POSTGRES_PASSWORD 被忽略并且可以在没有或使用任何密码的情况下访问数据库
POSTGRES_PASSWORD ignored and can access DB without or with any password
正如标题所说,我正在设置一个 POSTGRES_PASSWORD 并在使用 Skaffold 启动集群后(--port-forward 以便我可以使用 pgAdmin 访问数据库),我可以访问数据库
有或没有正确的密码。 POSTGRES_DB 和 POSTGRES_USER 按预期工作。
我在 Docker Hub for Postgres 的文档中看到:
Note 1: The PostgreSQL image sets up trust authentication locally so you may notice a password is not required when connecting from localhost (inside the same container). However, a password will be required if connecting from a different host/container.
我认为 --port-forward 可能是罪魁祸首,因为它注册为 localhost。
如何防止这种行为?
我想我担心的是有人可以访问我的笔记本电脑并且可以轻松连接到数据库。
这是我的 postgres.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-deployment
spec:
replicas: 1
selector:
matchLabels:
component: postgres
template:
metadata:
labels:
component: postgres
spec:
containers:
- name: postgres
image:testproject/postgres
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: dev
- name: POSTGRES_USER
value: dev
- name: POSTGRES_PASSWORD
value: qwerty
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql/data
subPath: postgres
volumes:
- name: postgres-storage
persistentVolumeClaim:
claimName: postgres-storage
---
apiVersion: v1
kind: Service
metadata:
name: postgres-cluster-ip-service
spec:
type: ClusterIP
selector:
component: postgres
ports:
- port: 5432
targetPort: 5432
和 skaffold.yaml:
apiVersion: skaffold/v1beta15
kind: Config
build:
local:
push: false
artifacts:
- image: testproject/postgres
docker:
dockerfile: ./db/Dockerfile.dev
sync:
manual:
- src: "***/*.sql"
dest: .
- image: testproject/server
docker:
dockerfile: ./server/Dockerfile.dev
sync:
manual:
- src: "***/*.py"
dest: .
deploy:
kubectl:
manifests:
- k8s/ingress.yaml
- k8s/postgres.yaml
- k8s/server.yaml
Dockerfile.dev也是:
FROM postgres:11-alpine
EXPOSE 5432
COPY ./db/*.sql /docker-entrypoint-initdb.d/
好的,重新阅读 postgres Docker docs 并发现了这个:
POSTGRES_INITDB_ARGS
This optional environment variable can be used to send arguments to postgres initdb. The value is a space separated string of arguments as postgres initdb would expect them. This is useful for adding functionality like data page checksums: -e POSTGRES_INITDB_ARGS="--data-checksums".
这把我带到了 initdb docs:
--auth=authmethod
This option specifies the authentication method for local users used in pg_hba.conf (host and local lines). Do not use trust unless you trust all local users on your system. trust is the default for ease of installation.
这让我看到了 Authentication Methods 文档:
19.3.2. Password Authentication
The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.
If you are at all concerned about password "sniffing" attacks then md5 is preferred. Plain password should always be avoided if possible. However, md5 cannot be used with the db_user_namespace feature. If the connection is protected by SSL encryption then password can be used safely (though SSL certificate authentication might be a better choice if one is depending on using SSL).
PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER ROLE, e.g., CREATE USER foo WITH PASSWORD 'secret'. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user.
长话短说,我刚刚做了这个,现在只需要实际密码:
env:
...
- name: POSTGRES_INITDB_ARGS
value: "-A md5"
正如标题所说,我正在设置一个 POSTGRES_PASSWORD 并在使用 Skaffold 启动集群后(--port-forward 以便我可以使用 pgAdmin 访问数据库),我可以访问数据库
有或没有正确的密码。 POSTGRES_DB 和 POSTGRES_USER 按预期工作。
我在 Docker Hub for Postgres 的文档中看到:
Note 1: The PostgreSQL image sets up
trustauthentication locally so you may notice a password is not required when connecting fromlocalhost(inside the same container). However, a password will be required if connecting from a different host/container.
我认为 --port-forward 可能是罪魁祸首,因为它注册为 localhost。
如何防止这种行为?
我想我担心的是有人可以访问我的笔记本电脑并且可以轻松连接到数据库。
这是我的 postgres.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-deployment
spec:
replicas: 1
selector:
matchLabels:
component: postgres
template:
metadata:
labels:
component: postgres
spec:
containers:
- name: postgres
image:testproject/postgres
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: dev
- name: POSTGRES_USER
value: dev
- name: POSTGRES_PASSWORD
value: qwerty
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql/data
subPath: postgres
volumes:
- name: postgres-storage
persistentVolumeClaim:
claimName: postgres-storage
---
apiVersion: v1
kind: Service
metadata:
name: postgres-cluster-ip-service
spec:
type: ClusterIP
selector:
component: postgres
ports:
- port: 5432
targetPort: 5432
和 skaffold.yaml:
apiVersion: skaffold/v1beta15
kind: Config
build:
local:
push: false
artifacts:
- image: testproject/postgres
docker:
dockerfile: ./db/Dockerfile.dev
sync:
manual:
- src: "***/*.sql"
dest: .
- image: testproject/server
docker:
dockerfile: ./server/Dockerfile.dev
sync:
manual:
- src: "***/*.py"
dest: .
deploy:
kubectl:
manifests:
- k8s/ingress.yaml
- k8s/postgres.yaml
- k8s/server.yaml
Dockerfile.dev也是:
FROM postgres:11-alpine
EXPOSE 5432
COPY ./db/*.sql /docker-entrypoint-initdb.d/
好的,重新阅读 postgres Docker docs 并发现了这个:
POSTGRES_INITDB_ARGS
This optional environment variable can be used to send arguments to
postgres initdb. The value is a space separated string of arguments aspostgres initdbwould expect them. This is useful for adding functionality like data page checksums:-e POSTGRES_INITDB_ARGS="--data-checksums".
这把我带到了 initdb docs:
--auth=authmethod
This option specifies the authentication method for local users used in pg_hba.conf (host and local lines). Do not use trust unless you trust all local users on your system. trust is the default for ease of installation.
这让我看到了 Authentication Methods 文档:
19.3.2. Password Authentication
The password-based authentication methods are
md5andpassword. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.If you are at all concerned about password "sniffing" attacks then
md5is preferred. Plainpasswordshould always be avoided if possible. However,md5cannot be used with thedb_user_namespacefeature. If the connection is protected by SSL encryption then password can be used safely (though SSL certificate authentication might be a better choice if one is depending on using SSL).PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the
pg_authidsystem catalog. Passwords can be managed with the SQL commandsCREATE USERandALTER ROLE, e.g.,CREATE USER foo WITH PASSWORD 'secret'. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user.
长话短说,我刚刚做了这个,现在只需要实际密码:
env:
...
- name: POSTGRES_INITDB_ARGS
value: "-A md5"