.To install IBM Cloud Pak® for Security, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.
The integration capabilities that are provided in IBM Cloud Pak® for Security use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the OpenShift environment.
Persistence is enabled by default in IBM Cloud Pak for Security, so persistent volumes are required; you must have physical volumes available, backed up by a suitable file system.
By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.
IBM Cloud Pak for Security does not support Network File System (NFS). Red Hat® OpenShift® Container Platform and IBM Cloud Pak® foundational services do not have a nfs-dynamic provisioner.
IBM Cloud Pak foundational services requires block or file storage.
Note: IBM Cloud Pak for Security is validated only with dynamic provisioning.
For Linux on x86 hardware, the following recommended storage providers have been validated across all the capabilities of IBM Cloud Pak for Security:
For more information, see IBM Storage Suite for IBM Cloud Paks documentation .
Important:
If you are using VMWare vSphere and RHOCS, CPU and RAM requirements must be incremented in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation .
The IBM Storage Suite components are not supported by the IBM Cloud Pak for Security support team. You must ensure that you have an appropriate support arrangement for these components. So, if an issue is identified with the storage, you can engage directly with the storage provider for support.
To provide protection for data at rest, use volume encryption for your chosen storage.
For each of the cloud environment providers that are supported by Cloud Pak for Security, the storage options that are validated for Cloud Pak for Security are detailed in Table 1.
Table 1. Validated block storage options
| Cloud provider | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Storage class validated on Cloud Pak for Security | Encryption supported on the supported storage class* |
|---|---|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Block | RWO | AWS | Retain | 10 IOPS/GB | gp2, gp2-csi, ocs-storagecluster-ceph-rbd | Yes |
| IBM Cloud® (Classic) | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | ibmc-block-gold | Yes |
| IBM Cloud® (VPC2) | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | ibmc-vpc-block-10iops-tier, portworx-shared-sc | Yes |
| Microsoft Azure | Block | RWO | Azure Disk | Retain | 10 IOPS/GB | managed-premium | Yes |
| VMware | Block | RWO | RHOCS 4.7, VSphere Volume |
Retain | 10 IOPS/GB | ocs-storagecluster-ceph-rbd, vsphere-storage-block vsphere-volume(thin) |
Yes |
Table 2. Validated file storage options
| Cloud provider | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Storage class validated on Cloud Pak for Security | Encryption supported on the supported storage class* |
|---|---|---|---|---|---|---|---|
| Amazon Web Services (AWS) | File | RWO | AWS | Retain | 10 IOPS/GB | ocs-storagecluster-cephfs | Yes |
| IBM Cloud® | File | RWO | IBM Cloud | Retain | 10 IOPS/GB | ibmc-file-gold-gid, portworx-fs | Yes |
Note: On IBM Cloud (ROKS), you can use the gid storage classes: ibmc-file-bronze-gid, ibmc-file-silver-gid, and ibmc-file-gold-gid. For more information about gold, silver, and bronze storage, see Storage class reference.
*If your disks are not encrypted by default by your cloud provider, you can ensure that your data within Cloud Pak for Security is stored securely by encrypting your disks. If you use Linux® Unified Key Setup-on-disk-format (LUKS) for this purpose, before you install Cloud Pak for Security, enable LUKS and format the disks with the XFS file system.
1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.
For more information about Kubernetes persistent volumes, see Persistent Volumes .
Run the following command to confirm the default storage class:
oc get storageclass | grep default
You must set only one default storage class in the Red Hat OpenShift environment. If you have more than one default storage class set, to unset one of the storage classes, run the following command:
oc patch storageclass <storage-class-name> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
When you update the values.conf file to install Cloud Pak for Security, set the default storage class as the value for the storageClass parameter.
In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard storage class ibmc-block-gold. For more information, see IBM Cloud documentation .
In IBM Cloud environments, IBM Cloud Pak for Security requires one or more persistent volumes of suitable size as shown in Table 2.
Table 2. Recommended storage sizing for IBM Cloud
| Storage capability | Storage type | Access mode | Deployment replicasxStorage per replica | Recommended storage |
|---|---|---|---|---|
| Arango | Block | RWO | 5x20 GB | 100 GB |
| Backup and restore | Block | RWO | 1x100 GB | 100 GB* |
| CouchDB | Block | RWO | 3x60 GB | 180 GB |
| Elastic | Block | RWO | 4x20 GB | 80 GB |
| etcd | Block | RWO | 3x20 GB | 60 GB |
| MinIO | Block | RWO | 4x20 GB | 80 GB |
| Postgres | Block | RWO | 150 GB (Case Management), 150 GB (Risk Manager), 20 GB (Threat Investigator(Beta)), 100 GB (CAR), 100 GB (ATK) |
520 GB |
| RabbitMQ | Block | RWO | 3x20 GB | 60 GB |
*For the Backup and Restore pod, instead of using the defaults specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.
In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, Cloud Pak for Security requires one or more persistent volumes of suitable size as shown in Table 3.
Table 3. Recommended storage sizing for unmanaged Red Hat OpenShift environments
| Storage capability | Storage type | Access mode | Deployment replicasxStorage required per replica | Recommended storage |
|---|---|---|---|---|
| Arango | Block | RWO | 5x20 GB | 100 GB |
| Backup and Restore | Block | RWO | 1x100 GB | 100 GB* |
| CouchDB | Block | RWO | 3x60 GB | 180 GB |
| Elastic | Block | RWO | 4x20 GB | 80 GB |
| etcd | Block | RWO | 3x1 GB | 3 GB |
| MinIO | Block | RWO | 4x10 GB | 40 GB |
| Postgres | Block | RWO | 150 GB (Case Management), 150 GB (Risk Manager), 20 GB (Threat Investigator(Beta)), 100 GB (CAR), 100 GB (ATK) |
520 GB |
| RabbitMQ | Block | RWO | 3x5 GB | 15 GB |
*For the backup and Restore pod, instead of using the defaults specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.