TLS for Postgres on Kubernetes: OpenSSL CVE-2021-3450 Edition

To configure TLS for PostgreSQL on Kubernetes while addressing the implications of OpenSSL CVE-2021-3450, follow these steps. This guide ensures secure communication between clients and the PostgreSQL database, leveraging Kubernetes Secrets and OpenSSL.

Overview of CVE-2021-3450

CVE-2021-3450 introduced stricter certificate validation in OpenSSL, preventing improper certificates from bypassing x509 checks. PostgreSQL uses OpenSSL for TLS and certificate-based authentication. With this update, certificates must strictly adhere to x509 standards, impacting setups that previously used improperly configured certificates.

Steps to Configure TLS for PostgreSQL on Kubernetes

1. Prerequisites

Before starting:

• Install the Kubernetes CLI (`kubectl`).

• Ensure a PostgreSQL Operator (e.g., Crunchy Data PGO) is deployed in your Kubernetes cluster.

• Verify OpenSSL version is updated to at least to avoid vulnerabilities related to CVE-2021-3450.

2. Generate Certificates

You need a Certificate Authority (CA), a server TLS key, and a server certificate.

2.1 Generate the CA

Run the following command to create an ECDSA-based CA:

This generates (private key) and (CA certificate).

2.2 Generate the Server Key and Certificate Signing Request (CSR)

Run the following commands:

Replace and with your PostgreSQL service name and namespace.

2.3 Sign the Server Certificate

Sign the CSR using your CA:

This generates , which is signed by your CA.

3. Create Kubernetes Secrets

Store the generated certificates and keys as Kubernetes Secrets.

3.1 Create a Secret for the CA

3.2 Create a TLS Secret for the Server

These Secrets will be mounted into PostgreSQL Pods by the operator.

4. Deploy a TLS-enabled PostgreSQL Cluster

Use your PostgreSQL Operator (e.g., Crunchy Data PGO) to deploy a cluster with TLS enabled.

Example Command:

The flag enforces that all connections use TLS.

5. Connect to PostgreSQL Using TLS

To connect securely, ensure your client uses the CA certificate for verification.

Example Connection:

Replace placeholders with appropriate values for your setup.

Key Considerations

1. Certificate Validation: Ensure certificates comply with x509 standards due to stricter checks introduced by OpenSSL CVE-2021-3450.

2. TLS Protocols: Use at least TLSv1.2, preferably TLSv1.3, for secure communication.

3. Secrets Management: Use Kubernetes Secrets to securely store and manage sensitive data like certificates and keys.

4. Certificate Rotation: Regularly rotate certificates to maintain security compliance.

By following these steps, you can securely deploy PostgreSQL with TLS on Kubernetes while mitigating risks associated with CVE-2021-3450.

Sources: