Secure PostgreSQL Traffic Management with CloudNativePG and Cilium
Zekiye AYDEMİR
PostgreSQL and MongoDB Certified DBA | Kubestronaut CKS, CKA, CKAD | Terraform Certified Admin | AWS Certified Admin
In this blog post, we will see how to integrate Cilium and CloudNativePG to enhance PostgreSQL network security in a Kubernetes environment.
What is Cilium?
Cilium is an eBPF-based Kubernetes networking solution that operates within the Linux kernel. It provides fast, secure, and intelligent communication between Kubernetes Pods by replacing traditional iptables-based networking with eBPF.
Key Features of Cilium:
Network Security: Advanced L3-L7 security policies for precise traffic control.
Service Observability: Enables monitoring and analysis of traffic between services.
Service Mesh Alternative: Provides advanced networking without sidecars using eBPF.
Installing Cilium
You can use CiliumCLI to install and manage Cilium like this:
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
cilium install --version 1.17.1
Cilium can also be installed with Helm, and on platforms such as GKE, AKS, and Minikube. For other installation methods, please refer to the documentation.
To verify the installation, you can check the Cilium pods with the following command:
kubectl get pods -n kube-system | grep cilium
You can also check the status of the installation with the cilium status --wait command:
You can display the Cilium configuration with the following command:
cilium config view
Installing CloudNativePG
You can install the latest operator manifest for the 1.25 minor release as follows:
kubectl apply --server-side -f \
https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.25/releases/cnpg-1.25.1.yaml
With the my-pg-cluster.yaml file below, you can create a CloudNativePG cluster named my-postgres. Additionally, a secret (my-postgres-superuser) has been created for the superuser:
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: my-postgres
  namespace: default
spec:
  instances: 3
  storage:
    size: 1Gi
  enableSuperuserAccess: true
  superuserSecret:
    name: my-postgres-superuser
You can create the CloudNativePG cluster with the kubectl apply -f my-pg-cluster.yaml command, and you can check the cluster's Pods as shown below:
If you want to use the superuser secret (as I do), you need to enable superuser access as shown above; see the corresponding section of the API Reference page for more information.
Securing PostgreSQL Traffic with Cilium
We will define a CiliumNetworkPolicy that controls incoming traffic to the PostgreSQL Pods. The following pg-networkpolicy.yaml configuration restricts PostgreSQL access to specific Pods based on their labels:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: postgres-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      cnpg.io/cluster: my-postgres
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: backend
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
This policy allows only Pods labeled role: backend to access PostgreSQL. It grants ingress access via TCP port 5432 from any Pod with the label role: backend to any Pod labeled cnpg.io/cluster=my-postgres. This ensures that only backend applications can connect to the database while restricting access from unauthorized Pods.
You can create the policy like this:
kubectl apply -f pg-networkpolicy.yaml
You can verify the created Cilium Network Policies using the command:
kubectl get ciliumnetworkpolicies
To verify that the Cilium policy is working correctly, we can test the connection using the following command. If the connection is successful, it confirms that the policy allows traffic from Pods labeled role=backend to the PostgreSQL cluster (cnpg.io/cluster=my-postgres).
kubectl run test-pg-backend --rm -it --image=postgres --labels="role=backend" -- psql -h my-postgres-rw -U postgres
You can first test the connection without the role=backend label and observe that the connection is denied. Then, after adding the correct label, you can verify that the policy works as expected.
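The two checks just described (the Pod labelled role=backend connecting, and the unlabelled Pod being refused) follow directly from the policy's matchLabels, fromEndpoints and toPorts semantics explained earlier, and can be reasoned through offline. The script below is an added example written for this post, not code from the original article, Cilium or CloudNativePG: it models Cilium's evaluation of the policy shown above against constructed Pod label sets, and ignores namespace scoping as a simplifying assumption (all Pods are treated as living in the policy's namespace). Beyond the post's two checks it also shows that a Pod carrying only the cnpg.io/cluster=my-postgres label (for example another instance of the same cluster) is denied by this policy, because a selected endpoint is default-deny for any ingress no rule allows; whether your deployment needs an extra rule for such traffic is something to verify against the CloudNativePG documentation rather than against this model.

```python
"""Offline model of how Cilium evaluates the ingress rule in pg-networkpolicy.yaml.

Added example, not code from the original post, Cilium or CloudNativePG. It reproduces
the matchLabels / fromEndpoints / toPorts semantics so the policy can be reasoned about
before (or without) running the kubectl tests against a live cluster. Simplifying
assumption: namespace scoping is ignored, i.e. every Pod is treated as living in the
policy's namespace ('default' in the post).
"""

# The policy from the post, transcribed into a dict (same content as pg-networkpolicy.yaml).
POSTGRES_POLICY = {
    "endpointSelector": {"matchLabels": {"cnpg.io/cluster": "my-postgres"}},
    "ingress": [
        {
            "fromEndpoints": [{"matchLabels": {"role": "backend"}}],
            "toPorts": [{"ports": [{"port": "5432", "protocol": "TCP"}]}],
        }
    ],
}

# Constructed Pod label sets used in the scenarios below.
PG_POD = {"cnpg.io/cluster": "my-postgres"}   # a Pod of the CNPG cluster
BACKEND_POD = {"role": "backend"}             # the labelled test Pod from the post
UNLABELLED_POD = {"run": "test-pg"}           # kubectl run without --labels
OTHER_SERVICE = {"app": "redis"}              # a Pod the policy does not select


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value pair in the selector must be on the endpoint.
    An empty selector ({}) matches everything, as it does in Cilium."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def port_allowed(rule: dict, port: int, proto: str) -> bool:
    """A rule without toPorts allows any port; otherwise port and protocol must be listed."""
    to_ports = rule.get("toPorts")
    if not to_ports:
        return True
    return any(
        int(p["port"]) == port and p.get("protocol", "ANY") in (proto, "ANY")
        for entry in to_ports
        for p in entry.get("ports", [])
    )


def ingress_allowed(policy: dict, dst_labels: dict, src_labels: dict, port: int, proto: str = "TCP"):
    """Decide whether src may open a connection to dst on port/proto under this policy.

    Returns None when the policy does not select dst (the policy does not apply), True when
    some ingress rule matches, and False otherwise: once an endpoint is selected by an
    ingress policy, Cilium denies every ingress flow that no rule explicitly allows.
    """
    if not selector_matches(policy["endpointSelector"], dst_labels):
        return None
    for rule in policy.get("ingress", []):
        peers = rule.get("fromEndpoints", [])
        if any(selector_matches(sel, src_labels) for sel in peers) and port_allowed(rule, port, proto):
            return True
    return False


def run_scenarios(policy: dict = POSTGRES_POLICY) -> dict:
    """The two checks from the post plus a few edge cases; returns {scenario: decision}."""
    return {
        "backend -> postgres:5432/TCP": ingress_allowed(policy, PG_POD, BACKEND_POD, 5432),
        "unlabelled -> postgres:5432/TCP": ingress_allowed(policy, PG_POD, UNLABELLED_POD, 5432),
        "backend -> postgres:5432/UDP": ingress_allowed(policy, PG_POD, BACKEND_POD, 5432, "UDP"),
        "backend -> postgres:5433/TCP": ingress_allowed(policy, PG_POD, BACKEND_POD, 5433),
        "backend -> redis:5432/TCP": ingress_allowed(policy, OTHER_SERVICE, BACKEND_POD, 5432),
        "postgres peer -> postgres:5432/TCP": ingress_allowed(policy, PG_POD, PG_POD, 5432),
    }


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        verdict = {True: "ALLOW", False: "DENY", None: "not selected by policy"}[decision]
        print(f"{scenario:38s} {verdict}")
```

Run it with python3 and it prints one line per scenario; only the role=backend Pod talking TCP to port 5432 is allowed, the redis Pod is reported as not selected (the policy simply does not apply to it), and every other flow to the PostgreSQL Pods is denied. Changing the dict (for example adding a second fromEndpoints selector) lets you see the effect of a policy edit before applying it to the cluster.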
In this guide, we restricted PostgreSQL traffic to only authorized Pods, ensuring a more secure and controlled database access model.
For more detailed information, you can look at the CloudNativePG and Cilium documentation.
Thank you for reading!