---
sort: 12
weight: 12
title: Security
menu:
  docs:
    parent: "operator"
    weight: 12
aliases:
- /operator/security.html
---

# Security

VictoriaMetrics operator provides several security features, such as [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/), [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).


## PodSecurityPolicy.

 By default, operator creates serviceAccount for each cluster resource and binds default `PodSecurityPolicy` to it.

 Default psp:
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: vmagent-example-vmagent
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - persistentVolumeClaim
  - secret
  - emptyDir
  - configMap
  - projected
  - downwardAPI
  - nfs
```

 This behaviour may be disabled with env variable passed to operator:
 ```yaml
 - name: VM_PSPAUTOCREATEENABLED
   value: "false"
```

 User may also override default pod security policy with setting: `spec.podSecurityPolicyName: "psp-name"`.
 

## PodSecurityContext

 `PodSecurityContext` can be configured with spec setting. It may be useful for mounted volumes, with `VMSingle` for example:
 
```yaml
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMSingle
metadata:
  name: vmsingle-f
  namespace: monitoring-system
spec:
  retentionPeriod: "2"
  removePvcAfterDelete: true
  securityContext:
      runAsUser: 1000
      fsGroup: 1000
      runAsGroup: 1000
  extraArgs:
    dedup.minScrapeInterval: 10s
  storage:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 25Gi
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1512Mi"

```