy to the Kubernetes API server of the target cluster.

  3. PDS API worker creates a Backup CR.

  4. PDS Backups Operator reconciles the Backup CR by creating a Job to execute a backup script of a particular data service.

  5. When the backup script finishes, PDS Backups Operator creates a volume snapshot of type cloudsnap.

  6. Stork uploads the snapshot to a corresponding backup target.

Scheduled data service backup

This action is initiated when you add or change a backup policy to data service deployment in the PDS UI:

  1. PDS API worker asks Teleport API Server to provide short-time credentials for a particular target cluster.

  2. PDS API worker connects through the Teleport Kubernetes proxy to the Kubernetes API server of the target cluster.

  3. PDS API worker creates a Backup CR.

  4. PDS Backups Operator reconciles the Backup CR by creating a CronJob resource to create Jobs resources according to the schedule.

  5. When a Job is created, it executes a backup script of a particular data service.

  6. When the backup script finishes, PDS Backups Operator creates a volume snapshot of type cloudsnap.

  7. Stork uploads the snapshot to a corresponding backup target.

Network communication

This section describes network communication between target cluster and control plane.

  • All network connections are egress from the target cluster. Therefore, no open ingress ports are required.

  • All network connections are encrypted (TLS or SSH) and authenticated.

  • Requests from the control plane to the target cluster don’t establish their own connections but are tunneled through an existing Teleport connection.

Target

Domain

Ports

Protocols

Authentication

PDS API server

prod.pds.portworx.com

443

HTTPS

Bearer token

Cortex

prod.pds.portworx.com

443

HTTPS

Bearer token

Teleport server

prod-teleport.pds.portworx.com

443, 3024

HTTPS, gRPC, SSH

Join token, node certificate

PDS domain names are the approved destinations for outgoing PDS connections. The IP addresses are not guaranteed to be stable. If you want to whitelist IP addresses, then it is needed to monitor the IP addresses for the DNS records and adjust the IP whitelist accordingly.

Security configurations

The PDS agent and Teleport agent are the two paths for accessing PDS services. Both require authentication, encrypt communications, and are continuously monitored to detect suspicious events.

Access through proxy servers

PDS, currently, does not support access through proxy servers.

Encryption

All communication between a target cluster and the control plane is encrypted in transit. Sensitive data stored in the PDS control plane. For example, backup target credentials such as Amazon S3, Azure, and GCP are encrypted at rest in the PDS database.



Last edited: Thursday, Dec 1, 2022