Storage considerations

To install IBM® Guardium Insights, you must have a supported file storage system on your Red Hat® OpenShift® cluster.

As you plan your system, remember that not all services support all types of storage. For complete information on the storage types supported by each service, see Storage requirements.

What storage options are supported for the platform?

Guardium Insights supports dynamic storage provisioning. A Red Hat OpenShift cluster administrator must properly configure storage before Guardium Insights is installed.

If the services that you want to install don't support the same type of storage, you can have a mixture of different storage types on your cluster.

Guardium Insights supports and is optimized for several types of persistent storage:

Storage option | Version | Notes
OpenShift Data Foundation (formerly called OpenShift Container Storage) | Version 4.6 or later | Available in the IBM Storage Suite for IBM Cloud®. Ensure that you install a version of OpenShift Data Foundation that is compatible with the version of Red Hat OpenShift Container Platform that you are running. For details, see https://access.redhat.com/articles/4731161.
OpenShift Data Foundation as a Service | Not applicable | Contact IBM Support for assistance. OpenShift Data Foundation as a Service is available as part of a special agreement between AWS and IBM Guardium Insights Product Managers. Contact the Product Management team for assistance.
IBM Spectrum® Fusion | Version 2.2.0 or later fixes | Available in either IBM Spectrum Fusion or IBM Storage Suite for IBM Guardium Insights.
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) | Version 5.1.3.x or later fixes; CSI Version 2.5.x or later fixes | Available in either IBM Spectrum Fusion or IBM Storage Suite for IBM Guardium Insights.
Portworx | Version 2.9.1 or later fixes |
NFS | Version 3 or 4. The latest version is recommended. |
Amazon Elastic Block Store (EBS) | Not applicable | Your environment must also include EFS storage.
Amazon Elastic File System (EFS) | Not applicable | It is recommended that you use both EBS and EFS storage.
IBM Cloud Block Storage | Not applicable | Your environment must also include IBM Cloud File Storage.
IBM Cloud File Storage | Not applicable | It is recommended that you use both IBM Cloud Block Storage and IBM Cloud File Storage.
Note: The preceding storage options have been evaluated by IBM. However, you should run the Guardium Insights storage validation tool on your Red Hat OpenShift cluster to:
  • Evaluate whether the storage on your cluster is sufficient for use with Guardium Insights.
  • Assess storage provided by other vendors. This tool does not guarantee support for other types of storage. You can use other storage environments at your own risk.

What storage options are supported on my cloud deployment environment?

Some storage options are supported only on a specific deployment environment. Ensure that you select a storage option that works on your chosen cloud deployment environment.

For clusters hosted on third-party infrastructure, such as IBM Cloud or Amazon Web Services, it is recommended that you use storage that is native to the infrastructure, if possible.

Restriction: Some services support a subset of the storage options that are supported by the platform. For details, see Storage requirements.
Deployment environment Managed OpenShift Self-managed OpenShift
On-premises
IBM Cloud Satellite supports the following storage options:
  • OpenShift Data Foundation
  • Portworx
The following storage options are supported on bare metal and VMware infrastructure:
  • OpenShift Data Foundation
  • IBM Spectrum Fusion
  • IBM Spectrum Scale Container Native
  • Portworx
  • NFS
IBM Cloud
Red Hat OpenShift on IBM Cloud supports the following storage options:
  • Portworx
The following storage options are supported on classic IBM Cloud infrastructure:
  • IBM Cloud File Storage
  • IBM Cloud Block Storage
  • Portworx
  • NFS

The following storage options are supported on VPC IBM Cloud infrastructure:

  • Portworx
  • NFS
Amazon Web Services (AWS)
Red Hat OpenShift Service on AWS (ROSA) supports the following storage options:
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • OpenShift Data Foundation as a Service

    Contact IBM Support to set up OpenShift Data Foundation as a Service.

    OpenShift Data Foundation as a Service is available as part of a special agreement between AWS and IBM Guardium Insights Product Managers. Contact the Product Management team for assistance.

The following storage options are supported on AWS infrastructure:
  • OpenShift Data Foundation
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Portworx
  • NFS
Microsoft Azure
Azure Red Hat OpenShift (ARO) supports the following storage options:
  • OpenShift Data Foundation
The following storage options are supported on Microsoft Azure infrastructure:
  • OpenShift Data Foundation
  • Portworx
  • NFS, specifically Microsoft Azure locally redundant Premium SSD storage
Google Cloud
Managed OpenShift on Google Cloud is not supported.
The following storage options are supported on Google Cloud infrastructure:
  • OpenShift Data Foundation
  • Portworx
  • NFS

What storage options are supported on the version of Red Hat OpenShift Container Platform that I am running?

Storage option Version 4.6 Version 4.8 Version 4.10
OpenShift Data Foundation
OpenShift Data Foundation as a Service    
IBM Spectrum Fusion  
IBM Spectrum Scale Container Native  
Portworx
NFS
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage

What storage options are supported on my hardware?

Storage option x86-64 Power® s390x
OpenShift Data Foundation    
OpenShift Data Foundation as a Service    
IBM Spectrum Fusion    
IBM Spectrum Scale Container Native    
Portworx    
NFS
Amazon Elastic Block Store (EBS)    
Amazon Elastic File System (EFS)    
IBM Cloud Block Storage  
IBM Cloud File Storage  

License requirements

The following table lists whether you need a separate license to use each storage option. In some cases, your Guardium Insights purchase includes limited entitlements to the storage.

Important: The license information applies only to Guardium Insights Enterprise Edition.
Storage option Details
OpenShift Data Foundation  
OpenShift Data Foundation as a Service Contact IBM Support.
IBM Spectrum Fusion  
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) You can use IBM Spectrum Scale Container Native as part of IBM Spectrum Fusion.
Portworx A separate license is required.
NFS No license is required.
Amazon Elastic Block Store (EBS) A separate subscription is required.
Amazon Elastic File System (EFS) A separate subscription is required.
IBM Cloud Block Storage A separate subscription is required.
IBM Cloud File Storage A separate subscription is required.

For details about the amount of storage you can use, see How many volumes can be ordered.

Storage classes

The person who installs Guardium Insights and the services on the cluster must know which storage classes to use during installation. The following table lists the required types of storage. When applicable, the table also lists the recommended storage classes to use and points to additional guidance on how to create the storage classes.

Storage option Details
OpenShift Data Foundation The recommended storage classes are automatically created when you install OpenShift Data Foundation.
Guardium Insights uses the following storage classes:
  • RWX file storage:
  • RWO block storage:
OpenShift Data Foundation as a Service The recommended storage classes are automatically created by OpenShift Data Foundation as a Service.
Guardium Insights uses the following storage classes:
  • RWX file storage:
  • RWO block storage:
IBM Spectrum Fusion .
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface)  
Portworx The recommended storage classes are listed in Creating Portworx storage classes.
NFS  
Amazon Elastic Block Store (EBS) Use either of the following RWO storage classes:
Amazon Elastic File System (EFS)  
IBM Cloud Block Storage Use the following RWO storage class:
IBM Cloud File Storage Use either of the following RWX storage classes:

Data replication for high availability

Storage option Details
OpenShift Data Foundation Supported

By default, all services use multiple replicas for high availability. OpenShift Data Foundation maintains each replica in a distinct availability zone.

OpenShift Data Foundation as a Service All data on the persistent volumes is replicated across multiple availability zones by default. Cross-cluster asynchronous replication is not supported.
IBM Spectrum Fusion Supported.

Replication is supported and can be enabled within the Spectrum Scale Storage Cluster in a variety of ways. For details, see Data Mirroring and Replication in the IBM Spectrum Scale documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) Supported.

Replication is supported and can be enabled within the Spectrum Scale Storage Cluster in a variety of ways. For details, see Data Mirroring and Replication in the IBM Spectrum Scale documentation.

Portworx  
NFS Replication support depends on your NFS server.
Amazon Elastic Block Store (EBS) Supported

When you create an EBS volume, it is automatically replicated within its Availability Zone to prevent data loss due to failure of any single hardware component.

Amazon Elastic File System (EFS) Supported

You can use EFS replication to create a replica of your EFS file system in the AWS Region of your choice. When you enable replication on an EFS file system, Amazon EFS automatically and transparently replicates the data and metadata on the source file system to the target file system. For details, see Amazon EFS replication.

IBM Cloud Block Storage Supported

You can create a snapshot schedule to automatically copy snapshots to a destination volume in a remote data center for data replication. For details, see Replicating data in the IBM Cloud documentation.

IBM Cloud File Storage Supported, but not enabled by default.

You can enable replication from the IBM Cloud console. For details, see Replicating data.

Backup and restore

Storage option Details
OpenShift Data Foundation Container Storage Interface support for snapshots and clones.

Tight integration with Velero CSI plugin for Red Hat OpenShift Container Platform backup and recovery.

OpenShift Data Foundation as a Service Contact IBM Support.
IBM Spectrum Fusion IBM Spectrum Protect Plus is not supported for application-consistent backup and restore.

For storage level backup, see Back up and restore in the IBM Spectrum Fusion documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) IBM Spectrum Protect Plus is not supported for application-consistent backup and restore.

Use the IBM Spectrum Scale Container Storage Interface Volume snapshot as the primary backup and restore method and combine it with Container Backup Support provided by IBM Spectrum Protect Plus.

Additionally, there are multiple methods you can use to back up the Spectrum Scale Storage Cluster.

For details, see Data protection and disaster recovery in the IBM Spectrum Scale documentation.
Portworx
On-premises
Limited support.
IBM Cloud
Supported with the Portworx Enterprise Disaster Recovery plan.
NFS Limited support.
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Supported, but not enabled by default.

For details, see Backing up and restoring data.

Encryption of data at rest

Storage option Details
OpenShift Data Foundation Supported.

OpenShift Data Foundation uses Linux Unified Key System (LUKS) version 2 based encryption with a key size of 512 bits and the aes-xts-plain64 cipher.

You must enable encryption for your whole cluster during cluster deployment to ensure encryption of data at rest. Encryption is disabled by default. Working with encrypted data incurs a small performance penalty.

Support for FIPS cryptography
By storing all data in volumes that use RHEL-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS Validated Modules in Process encryption. You can configure your cluster to encrypt the root filesystem of each node, as described in Customizing nodes.
 
OpenShift Data Foundation as a Service
IBM Spectrum Fusion Supported

For details, see Encryption in the IBM Spectrum Scale documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) Supported

For details, see Encryption in the IBM Spectrum Scale documentation.

Portworx Supported with Portworx Enterprise only.

Portworx uses the LUKS format of dm-crypt and AES-256 as the cipher with xts-plain64 as the cipher mode.

On-premises deployments
Refer to Enabling Portworx volume encryption in the Portworx documentation.
IBM Cloud deployments
To protect the data in your Portworx volumes, encrypt the volumes with IBM Key Protect or Hyper Protect Crypto Services.
NFS Check with your storage vendor on the steps to enable encryption of data at rest.
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Supported

IBM Cloud File Storage supports provider-managed encryption of data at rest. This feature is only available in select data centers. All storage that is ordered in these data centers is automatically provisioned with encryption for data at rest. All snapshots and replicas of encrypted file storage are also encrypted by default in these select data centers.
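
The OpenShift Data Foundation values listed in this section (LUKS version 2, a 512-bit key, the aes-xts-plain64 cipher) can be checked against a device's LUKS header. The shell function below is an added example, not code from IBM or Red Hat; it assumes the text layout that cryptsetup luksDump prints for LUKS2 headers and runs here on a constructed sample. Because XTS splits its key into two halves, a 512-bit key corresponds to AES-256, the cipher strength named in the Portworx entry.

```shell
#!/usr/bin/env bash
# Added example, not IBM or Red Hat code. Audits `cryptsetup luksDump` text
# against the values this page gives for OpenShift Data Foundation:
# LUKS version 2, a 512-bit key, and the aes-xts-plain64 cipher.

# Reads a LUKS2 header dump on stdin, prints one line per check, and
# returns 0 only when every check passes.
check_luks_dump() {
  awk '
    function report(ok, label, got) {
      printf "%s  %s: %s\n", (ok ? "PASS" : "FAIL"), label, (got == "" ? "(missing)" : got)
      return (ok ? 0 : 1)
    }
    /^[^ \t]/          { section = "" }   # an unindented line ends a section
    /^Version:/        { version = $2 }
    /^Data segments:/  { section = "segments" }
    /^Keyslots:/       { section = "keyslots" }
    section == "segments" && $1 == "cipher:" { cipher = $2 }
    section == "keyslots" && $1 == "Key:" {
      slots++; bits = $2 + 0
      if (bits != 512) wrong++
    }
    END {
      failed  = report(version == "2", "LUKS version", version)
      failed += report(cipher == "aes-xts-plain64", "data cipher", cipher)
      failed += report(slots > 0 && wrong == 0, "key size in bits", bits)
      # XTS uses two equal-length keys, so 512 bits means AES-256.
      if (cipher ~ /^aes-xts/ && bits > 0)
        printf "INFO  effective AES variant: AES-%d\n", bits / 2
      exit (failed > 0)
    }
  '
}

# Constructed sample laid out like a LUKS2 header dump (not taken from a cluster).
sample_odf_dump() {
  cat <<'EOF'
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
Tokens:
Digests:
EOF
}

# Same header with a 256-bit key: the cipher name still matches, but
# aes-xts-plain64 with 256 bits is only AES-128, so the audit must fail.
sample_short_key_dump() { sample_odf_dump | sed 's/512 bits/256 bits/'; }

sample_odf_dump | check_luks_dump
sample_short_key_dump | check_luks_dump || echo "short-key header rejected"
```

On a node, pipe the real header dump into the function: cryptsetup luksDump <device> | check_luks_dump, where <device> is a placeholder for the encrypted block device.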

Network and I/O requirements

Storage option Details
OpenShift Data Foundation
Network requirements
Your network must support a minimum of 10 Gbps.
I/O requirements
Each node must have at least one enterprise-grade SSD or NVMe device that meets the Disk requirements in the system requirements.

For more information, see Planning your deployment in the OpenShift Data Foundation documentation.

If SSD or NVMe aren't supported in your deployment environment, use an equivalent or better device.

OpenShift Data Foundation as a Service
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
IBM Spectrum Fusion
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
Portworx
Network requirements
Your network must support a minimum of 10 Gbps.

For details, see Prerequisites in the Portworx documentation.

I/O requirements
For details, see Disk requirements in the system requirements.

For details on performance, see FIO performance in the Portworx documentation.

NFS
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
Amazon Elastic Block Store (EBS)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
Amazon Elastic File System (EFS)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
IBM Cloud Block Storage
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see Disk requirements in the system requirements.
IBM Cloud File Storage
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.

For details, see Network connection in the IBM Cloud File Storage documentation.

I/O requirements
For details, see Disk requirements in the system requirements.

The default I/O settings are typically lower than the minimums specified in the Disk requirements section.

To improve the I/O performance for production environments, you must adjust the I/O settings. Contact IBM Software Support for guidance on how to adjust the settings according to Changing the size and IOPS of your existing storage device.

Resource requirements

This section describes the resource requirements for the various storage options.

For information about the minimum amount of storage that is required for your environment, see Storage requirements.

Important: Work with your IBM Sales representative to ensure that you have sufficient storage for the services that you plan to run on Guardium Insights and for your expected workload.
Storage Option vCPU Memory Storage
OpenShift Data Foundation
  • 10 vCPU per node on three initial nodes.
  • 2 vCPU per node on any additional nodes

For details, see Resource requirements.

  • 24 GB of RAM on initial three nodes.
  • 5 GB of RAM on any additional nodes.

For details, see Resource requirements.

A minimum of three nodes.

On each node, you must have at least one SSD or NVMe device. Each device should have at least 1TB of available storage.

For details, see Storage device requirements.

OpenShift Data Foundation as a Service Contact IBM Support. Contact IBM Support. Contact IBM Support.
IBM Spectrum Fusion 8 vCPU on each worker node to deploy IBM Spectrum Scale Container Native and IBM Spectrum Scale Container Storage Interface Driver.

See the IBM Spectrum Scale Container Native hardware requirements.

16 GB of RAM on each worker node.

For details, see the IBM Spectrum Scale Container Native requirements.

1 TB or more of available space
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) 8 vCPU on each worker node to deploy IBM Spectrum Scale Container Native and IBM Spectrum Scale Container Storage Interface Driver.

See the IBM Spectrum Scale Container Native requirements.

16 GB of RAM on each worker node.

For details, see the IBM Spectrum Scale Container Native requirements.

1 TB or more of available space
Portworx
On-premises
4 vCPU on each storage node
IBM Cloud
For details, see the following sections of Storing data on software-defined-storage (SDS) with Portworx:
  • What worker node flavor in Red Hat OpenShift on IBM Cloud is the right one for Portworx?
  • What if I want to run Portworx in a classic cluster with non-SDS worker nodes?
4 GB of RAM on each storage node A minimum of three storage nodes.
On each storage node, you must have:
  • A minimum of 1 TB of raw, unformatted disk
  • An additional 100 GB of raw, unformatted disk for a key-value database.
NFS 8 vCPU on the NFS server 32 GB of RAM on the NFS server 1 TB or more of available space
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Not applicable for managed services. Not applicable for managed services. 500 GB or more

Storage is not automatically expanded and is created in smaller chunks.

Increasing the size of the volumes improves I/O performance for production environments. Contact IBM Software Support as indicated in the preceding row.

If you are running the Prometheus Cluster Monitoring stack on IBM Cloud, you might notice that pods consume more local storage. You can reduce the retention periods of your logs or you can configure logs to be saved in persistent storage instead of local storage. For more information, see Configuring the monitoring stack. To troubleshoot issues, see Worker nodes show status of disk pressure.

Additional documentation

Storage option Documentation links
OpenShift Data Foundation
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
Product documentation for Troubleshooting OpenShift Data Foundation 4.5
OpenShift Data Foundation as a Service
Guardium Insights configuration guidance
For post-installation guidance, see .
IBM Spectrum Fusion
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface)
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
Portworx
Troubleshooting
Troubleshoot Portworx on Kubernetes
NFS
Troubleshooting
Refer to the documentation from your NFS provider.
Amazon Elastic Block Store (EBS)
Troubleshooting
See the AWS documentation.
Amazon Elastic File System (EFS)
Troubleshooting
Troubleshooting Amazon EFS in the AWS documentation.
IBM Cloud Block Storage
Troubleshooting
Debugging Block Storage failures in the IBM Cloud documentation.
IBM Cloud File Storage
Troubleshooting
Troubleshooting persistent storage