
Commit 61ef5f7

docs: update security doc

Mention hardening configuration

Signed-off-by: f41gh7 <[email protected]>
1 parent 5119d24 commit 61ef5f7

File tree: 1 file changed (+31, -35 lines)


docs/security.md

Lines changed: 31 additions & 35 deletions
@@ -37,50 +37,46 @@ for editing [`vmagent` custom resources](https://docs.victoriametrics.com/operat
3737

3838
## Security policies
3939

40-
VictoriaMetrics operator provides several security features, such as [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/),
41-
[PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
40+
VictoriaMetrics operator provides several security features. First of all, it's built-in hardening configuration.
4241

43-
### PodSecurityPolicy
42+
Environment variable `VM_ENABLESTRICTSECURITY=true` applies generic security options to the all created resources.
4443

45-
> PodSecurityPolicy was [deprecated](https://kubernetes.io/docs/concepts/security/pod-security-policy/) in Kubernetes v1.21, and removed from Kubernetes in v1.25.
44+
Such as `PodSecurityContext` and `SecurityContext` per `Container`
4645

47-
If your Kubernetes version is under v1.25 and want to use PodSecurityPolicy, you can set env `VM_PSPAUTOCREATEENABLED: "true"` in operator, it will create serviceAccount for each cluster resource and binds default `PodSecurityPolicy` to it.
46+
```yaml
47+
securityContext:
48+
// '65534' refers to 'nobody' in all the used default images like alpine, busybox.
49+
fsGroup: 65534
50+
fsGroupChangePolicy: OnRootMismatch
51+
runAsGroup: 65534
52+
runAsNonRoot: true
53+
runAsUser: 65534
54+
seccompProfile:
55+
type: RuntimeDefault
56+
```
57+
58+
59+
It's also possible to config strict security on resource basis:
4860
49-
Default psp:
5061
```yaml
51-
apiVersion: policy/v1beta1
52-
kind: PodSecurityPolicy
62+
apiVersion: operator.victoriametrics.com/v1beta1
63+
kind: VMSingle
5364
metadata:
54-
name: vmagent-example
65+
name: strict-security
66+
namespace: monitoring-system
5567
spec:
56-
allowPrivilegeEscalation: false
57-
fsGroup:
58-
rule: RunAsAny
59-
hostNetwork: true
60-
requiredDropCapabilities:
61-
- ALL
62-
runAsUser:
63-
rule: RunAsAny
64-
seLinux:
65-
rule: RunAsAny
66-
supplementalGroups:
67-
rule: RunAsAny
68-
volumes:
69-
- persistentVolumeClaim
70-
- secret
71-
- emptyDir
72-
- configMap
73-
- projected
74-
- downwardAPI
75-
- nfs
68+
retentionPeriod: "2"
69+
removePvcAfterDelete: true
70+
useStrictSecurity: true
71+
storage:
72+
accessModes:
73+
- ReadWriteOnce
74+
resources:
75+
requests:
76+
storage: 25Gi
7677
```
7778
78-
User may also override default pod security policy with setting: `spec.podSecurityPolicyName: "psp-name"`.
79-
80-
## PodSecurityContext
81-
82-
VictoriaMetrics operator will add default Security Context to managed pods and containers if env `EnableStrictSecurity: "true"` is set.
83-
The following SecurityContext will be applied:
79+
In addition, operator supports more granular per resource security configuration with [spec.securityContext](https://docs.victoriametrics.com/operator/api/#securitycontext) and [ContainerSecurityContext](https://docs.victoriametrics.com/operator/api/#containersecuritycontext)
8480
8581
### Pod SecurityContext
8682
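Review bot: the comment inside the new `securityContext` YAML block uses `//` (`// '65534' refers to 'nobody' in all the used default images like alpine, busybox.`), which is not YAML comment syntax; anyone pasting the snippet into a manifest gets a parse error, so it should start with `#`. That block also shows only pod-level fields, while the sentence before it promises both a `PodSecurityContext` and a `SecurityContext` per `Container`; the removed PSP carried `allowPrivilegeEscalation: false` and `requiredDropCapabilities: - ALL`, so readers migrating from PSP will want to see whether the container-level context applied by `VM_ENABLESTRICTSECURITY=true` still drops capabilities and blocks privilege escalation, and a second snippet for the container context would close that gap. The prose needs a pass too: "First of all, it's built-in hardening configuration" reads better as "First of all, there is a built-in hardening configuration"; "to the all created resources" should be "to all created resources"; "Such as `PodSecurityContext` and `SecurityContext` per `Container`" is a fragment that belongs to the preceding sentence; "config strict security on resource basis" should be "configure strict security on a per-resource basis"; and the final "In addition, operator supports ..." sentence is missing its period. Finally, the hunk drops every mention of `VM_PSPAUTOCREATEENABLED` and `spec.podSecurityPolicyName` without saying whether those settings still exist; a one-line deprecation note would help users on Kubernetes versions below v1.25 who relied on them.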
