Skip to main content

PostgreSQL

Otterize is able to create just-in-time username-and-password pairs for your service, providing them as a Kubernetes Secret that can be mounted to file or mapped to environment variables, as well as GRANTing access to databases and tables, based on ClientIntents (Intents-Based Access Control) declarations. In addition, Otterize can map the access to your PostgreSQL database, showing you which service is accessing which database, table and which operation it's performing. This can be used to automatically generate the ClientIntents declarations.

Unlike other access controls in Otterize, PostgreSQL support is exclusively available when using Otterize Cloud.

Tutorials

To learn how to use the Intents Operator and Credentials Operator to enforce access using PostgreSQL GRANTs, or map access to your PostgreSQL database, try one of these quickstart tutorials.

Just-in-time PostgreSQL Access
Learn how to manage just-in-time users and SQL GRANTs
Map PostgreSQL access
Learn how to use PostgreSQL audit logs to map access to your database

How does Otterize work with PostgreSQL?

Otterize Cloud will create a unique PostgreSQL username-password combination for each service's use, exposed via a Kubernetes Secret. The service will use these credentials to connect to the database. ClientIntents will define the access required by that service. As the intents are applied, Otterize Cloud will keep the database's list of users and GRANTs up to date so that the service is able to access it.

  1. To get started, your cluster must have Otterize Cloud installed.
  2. You’ll need to integrate your database by providing a connection URL and admin-level credentials to manage permissions in your database.
  3. Each service can request a username-password Secret to be created, by annotating the Pod with credentials-operator.otterize.com/user-password-secret-name. Below is an example of that annotation and passing the generated credentials into a container with environmental variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: server
  template:
    metadata:
      annotations:
        credentials-operator.otterize.com/user-password-secret-name: server-creds
      labels:
        app: server
    spec:
      serviceAccountName: server
      containers:
        - name: server
          imagePullPolicy: Always
          image: 'supercool/my-example-container'
          ports:
            - containerPort: 80
          env:
            - name: DB_SERVER_USER
              valueFrom:
                secretKeyRef:
                  name: server-creds
                  key: username
            - name: DB_SERVER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: server-creds
                  key: password
  1. Apply ClientIntents and the specified access will be GRANTed to the service in the ClientIntents.
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client-intents-for-server
  namespace: otterize-tutorial-postgres
spec:
  service:
    name: server
  calls:
    - name: otterize-tutorial-postgres # Same name as our integration
      type: database
      databaseResources:
        - databaseName: otterize-tutorial
          table: public.example
          operations:
            - SELECT
            - INSERT
  1. Done!