Security

Access control#

Roles#

To run in a cluster, the operator needs certain permissions; you can see them in this directory:

  • role.yaml file - basic set of cluster roles for launching the operator.
  • leader_election_role.yaml file - set of roles with permissions to do leader election (necessary to run the operator in several replicas for high availability).

Also, you can use single-namespace mode with minimal permissions, see this section for details.

The same directory also contains files with separate sets of permissions to view or edit operator resources, for organizing fine-grained access:

  • file <RESOURCE_NAME>_viewer_role.yaml - permissions for viewing (get, list and watch) a given vmoperator resource.
  • file <RESOURCE_NAME>_editor_role.yaml - permissions for editing (create, delete, patch, update and deletecollection) a given vmoperator resource (also includes the viewing permissions).

For instance, the vmalert_editor_role.yaml file contains permissions for editing vmagent custom resources.

Security policies#

VictoriaMetrics operator provides several security features, such as PodSecurityPolicy and PodSecurityContext.

PodSecurityPolicy#

PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.

If your Kubernetes version is below v1.25 and you want to use PodSecurityPolicy, you can set the env VM_PSPAUTOCREATEENABLED: "true" in the operator; it will then create a serviceAccount for each cluster resource and bind the default PodSecurityPolicy to it.

Default psp:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: vmagent-example-vmagent
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - persistentVolumeClaim
  - secret
  - emptyDir
  - configMap
  - projected
  - downwardAPI
  - nfs

Users may also override the default pod security policy with the setting spec.podSecurityPolicyName: "psp-name".

PodSecurityContext#

VictoriaMetrics operator will add a default Security Context to managed pods and containers if the env EnableStrictSecurity: "true" is set. The following SecurityContext will be applied:

Pod SecurityContext#

  1. RunAsNonRoot: true

  2. RunAsUser/RunAsGroup/FSGroup: 65534

    '65534' refers to 'nobody' in all the default images used, like alpine and busybox.

    If you're using a custom image, please make sure '65534' is a valid uid there, or specify a SecurityContext explicitly.

  3. FSGroupChangePolicy: onRootMismatch

    If KubeVersion >= 1.20, use FSGroupChangePolicy="onRootMismatch" to skip the recursive permission change when the root of the volume already has the correct permissions.

  4. SeccompProfile: {type: RuntimeDefault}

    Use RuntimeDefault seccomp profile by default, which is defined by the container runtime, instead of using the Unconfined (seccomp disabled) mode.

Container SecurityContext#

  1. AllowPrivilegeEscalation: false
  2. ReadOnlyRootFilesystem: true
  3. Capabilities: {drop: [all]}
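The settings in the two lists above are what a pod should end up with when strict security is enabled, but a custom image or a container-level securityContext can silently override them (a container's securityContext takes precedence over the pod's). The following audit helper is an added example, not operator code: it takes a Pod manifest as a dict and reports every deviation from the strict profile described here, checking the effective (container-over-pod) values for the non-root settings. Field names follow the Kubernetes API spelling (fsGroupChangePolicy: OnRootMismatch, compared case-insensitively); the two manifests and image names are constructed samples.

```python
"""Audit a Kubernetes Pod manifest against the strict SecurityContext profile
described above. Added example (hypothetical helper), not part of the
VictoriaMetrics operator."""

NOBODY_UID = 65534  # 'nobody' in the default alpine/busybox based images

# Pod-level values the strict profile sets in spec.securityContext.
EXPECTED_POD = {
    "runAsNonRoot": True,
    "runAsUser": NOBODY_UID,
    "runAsGroup": NOBODY_UID,
    "fsGroup": NOBODY_UID,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod(manifest):
    """Return a list of findings; an empty list means the Pod matches the strict profile."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []

    for key, want in EXPECTED_POD.items():
        got = pod_sc.get(key)
        if got != want:
            findings.append(f"pod securityContext.{key}: want {want!r}, got {got!r}")

    # Kubernetes API spelling is OnRootMismatch; accept any casing.
    policy = pod_sc.get("fsGroupChangePolicy")
    if str(policy).lower() != "onrootmismatch":
        findings.append(f"pod securityContext.fsGroupChangePolicy: want 'OnRootMismatch', got {policy!r}")

    # initContainers run with the same rules, so audit them too.
    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name}: allowPrivilegeEscalation must be false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"container {name}: readOnlyRootFilesystem must be true")
        dropped = [c.upper() for c in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"container {name}: capabilities.drop must include ALL")
        # Effective values: a container can undo the pod-level non-root setting.
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"container {name}: effective runAsNonRoot is not true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            findings.append(f"container {name}: effective runAsUser is 0 (root)")
    return findings


_STRICT_POD_SC = {
    "runAsNonRoot": True, "runAsUser": NOBODY_UID, "runAsGroup": NOBODY_UID,
    "fsGroup": NOBODY_UID, "fsGroupChangePolicy": "OnRootMismatch",
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Constructed sample: a Pod shaped like one rendered with strict security on.
STRICT_POD_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "vmsingle-strict"},
    "spec": {
        "securityContext": dict(_STRICT_POD_SC),
        "containers": [{
            "name": "vmsingle", "image": "example/vmsingle:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Constructed sample: a custom image whose container overrides the pod settings.
WEAK_POD_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "vmsingle-custom"},
    "spec": {
        "securityContext": dict(_STRICT_POD_SC),
        "containers": [{
            "name": "vmsingle", "image": "example/custom-vmsingle:placeholder",
            "securityContext": {"runAsUser": 0, "runAsNonRoot": False},
        }],
    },
}

if __name__ == "__main__":
    for m in (STRICT_POD_MANIFEST, WEAK_POD_MANIFEST):
        print(m["metadata"]["name"], audit_pod(m) or "OK")
```

The strict sample yields no findings; the custom-image sample yields five (missing allowPrivilegeEscalation, readOnlyRootFilesystem and capability drop, plus the container running as root despite the pod-level settings), which is exactly the case the uid caveat above warns about. In practice you would feed the helper the rendered output of the operator-managed Deployment or StatefulSet instead of a hand-built dict.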

The SecurityContext can also be configured explicitly in the resource spec. This may be useful for mounted volumes, for example with VMSingle:

apiVersion: operator.victoriametrics.com/v1beta1
kind: VMSingle
metadata:
  name: vmsingle-f
  namespace: monitoring-system
spec:
  retentionPeriod: "2"
  removePvcAfterDelete: true
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
    runAsGroup: 1000
  extraArgs:
    dedup.minScrapeInterval: 10s
  storage:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 25Gi
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits:
      cpu: "1"
      memory: "1512Mi"