Security

Kubernetes RBAC

Install the requisite Operator RBAC resources, as a Kubernetes cluster admin user, by running a Makefile target:

make installrbac

This script creates the following RBAC resources on your Kubernetes cluster:

Setting Definition
Custom Resource Definitions pgbackups
pgclusters
pgpolicies
pgreplicas
pgtasks
pgupgrades
Cluster Roles pgopclusterrole
pgopclusterrolecrd
scheduler-sa
Cluster Role Bindings pgopclusterbinding
pgopclusterbindingcrd
scheduler-sa
Service Account scheduler-sa
postgres-operator
pgo-backrest
scheduler-sa
Roles pgo-role
pgo-backrest-role
Role Bindings pgo-backrest-role-binding

Operator RBAC

The conf/postgresql-operator/pgorole file is read at start up time when the operator is deployed to the Kubernetes cluster. This file defines the Operator roles whereby Operator API users can be authorized.

The conf/postgresql-operator/pgouser file is read at start up time also and contains username, password, and role information as follows:

username:password:pgoadmin
testuser:testpass:pgoadmin
readonlyuser:testpass:pgoreader

A user creates a .pgouser file in their $HOME directory to identify themselves to the Operator. An entry in .pgouser will need to match entries in the conf/postgresql-operator/pgouser file. A sample .pgouser file contains the following:

username:password

The users pgouser file can also be located at: /etc/pgo/pgouser or it can be found at a path specified by the PGOUSER environment variable.

The following list shows the current complete list of possible pgo permissions:

Permission Description
ApplyPolicy allow pgo apply
CreateBackup allow pgo backup
CreateCluster allow pgo create cluster
CreateFailover allow pgo failover
CreatePgbouncer allow pgo create pgbouncer
CreatePgpool allow pgo create pgpool
CreatePolicy allow pgo create policy
CreateSchedule allow pgo create schedule
CreateUpgrade allow pgo upgrade
CreateUser allow pgo create user
DeleteBackup allow pgo delete backup
DeleteCluster allow pgo delete cluster
DeletePgbouncer allow pgo delete pgbouncer
DeletePgpool allow pgo delete pgpool
DeletePolicy allow pgo delete policy
DeleteSchedule allow pgo delete schedule
DeleteUpgrade allow pgo delete upgrade
DeleteUser allow pgo delete user
DfCluster allow pgo df
Label allow pgo label
Load allow pgo load
Reload allow pgo reload
Restore allow pgo restore
ShowBackup allow pgo show backup
ShowCluster allow pgo show cluster
ShowConfig allow pgo show config
ShowPolicy allow pgo show policy
ShowPVC allow pgo show pvc
ShowSchedule allow pgo show schedule
ShowUpgrade allow pgo show upgrade
ShowWorkflow allow pgo show workflow
Status allow pgo status
TestCluster allow pgo test
UpdateCluster allow pgo update cluster
User allow pgo user
Version allow pgo version

If the user is unauthorized for a pgo command, the user will get back this response:

FATA[0000] Authentication Failed: 40

Making Security Changes

The Operator today requires you to make Operator security changes in the pgouser and pgorole files, and for those changes to take effect you are required to re-deploy the Operator:

make deployoperator

This will recreate the pgo-auth-secret Secret that stores these files and is mounted by the Operator during its initialization.

API Security

The Operator REST API is secured with keys stored in the pgo-auth-secret Secret. Adjust the default keys to meet your security requirements using your own keys. The pgo-auth-secret Secret is created when you run:

make deployoperator

The keys are generated when the RBAC script is executed by the cluster admin:

make installrbac