PostgreSQL security
Namespace access
By default, PostgreSQL can be accessed only from the namespace it was issued. To access PostgreSQL from other namespaces the service must be configured.
apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
name: postgres-app1-prod
namespace: prod-app
spec:
parameters:
security:
allowedNamespaces:
- postgres-prod (1)
allowAllNamespaces: false (2)
writeConnectionSecretToRef:
name: postgres-creds-connection
1 | List of namespaces to be allowed to access PostgreSQL |
2 | Allows access to PostgreSQL from any namespace in the cluster. Supersedes allowedNamespaces if true. |
Namespace RBAC
On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.
On APPUiO Managed, we don’t have this construct and no RBAC rules are deployed by default.
However, it is possible to specify a list of Groups
or Users
that should have that limited access to the namespace.
This can be done using the two fields allowedGroups
and allowedUsers
:
apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
name: postgres-app1-prod
namespace: prod-app
spec:
parameters:
security:
allowedGroups: (1)
- my-dev-engineers
- my-support-engineers
allowedUsers: (2)
- my-special-user
writeConnectionSecretToRef:
name: postgres-creds-connection
1 | List of groups to be allowed limited access to the PostgreSQL namespace |
2 | List of users to be allowed limited access to the PostgreSQL namespace |
Network Policies
By default, PostgreSQL is not accessible from outside the cluster. To allow access from outside the cluster, a .spec.parameters.network must be configured, for example:
apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
name: postgres-app1-prod
namespace: prod-app
spec:
parameters:
network:
ipFilter: (1)
- 0.0.0.0/0
serviceType: LoadBalancer (2)
writeConnectionSecretToRef:
name: postgres-creds-connection
1 | List of IP addresses to be allowed to access PostgreSQL, defaults to 0.0.0.0/0 |
2 | Type of service to be created, defaults to ClusterIP |