New probe types
postgres — SQL assertions
Run a single SQL statement against a PostgreSQL database and validate the result with CEL. Defaults to a read-only transaction that rolls back, so probes have no side-effects.
```yaml
- name: database-responds
  type: postgres
  dsn: "{{ database.DATABASE_URL }}"
  query: "select count(*) as n from orders where status = 'pending'"
  validate:
    pattern: "data.success == true && data.rows[0].n >= 0"
```
postgres-grants — effective privilege checks
Verify that your database access controls are actually enforced. Uses PostgreSQL's has_*_privilege family of functions so role membership, PUBLIC grants, and inheritance are all accounted for — not just raw ACL arrays.
```yaml
- name: billing-schema-is-team-only
  type: postgres-grants
  dsn: "{{ database.DATABASE_URL }}"
  rules:
    - name: non-billing-roles-cannot-use-billing
      mode: deny
      roles:
        login: true
        exclude-member-of: [team_billing]
      objects:
        type: schema
        names: [billing]
      privileges: [USAGE, CREATE]
```
Both probe types are supported via NetworkAssertion in Kubernetes and via the netcheck CLI. A single SQL probe can be run ad hoc with the netcheck postgres command; grant checks are config/NetworkAssertion-only (multi-rule by nature).
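To see what the deny rule above actually evaluates, here is the equivalent check written directly in SQL. This is an added example, not netcheck's own implementation; the schema and role names (billing, team_billing) are taken from the rule above, and the comparison against the raw ACL column is included only to show why the has_*_privilege functions are the right primitive:

```sql
-- Added example (not netcheck code): the deny rule as a query.
-- Lists every login role that is NOT a member of team_billing yet holds
-- USAGE or CREATE on schema billing. The rule passes when this returns no rows.
-- Note: superusers always satisfy has_schema_privilege(), so a superuser
-- outside team_billing will be reported here; that is a finding, not a bug.
SELECT r.rolname,
       has_schema_privilege(r.oid, 'billing', 'USAGE')  AS can_usage,
       has_schema_privilege(r.oid, 'billing', 'CREATE') AS can_create
FROM   pg_roles r
WHERE  r.rolcanlogin
  AND  NOT pg_has_role(r.oid, 'team_billing', 'MEMBER')
  AND  ( has_schema_privilege(r.oid, 'billing', 'USAGE')
      OR has_schema_privilege(r.oid, 'billing', 'CREATE') )
ORDER BY r.rolname;

-- Contrast: the raw ACL array only shows explicit grants on the schema.
-- A role that inherits USAGE through group membership, or through a
-- GRANT ... TO PUBLIC, never appears here, which is exactly what the
-- has_*_privilege-based check above accounts for.
SELECT nspname, nspacl
FROM   pg_namespace
WHERE  nspname = 'billing';
```

Running the first query with and without a `GRANT USAGE ON SCHEMA billing TO PUBLIC` in place is a quick way to convince yourself that PUBLIC grants are caught: every login role outside team_billing shows up after the grant, while nspacl only gains a single `=U/owner` entry.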
Security note
DSNs are redacted from probe output by default. The PostgreSQL probe docs include a least-privilege setup guide; in particular, avoid superuser DSNs (and membership in pg_execute_server_program): COPY ... TO PROGRAM can execute shell commands on the database server even inside a read-only transaction, because the transaction's read-only mode only restricts writes to the database, not what the server process runs.
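A minimal probe role that follows the note above, as an added example rather than the guide's own text. The role, database, and table names (netcheck_probe, appdb, orders) are placeholders chosen for illustration; substitute your own and inject the password from a secret:

```sql
-- Added example (not from the netcheck docs): a least-privilege role for probe DSNs.
-- No SUPERUSER, no CREATEDB/CREATEROLE, and NOINHERIT so it cannot pick up
-- privileges through accidental group membership.
CREATE ROLE netcheck_probe LOGIN
  PASSWORD 'replace-with-a-generated-secret'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
  CONNECTION LIMIT 5;

-- Never grant these: either one re-enables COPY ... TO PROGRAM / server file access.
-- REVOKE is shown so the statement is safe to re-run on an existing role.
REVOKE pg_execute_server_program, pg_read_server_files, pg_write_server_files
  FROM netcheck_probe;

-- Exactly what the SQL probe above needs: connect, see the schema, read one table.
GRANT CONNECT ON DATABASE appdb TO netcheck_probe;
GRANT USAGE   ON SCHEMA public  TO netcheck_probe;
GRANT SELECT  ON orders         TO netcheck_probe;

-- Defense in depth: default to read-only and bound runaway probe queries.
-- These are session defaults, not hard limits; a client can SET them back,
-- which is why the lack of write grants above is the real control.
ALTER ROLE netcheck_probe SET default_transaction_read_only = on;
ALTER ROLE netcheck_probe SET statement_timeout = '5s';

-- Sanity check from a session as the new role: both must be false.
SELECT rolsuper, pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER')
FROM   pg_roles WHERE rolname = current_user;
```

The postgres-grants probe needs nothing beyond CONNECT: pg_roles is readable by every role and the has_*_privilege functions evaluate other roles' privileges without requiring them, so the same DSN can serve both probe types.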
Other changes
- tcp.py: timestamp fields are now timezone-aware UTC (matching http, dns, and postgres)
- Operator CRD doc comment updated to list all supported probe types
Upgrade notes
No breaking changes. psycopg[binary]>=3,<4 is a new dependency of the netcheck Python package (pulled in automatically via pip/uv). The Kubernetes operator image is unchanged — postgres probes run inside the existing probe container.