Cluster Config:

```yaml
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: nextcloud-db
  namespace: nextcloud
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:15
  bootstrap:
    initdb:
      import:
        type: microservice
        databases:
          - nextcloud
        source:
          externalCluster: nextcloud
  backup:
    barmanObjectStore:
      destinationPath: "s3://nextcloud-db/"
      endpointURL: "http://minio.minio.svc.cluster.local:9000"
      s3Credentials:
        accessKeyId:
          name: bucket
          key: accesskey
        secretAccessKey:
          name: bucket
          key: secretkey
      wal:
        compression: gzip
        #encryption: AES256
      data:
        compression: gzip
        #encryption: AES256
    retentionPolicy: "90d"
  resources:
    requests:
      memory: "64Mi"
      cpu: "50m"
    limits:
      memory: "1Gi"
      cpu: "1"
  storage:
    size: 10Gi
  externalClusters:
    - name: nextcloud
      connectionParameters:
        host: nextcloud-postgresql.nextcloud.svc.cluster.local
        user: nextcloud
        dbname: nextcloud
      password:
        name: nextcloud-postgres
        key: postgresql-password
```

PS: Deleting all NetworkPolicies in the namespace solves the issue and the DB starts as expected.
Hi @Nold360, this is not the DB calling the API; it's the manager inside that needs to communicate the state of the instance to the Kubernetes API, not the database at all. You need to allow communication between the pods and the Kubernetes API in your network policy; that's required and mandatory for the operator to work properly. I'm converting this into a discussion since it's not an issue.
How the network policy will look is related to your own cluster implementation; it's not the same for everyone, but if you're going to deny access to the Kubernetes API, you just need to add an exception to that rule. Regarding the documentation, you should probably look here: https://cloudnative-pg.io/documentation/current/security/#network-policies
I wonder if something like:

```yaml
networkPolicy:
  enabled: true
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
        - port: 443
          protocol: TCP
```

would work for permitting API server access...
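An added example, written for this thread and not taken from the CNPG project or from either participant: one NetworkPolicy for the instance pods of the `nextcloud-db` Cluster that covers what the maintainer's reply asks for (egress to the Kubernetes API) and what the guess above tries to express, plus the other flows the Cluster spec at the top of the thread implies (DNS, the MinIO backup target, the one-off import source) and the ingress the operator itself needs. The pod label `cnpg.io/cluster: <cluster name>` is the one CloudNativePG sets on instance pods and TCP 8000 is the instance manager's status port; the namespace names `cnpg-system` and `minio`, the application pod labels, and the control-plane address and port are placeholders to replace with your own values. The one non-obvious point is the API server rule: the CNI enforces policy after the service ClusterIP (`10.43.0.1`) has been translated to the backend address, so an `ipBlock` for the ClusterIP never matches; allow the address and port reported by `kubectl -n default get endpoints kubernetes` instead.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nextcloud-db-instances
  namespace: nextcloud
spec:
  # Select the Postgres instance pods of the Cluster named nextcloud-db.
  podSelector:
    matchLabels:
      cnpg.io/cluster: nextcloud-db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # The operator polls the instance manager's status endpoint (TCP 8000).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system   # operator namespace (assumed)
      ports:
        - protocol: TCP
          port: 8000
    # The application that actually uses the database.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: nextcloud           # app pod label (assumed)
      ports:
        - protocol: TCP
          port: 5432
  egress:
    # Cluster DNS, needed to resolve every service name used below.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The instance manager reporting state to the Kubernetes API server.
    # Use the API server's endpoint address, not the ClusterIP 10.43.0.1:
    # policy is evaluated after the service address has been rewritten to
    # the backend, so a ClusterIP rule never matches. Real values come from:
    #   kubectl -n default get endpoints kubernetes
    - to:
        - ipBlock:
            cidr: 192.168.1.10/32    # placeholder control-plane IP (assumed)
      ports:
        - protocol: TCP
          port: 6443                 # placeholder API server port (assumed)
    # Base backups and WAL archiving to MinIO (endpointURL in the Cluster spec).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: minio
      ports:
        - protocol: TCP
          port: 9000
    # One-off: the initdb import reads from the old nextcloud-postgresql
    # service in the same namespace; remove this rule once the import is done.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql         # old DB pod label (assumed)
      ports:
        - protocol: TCP
          port: 5432
```

The `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21 and later; on older clusters label the namespaces yourself or use the `name` label the guess above relies on. With `instances` greater than 1, add a rule allowing TCP 5432 between pods carrying the same `cnpg.io/cluster` label so streaming replication works. On Cilium specifically, a CiliumNetworkPolicy egress rule with `toEntities: [kube-apiserver]` replaces the hard-coded `ipBlock` and keeps working when the control-plane address changes.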
Hi,
I'm running my cnpg in a namespace with NetworkPolicies in place. I tried allowing the IP (10.43.0.1:443) and the namespace/port of the kube-apiserver, but nothing helps. Somehow the network connection doesn't even show up in Cilium/Hubble.
Any advice on what I need to allow to make the DB work?
IMHO it's somehow "not cool" that the DB calls the API directly; I thought that's what the operator is for..
Example [non-working] NetPol: