KubeDB

Run Production-Grade Databases on Kubernetes

arrow_forward

Stash

Backup and Recovery Solution for Kubernetes

arrow_forward

KubeVault

Run Production-Grade Vault on Kubernetes

arrow_forward

Voyager

Secure HAProxy Ingress Controller for Kubernetes

arrow_forward

ConfigSyncer

Kubernetes Configuration Syncer

arrow_forward

Guard

Kubernetes Authentication WebHook Server

arrow_forward
KubeDB simplifies Provision, Upgrade, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud
- task_altLower administrative burden
- task_altNative Kubernetes Support
- task_altPerformance
- task_altAvailability and durability
- task_altManageability
- task_altCost-effectiveness
- task_altSecurity
A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.
- task_altDeclarative API
- task_altBackup Kubernetes Volumes
- task_altBackup Database
- task_altMultiple Storage Support
- task_altDeduplication
- task_altData Encryption
- task_altVolume Snapshot
- task_altPolicy Based Backup
KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.
- task_altVault Kubernetes Deployment
- task_altAuto Initialization & Unsealing
- task_altVault Backup & Restore
- task_altConsume KubeVault Secrets with CSI
- task_altManage DB Users Privileges
- task_altStorage Backend
- task_altAuthentication Method
- task_altDatabase Secret Engine
Secure HAProxy Ingress Controller for Kubernetes
- task_altHTTP & TCP
- task_altSSL
- task_altPlatform support
- task_altHAProxy
- task_altPrometheus
- task_altLet's Encrypt
Kubernetes Configuration Syncer
- task_altConfiguration Syncer
Kubernetes Authentication WebHook Server
- task_altIdentity Providers
- task_altCLI
- task_altRBAC
RESOURCES

Blog

Docs

Webinars

Learn

Demos
RECENT NEWS/BLOG
See More arrow_forward
Webinar New

You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to KubeDB? Please start here.

RBAC Permissions for Postgres

If RBAC is enabled in clusters, some PostgreSQL specific RBAC permissions are required. These permissions are required for Leader Election process of PostgreSQL clustering.

Here is the list of additional permissions required by StatefulSet of Postgres:

Kubernetes Resource	Resource Names	Permission required
statefulsets	`{postgres-name}`	get
pods		list, patch
pods/exec		create
Postgreses		get
configmaps	`{postgres-name}`	get, update, create

Before You Begin

At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.

Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout this tutorial.

$ kubectl create ns demo
namespace/demo created

Note: YAML files used in this tutorial are stored in docs/examples/postgres folder in GitHub repository kubedb/docs.

Create a PostgreSQL database

Below is the Postgres object created in this tutorial.

apiVersion: kubedb.com/v1alpha2
kind: Postgres
metadata:
  name: quick-postgres
  namespace: demo
spec:
  version: "13.2"
  storageType: Durable
  storage:
    storageClassName: "standard"
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  terminationPolicy: Delete

Create above Postgres object with following command

$ kubectl create -f https://github.com/kubedb/docs/raw/v2022.12.28/docs/examples/postgres/quickstart/quick-postgres.yaml
postgres.kubedb.com/quick-postgres created

When this Postgres object is created, KubeDB operator creates Role, ServiceAccount and RoleBinding with the matching PostgreSQL name and uses that ServiceAccount name in the corresponding StatefulSet.

Let’s see what KubeDB operator has created for additional RBAC permission

Role

KubeDB operator create a Role object quick-postgres in same namespace as Postgres object.

$ kubectl get role -n demo quick-postgres -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-05-31T05:20:19Z"
  labels:
    app.kubernetes.io/component: database
    app.kubernetes.io/instance: quick-postgres
    app.kubernetes.io/managed-by: kubedb.com
    app.kubernetes.io/name: postgreses.kubedb.com
  name: quick-postgres
  namespace: demo
  ownerReferences:
    - apiVersion: kubedb.com/v1alpha2
      blockOwnerDeletion: true
      controller: true
      kind: Postgres
      name: quick-postgres
      uid: c118d264-85b7-4140-bc3f-d459c58c0523
  resourceVersion: "367334"
  uid: e72f25a5-5945-4687-9e8f-8af33c1a6b13
rules:
  - apiGroups:
      - apps
    resourceNames:
      - quick-postgres
    resources:
      - statefulsets
    verbs:
      - get
  - apiGroups:
      - kubedb.com
    resourceNames:
      - quick-postgres
    resources:
      - postgreses
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - policy
    resourceNames:
      - postgres-db
    resources:
      - podsecuritypolicies
    verbs:
      - use

ServiceAccount

KubeDB operator create a ServiceAccount object quick-postgres in same namespace as Postgres object.

$ kubectl get serviceaccount -n demo quick-postgres -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-05-31T05:20:19Z"
  labels:
    app.kubernetes.io/component: database
    app.kubernetes.io/instance: quick-postgres
    app.kubernetes.io/managed-by: kubedb.com
    app.kubernetes.io/name: postgreses.kubedb.com
  name: quick-postgres
  namespace: demo
  ownerReferences:
    - apiVersion: kubedb.com/v1alpha2
      blockOwnerDeletion: true
      controller: true
      kind: Postgres
      name: quick-postgres
      uid: c118d264-85b7-4140-bc3f-d459c58c0523
  resourceVersion: "367333"
  uid: 1a1db587-d5a6-4cfc-aa82-dc960b7e1f28

This ServiceAccount is used in StatefulSet created for Postgres object.

RoleBinding

KubeDB operator create a RoleBinding object quick-postgres in same namespace as Postgres object.

$ kubectl get rolebinding -n demo quick-postgres -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-05-31T05:20:19Z"
  labels:
    app.kubernetes.io/component: database
    app.kubernetes.io/instance: quick-postgres
    app.kubernetes.io/managed-by: kubedb.com
    app.kubernetes.io/name: postgreses.kubedb.com
  name: quick-postgres
  namespace: demo
  ownerReferences:
    - apiVersion: kubedb.com/v1alpha2
      blockOwnerDeletion: true
      controller: true
      kind: Postgres
      name: quick-postgres
      uid: c118d264-85b7-4140-bc3f-d459c58c0523
  resourceVersion: "367335"
  uid: 1fc9f872-8adc-4940-b93d-18f70bec38d5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: quick-postgres
subjects:
  - kind: ServiceAccount
    name: quick-postgres
    namespace: demo

This object binds Role quick-postgres with ServiceAccount quick-postgres.

Cleaning up

To cleanup the Kubernetes resources created by this tutorial, run:

kubectl patch -n demo pg/quick-postgres -p '{"spec":{"terminationPolicy":"WipeOut"}}' --type="merge"
kubectl delete -n demo pg/quick-postgres

kubectl delete ns demo

Improve This Page

KubeDB

Stash

KubeVault

Voyager

ConfigSyncer

Guard

RESOURCES

RECENT NEWS/BLOG

Elasticsearch

MariaDB

Memcached

MongoDB

MySQL

Percona XtraDB

PgBouncer

PostgreSQL

ProxySQL

Redis