Home / Articles / Where Memory Lives: Introducing PostgreSQL to a Kubernetes Cluster
Essay January 27, 2026

Where Memory Lives: Introducing PostgreSQL to a Kubernetes Cluster

This essay explores what changes when a Kubernetes cluster is asked to carry memory instead of just traffic. By introducing PostgreSQL as an authoritative, on-prem database with deliberate replication, it shows how trust is earned not through features or automation, but through systems that survive disturbance without losing their place.

There's a quiet line you cross when you add a database to a Kubernetes cluster.


Up to this point, everything you've been running has been forgiving. Services can restart. Pods can be rescheduled. Containers can disappear and come back without anyone noticing. You can make mistakes, learn from them, and tell yourself you're getting smarter. And often, you are.


But a database changes the tone of the system.


A database is where memory lives. And memory doesn't reset cleanly.


When you introduce PostgreSQL into a cluster that already has redundant ingress and replicated storage, you're crossing into different territory. You're no longer orchestrating processes that can be recreated on the fly. You're making a promise: that what was written yesterday will still be there tomorrow, even if something fails in between. That promise can't be faked with clever abstractions. It has to be earned, carefully, by letting the system prove it can carry truth without lying to itself.


That's why this step matters. Not because PostgreSQL is special—it isn't—but because it's the first time the cluster is asked to carry something that has real, irreversible consequences if you get it wrong.


If you've followed the arc of this series, you already understand what "boring" means.


You've learned that a single-node cluster is deceptive. You've added a second node and watched the system reveal what's actually replicated and what isn't. You've made ingress redundant without getting confused about how traffic moves. You've introduced shared storage and learned that storage failures are slow and quiet, not dramatic.


PostgreSQL belongs here because it tightens the feedback loop even further.


You can restart a stateless service and call it resilience. You restart a database and find out whether you understood what you built.


Before we talk about PostgreSQL itself, it's important to name what we're *not* doing.


We're not building a globally replicated, multi-region database stretched across on-prem and cloud.


We're not outsourcing authority to a managed service that abstracts away what's actually happening.


We're not pretending that PostgreSQL becomes "cloud-native" just because it's running inside a pod.


What we're doing is smaller, and more honest: introducing a single authoritative PostgreSQL instance running on your on-prem hardware, backed by the replicated storage you've already built, with asynchronous cloud replicas that exist for disaster recovery, not for load balancing.


This matters because it's the first time the hybrid architecture from earlier articles becomes concrete. Your data lives where you decided it lives. The cloud is insurance, not primary. Ownership remains local.


That clarity is what allows the system to stay boring even as it becomes more powerful.


At a structural level, PostgreSQL in Kubernetes looks straightforward.


A StatefulSet manages the database pod, ensuring it stays running and that restarts are orchestrated cleanly. Unlike a Deployment, a StatefulSet gives the database a stable name and a stable disk, so restarts don't feel like reincarnation—postgres-0 comes back as postgres-0, attached to the same volume, with the same network identity. A PersistentVolumeClaim mounts the replicated storage you've already set up, providing the durable disk space where PostgreSQL stores its data. A Service exposes the database internally, so applications inside the cluster can reach it.


Credentials are stored in a Kubernetes Secret instead of being baked into images or configuration files. The secret is mounted as a volume at runtime, allowing the database to read its credentials without exposing them.


There's no magic in any of this. Every piece exists for a reason you can explain to another operator without hand-waving. You can point to where the data lives. You can see what happens when the pod is deleted. You can tell the difference between a restart and a loss.


What matters isn't that the database is running. What matters is that its behavior is legible.


But here's where the decision you made earlier—to keep data authoritative on-prem with cloud as backup—becomes important.


PostgreSQL doesn't tolerate ambiguity about where truth lives. It's not going to pretend that cloud replicas are equal to the on-prem instance. It's not going to do split-brain recovery or magical failover.


What it will do is this: it will run on your hardware, persist to your storage, and let you control exactly how and when data moves to the cloud.


That control is what keeps the system honest.


The replication architecture is intentionally simple and specific. The on-prem PostgreSQL instance is authoritative. Asynchronous physical streaming replication—not logical replication with its analytics and multi-writer complexity, but simple continuous transaction log shipping—sends changes to cloud replicas, keeping them updated but always subordinate. They can answer queries if you explicitly point applications at them, but they will never be promoted to primary without explicit human action.


