Default postgres instances don't reject connections without ssl #2975

@bo0ts

The documentation states that by default non-SSL connections are rejected. That does not seem to be the case for me, since the pg_hba.conf has line 7 which matches before the rejection.

apiVersion: acid.zalan.do/v1
kind: postgresql
metadata:
  name: test-cluster
  namespace: test
spec:
  numberOfInstances: 1
  teamId: test
  volume:
    size: 2Gi
  postgresql:
    parameters: {}
    version: "17"

Connection:

k port-forward pod/test-cluster-0 5432:5432
psql "host=localhost user=postgres sslmode=disable"

Log Output:

2025-11-04 13:44:51 UTC [281]: [2-1] 690a0353.119 0 postgres postgres [unknown] ::1 LOG:  connection authenticated: identity="postgres" method=md5 (/home/postgres/pgdata/pgroot/data/pg_hba.conf:7)

Line 7 in Question:

# Do not edit this file manually!
# It will be overwritten by Patroni!
local   all             all                                   trust
hostssl all             +zalandos          127.0.0.1/32       pam
host    all             all                127.0.0.1/32       md5
hostssl all             +zalandos          ::1/128            pam
host    all             all                ::1/128            md5 # Line 7
local   replication     standby                               trust
hostssl replication     standby            all                md5
hostnossl all           all                all                reject
hostssl all             +zalandos          all                pam
hostssl all             all                all                md5

  • postgres-operator 1.14.0 on OKD 4.19
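
An added example (not part of the original issue and not postgres-operator code): a simplified first-match evaluator for the pg_hba.conf quoted above, showing which rule a non-SSL TCP connection hits depending on the client address. It assumes a normal (non-replication) connection and takes role membership as an explicit `groups` argument; the function names are hypothetical.

```python
import ipaddress

# Rules quoted in the issue, comment lines dropped (order preserved).
PG_HBA = """\
local     all         all                       trust
hostssl   all         +zalandos   127.0.0.1/32  pam
host      all         all         127.0.0.1/32  md5
hostssl   all         +zalandos   ::1/128       pam
host      all         all         ::1/128       md5
local     replication standby                   trust
hostssl   replication standby     all           md5
hostnossl all         all         all           reject
hostssl   all         +zalandos   all           pam
hostssl   all         all         all           md5
"""

def parse(text):
    """Return (type, database, user, address, method); address is None for 'local'."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            rules.append((f[0], f[1], f[2], None, f[3]) if f[0] == "local" else tuple(f[:5]))
    return rules

def addr_matches(rule_addr, client):
    if rule_addr == "all":
        return True
    net, ip = ipaddress.ip_network(rule_addr, strict=False), ipaddress.ip_address(client)
    return ip.version == net.version and ip in net

def first_match(rules, client, ssl, db, user, groups=()):
    """First matching rule for a TCP connection; later rules are never consulted."""
    for rule in rules:
        typ, rdb, ruser, raddr, _ = rule
        if typ == "local" or (typ == "hostssl" and not ssl) or (typ == "hostnossl" and ssl):
            continue
        if rdb == "replication" or rdb not in ("all", db):  # replication rules not modelled
            continue
        if ruser.startswith("+"):            # +name means "member of role name"
            if ruser[1:] not in groups:
                continue
        elif ruser not in ("all", user):
            continue
        if addr_matches(raddr, client):
            return rule
    return None

def plaintext_method(rules, client, db="postgres", user="postgres"):
    """Auth method applied to a non-SSL connection from client ('reject' if none match)."""
    rule = first_match(rules, client, ssl=False, db=db, user=user)
    return rule[4] if rule else "reject"

RULES = parse(PG_HBA)
```

`plaintext_method(RULES, "::1")` returns `md5`, the same rule the log line reports for the port-forwarded session, while a constructed non-loopback address such as `10.0.0.5` falls through to the `hostnossl ... reject` rule.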
