Fine-grained network policies to access StackGres Cluster services
Problem to solve
Configure network policies to access StackGres cluster services
Further details
Usually a pg_hba.conf
file is used to configure from where a connection is allowed. With Kubernetes this is handled by network policies, which express from where a connection is allowed using plain IP blocks or namespace and Pod selectors.
Proposal
Update the StackGresCluster CRD
adding the following structure:
```yaml
spec:
  ...
  accessNetworkPolicies:
    # array of NetworkPolicyPeer taken from https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#networkpolicypeer-v1-networking-k8s-io
    - ipBlock: # can not be set if any of namespaceSelector or podSelector are set
        cidr: <string>
        except: [ <string>, ... ]
      namespaceSelector:
        matchExpressions:
          - key: <string>
            operator: <string>
            values: [ <string>, ... ]
        matchLabels: <object>
      podSelector:
        matchExpressions:
          - key: <string>
            operator: <string>
            values: [ <string>, ... ]
        matchLabels: <object>
    - ...
```
The accessNetworkPolicies
field will be enforced by a NetworkPolicy (see also #305) and specifies which hosts have access to the cluster.
Edited by Alvaro Hernandez