Storage requirements
The integration capabilities in IBM Cloud Pak® for Security use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective OpenShift® environment.
To install IBM Cloud Pak for Security, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.
Persistence is enabled by default in IBM Cloud Pak for Security. You must have physical volumes available, backed up by a suitable file system.
By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.
IBM Cloud Pak for Security does not support Network File System (NFS). Red Hat® OpenShift Container Platform and IBM Cloud Pak foundational services do not have an nfs-dynamic provisioner.
IBM Cloud Pak foundational services requires block or file storage.
Suggested storage providers
For Linux® on x86 hardware, the following storage providers are validated across all the capabilities of IBM Cloud Pak for Security:
- IBM Cloud® Block Storage and IBM Cloud File Storage
- IBM® Storage Suite for IBM Cloud Paks. This suite of offerings includes the following validated storage options:
- Red Hat OpenShift Container Storage (RHOCS) 4.2+, Block, File
- IBM Spectrum® Scale Container Native CNSA 5.1.1.3+, CSI 2.3.0+
- Red Hat Ceph® Storage
- IBM Spectrum Fusion
- Portworx Storage, version 2.5.5 or later
- Red Hat OpenShift Container Storage (RHOCS) 4.2+, Block, File
For more information about these options, see the IBM Storage Suite for IBM Cloud Paks documentation.
- If you are using VMware vSphere and RHOCS, the CPU and RAM requirements must be incremented in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation.
- The IBM Storage Suite components are not supported by the IBM Cloud Pak for Security support team. You must ensure that you have an appropriate support arrangement with the storage provider for these components.
- To provide protection for data at rest, use volume encryption for your chosen storage.
Validated storage options
For each of the cloud environment providers that are supported by IBM Cloud Pak for Security, the validated storage options are detailed in the following tables.
Cloud provider | Storage class | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Encryption supported on the storage class* |
---|---|---|---|---|---|---|---|
Amazon Web Services (AWS) | gp2, gp2-csi, ocs-storagecluster-ceph-rbd | Block | RWO | AWS | Retain | 10 IOPS/GB | Yes |
IBM Cloud (Classic) | ibmc-block-gold | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Cloud (VPC2) | ibmc-vpc-block-10iops-tier, portworx-shared-sc | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Spectrum Fusion | ibm-spectrum-scale-sc | Block | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |
Microsoft Azure | managed-premium | Block | RWO | Azure Disk | Retain | 10 IOPS/GB | Yes |
VMware | ocs-storagecluster-ceph-rbd, vsphere-storage-blockvsphere-volume(thin) | Block | RWO | RHOCS 4.7, VSphere Volume | Retain | 10 IOPS/GB | Yes |
Cloud provider | Storage class | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Encryption supported on the storage class* |
---|---|---|---|---|---|---|---|
Amazon Web Services (AWS) | ocs-storagecluster-cephfs | File | RWO | AWS | Retain | 10 IOPS/GB | Yes |
IBM Cloud | ibmc-file-gold-gid, portworx-fs | File | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Spectrum Fusion | ibm-spectrum-scale-sc | File | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |
* If your disks are not encrypted by default by your cloud provider, you can ensure that your data within Cloud Pak for Security is stored securely by encrypting your disks yourself. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install Cloud Pak for Security.
- ibmc-file-bronze-gid
- ibmc-file-silver-gid
- ibmc-file-gold-gid
A 1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.
For more information about Kubernetes persistent volumes, see Persistent Volumes.
Retrieving the default block storage class in your environment
You must set only one default storage class in the Red Hat OpenShift environment.
- Confirm the default storage class by typing the following command:
oc get storageclass | grep default
- If you have more than one default storage class set, unset one of the storage classes by typing the following command:
oc patch storageclass <storage-class-name> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
When you update the values.conf file to install IBM Cloud Pak for Security, set the default storage class as the value for the storageClass parameter.
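The checks from this section, written as an added example (not IBM's code): a Python script that reads the output of `oc get storageclass -o json` and reports whether exactly one class is marked default, and whether that class uses the recommended Retain reclaim policy and a non-NFS provisioner. The sample list is constructed, and matching "nfs" in the provisioner name is a heuristic assumed here.

```python
import json

DEFAULT_KEYS = (
    "storageclass.kubernetes.io/is-default-class",
    "storageclass.beta.kubernetes.io/is-default-class",  # legacy annotation
)

# Constructed sample, shaped like `oc get storageclass -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "gp2", "annotations": {DEFAULT_KEYS[0]: "true"}},
     "provisioner": "kubernetes.io/aws-ebs", "reclaimPolicy": "Delete"},
    {"metadata": {"name": "gp2-csi", "annotations": {DEFAULT_KEYS[0]: "true"}},
     "provisioner": "ebs.csi.aws.com", "reclaimPolicy": "Retain"},
    {"metadata": {"name": "lab-nfs"},
     "provisioner": "example.com/nfs", "reclaimPolicy": "Retain"},
]})


def is_default(sc):
    """True if either default-class annotation is set to "true"."""
    ann = sc["metadata"].get("annotations") or {}
    return any(ann.get(k) == "true" for k in DEFAULT_KEYS)


def audit(raw_json):
    """Return (default_class_names, findings) for a StorageClass list."""
    items = json.loads(raw_json).get("items", [])
    defaults = [sc["metadata"]["name"] for sc in items if is_default(sc)]
    findings = []
    if len(defaults) != 1:
        findings.append(
            f"expected exactly one default class, found {len(defaults)}: {defaults}")
    for sc in items:
        if not is_default(sc):
            continue  # only the default class goes into the storageClass parameter
        name = sc["metadata"]["name"]
        # Kubernetes applies Delete when reclaimPolicy is not set on the class.
        if sc.get("reclaimPolicy", "Delete") != "Retain":
            findings.append(f"{name}: reclaimPolicy is not Retain")
        # Heuristic (assumption): NFS provisioners carry "nfs" in their name.
        if "nfs" in sc.get("provisioner", "").lower():
            findings.append(f"{name}: NFS provisioner is not supported")
    return defaults, findings


if __name__ == "__main__":
    names, problems = audit(SAMPLE)
    print("default classes:", names)
    for p in problems:
        print("FINDING:", p)
```

On a live cluster, save the output of `oc get storageclass -o json` to a file and pass its contents to `audit()` in place of `SAMPLE`.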
IBM Cloud environment storage sizing
In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard ibmc-block-gold storage class. For more information, see IBM Cloud documentation.
In IBM Cloud environments, IBM Cloud Pak for Security requires one or more persistent volumes of suitable size, as shown in the following table.
Storage capability | Access mode | Deployment replicas x Storage per replica | Recommended storage |
---|---|---|---|
Backup and Restore | RWO | 1x500 GB | 500 GB* |
CouchDB | RWO | 3x60 GB | 180 GB |
Elastic | RWO | 3x20 GB | 60 GB |
etcd | RWO | 3x20 GB | 60 GB |
MinIO | RWO | 4x20 GB | 80 GB |
Postgres | RWO | 2x1 TB (default), 2x220 GB (Case Management) | 2.44 TB |
RabbitMQ | RWO | 3x20 GB | 60 GB |
*For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.
Unmanaged Red Hat OpenShift environment storage sizing
In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, IBM Cloud Pak for Security requires one or more persistent volumes of suitable size, as shown in the following table.
Storage capability | Access mode | Deployment replicas x Storage required per replica | Recommended storage |
---|---|---|---|
Backup and Restore | RWO | 1x500 GB | 500 GB* |
CouchDB | RWO | 3x60 GB | 180 GB |
Elastic | RWO | 3x20 GB | 60 GB |
etcd | RWO | 3x1 GB | 3 GB |
MinIO | RWO | 4x10 GB | 40 GB |
Postgres | RWO | 2x1 TB (default), 2x220 GB (Case Management) | 2.44 TB |
RabbitMQ | RWO | 3x5 GB | 15 GB |
*For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.