diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml b/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml
index c302d255..b8cda78c 100644
--- a/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml
+++ b/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml
@@ -26,16 +26,16 @@ spec:
       wal:
         compression: bzip2
         maxParallel: 8
-      destinationPath: s3://pg-default-v1/
+      destinationPath: s3://pg-default/
       endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc:6953
       serverName: pg-default-v1
       s3Credentials:
         accessKeyId:
           name: pg-default-s3
-          key: AccessKey
+          key: AWS_ACCESS_KEY_ID
         secretAccessKey:
           name: pg-default-s3
-          key: SecretKey
+          key: AWS_SECRET_ACCESS_KEY
 
 #  # RECOVERY
 #  bootstrap:
diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml b/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml
index 272dd394..9521fbab 100644
--- a/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml
+++ b/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml
@@ -51,3 +51,5 @@ spec:
       toPorts:
         - ports:
             - port: "6953"
+    - toEntities:
+        - kube-apiserver
diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml b/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml
index d33322e7..3652251a 100644
--- a/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml
+++ b/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml
@@ -1,9 +1,9 @@
 ---
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
 metadata:
   name: pg-default-s3
   namespace: pg
 spec:
-  store: biohazard
-  displayName: "pg-default"
+  bucketName: "pg-default"
+  storageClassName: "rgw-${CLUSTER_NAME_LOWER}"