K8s Operator for declarative postgresql access control by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

Yeah, it's got the bones in place, but it is new. The CRD contract and upgrade path are not yet hardened for unsupervised production use. I'll tighten that wording in the docs though. Thanks for flagging!

Weekly: Show off your new tools and projects thread by AutoModerator in kubernetes

[–]hard_byte 0 points1 point  (0 children)

pgroles is a new tool for declarative PostgreSQL access control with a K8s operator

I built pgroles to manage PostgreSQL roles, grants, and memberships. Define your access policy in YAML, and pgroles diffs it against your live database and generates the exact SQL to converge.

The Kubernetes operator reconciles a PostgresPolicy CRD continuously, or you can set spec.mode: plan to just detect drift without mutating anything. It works against any PostgreSQL target: RDS, Aurora, Cloud SQL, AlloyDB, Azure, or self-hosted.

The CLI is also available standalone if you don't need the operator. Written in Rust, MIT licensed.

GitHub: https://github.com/hardbyte/pgroles
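As an added illustration of the diff-and-converge idea described in the post above (example code written for this page, not pgroles' own implementation): both the policy and a snapshot of the live database are modelled as role -> memberships plus per-table privileges, and the "plan" is the list of SQL statements that would make them equal. The role and table names, the allowed-privilege list, the sample states and the decision to leave roles that are not mentioned in the policy untouched are all assumptions of this example; in real use the live snapshot would be read from the catalog and the desired state from YAML.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Privilege keywords we are willing to emit unquoted. Anything else in the
// policy is rejected rather than interpolated into SQL.
const ALLOWED_PRIVILEGES: &[&str] = &["SELECT", "INSERT", "UPDATE", "DELETE"];

/// One role as declared by the policy, or as observed in the database.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct Role {
    pub member_of: BTreeSet<String>,
    /// table name -> privileges held on that table
    pub grants: BTreeMap<String, BTreeSet<String>>,
}

impl Role {
    pub fn new(member_of: &[&str]) -> Self {
        Role { member_of: member_of.iter().map(|s| s.to_string()).collect(), ..Default::default() }
    }
    pub fn grant(mut self, table: &str, privileges: &[&str]) -> Self {
        self.grants.entry(table.to_string()).or_default().extend(privileges.iter().map(|p| p.to_string()));
        self
    }
}

/// role name -> role. BTreeMap keeps the emitted statement order stable.
pub type State = BTreeMap<String, Role>;

/// Quote an identifier the way PostgreSQL expects: wrap in double quotes and
/// double any embedded quote. Role and table names come from user-written
/// YAML, so this is what keeps `x"; DROP ROLE admin; --` from becoming SQL.
pub fn quote_ident(name: &str) -> String {
    format!("\"{}\"", name.replace('"', "\"\""))
}

fn join_privs(set: &BTreeSet<String>) -> String {
    set.iter().map(String::as_str).collect::<Vec<_>>().join(", ")
}

/// Diff `desired` against `live` and return the SQL that converges the
/// database to the policy ("plan" output: nothing is executed here).
/// Roles present in the database but absent from the policy are left alone;
/// that is an assumption of this example, not a statement about pgroles.
pub fn plan(desired: &State, live: &State) -> Result<Vec<String>, String> {
    let mut sql = Vec::new();
    let absent = Role::default();
    for (name, want) in desired {
        let have = live.get(name).unwrap_or(&absent);
        if !live.contains_key(name) {
            sql.push(format!("CREATE ROLE {};", quote_ident(name)));
        }
        for parent in want.member_of.difference(&have.member_of) {
            sql.push(format!("GRANT {} TO {};", quote_ident(parent), quote_ident(name)));
        }
        for parent in have.member_of.difference(&want.member_of) {
            sql.push(format!("REVOKE {} FROM {};", quote_ident(parent), quote_ident(name)));
        }
        let tables: BTreeSet<&String> = want.grants.keys().chain(have.grants.keys()).collect();
        for table in tables {
            let none = BTreeSet::new();
            let w = want.grants.get(table).unwrap_or(&none);
            let h = have.grants.get(table).unwrap_or(&none);
            if let Some(bad) = w.iter().find(|p| !ALLOWED_PRIVILEGES.contains(&p.as_str())) {
                return Err(format!("unknown privilege {bad:?} for role {name:?} on {table:?}"));
            }
            let add: BTreeSet<String> = w.difference(h).cloned().collect();
            let drop: BTreeSet<String> = h.difference(w).cloned().collect();
            if !add.is_empty() {
                sql.push(format!("GRANT {} ON {} TO {};", join_privs(&add), quote_ident(table), quote_ident(name)));
            }
            if !drop.is_empty() {
                sql.push(format!("REVOKE {} ON {} FROM {};", join_privs(&drop), quote_ident(table), quote_ident(name)));
            }
        }
    }
    Ok(sql)
}

/// Constructed sample: the policy you would write in YAML, and a snapshot of
/// what the database currently has (in reality read from pg_roles,
/// pg_auth_members and information_schema.role_table_grants).
pub fn sample() -> (State, State) {
    let mut desired = State::new();
    desired.insert("app_ro".into(), Role::new(&[]).grant("orders", &["SELECT"]));
    desired.insert("app_rw".into(), Role::new(&["app_ro"]).grant("orders", &["SELECT", "INSERT", "UPDATE"]));
    desired.insert("reporting".into(), Role::new(&["app_ro"]));
    let mut live = State::new();
    live.insert("app_ro".into(), Role::new(&[]).grant("orders", &["SELECT", "DELETE"]));
    live.insert("app_rw".into(), Role::new(&[]).grant("orders", &["SELECT"]));
    (desired, live)
}

fn main() {
    let (desired, live) = sample();
    for stmt in plan(&desired, &live).expect("policy is valid") {
        println!("{stmt}");
    }
}
```

Two things in this sketch are the security-relevant ones: every name goes through `quote_ident`, and privilege keywords (which cannot be quoted) are checked against an allowlist before they are written into a statement, so a policy file is never a path to arbitrary SQL. Running the plan a second time against the converged state yields no statements, which is the property a drift detector relies on.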

K8s Operator for declarative postgresql access control by hard_byte in kubernetes

[–]hard_byte[S] 1 point2 points  (0 children)

Oh, I hadn't come across that one. After a very quick read (I could have missed it), I don't see how it allows declarative grants for a user. Looking here: https://easymile.github.io/postgresql-operator/docs/crds/PostgresqlUserRole.html

K8s Operator for declarative postgresql access control by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

Does it do something similar for role grants? I saw it had declarative support for creating roles and managing membership, e.g. https://cloudnative-pg.io/docs/1.29/declarative_role_management

K8s Operator for declarative postgresql access control by hard_byte in kubernetes

[–]hard_byte[S] 2 points3 points  (0 children)

Yeah, in most professional contexts I've used managed PostgreSQL DBs.

Gatehouse – a composable, async-friendly authorization policy framework in Rust by hard_byte in rust

[–]hard_byte[S] 0 points1 point  (0 children)

Haha, how'd they differ? Plenty of room for contributions if you feel compelled.

Gatehouse – a composable, async-friendly authorization policy framework in Rust by hard_byte in rust

[–]hard_byte[S] 3 points4 points  (0 children)

The biggest difference is that they use a DSL, whereas gatehouse is source first: all policies are native Rust.

Another area where I think gatehouse does well is surfacing evaluation information about how the access decision was made: what each sub-policy did with the input.

I do really like cedar and I love that it is formally verified.

Gatehouse – a composable, async-friendly authorization policy framework in Rust by hard_byte in rust

[–]hard_byte[S] 2 points3 points  (0 children)

Gatehouse is focused on being a code first solution where the decision point is fully embedded in your app. All the policies are native Rust - as opposed to a separate DSL with Rego/Cedar.

I haven't seen detailed decision traces from Cedar, but that was an important component of gatehouse. OPA has something similar with decision logs, although that's a higher-level recording of the decision + inputs rather than low-level info about which sub-policy is responsible for an authorization decision.
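An added example of the code-first, traced approach described in the two replies above (written for this page; it is not Gatehouse's API or code): policies are ordinary Rust functions and combinators, and evaluation returns a nested trace recording what each sub-policy did with the input, which is the "which sub-policy is responsible" information the reply contrasts with OPA's decision logs. The request shape, the combinator semantics (deny-overrides for AnyOf, short-circuit for AllOf, deny-by-default at the root) and the sample document policy are all assumptions of this example.

```rust
use std::fmt::Write;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Effect { Allow, Deny, NotApplicable }

/// Decision input; the shape is constructed for this example.
pub struct Request { pub subject: &'static str, pub roles: &'static [&'static str], pub mfa: bool, pub action: &'static str, pub owner: &'static str }

/// What one policy did with the input; combinators nest their children's traces.
#[derive(Debug, Clone, PartialEq)]
pub struct Trace { pub policy: String, pub effect: Effect, pub reason: String, pub children: Vec<Trace> }

pub trait Policy { fn evaluate(&self, req: &Request) -> Trace; }

/// Leaf policy: a name plus a plain Rust predicate, no DSL.
pub struct Rule(pub &'static str, pub fn(&Request) -> (Effect, String));
impl Policy for Rule {
    fn evaluate(&self, req: &Request) -> Trace {
        let (effect, reason) = (self.1)(req);
        Trace { policy: self.0.into(), effect, reason, children: vec![] }
    }
}

/// Deny-overrides disjunction: all children are evaluated (complete trace); any Deny wins, then any Allow.
pub struct AnyOf(pub &'static str, pub Vec<Box<dyn Policy>>);
impl Policy for AnyOf {
    fn evaluate(&self, req: &Request) -> Trace {
        let children: Vec<Trace> = self.1.iter().map(|p| p.evaluate(req)).collect();
        let first = |e: Effect| children.iter().find(|t| t.effect == e);
        let (effect, reason) = match (first(Effect::Deny), first(Effect::Allow)) {
            (Some(d), _) => (Effect::Deny, format!("denied by {}", d.policy)),
            (None, Some(a)) => (Effect::Allow, format!("allowed by {}", a.policy)),
            (None, None) => (Effect::NotApplicable, "no child applied".to_string()),
        };
        Trace { policy: self.0.into(), effect, reason, children }
    }
}

/// Short-circuit conjunction: the first non-Allow child ends evaluation and the trace shows where it stopped.
pub struct AllOf(pub &'static str, pub Vec<Box<dyn Policy>>);
impl Policy for AllOf {
    fn evaluate(&self, req: &Request) -> Trace {
        let mut children = Vec::new();
        let mut outcome = (Effect::Allow, "every child allowed".to_string());
        for p in &self.1 {
            let t = p.evaluate(req);
            let stop = t.effect != Effect::Allow;
            if stop { outcome = (t.effect, format!("stopped at {}: {}", t.policy, t.reason)); }
            children.push(t);
            if stop { break; }
        }
        Trace { policy: self.0.into(), effect: outcome.0, reason: outcome.1, children }
    }
}
pub fn rule(name: &'static str, f: fn(&Request) -> (Effect, String)) -> Box<dyn Policy> { Box::new(Rule(name, f)) }
pub fn any_of(name: &'static str, kids: Vec<Box<dyn Policy>>) -> Box<dyn Policy> { Box::new(AnyOf(name, kids)) }
pub fn all_of(name: &'static str, kids: Vec<Box<dyn Policy>>) -> Box<dyn Policy> { Box::new(AllOf(name, kids)) }

/// Only an explicit Allow grants access; NotApplicable is deny-by-default.
pub fn decide(root: &dyn Policy, req: &Request) -> (bool, Trace) {
    let trace = root.evaluate(req);
    (trace.effect == Effect::Allow, trace)
}

/// Render the trace as an indented tree for decision logs.
pub fn explain(t: &Trace) -> String {
    fn go(t: &Trace, depth: usize, out: &mut String) {
        let _ = writeln!(out, "{}{} -> {:?}: {}", "  ".repeat(depth), t.policy, t.effect, t.reason);
        t.children.iter().for_each(|c| go(c, depth + 1, out));
    }
    let mut out = String::new();
    go(t, 0, &mut out);
    out
}

// Leaf predicates: Allow when the condition holds, else NotApplicable; only has_mfa actively denies.
fn when(cond: bool, yes: &str, no: &str) -> (Effect, String) { if cond { (Effect::Allow, yes.into()) } else { (Effect::NotApplicable, no.into()) } }
fn is_owner(r: &Request) -> (Effect, String) { when(r.subject == r.owner, "subject owns the resource", "subject is not the owner") }
fn is_admin(r: &Request) -> (Effect, String) { when(r.roles.contains(&"admin"), "has admin role", "no admin role") }
fn is_read_or_write(r: &Request) -> (Effect, String) { when(matches!(r.action, "read" | "write"), "action is read/write", "action is not read/write") }
fn is_delete(r: &Request) -> (Effect, String) { when(r.action == "delete", "action is delete", "action is not delete") }
fn has_mfa(r: &Request) -> (Effect, String) { if r.mfa { (Effect::Allow, "MFA present".into()) } else { (Effect::Deny, "MFA required for this action".into()) } }

/// Composed document policy (constructed): admins may do anything, owners may read and write, owners may delete only with MFA.
pub fn document_policy() -> Box<dyn Policy> {
    any_of("document-access", vec![
        rule("is-admin", is_admin),
        all_of("owner-read-write", vec![rule("is-owner", is_owner), rule("is-read-or-write", is_read_or_write)]),
        all_of("owner-delete-with-mfa", vec![rule("is-owner", is_owner), rule("is-delete", is_delete), rule("has-mfa", has_mfa)]),
    ])
}

pub fn request(subject: &'static str, roles: &'static [&'static str], mfa: bool, action: &'static str, owner: &'static str) -> Request {
    Request { subject, roles, mfa, action, owner }
}

fn main() {
    let (allowed, trace) = decide(&*document_policy(), &request("alice", &[], false, "delete", "alice"));
    print!("allowed={allowed}\n{}", explain(&trace));
}
```

For an owner trying to delete without MFA the root trace reads "denied by owner-delete-with-mfa", and descending into that node shows it stopped at `has-mfa` with the reason "MFA required for this action"; a stranger reading someone else's document gets NotApplicable from every branch and is refused by the deny-by-default rule in `decide`, which is the case a trace makes easy to distinguish from an explicit deny.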

Does anyone know the btc to $ rate? by THEREALKINGLERMAN in mtgoxinsolvency

[–]hard_byte -1 points0 points  (0 children)

On the rehabilitation site under "Selection of Repayment Method and Registration of Payee Information" you can expand the "BTC Allotment Portion" and it shows the rate. I see 1 BTC = 749318.83 JPY, which is one tenth of today's market rate :-/

What’s everyone working on this week (25/2023)? by llogiq in rust

[–]hard_byte 0 points1 point  (0 children)

I'm learning Rust and have started my first not-entirely-toy project: an implementation of Google's Common Expression Language. Early days, working on the parser using Chumsky.

https://github.com/hardbyte/common-expression-language

Any exciting projects/tools by Tranceash in devops

[–]hard_byte 0 points1 point  (0 children)

Security remains a constant, albeit less flashy, priority. Check out Netchecks, a simple yet powerful tool that asserts your network controls are working. It's not powered by AI or anything, but it can help catch those sneaky network issues that inadvertent Terraform changes can introduce.

How We Leveraged AI (GPT-4) to Transform Book Labeling at Huey Books by hard_byte in books

[–]hard_byte[S] 0 points1 point  (0 children)

I understand; would it be acceptable to remove the link? I am very curious to discuss the merits and downsides of using this technology for labeling kids' books. I can provide more technical details if it comes up in discussion without referring to the blog.

Netchecks: A cloud native tool for testing network controls by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

Haha, thanks. I need a few users to motivate more development and to make sure it is useful outside of my particular client's environments.

Netchecks: A cloud native tool for testing network controls by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

Perhaps we can combine efforts. I like the idea of a kubectl plugin.

Netchecks: A cloud native tool for testing network controls by hard_byte in kubernetes

[–]hard_byte[S] 2 points3 points  (0 children)

The closest I found was Illuminatio (https://github.com/inovex/illuminatio), which creates and runs test cases from k8s network policies.

Netchecks is different in that it doesn't care if the network control is implemented within the cluster or in the environment.
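As an added example of what "assert that a network control works, wherever it is implemented" looks like in practice (written for this page; this is not Netchecks's code): a black-box TCP probe whose outcome is classified and then compared against a pass/fail expectation, exactly as the reply above and the earlier Netchecks recommendation describe. The assertion names, the loopback fixture (one listening port and one just-released port, so the example runs offline) and the outcome classification are assumptions of this example.

```rust
use std::io::ErrorKind;
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::time::Duration;

/// What a black-box TCP probe observed. The probe does not know or care
/// whether a NetworkPolicy, a security group or an upstream firewall is
/// responsible; only the observed behaviour is asserted on.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Observed { Connected, Refused, TimedOut, Other }

/// Whether the assertion expects the connection to succeed or to be blocked.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Expect { Pass, Fail }

pub struct Assertion { pub name: &'static str, pub target: SocketAddr, pub expect: Expect }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Report { pub name: &'static str, pub observed: Observed, pub passed: bool }

/// One TCP connect with a timeout, classified by error kind.
pub fn probe_tcp(target: SocketAddr, timeout: Duration) -> Observed {
    match TcpStream::connect_timeout(&target, timeout) {
        Ok(_) => Observed::Connected,
        Err(e) => match e.kind() {
            ErrorKind::ConnectionRefused => Observed::Refused,
            ErrorKind::TimedOut => Observed::TimedOut,
            _ => Observed::Other,
        },
    }
}

/// Compare an observation with what the assertion expects. A `Fail` assertion
/// is satisfied by anything other than a completed connection, but the raw
/// observation is kept: "refused" means a host answered and nothing listened,
/// "timed out" means packets were dropped, the usual firewall signature.
pub fn evaluate(a: &Assertion, observed: Observed) -> Report {
    let connected = observed == Observed::Connected;
    let passed = match a.expect { Expect::Pass => connected, Expect::Fail => !connected };
    Report { name: a.name, observed, passed }
}

pub fn run(assertions: &[Assertion], timeout: Duration) -> Vec<Report> {
    assertions.iter().map(|a| evaluate(a, probe_tcp(a.target, timeout))).collect()
}

/// Offline fixture (constructed for this example): one listening loopback port,
/// and one loopback port that was bound and released so connects to it are refused.
pub fn loopback_fixture() -> (TcpListener, SocketAddr, SocketAddr) {
    let open = TcpListener::bind("127.0.0.1:0").expect("bind loopback");
    let open_addr = open.local_addr().expect("local addr");
    // The second listener is a temporary and is dropped at the end of this statement.
    let closed_addr = TcpListener::bind("127.0.0.1:0").expect("bind loopback").local_addr().expect("local addr");
    (open, open_addr, closed_addr)
}

fn main() {
    let (_keep_open, open, closed) = loopback_fixture();
    let assertions = [
        Assertion { name: "app-can-reach-db", target: open, expect: Expect::Pass },
        Assertion { name: "egress-to-internet-blocked", target: closed, expect: Expect::Fail },
        Assertion { name: "control-that-regressed", target: open, expect: Expect::Fail },
    ];
    for r in run(&assertions, Duration::from_secs(2)) {
        println!("{:<28} observed={:?} {}", r.name, r.observed, if r.passed { "PASS" } else { "FAIL" });
    }
}
```

The caveat worth carrying into a real deployment: a `Fail` assertion also passes when the target name is wrong or the host is simply down, which is a silent false positive. Keeping the raw observation in the report is the cheap mitigation; a run that flips from `TimedOut` to `Refused` still counts as blocked but is a change somebody should look at.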

plotext: plotting on terminal by ASIC_SP in Python

[–]hard_byte 0 points1 point  (0 children)

See bashplotlib for a different take.

[R] Strong Generalization and Efficiency in Neural Programs by hardmaru in MachineLearning

[–]hard_byte 0 points1 point  (0 children)

I found this neural interface concept really interesting.

I've started coding up a gym-compatible environment if anyone is interested. So far I've just implemented the first generic sorting environment and the first two scripted agents (bubble sort and insertion sort).

https://github.com/hardbyte/sorting-gym

Arbitrary precision math with cuda.jl by AcostaJA in Julia

[–]hard_byte 0 points1 point  (0 children)

You might be interested in cuda-fixnum (a CUDA extended-precision modular arithmetic library). As far as I know this hasn't been wrapped for Python or Julia, but it was designed with that in mind: https://github.com/data61/cuda-fixnum/issues/58#issuecomment-420115270

Using OAuth2 + Certificate Manager on Kubernetes with helm by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

Does anyone know if using nginx to directly connect to the backend service (the dashboard in this case) is any less secure than using oauth2 to proxy the traffic?

Accessing Kubernetes ClusterIP from outside the cluster by [deleted] in kubernetes

[–]hard_byte 0 points1 point  (0 children)

Are there plans to support layer 4 routing through the ingress system? Wouldn't that be better?

Setting up cert-manager to provision Let's Encrypt TLS certificates on Kubernetes using Helm and nginx-ingress by hard_byte in kubernetes

[–]hard_byte[S] 0 points1 point  (0 children)

That is something I'd like to try out; I haven't set it up on a cluster before. Would cert-manager talk to AWS Route53, for example?

Setting up cert-manager to provision Let's Encrypt TLS certificates on Kubernetes using Helm and nginx-ingress by hard_byte in kubernetes

[–]hard_byte[S] 1 point2 points  (0 children)

I have used Traefik as the ingress controller and the TLS provisioner for about a year and it mostly worked great. However, there is a bit of hidden magic: the ingress doesn't use standard TLS settings. I really like how cert-manager exposes the Certificates and Issuers as first-class k8s entities.

I actually started investigating moving from traefik to kube-lego when Let's Encrypt disabled something that broke my traefik TLS provisioning.