This is not a limitation. It's a feature. It means you never wake up to discover that your cloud replica somehow became authoritative and is now out of sync with your on-prem system. It means failover requires a deliberate choice, not an automated one that might have been wrong.


Operators like CloudNativePG automate the orchestration of this replication. They watch the primary instance, manage replication lag, handle backup policies, and provide the tooling to promote a replica if you decide it's time. But promotion is explicit. The operator doesn't decide to fail over on your behalf.


That restraint is what makes hybrid architectures trustworthy.


The first real test of this setup comes the moment you stop treating the database gently.


You delete the PostgreSQL pod.


Kubernetes does what it always does: it schedules a replacement. The StatefulSet controller notices the missing pod and creates a new one. The PVC is remounted. PostgreSQL initializes and discovers that it has persistent data from the last run. It performs recovery—replaying transaction logs in order, checking consistency, ensuring every committed change made it to disk—and comes back online.


From the outside, it looks exactly like the system recovering from any other transient failure.


But this time, there's a question underneath the motion.


Did it remember?


If the volume was mounted correctly and the storage cluster didn't lose data, the answer is yes. Tables persist. Rows remain. Transaction history is intact. Nothing dramatic happens. And for the first time in this series, nothing happening carries weight.


Because now you're not just watching processes restart. You're watching memory survive interruption through a system that refuses to guess—one that replays what it knows happened, in order, until it's confident the story is consistent again.


That's a different kind of confidence.


This is also where assumptions you made earlier reveal themselves.


If the storage wasn't configured the way you thought it was, you'll find out here. If you misunderstood how volumes bind to StatefulSets, you'll find out here. If you leaned too hard on defaults without understanding them, you'll find out here.


PostgreSQL doesn't punish you for these mistakes. It just refuses to cover them up. It will complain about missing or corrupted data. It will refuse to start if the filesystem is inconsistent. It will expose failures that stateless services never had to acknowledge: network partitions that stale mounts can't recover from, partial writes that replication lag masquerades as success, crashes that demand proof of consistency before continuing.


That honesty is valuable.


It forces you to understand what you actually built before asking it to carry anything important. And it teaches you that systems handling state have different failure modes than systems handling traffic. State failures are quieter. They accumulate. They require attention to patterns, not just events.


Once the on-prem instance is running calmly, the question becomes: how do cloud replicas get created, and what are they for?


The answer depends on your risk tolerance and your recovery objective. Some operators use automated snapshots: the on-prem instance periodically sends a base backup to cloud storage, and cloud replicas recover from those snapshots and connect to the replication stream. Others use continuous archiving, sending WAL files to cloud storage and allowing replicas to rebuild from those archives.


The important part is that you choose explicitly. You decide how often snapshots happen. You decide where they go. You decide how long it would take to recover if the on-prem instance became unavailable.


That's what a recovery point objective actually means: not "how much data can we afford to lose," but "we have consciously decided this tradeoff and we understand what it means."


If you take snapshots every hour, you might lose up to an hour of transactions. If you do continuous archiving with synchronous replication to cloud storage, you might lose almost nothing, but you're paying a latency cost. Neither choice is wrong. Both choices have consequences you can explain.


That clarity is what keeps hybrid architectures from becoming disaster recovery theater.


It's tempting, at this point, to rush ahead.


You can add more replicas. You can implement automatic failover. You can do off-cluster backups. You can layer on point-in-time recovery and other enterprise features.


Those are all real concerns. They just aren't today's concern.


Right now, the cluster has learned something fundamental: how to carry memory without pretending it's disposable. The on-prem instance is stable. The storage is durable. The system survives restarts without lying to itself about state.


That's enough.


If there's a through-line in this series on Kubernetes for people who owned their infrastructure before the cloud existed, it's this: systems don't become trustworthy by accumulating features. They become trustworthy by surviving simple disturbances without losing their place.


PostgreSQL doesn't make your cluster more impressive. It makes it more honest.


It gives the system something it can't lie about. It gives you the ability to say, with confidence: my data lives on hardware I control, in storage I've built, backed up to cloud services I've chosen. If disaster strikes locally, I have a recovery plan. If the cloud fails, my primary system is unaffected.


That's the promise the hybrid architecture is built to keep.


The cluster can now speak to the outside world. It can stand up to node failures. And it can remember.


We'll let it do that steadily and calmly before asking it to do anything more.

Back to Articles