Portworx Documentation has moved to https://docs.portworx.com
Portworx Enterprise version 2.13 has reached end of life and end of extended maintenance. Refer to the release support policy doc here.
Upgrade to the latest version of Portworx Enterprise for continued support. Documentation for the latest version of Portworx Enterprise can be found here.

Use pxctl with security enabled


Once a storage cluster with PX-Security enabled is running, a cluster admin must set up a pxctl context on each node in order to interact with the system.

The following steps will guide an Operator-based storage admin to setup pxctl contexts on each node.

  1. Retrieve the admin token from the namespace in which Portworx was installed and store it in th

    ADMIN_TOKEN=$(kubectl -n kube-system get secret px-admin-token --template='{{index .data "auth-token" | base64decode}}')
  2. Find the Portworx pod that is running on the node in which the admin wants to interact with:

    K8_NODE_NAME=kubernetes-worker-3.mylab.lan # must match what appears in output of kubectl get nodes
    PX_POD=$(kubectl -n kube-system get pods -l name=portworx -o jsonpath='{.items[?(@.spec.nodeName == "'K8_NODE_NAME'")].metadata.name}')
  3. Save the admin token in the pxctl context for that pod:

    kubectl -n kube-system exec -ti $PX_POD -- /opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
  4. Use kubectl exec to access the Portworx container and perform any pxctl operations:

    kubectl -n kube-system exec -ti $PX_POD -- /opt/pwx/bin/pxctl status
Note: This pxctl context will need to be refreshed every time the token expires. This is 24 hours by default, but this default can be changed. See customizing security for more information.


Last edited: Tuesday, May 16, 2023