I have a Django app running in Kubernetes on GKE, and that Django app connects to a static (non-containerized) PostgreSQL server. As both of them are located in one zone, my Django app uses an internal IP to connect to the database.
I want only my Django app to be able to request a connection to the PostgreSQL database, and to deny connections for requests coming from other IPs.
To do that, in pg_hba.conf I did this:
host all all 14.133.0.0/24 md5
Because all internal IPs start with 14.133. However, the requests are coming from pod IPs and thus requests for connection are denied.
An example for a Pod IP can be 14.4.123.32. So, if I do the following in pg_hba.conf, the problem will be fixed:
host all all 14.0.0.0/8 md5
Another thing to note is that Pod IPs always change. So, this solution will break once the pod is updated.
What is the best practice to go about this?
Another thing to note is that Pod IPs always change. So, this solution will break once the pod is updated.
Why do you think this will break once the pod is updated? As long as your pod IP is in the range 14.0.0.0/8, it should work fine, unless you have defined an IP range larger than this.
The Pod IPs are defined by the Container address range setting of your cluster, which you can configure via gcloud container clusters create ...... --cluster-ipv4-cidr=${SOME_IP_RANGE} when you are creating a cluster.
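As an added example (not code from the question or the answer above): the following Python script reproduces pg_hba.conf's first-match lookup, first over the rule the question shows and then over a version scoped to the cluster's pod CIDR, which is the range the answer says the pod IPs are drawn from. The pod range 14.4.0.0/14, the database name djangodb and the role django are assumptions for the example; on a real cluster the range is the clusterIpv4Cidr that gcloud container clusters describe reports. Only `host` lines with CIDR addresses are handled, which is the subset the question uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical pod range for this example (assumption). On a real cluster
# read it with:
#   gcloud container clusters describe CLUSTER --zone ZONE \
#       --format='value(clusterIpv4Cidr)'
# which prints the value set by --cluster-ipv4-cidr at creation time.
POD_CIDR = "14.4.0.0/14"

# The rule from the question: it covers 14.133.x only, so a pod at
# 14.4.123.32 matches no line and PostgreSQL refuses the connection.
HBA_ORIGINAL = """
# TYPE  DATABASE  USER    ADDRESS         METHOD
host    all       all     14.133.0.0/24   md5
"""

# Constructed replacement: keep the existing internal range, add one line
# scoped to the cluster's pod CIDR *and* to the app's database and role
# (djangodb/django are assumed names), and end with an explicit deny so
# the intent is visible in the file rather than implied by "no match".
HBA_SCOPED = f"""
host    all       all     14.133.0.0/24   md5     # internal range from the question
host    djangodb  django  {POD_CIDR}       md5     # only pods of this cluster
host    all       all     0.0.0.0/0       reject  # explicit default deny
"""


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    network: ipaddress.IPv4Network
    method: str


def parse_hba(text: str) -> List[HbaRule]:
    """Parse 'TYPE DATABASE USER ADDRESS METHOD' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed pg_hba line: {raw!r}")
        conn_type, database, user, address, method = fields[:5]
        # strict=False tolerates host bits set in the address, as pg does
        network = ipaddress.ip_network(address, strict=False)
        rules.append(HbaRule(conn_type, database, user, network, method))
    return rules


def auth_method(rules: List[HbaRule], database: str, user: str,
                client_ip: str) -> Optional[str]:
    """Return the METHOD of the first matching rule, or None when no rule
    matches (PostgreSQL then rejects the connection outright)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type != "host":
            continue
        if r.database not in ("all", database):
            continue
        if r.user not in ("all", user):
            continue
        if ip not in r.network:  # also False for an IPv6 client vs an IPv4 rule
            continue
        return r.method
    return None


def is_allowed(rules: List[HbaRule], database: str, user: str,
               client_ip: str) -> bool:
    """True only when a rule matches and it is not an explicit reject."""
    method = auth_method(rules, database, user, client_ip)
    return method is not None and method != "reject"


if __name__ == "__main__":
    for label, text in (("original", HBA_ORIGINAL), ("scoped", HBA_SCOPED)):
        rules = parse_hba(text)
        for ip in ("14.133.0.5", "14.4.123.32", "14.8.0.1"):
            print(f"{label:8s} {ip:12s} -> {auth_method(rules, 'djangodb', 'django', ip)}")
```

Two caveats when applying this. First, the pod CIDR identifies "any pod in this cluster", not the Django app, so scoping the database and role on the same line is what keeps other workloads in the cluster from reaching that database with a stolen or guessed password; on PostgreSQL 10 or later, scram-sha-256 is the stronger choice over the md5 the question uses. Second, GKE may SNAT pod traffic to the node IP for destinations outside its non-masquerade ranges; the question reports seeing pod addresses at the database, so that is not happening on this path, but if it were, the node range rather than the pod range is what pg_hba.conf would have to list.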