Labs - Authentication

Looks like there’s a problem with this lab. Even when using the solutions, I am getting the same error.

Step Ten
Type Reason Age From Message

Warning ProvisioningFailed 5s (x5 over 60s) persistentvolume-controller Failed to provision volume with StorageClass “px-secure-sc”: rpc error: code = Unauthenticated desc = Request unauthenticated with bearer

I am not sure about your lab env, but based on persistentvolume-controller message adding the below a comment.
The portworx pvc controller’s role is to handle the create and delete the PVCs from Kubernetes and forward the request to the Portworx API.On most clusters, this is handled by the built-in controller manager that ships with Kubernetes. This is because we have a native driver in Kubernetes.Additional deployment of portworx-pvc-controller is needed in either of below 2 cases

  1. When the built-in controller manager is running on an isolated network: This is mostly seen in hosted installs like GKE on cloud, AKS etc where master nodes run on a different network. We also saw onprem Openshift 3.11 install master on an isolated network. Since the built-in controller manager runs on the master nodes, it cannot reach the Portworx API to create and delete volumes. And hence one needs to deploy it on the worker nodes
  2. When Portworx is not installed in kube-system namespace: The PVC controller only looks like the portworx-service in the kube-system namespace by default. So if Portworx is not installed in the kube-system namespace, it needs to be additionally deployed on the worker nodes. When running on the worker nodes, it will also attempt to talk to Portworx locally on the node where it’s running.

Note: Change the Kubernetes version in the URL matching to your cluster k8s version: and they try to install and redeploy your applications.

Let me know, how it goes.

I will take a look at this lab today to make sure it’s working correctly. Stay tuned.

@JohnWrightUK I was able to run through this lab today without issue. Let me walk through the steps I took so you can compare against your steps.

Makes sure and edit the portworx deamonset. Note the jwt issuer and example domain as well as the new environment variables.

Then also make sure to edit the stork deployment, note the new environment variable.

Then once your portworx pods are all healthy, produce the token and create the secret

Then your secure PVC should work.

Hope this helps.

1 Like


This looks to be working now. I think the instructions for Step 3 and Step 8 (potentially) have changed from when I posted this originally.

I wrongly combined the edits of the daemonset and deployment:

kubectl -n kube-system get ds portworx -o yaml > /root/px-spec.yaml

I made all the changes to this px-spec.yaml and applied them. I should have made seperate edits to the ds and deployment.

Thanks for the update on this!


No Problem!

Yes, we tried to improve the language in the lab as well given your feedback.


1 Like