正如标题所说,我正在设置一个 POSTGRES_PASSWORD
在使用 Skaffold 启动集群后(--port-forward
开启,以便我可以使用 pgAdmin 访问数据库),我可以访问数据库
有或没有正确的密码。 POSTGRES_DB
和 POSTGRES_USER
按预期工作。
我在 Docker Hub for Postgres 的文档中看到:
Note 1: The PostgreSQL image sets up
trust
authentication locally so you may notice a password is not required when connecting fromlocalhost
(inside the same container). However, a password will be required if connecting from a different host/container.
我认为
--port-forward
可能是罪魁祸首,因为它注册为 localhost
.无论如何要防止这种行为?
我想担心的是有人可以访问我的笔记本电脑并且可以轻松连接到数据库。
这是我的
postgres.yaml
:apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-deployment
spec:
replicas: 1
selector:
matchLabels:
component: postgres
template:
metadata:
labels:
component: postgres
spec:
containers:
- name: postgres
image:testproject/postgres
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: dev
- name: POSTGRES_USER
value: dev
- name: POSTGRES_PASSWORD
value: qwerty
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql/data
subPath: postgres
volumes:
- name: postgres-storage
persistentVolumeClaim:
claimName: postgres-storage
---
apiVersion: v1
kind: Service
metadata:
name: postgres-cluster-ip-service
spec:
type: ClusterIP
selector:
component: postgres
ports:
- port: 5432
targetPort: 5432
和
skaffold.yaml
:apiVersion: skaffold/v1beta15
kind: Config
build:
local:
push: false
artifacts:
- image: testproject/postgres
docker:
dockerfile: ./db/Dockerfile.dev
sync:
manual:
- src: "***/*.sql"
dest: .
- image: testproject/server
docker:
dockerfile: ./server/Dockerfile.dev
sync:
manual:
- src: "***/*.py"
dest: .
deploy:
kubectl:
manifests:
- k8s/ingress.yaml
- k8s/postgres.yaml
- k8s/server.yaml
Dockerfile.dev
也:FROM postgres:11-alpine
EXPOSE 5432
COPY ./db/*.sql /docker-entrypoint-initdb.d/
最佳答案
好的,重读 postgres
Docker docs并遇到了这个:
POSTGRES_INITDB_ARGS
This optional environment variable can be used to send arguments to
postgres initdb
. The value is a space separated string of arguments aspostgres initdb
would expect them. This is useful for adding functionality like data page checksums:-e POSTGRES_INITDB_ARGS="--data-checksums".
这把我带到了
initdb
docs :--auth=authmethod
This option specifies the authentication method for local users used in pg_hba.conf (host and local lines). Do not use trust unless you trust all local users on your system. trust is the default for ease of installation.
这把我带到了 Authentication Methods文档:
19.3.2. Password Authentication
The password-based authentication methods are
md5
andpassword
. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.If you are at all concerned about password "sniffing" attacks then
md5
is preferred. Plainpassword
should always be avoided if possible. However,md5
cannot be used with thedb_user_namespace
feature. If the connection is protected by SSL encryption then password can be used safely (though SSL certificate authentication might be a better choice if one is depending on using SSL).PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the
pg_authid
system catalog. Passwords can be managed with the SQL commandsCREATE USER
andALTER ROLE
, e.g.,CREATE USER foo WITH PASSWORD 'secret'
. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user.
长话短说,我只是这样做了,现在只需要实际密码:
env:
...
- name: POSTGRES_INITDB_ARGS
value: "-A md5"
关于postgresql - POSTGRES_PASSWORD 被忽略并且可以在不使用或使用任何密码的情况下访问数据库,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59204896/