VictoriaMetrics/docs/operator/security.md

---
sort: 12
weight: 12
title: Security
menu:
  docs:
    parent: "operator"
    weight: 12
aliases:
- /operator/security.html
---

# Security

VictoriaMetrics operator provides several security features, such as [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/), [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).


## PodSecurityPolicy.

 By default, operator creates serviceAccount for each cluster resource and binds default `PodSecurityPolicy` to it.

 Default psp:
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: vmagent-example-vmagent
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - persistentVolumeClaim
  - secret
  - emptyDir
  - configMap
  - projected
  - downwardAPI
  - nfs
```

 This behaviour may be disabled with env variable passed to operator:
 ```yaml
 - name: VM_PSPAUTOCREATEENABLED
   value: "false"
```

 User may also override default pod security policy with setting: `spec.podSecurityPolicyName: "psp-name"`.
 

## PodSecurityContext

 `PodSecurityContext` can be configured with spec setting. It may be useful for mounted volumes, with `VMSingle` for example:
 
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMSingle
metadata:
  name: vmsingle-f
  namespace: monitoring-system
spec:
  retentionPeriod: "2"
  removePvcAfterDelete: true
  securityContext:
      runAsUser: 1000
      fsGroup: 1000
      runAsGroup: 1000
  extraArgs:
    dedup.minScrapeInterval: 10s
  storage:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 25Gi
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1512Mi"

```
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`---`
			`sort: 12`
docs: prepare operator docs to migration Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-01-11 16:38:18 +01:00			`weight: 12`
			`title: Security`
			`menu:`
			`docs:`
			`parent: "operator"`
			`weight: 12`
			`aliases:`
			`- /operator/security.html`
Created Operator folder in docs (#2034) * Created Operator folder in docs Transferred Operator documentation * Removed Contributing and Release * Changed sort numbering * Renamed folder Operator -> operator * 1 1 * Name change Operator -> operator * Removed colon symbol * Useful links transformed to links style * "updated at..." is no longer a header * delete manager patch.yaml * delete kustomization.yaml * removed part with links * community and contributions part removed * Delete readme * Docs navigation removed 2022-01-21 11:05:58 +01:00			`---`

			`# Security`

			`VictoriaMetrics operator provides several security features, such as [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/), [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).`


			`## PodSecurityPolicy.`

			By default, operator creates serviceAccount for each cluster resource and binds default `PodSecurityPolicy` to it.

			`Default psp:`
			```yaml
			`apiVersion: policy/v1beta1`
			`kind: PodSecurityPolicy`
			`metadata:`
			`name: vmagent-example-vmagent`
			`spec:`
			`allowPrivilegeEscalation: false`
			`fsGroup:`
			`rule: RunAsAny`
			`hostNetwork: true`
			`requiredDropCapabilities:`
			`- ALL`
			`runAsUser:`
			`rule: RunAsAny`
			`seLinux:`
			`rule: RunAsAny`
			`supplementalGroups:`
			`rule: RunAsAny`
			`volumes:`
			`- persistentVolumeClaim`
			`- secret`
			`- emptyDir`
			`- configMap`
			`- projected`
			`- downwardAPI`
			`- nfs`
			```

			`This behaviour may be disabled with env variable passed to operator:`
			```yaml
			`- name: VM_PSPAUTOCREATEENABLED`
			`value: "false"`
			```

			User may also override default pod security policy with setting: `spec.podSecurityPolicyName: "psp-name"`.


			`## PodSecurityContext`

			`PodSecurityContext` can be configured with spec setting. It may be useful for mounted volumes, with `VMSingle` for example:

			```yaml
			`apiVersion: operator.victoriametrics.com/v1beta1`
			`kind: VMSingle`
			`metadata:`
			`name: vmsingle-f`
			`namespace: monitoring-system`
			`spec:`
			`retentionPeriod: "2"`
			`removePvcAfterDelete: true`
			`securityContext:`
			`runAsUser: 1000`
			`fsGroup: 1000`
			`runAsGroup: 1000`
			`extraArgs:`
			`dedup.minScrapeInterval: 10s`
			`storage:`
			`accessModes:`
			`- ReadWriteOnce`
			`resources:`
			`requests:`
			`storage: 25Gi`
			`resources:`
			`requests:`
			`cpu: "0.5"`
			`memory: "512Mi"`
			`limits:`
			`cpu: "1"`
			`memory: "1512Mi"`

			```