sort | weight | title | menu | aliases | |||||||
---|---|---|---|---|---|---|---|---|---|---|---|
3 |
3 |
Security |
|
|
To run in a cluster the operator needs certain permissions, you can see them in this directory:
role.yaml
file - basic set of cluster roles for launching an operator.leader_election_role.yaml
file - set of roles with permissions to do leader election (is necessary to run the operator in several replicas for high availability).
Also, you can use single-namespace mode with minimal permissions, see this section for details.
Also in the same directory are files with a set of separate permissions to view or edit operator resources to organize fine-grained access:
- file
<RESOURCE_NAME>_viewer_role.yaml
- permissions for viewing (get
,list
andwatch
) some resource of vmoperator. - file
<RESOURCE_NAME>_editor_role.yaml
- permissions for editing (create
,delete
,patch
,update
anddeletecollection
) some resource of vmoperator (also includes viewing permissions).
For instance, vmalert_editor_role.yaml
file contain permission
for editing vmagent
custom resources.
VictoriaMetrics operator provides several security features, such as PodSecurityPolicies, PodSecurityContext.
PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.
If your Kubernetes version is under v1.25 and want to use PodSecurityPolicy, you can set env VM_PSPAUTOCREATEENABLED: "true"
in operator, it will create serviceAccount for each cluster resource and binds default PodSecurityPolicy
to it.
Default psp:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: vmagent-example-vmagent
spec:
allowPrivilegeEscalation: false
fsGroup:
rule: RunAsAny
hostNetwork: true
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- persistentVolumeClaim
- secret
- emptyDir
- configMap
- projected
- downwardAPI
- nfs
User may also override default pod security policy with setting: spec.podSecurityPolicyName: "psp-name"
.
VictoriaMetrics operator will add default Security Context to managed pods and containers if env EnableStrictSecurity: "true"
is set.
The following SecurityContext will be applied:
-
RunAsNonRoot: true
-
RunAsUser/RunAsGroup/FSGroup: 65534
'65534' refers to 'nobody' in all the used default images like alpine, busybox.
If you're using customize image, please make sure '65534' is a valid uid in there or specify SecurityContext.
-
FSGroupChangePolicy: &onRootMismatch
If KubeVersion>=1.20, use
FSGroupChangePolicy="onRootMismatch"
to skip the recursive permission change when the root of the volume already has the correct permissions -
SeccompProfile: {type: RuntimeDefault}
Use
RuntimeDefault
seccomp profile by default, which is defined by the container runtime, instead of using the Unconfined (seccomp disabled) mode.
- AllowPrivilegeEscalation: false
- ReadOnlyRootFilesystem: true
- Capabilities: {drop: [all]}
Also SecurityContext
can be configured with spec setting. It may be useful for mounted volumes, with VMSingle
for example:
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMSingle
metadata:
name: vmsingle-f
namespace: monitoring-system
spec:
retentionPeriod: "2"
removePvcAfterDelete: true
securityContext:
runAsUser: 1000
fsGroup: 1000
runAsGroup: 1000
extraArgs:
dedup.minScrapeInterval: 10s
storage:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 25Gi
resources:
requests:
cpu: "0.5"
memory: "512Mi"
limits:
cpu: "1"
memory: "1512Mi"