Add default reject rule at the end in Postgres pg_hba.conf to ensure all connections must be explicitly allowed.

default reject at the end of pg_hba.conf is added to ensure all connections must be explicitly allowed. List of dependant users are added to allow connections are: 1. postgresql-admin 2. postgres 3. psql_exporter Change-Id: Ic7bd19e5eb4745b91d94d5a88851280054459547
2020-09-01 13:43:11 +05:30 · 2020-09-01 13:43:11 +05:30 · 982e3754a5
commit 982e3754a5
parent 96369491cb
1 changed files with 4 additions and 1 deletions
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -256,8 +256,11 @@ conf:
  debug: false
  pg_hba: |
    host all all 127.0.0.1/32 trust
-    host all all 0.0.0.0/0 md5
+    host all postgresql-admin 0.0.0.0/0 md5
+    host all postgres 0.0.0.0/0 md5
+    host all psql_exporter 0.0.0.0/0 md5
    local all all trust
+    host all all 0.0.0.0/0 reject

  postgresql:
    archive_mode: 'off'