Using an external PostgreSQL database

For Kaspersky Container Security, you can use PostgreSQL databases included in the solution or your own PostgreSQL databases. To install an external PostgreSQL database that does not work with the Kaspersky Container Security schema, you must create a separate user. You can do this by installing the Helm Chart package with the schema parameters specified for the external PostgreSQL database.

To use an external PostgreSQL database:

  1. Specify the following in the values.yaml configuration file:

    --set default.postgresql.external="true"

    --set configmap.infraconfig.envs.postgres_host="<IP address or FQDN of PostgresSQL DBMS>"

    --set configmap.infraconfig.envs.postgres_port="<port for connection to PostgresSQL DBMS; by default, port 5432 is used>"

    --set configmap.infraconfig.envs.postgres_db_name="name of the database created by the PostgresSQL DBMS administrator, api is used by default>"

  2. Ask the PostgreSQL DBMS administrator to clarify the requirements for the DBMS server certificates verification. Kaspersky Container Security supports the following verification modes:
    • --set configmap.infraconfig.envs.postgres_verify_level= "disable” – the server certificate is not verified.
    • --set configmap.infraconfig.envs.postgres_verify_level= "require” – the certificate is required, the solution trusts any certificate without any further verification.
    • --set configmap.infraconfig.envs.postgres_verify_level= "verify-ca” – the certificate is required, the solution checks that the certificate is issued by a trusted CA (Certificate Authority).
    • --set configmap.infraconfig.envs.postgres_verify_level= "verify-full” – the certificate is required, the solution verifies that the certificate is issued by a trusted CA and contains the correct IP address or FQDN.
  3. If you need to verify the certificate of an external PostgresSQL DBMS, do the following:
    1. Upload the public part of the CA certificate to the folder with the Helm Chart package using the certs/pgsql-ca.crt mask.
    2. Specify the following verification parameter: --set configmap.infraconfig.envs.postgres_root_ca_path="/etc/ssl/certs/pgsql-ca.crt".
    3. Uncomment the secret.cert-pgsql-ca section in the values.yaml configuration file to create the secret.

To create a user with a custom schema for an external PostgreSQL database:

  1. Run the following command to create a separate namespace for the external PostgreSQL database:

    kubectl create ns kcspg

    where kcspg is the namespace for the external PostgreSQL database.

  2. To deploy an external PostgreSQL database:
    1. Specify the parameters for deploying the external PostgreSQL database in the pg.yaml configuration file.

      Parameters for deploying the external PostgreSQL database

      The parameters specify the password of the database. You must then specify this password in the infraconfig section of the values.yaml configuration file, which is part of the Helm Chart package included in the distribution kit of the solution.

    2. Run the following command:

      kubectl apply -f pg.yaml -n kcspg

    The name of this external database is formed as follows:

    <pod_name>.<namespace name>.<service>.cluster.local

    For example, postgres.kcspg.svc.cluster.local

  3. To deploy a Service object in a cluster:
    1. Specify the Service object deployment parameters in the svc.yaml configuration file.

      Parameters for deploying the Service object in a cluster

    2. Run the following command:

      kubectl apply -f svc.yaml -n kcspg

  4. To create a user, a schema, and a user-schema relation:
    1. Using the postgres element expanded at step 2b, log in to the pod.
    2. Start the psql interactive terminal:

      psql -h localhost -U postgres -d api

    3. Run the following commands:

      CREATE ROLE kks LOGIN PASSWORD 'kks' NOINHERIT CREATEDB;

      CREATE SCHEMA kks AUTHORIZATION kks;

      GRANT USAGE ON SCHEMA kks TO PUBLIC;

  5. In the values.yaml configuration file, specify the necessary parameters to use an external PostgreSQL database.

    Parameters in the values.yaml file

    The values of the parameters specified in values.yaml must match the values of corresponding parameters in the pg.yaml and svc.yaml configuration files.

  6. Start a solution update.

    Example of commands to create a user with an external PostgreSQL database

Page top