Summary
The OTel Collector sidecar (added in #342) currently uses PGUSER/PGPASSWORD from the <cluster>-app secret (the CNPG application user) to connect to PostgreSQL. Following the principle of least privilege, the sidecar should use a dedicated monitoring user with only pg_monitor role access.
Motivation
- Least privilege: The monitoring sidecar only needs to run health-check queries and read pg_stat_* views; it should not have application-level read/write access.
- Audit clarity: Monitoring queries would be attributable to a separate role in pg_stat_activity.
- Future-proof: pg_monitor already grants read access to all stats views, supporting richer metrics without needing superuser.
- Blast radius: If the OTel Collector is compromised, the attacker gets read-only access to statistics and settings, not to application data. Caveat: pg_monitor (through pg_read_all_stats) can still see other sessions' query text in pg_stat_activity, so secrets embedded in application query literals remain visible; that is still far narrower than the application user's read/write access.
Proposed Implementation
- Operator creates a dedicated otel_monitor PostgreSQL role with pg_monitor grant
- Store credentials in a dedicated secret (e.g., <cluster>-otel-monitor)
- OTel sidecar reads from the dedicated secret instead of <cluster>-app
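The role bootstrap and privilege check for the steps above, as an added example (not the operator's own code and not from PR #342). The role name otel_monitor comes from the proposal; the password placeholder, the connection limit and the "app" schema used in the negative check are assumptions.

```sql
-- Added example, not from the operator or PR #342. Creates the dedicated
-- monitoring role proposed above and then verifies it holds nothing more
-- than pg_monitor. Assumptions: the password is a placeholder for the value
-- the operator generates into the <cluster>-otel-monitor secret, the
-- connection limit is illustrative, and schema "app" is hypothetical.

-- 1. Login role with every privileged attribute explicitly off.
CREATE ROLE otel_monitor
    LOGIN
    PASSWORD 'REPLACE_WITH_GENERATED_SECRET'   -- placeholder, never commit a real value
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
    CONNECTION LIMIT 3;                        -- one sidecar needs very few sessions

-- 2. The only grant: the built-in monitoring role, which in turn contains
--    pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables.
GRANT pg_monitor TO otel_monitor;

-- 3. Defence in depth, not a boundary: sessions from this role start
--    read-only, so a mistaken DML or DDL statement in a collector query fails.
--    (The role can SET this back within a session; the real boundary is step 2.)
ALTER ROLE otel_monitor SET default_transaction_read_only = on;

-- 4. Attribute and membership audit. Expected: every attribute column 'f'
--    and member_of = {pg_monitor}; anything else means the role has drifted.
SELECT r.rolname, r.rolsuper, r.rolcreaterole, r.rolcreatedb,
       r.rolreplication, r.rolbypassrls,
       array_agg(g.rolname ORDER BY g.rolname) AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_roles g ON g.oid = m.roleid
WHERE r.rolname = 'otel_monitor'
GROUP BY r.rolname, r.rolsuper, r.rolcreaterole, r.rolcreatedb,
         r.rolreplication, r.rolbypassrls;

-- 5. What the sidecar can and cannot do, checked while acting as that role.
SET ROLE otel_monitor;
SELECT count(*) AS sessions FROM pg_stat_activity;       -- allowed via pg_read_all_stats
SELECT current_setting('data_directory') AS datadir;     -- allowed via pg_read_all_settings
SELECT has_schema_privilege('app', 'USAGE') AS can_use_app,        -- expected f (hypothetical schema;
       has_schema_privilege('public', 'CREATE') AS can_create_pub;  --  errors if it does not exist)
-- can_create_pub is f on PostgreSQL 15+; on 14 and earlier PUBLIC still has
-- CREATE on schema public, so run: REVOKE CREATE ON SCHEMA public FROM PUBLIC;
RESET ROLE;
```

Run this once as the cluster's superuser (CNPG's postgres user) when the operator reconciles the role; the audit query in step 4 is the one worth re-running from a periodic check so a later GRANT to otel_monitor is noticed.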
Context
Raised by @xgerman in PR #342 review: #342 (comment)