PostgreSQL
Otterize is able to create just-in-time username-and-password pairs for your service, providing them as a Kubernetes Secret that can be mounted to file or mapped to environment variables, as well as GRANTing access to databases and tables, based on ClientIntents (Intent-Based Access Control) declarations.
In addition, Otterize can map the access to your PostgreSQL database, showing you which service is accessing which database, table and which operation it's performing. This can be used to automatically generate the ClientIntents declarations.
Tutorials
To learn how to use the Intents Operator and Credentials Operator to enforce access using PostgreSQL GRANTs, or map access to your PostgreSQL database, try one of these quickstart tutorials.
How does Otterize work with PostgreSQL?
The Otterize credentials operator will create a unique PostgreSQL username-password combination for each service's use, exposed via a Kubernetes Secret. The service will use these credentials to connect to the database. ClientIntents will define the access required by that service. As the intents are applied, The Otterize intents operator will keep the database's list of users and GRANTs up to date so that the service is able to access it.
- To get started, your cluster must have Otterize deployed.
- You'll need to create a
PostgreSQLServerConfigin your cluster, providing a connection URL and admin-level credentials for Otterize to manage permissions in your database. Below is an examplePostgreSQLServerConfigresource.
apiVersion: k8s.otterize.com/v1alpha3
kind: PostgreSQLServerConfig
metadata:
name: postgres-tutorial-db # database instance name - should match the target in ClientIntents
namespace: otterize-tutorial-postgres
spec:
address: <PGHOST:PGPORT> # Your Postgres address
credentials:
# Username Otterize will connect with & configure permissions as; optional, can be omitted if using a secretRef
username: <PGUSER>
# Password for the above username; optional, can be omitted if using a secretRef
password: <PGPASSWORD>
# Secret containing the database credentials; optional, can be omitted if using the above username & password fields
secretRef:
# Name of the secret containing the database credentials; required
name: postgres-credentials
# Namespace where the secret is stored; optional, defaults to the namespace of the PostgreSQLServerConfig
namespace: otterize-tutorial-postgres
# Key in the secret containing the username; optional, defaults to 'username'
usernameKey: username
# Key in the secret containing the password; optional, defaults to 'password'
passwordKey: password
- Each service can request a username-password Secret to be created, by annotating the Pod with
credentials-operator.otterize.com/user-password-secret-name. Below is an example of that annotation and passing the generated credentials into a container with environmental variables.
apiVersion: apps/v1
kind: Deployment
metadata:
name: server
spec:
replicas: 1
selector:
matchLabels:
app: server
template:
metadata:
annotations:
credentials-operator.otterize.com/user-password-secret-name: server-creds
labels:
app: server
spec:
serviceAccountName: server
containers:
- name: server
imagePullPolicy: Always
image: 'supercool/my-example-container'
ports:
- containerPort: 80
env:
- name: DB_SERVER_USER
valueFrom:
secretKeyRef:
name: server-creds
key: username
- name: DB_SERVER_PASSWORD
valueFrom:
secretKeyRef:
name: server-creds
key: password
- Apply
ClientIntentsand the specified access will beGRANTed to the service in theClientIntents.
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
name: client-intents-for-server
namespace: otterize-tutorial-postgres
spec:
service:
name: server
calls:
- name: postgres-tutorial-db # Same name as our PostgreSQLServerConfig metadata.name
type: database
databaseResources:
- databaseName: otterize-tutorial
table: public.example
operations:
- SELECT
- INSERT
- Done!