Unsolved

January 30th, 2026 17:14

PowerMax CSI Driver scenario query regarding Isolation Mechanism

Current example setup details are as follows.

Unisphere Endpoint: 
    • For Site-1 - Dev/ Test/ PROD Unisphere Endpoint = https://xx.xx.xx.xx:8443
    • For Site-2 - Dev/ Test/ PROD Unisphere Endpoint = https://xx.xx.xx.xx:8443
    • A single Unisphere endpoint is used for Dev, Test, and Prod on each site above.

User Account Scope:
    • A single Unisphere user account (test-admin) with full admin PowerMax array access is used.
    • This account has visibility and control across Dev, Test, and Prod storage.
    • There are no dedicated Unisphere users per environment.

CSI Driver Deployment:
    • Each environment (Dev, Test, Prod) runs on its own Kubernetes cluster.
        o Dev → Dev_Cluster
        o Test → Test_Cluster
        o Prod → Prod_Cluster
    • Each cluster would have its own CSI driver deployment, which is good practice.

Are my key observations on isolation of the CSI driver capability among the environments correct?

1. Primary Isolation Mechanism Today
    • Isolation is currently enforced only through Port Groups.
    • While this is valid, it relies heavily on correct CSI configuration.
2. Unisphere User Privilege
    • Since the same Unisphere user has full array access, any misconfiguration in CSI (intentional or accidental) could allow:
        o Dev workloads to attach to Test or Prod Port Groups.
    • There is no RBAC guardrail at the native Unisphere level today.

Are there any possibilities for isolation from one env to another while provisioning PV/PVC?
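
An added example, not part of the original post and not code from the CSI driver: a pre-deployment check that flags the two conditions described above, a cluster referencing another environment's port group and one Unisphere account shared across environments. The port group names, the ownership inventory and the field names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed inventory: which environment owns each port group (hypothetical names).
PORT_GROUP_OWNER = {"pg_dev_01": "dev", "pg_test_01": "test", "pg_prod_01": "prod"}

# Constructed per-cluster settings, as they might be collected from each CSI
# driver deployment. Field names belong to this example, not to the driver.
CLUSTERS = [
    {"cluster": "Dev_Cluster", "env": "dev", "user": "test-admin",
     "port_groups": ["pg_dev_01", "pg_prod_01"]},  # deliberate misconfiguration
    {"cluster": "Test_Cluster", "env": "test", "user": "test-admin",
     "port_groups": ["pg_test_01"]},
    {"cluster": "Prod_Cluster", "env": "prod", "user": "test-admin",
     "port_groups": ["pg_prod_01"]},
]


def audit(clusters, owners):
    """Return a sorted list of (severity, message) isolation findings."""
    findings = []
    envs_by_pg = defaultdict(set)    # port group -> environments referencing it
    envs_by_user = defaultdict(set)  # Unisphere account -> environments using it
    for c in clusters:
        envs_by_user[c["user"]].add(c["env"])
        for pg in c["port_groups"]:
            envs_by_pg[pg].add(c["env"])
            owner = owners.get(pg)
            if owner is None:
                findings.append(("high", f"{c['cluster']}: port group {pg} is not in the inventory"))
            elif owner != c["env"]:
                findings.append(("high", f"{c['cluster']}: port group {pg} belongs to {owner}, not {c['env']}"))
    for pg, envs in envs_by_pg.items():
        if len(envs) > 1:
            findings.append(("high", f"port group {pg} is referenced from {sorted(envs)}"))
    for user, envs in envs_by_user.items():
        if len(envs) > 1:
            findings.append(("medium", f"account {user} is shared across {sorted(envs)}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit(CLUSTERS, PORT_GROUP_OWNER):
        print(f"[{severity}] {message}")
```

A check like this can run in the pipeline that renders each cluster's driver configuration, so a cross-environment port group is rejected before the driver is deployed.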