Storage requirements

The integration capabilities in IBM Cloud Pak® for Security use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective OpenShift® environment.

To install IBM Cloud Pak for Security, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.

Persistence is enabled by default in IBM Cloud Pak for Security. You must have physical volumes available, backed up by a suitable file system.

By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.

IBM Cloud Pak for Security does not support Network File System (NFS). Red Hat® OpenShift Container Platform and IBM Cloud Pak foundational services do not have an nfs-dynamic provisioner.

IBM Cloud Pak foundational services requires block or file storage.

Suggested storage providers

For Linux® on x86 hardware, the following storage providers are validated across all the capabilities of IBM Cloud Pak for Security:

  • IBM Cloud® Block Storage and IBM Cloud File Storage
  • IBM® Storage Suite for IBM Cloud Paks. This suite of offerings includes the following validated storage options:
    • Red Hat OpenShift Container Storage (RHOCS) 4.2+, Block, File
    • IBM Spectrum® Scale Container Native CNSA 5.1.1.3+, CSI 2.3.0+
    • Red Hat Ceph® Storage
  • IBM Spectrum Fusion
  • Portworx Storage, version 2.5.5 or later
  • Red Hat OpenShift Container Storage (RHOCS) 4.2+, Block, File

For more information about these options, see the IBM Storage Suite for IBM Cloud Paks documentation.

Important:
  • If you are using VMware vSphere and RHOCS, the CPU and RAM requirements must be incremented in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation.
  • The IBM Storage Suite components are not supported by the IBM Cloud Pak for Security support team. You must ensure that you have an appropriate support arrangement with the storage provider for these components.
  • To provide protection for data at rest, use volume encryption for your chosen storage.

Validated storage options

For each of the cloud environment providers that are supported by IBM Cloud Pak for Security, the validated storage options are detailed in the following tables.

Table 1. Validated block storage options

| Cloud provider | Storage class | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Encryption supported on the storage class* |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | gp2, gp2-csi, ocs-storagecluster-ceph-rbd | Block | RWO | AWS | Retain | 10 IOPS/GB | Yes |
| IBM Cloud (Classic) | ibmc-block-gold | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
| IBM Cloud (VPC2) | ibmc-vpc-block-10iops-tier, portworx-shared-sc | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
| IBM Spectrum Fusion | ibm-spectrum-scale-sc | Block | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |
| Microsoft Azure | managed-premium | Block | RWO | Azure Disk | Retain | 10 IOPS/GB | Yes |
| VMware | ocs-storagecluster-ceph-rbd, vsphere-storage-blockvsphere-volume(thin) | Block | RWO | RHOCS 4.7, VSphere Volume | Retain | 10 IOPS/GB | Yes |

Table 2. Validated file storage options

| Cloud provider | Storage class | Storage type | Access mode | Storage provider | Recommended reclaim policy | Min. IOPS | Encryption supported on the storage class* |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | ocs-storagecluster-cephfs | File | RWO | AWS | Retain | 10 IOPS/GB | Yes |
| IBM Cloud | ibmc-file-gold-gid, portworx-fs | File | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
| IBM Spectrum Fusion | ibm-spectrum-scale-sc | File | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |

* If your disks are not encrypted by default by your cloud provider, you can ensure that your data within Cloud Pak for Security is stored securely by encrypting your disks yourself. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install Cloud Pak for Security.

Tip: On IBM Cloud ROKS you can use the following gid storage classes:
  • ibmc-file-bronze-gid
  • ibmc-file-silver-gid
  • ibmc-file-gold-gid
For more information about gold, silver, and bronze storage, see Storage class reference.

A 1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.

For more information about Kubernetes persistent volumes, see Persistent Volumes.

Retrieving the default block storage class in your environment

You must set only one default storage class in the Red Hat OpenShift environment.

  • Confirm the default storage class by typing the following command:
    oc get storageclass | grep default
    
  • If you have more than one default storage class set, unset one of the storage classes by typing the following command:
    oc patch storageclass <storage-class-name> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
    

When you update the values.conf file to install IBM Cloud Pak for Security, set the default storage class as the value for the storageClass parameter.
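
The following preflight check is an added example, not part of the IBM documentation. It reads the output of `oc get storageclass` and fails unless exactly one class is marked default, that class is not NFS-provisioned, and its reclaim policy is Retain, as the validated storage tables recommend. The function name, exit codes, and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check over the tabular output of `oc get storageclass`.
# On a cluster:  oc get storageclass | check_default_sc
# Exit codes (this script's own convention):
#   0 ok, 1 no default, 2 more than one default,
#   3 default class uses an NFS provisioner, 4 reclaim policy is not Retain
check_default_sc() {
  awk '
    NR == 1 { next }                      # skip the header row
    $2 == "(default)" {                   # default classes print as "NAME (default)"
      n++; name = $1; prov = $3; reclaim = $4
      names = names " " $1
    }
    END {
      if (n == 0) { print "FAIL: no default storage class"; exit 1 }
      if (n > 1)  { print "FAIL: multiple default classes:" names; exit 2 }
      if (tolower(prov) ~ /nfs/) {
        print "FAIL: " name " uses NFS provisioner " prov; exit 3
      }
      if (reclaim != "Retain") {
        print "FAIL: " name " reclaim policy is " reclaim ", expected Retain"; exit 4
      }
      print "OK: " name " (" prov ", " reclaim ")"
    }'
}

# Constructed sample: one default class with Retain.
sample_ok() {
cat <<'EOF'
NAME                        PROVISIONER         RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
ibmc-block-gold (default)   ibm.io/ibmc-block   Retain          Immediate           true                   30d
ibmc-file-gold-gid          ibm.io/ibmc-file    Retain          Immediate           false                  30d
EOF
}

# Constructed sample: two classes both marked default (the case the oc patch command fixes).
sample_two_defaults() {
cat <<'EOF'
NAME                        PROVISIONER         RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
ibmc-block-gold (default)   ibm.io/ibmc-block   Retain          Immediate           true                   30d
ibmc-file-gold-gid (default) ibm.io/ibmc-file   Retain          Immediate           false                  30d
EOF
}

sample_ok | check_default_sc
```
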

IBM Cloud environment storage sizing

In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard ibmc-block-gold storage class. For more information, see IBM Cloud documentation.

In IBM Cloud environments, IBM Cloud Pak for Security requires one or more persistent volumes of suitable size, as shown in the following table.

Table 3. Recommended storage sizing for IBM Cloud

| Storage capability | Access mode | Deployment replicas x Storage per replica | Recommended storage |
| --- | --- | --- | --- |
| Backup and Restore | RWO | 1x500 GB | 500 GB* |
| CouchDB | RWO | 3x60 GB | 180 GB |
| Elastic | RWO | 3x20 GB | 60 GB |
| etcd | RWO | 3x20 GB | 60 GB |
| MinIO | RWO | 4x20 GB | 80 GB |
| Postgres | RWO | 2x1 TB (default), 2x220 GB (Case Management) | 2.44 TB |
| RabbitMQ | RWO | 3x20 GB | 60 GB |

*For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.

Unmanaged Red Hat OpenShift environment storage sizing

In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, IBM Cloud Pak for Security requires one or more persistent volumes of suitable size, as shown in the following table.

Table 4. Recommended storage sizing for unmanaged Red Hat OpenShift environments

| Storage capability | Access mode | Deployment replicas x Storage required per replica | Recommended storage |
| --- | --- | --- | --- |
| Backup and Restore | RWO | 1x500 GB | 500 GB* |
| CouchDB | RWO | 3x60 GB | 180 GB |
| Elastic | RWO | 3x20 GB | 60 GB |
| etcd | RWO | 3x1 GB | 3 GB |
| MinIO | RWO | 4x10 GB | 40 GB |
| Postgres | RWO | 2x1 TB (default), 2x220 GB (Case Management) | 2.44 TB |
| RabbitMQ | RWO | 3x5 GB | 15 GB |

*For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.