1) You may have users outside a firewall that need access to an exposed port.
2) You may have several namespaces or federated services connecting to it.
3) You may not have the luxury of using the latest cloud-native postgres images (which people may be working on) that handle (1) and (2) for you.
And now... for the ugliest hack ever
`kubectl exec` or `docker exec` with `-t -i` into your postgres container, then open the HBA file:
`vi /var/lib/postgresql/data/pg_hba.conf`
After opening your pg_hba.conf file, you can add an accept rule for the kubernetes cluster's IP range like so:
`hostssl all all 192.168.0.0/16 cert clientcert=1`
`# su postgres`
`$ /usr/local/bin/pg_ctl reload`
The above snippet shows how to modify postgres access rules so a typical /16 subnet for a kubernetes cluster can connect over TLS using a client certificate.
If your namespace is well locked down (e.g. openshift) then you might be able to just get away with completely insecure postgres, and use "trust" instead of "cert clientcert=1".
But don't tell anyone I told you that.
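Before reloading, it is worth checking what a pg_hba.conf actually does, since rules are first-match-wins and a `hostssl` rule never matches a non-TLS connection. The following is an added example, not code from the original post: a small Python checker that parses a constructed sample file (the cluster /16 cert rule plus a trailing "trust" rule), resolves which rule a client would hit, and flags trust or non-TLS rules that reach beyond loopback. It assumes the CIDR and `all` address forms only, and treats DATABASE/USER as `all`.

```python
import ipaddress

# Constructed sample pg_hba.conf: the post's /16 cert rule plus a trailing "trust" rule.
SAMPLE_PG_HBA = """\
local   all  all                   peer
host    all  all  127.0.0.1/32     scram-sha-256
hostssl all  all  192.168.0.0/16   cert clientcert=1
host    all  all  0.0.0.0/0        trust
"""

def parse_pg_hba(text):
    # Comments/blank lines dropped; only CIDR and 'all' ADDRESS forms are handled.
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":            # local rules have no ADDRESS column
            fields = fields[:3] + [""] + fields[3:]
        keys = ("type", "database", "user", "address", "method")
        rules.append(dict(zip(keys, fields[:5]), options=" ".join(fields[5:])))
    return rules

def _contains(address, ip):
    # 'all' matches any client; ip_network handles both CIDR and bare addresses
    return address == "all" or ip in ipaddress.ip_network(address, strict=False)

def first_match(text, client_ip, ssl=True):
    # pg_hba.conf is first-match-wins; DATABASE/USER assumed 'all' (simplification).
    ip = ipaddress.ip_address(client_ip)
    for r in parse_pg_hba(text):
        if r["type"] == "local" or (r["type"] == "hostssl" and not ssl) \
                or (r["type"] == "hostnossl" and ssl):
            continue
        if _contains(r["address"], ip):
            return r
    return None

def audit(text):
    # Flag rules that skip authentication or permit plaintext beyond loopback.
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local" or (r["address"] != "all" and
                ipaddress.ip_network(r["address"], strict=False).network_address.is_loopback):
            continue
        if r["method"] == "trust":
            findings.append(f"trust (no authentication) for {r['address']}")
        if r["type"] == "host" and r["method"] != "reject":
            findings.append(f"non-TLS connections permitted from {r['address']}")
    return findings
```

Note that with the sample file a pod at 192.168.4.7 gets the `cert` rule only when it connects with TLS; without TLS it falls through to the trailing `trust` rule, which `audit()` also reports.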