mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-15 08:23:34 +01:00
8d238f1bc2
Signed-off-by: Artem Navoiev <tenmozes@gmail.com>
1.9 KiB
1.9 KiB
sort | weight | title | menu | aliases | |||||||
---|---|---|---|---|---|---|---|---|---|---|---|
12 | 12 | Security |
|
|
Security
VictoriaMetrics operator provides several security features, such as PodSecurityPolicies, PodSecurityContext.
PodSecurityPolicy.
By default, operator creates serviceAccount for each cluster resource and binds default PodSecurityPolicy
to it.
Default psp:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: vmagent-example-vmagent
spec:
allowPrivilegeEscalation: false
fsGroup:
rule: RunAsAny
hostNetwork: true
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- persistentVolumeClaim
- secret
- emptyDir
- configMap
- projected
- downwardAPI
- nfs
This behaviour may be disabled with env variable passed to operator:
- name: VM_PSPAUTOCREATEENABLED
value: "false"
User may also override default pod security policy with setting: spec.podSecurityPolicyName: "psp-name"
.
PodSecurityContext
PodSecurityContext
can be configured with spec setting. It may be useful for mounted volumes, with VMSingle
for example:
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMSingle
metadata:
name: vmsingle-f
namespace: monitoring-system
spec:
retentionPeriod: "2"
removePvcAfterDelete: true
securityContext:
runAsUser: 1000
fsGroup: 1000
runAsGroup: 1000
extraArgs:
dedup.minScrapeInterval: 10s
storage:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 25Gi
resources:
requests:
cpu: "0.5"
memory: "512Mi"
limits:
cpu: "1"
memory: "1512Mi"