PostgreSQL security

Namespace access

By default, PostgreSQL can be accessed only from the namespace it was issued. To access PostgreSQL from other namespaces the service must be configured.

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
  name: postgres-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedNamespaces:
        - postgres-prod (1)
      allowAllNamespaces: false (2)
  writeConnectionSecretToRef:
    name: postgres-creds-connection

1	List of namespaces to be allowed to access PostgreSQL
2	Allows access to PostgreSQL from any namespace in the cluster. Supersedes `allowedNamespaces` if true.

Namespace RBAC

On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.

On APPUiO Managed, we don’t have this construct and no RBAC rules are deployed by default.

However, it is possible to specify a list of Groups or Users that should have that limited access to the namespace. This can be done using the two fields allowedGroups and allowedUsers:

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
  name: postgres-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedGroups:  (1)
        - my-dev-engineers
        - my-support-engineers
      allowedUsers:  (2)
        - my-special-user
  writeConnectionSecretToRef:
    name: postgres-creds-connection

1	List of groups to be allowed limited access to the PostgreSQL namespace
2	List of users to be allowed limited access to the PostgreSQL namespace

Network Policies

By default, PostgreSQL is not accessible from outside the cluster. To allow access from outside the cluster, a .spec.parameters.network must be configured, for example:

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNPostgreSQL
metadata:
  name: postgres-app1-prod
  namespace: prod-app
spec:
  parameters:
    network:
      ipFilter: (1)
      - 0.0.0.0/0
      serviceType: LoadBalancer (2)
  writeConnectionSecretToRef:
    name: postgres-creds-connection

1	List of IP addresses to be allowed to access PostgreSQL, defaults to `0.0.0.0/0`
2	Type of service to be created, defaults to `ClusterIP`