
How can I configure pg_hba.conf in a Kubernetes deployment when the IP address of client pods is not known?


Suppose I have two backends be1, be2 deployed in pods that use a postgres server in a pod, and I want to use pg_hba.conf to constrain access for better security, like:

    hostssl db1  db1user    be1-headless.default.svc.cluster.local  md5
    hostssl db2  db2user    be2-headless.default.svc.cluster.local  md5

I created headless services as well as ClusterIP services for the backends, since a headless service has the IP of the pod, which is where the connection will come FROM. Postgres reverse-resolves the IP address of a connection and compares the result to the entries in pg_hba.conf. Unfortunately, while be1-headless.default.svc.cluster.local resolves to (say) 10.0.0.3, the correct IP address where be1 runs, 10.0.0.3 reverse-resolves to 10-0-0-3.be1-headless.default.svc.cluster.local, which doesn't match the pg_hba.conf entry.

Is there any way for a pod's IP address to be reverse-resolvable to a DNS name that can be known in advance? Another service we are using has a similar way of allowing connections (by IP or hostname filters).


I made a simple set of three resources to demonstrate this, sample-pod.yaml:

    apiVersion: v1
    kind: Pod
    metadata: { name: echo, labels: { unique: "xxxx" } }
    spec:
      containers:
        - name: echo
          image: alpine:3.16
          command: ["sleep", "100000"]
    ---
    apiVersion: v1
    kind: Service
    metadata: { name: echo-service }
    spec:
      selector: { unique: "xxxx" }
      ports: [{ protocol: TCP, port: 8080 }]
    ---
    apiVersion: v1
    kind: Service
    metadata: { name: echo-headless }
    spec:
      clusterIP: None
      selector: { unique: "xxxx" }
          ports: [{ protocol: TCP, port: 8080 }]

    $ kubectl create ns myns
    namespace/myns created

    $ kubectl apply -n myns -f sample-pod.yaml
    pod/echo created
    service/echo-service created
    service/echo-headless created
    $ kubectl exec -it -n myns pods/echo -- ash
    / # nslookup echo-headless.myns.svc.cluster.local | tail -3
    Name:   echo-headless.myns.svc.cluster.local
    Address: 10.1.1.240

    / # nslookup 10.1.1.240 | tail -3
    240.1.1.10.in-addr.arpa name = 10-1-1-240.echo-headless.myns.svc.cluster.local
    240.1.1.10.in-addr.arpa name = 10-1-1-240.echo-service.myns.svc.cluster.local

    / # hostname -i
    10.1.1.240

The lookup and reverse resolution for the "echo-service" ClusterIP service work, but that IP address is a virtual endpoint for connections TO "echo-service", not the address connections would come from.

I'm currently mounting the predefined pg_hba.conf as a ConfigMap. This example uses Kubernetes 1.25 on Docker Desktop on a Mac. I thought a headless service would work since the docs say it is bound directly to the IP address of the pod.
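Added illustration, not part of the original question: PostgreSQL's documented rule for a host name in pg_hba.conf is to reverse-resolve the client IP, compare the result case-insensitively (an entry that begins with a dot matches as a suffix of the resolved name), then forward-resolve that name and accept only if the client IP is among its addresses. The Python below simulates that rule against the nslookup output shown above. The DNS tables are constructed stand-ins for cluster DNS; the 10.1.1.99 address, the HBA_EXACT/HBA_SUFFIX strings and all function names are this example's own, and db/user matching is simplified to "all" or a single name.

```python
"""Simulate PostgreSQL's pg_hba.conf host-name matching against a client IP.

Illustration written for this page; it is not PostgreSQL code.
"""
import ipaddress

# Constructed stand-in for cluster DNS. The 10.1.1.240 entries mirror the
# nslookup output in the question; 10.1.1.99 is an assumed rogue client whose
# PTR record claims the trusted name but whose forward lookup does not agree.
REVERSE_DNS = {
    "10.1.1.240": "10-1-1-240.echo-headless.myns.svc.cluster.local",
    "10.1.1.99": "10-1-1-240.echo-headless.myns.svc.cluster.local",
}
FORWARD_DNS = {
    "10-1-1-240.echo-headless.myns.svc.cluster.local": {"10.1.1.240"},
    "echo-headless.myns.svc.cluster.local": {"10.1.1.240"},
}

# The kind of entry used in the question: an exact service name, which a pod's
# reverse name (prefixed with the dashed pod IP) never equals.
HBA_EXACT = """
hostssl db1 db1user echo-headless.myns.svc.cluster.local md5
"""
# A leading dot makes PostgreSQL treat the entry as a suffix of the resolved name.
HBA_SUFFIX = """
hostssl db1 db1user .echo-headless.myns.svc.cluster.local md5
"""


def is_ip_or_cidr(field):
    """True for address fields such as 10.1.1.0/24 or ::1, False for host names."""
    try:
        ipaddress.ip_network(field, strict=False)
        return True
    except ValueError:
        return False


def hostname_matches(entry_host, client_ip, reverse=REVERSE_DNS, forward=FORWARD_DNS):
    """Reverse-resolve the client IP, compare case-insensitively (suffix match when
    the entry starts with '.'), then forward-resolve the name and require the
    client IP to be one of its addresses."""
    name = reverse.get(client_ip)
    if name is None:
        return False
    name, entry_host = name.lower(), entry_host.lower()
    if entry_host.startswith("."):
        if not name.endswith(entry_host):
            return False
    elif name != entry_host:
        return False
    return client_ip in forward.get(name, set())


def parse_hba(text):
    """Yield the five standard fields of each non-comment pg_hba.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        yield dict(zip(("type", "db", "user", "address", "method"), fields))


def auth_method(hba_text, client_ip, db, user, reverse=REVERSE_DNS, forward=FORWARD_DNS):
    """Return the method of the first matching line, or None when nothing matches.
    Simplified: only 'host'/'hostssl' types; db/user are 'all' or a single name."""
    client = ipaddress.ip_address(client_ip)
    for e in parse_hba(hba_text):
        if e["type"] not in ("host", "hostssl"):
            continue
        if e["db"] not in ("all", db) or e["user"] not in ("all", user):
            continue
        if is_ip_or_cidr(e["address"]):
            if client not in ipaddress.ip_network(e["address"], strict=False):
                continue
        elif not hostname_matches(e["address"], client_ip, reverse, forward):
            continue
        return e["method"]
    return None


if __name__ == "__main__":
    for label, hba in (("exact", HBA_EXACT), ("suffix", HBA_SUFFIX)):
        for ip in ("10.1.1.240", "10.1.1.99"):
            print(label, ip, auth_method(hba, ip, "db1", "db1user"))
```

Two points the simulation makes visible: the exact entry never matches a pod, while the dotted suffix entry matches the generated 10-1-1-240.echo-headless name, and the forward-resolution step rejects a client whose PTR record alone claims that name. The match is still only as trustworthy as cluster DNS and the service's selector (any pod the selector picks up gets a record under that service name), so a hostname line in pg_hba.conf is an additional filter, not a replacement for a NetworkPolicy or client-certificate authentication.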


