postgresql - POSTGRES_PASSWORD 被忽略并且可以在不使用或使用任何密码的情况下访问数据库

Question

正如标题所说，我正在设置一个 POSTGRES_PASSWORD在使用 Skaffold 启动集群后(--port-forward 开启，以便我可以使用 pgAdmin 访问数据库)，我可以访问数据库
有或没有正确的密码。 POSTGRES_DB和 POSTGRES_USER按预期工作。

我在 Docker Hub for Postgres 的文档中看到:

Note 1: The PostgreSQL image sets up trust authentication locally so you may notice a password is not required when connecting from localhost (inside the same container). However, a password will be required if connecting from a different host/container.

我认为 --port-forward可能是罪魁祸首，因为它注册为 localhost .

无论如何要防止这种行为？

我想担心的是有人可以访问我的笔记本电脑并且可以轻松连接到数据库。

这是我的 postgres.yaml :

apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      component: postgres
  template:
    metadata:
      labels:
        component: postgres
    spec:
      containers:
        - name: postgres
          image:testproject/postgres
          ports:
            - containerPort: 5432
          env: 
            - name: POSTGRES_DB
              value: dev
            - name: POSTGRES_USER
              value: dev
            - name: POSTGRES_PASSWORD
              value: qwerty
          volumeMounts:
            - name: postgres-storage
              mountPath: /var/lib/postgresql/data
              subPath: postgres
      volumes:
        - name: postgres-storage
          persistentVolumeClaim:
            claimName: postgres-storage
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-cluster-ip-service
spec:
  type: ClusterIP
  selector:
    component: postgres
  ports:
    - port: 5432
      targetPort: 5432

和 skaffold.yaml :

apiVersion: skaffold/v1beta15
kind: Config
build:
  local:
    push: false
  artifacts:
    - image: testproject/postgres
      docker:
        dockerfile: ./db/Dockerfile.dev
      sync:
        manual:
          - src: "***/*.sql"
            dest: .
    - image: testproject/server
      docker:
        dockerfile: ./server/Dockerfile.dev
      sync:
        manual:
          - src: "***/*.py"
            dest: .
deploy:
  kubectl:
    manifests:
      - k8s/ingress.yaml 
      - k8s/postgres.yaml
      - k8s/server.yaml

Dockerfile.dev也:

FROM postgres:11-alpine
EXPOSE 5432
COPY ./db/*.sql /docker-entrypoint-initdb.d/

Answer 1

好的，重读 postgres Docker docs并遇到了这个:

POSTGRES_INITDB_ARGS

This optional environment variable can be used to send arguments to postgres initdb. The value is a space separated string of arguments as postgres initdb would expect them. This is useful for adding functionality like data page checksums: -e POSTGRES_INITDB_ARGS="--data-checksums".

这把我带到了 initdb docs :

--auth=authmethod

This option specifies the authentication method for local users used in pg_hba.conf (host and local lines). Do not use trust unless you trust all local users on your system. trust is the default for ease of installation.

这把我带到了 Authentication Methods文档:

19.3.2. Password Authentication

The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.

If you are at all concerned about password "sniffing" attacks then md5 is preferred. Plain password should always be avoided if possible. However, md5 cannot be used with the db_user_namespace feature. If the connection is protected by SSL encryption then password can be used safely (though SSL certificate authentication might be a better choice if one is depending on using SSL).

PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER ROLE, e.g., CREATE USER foo WITH PASSWORD 'secret'. If no password has been set up for a user, the stored password is null and password authentication will always fail for that user.

长话短说，我只是这样做了，现在只需要实际密码:

env: 
  ...
  - name: POSTGRES_INITDB_ARGS
    value: "-A md5"