From 72d3063bef6e8c4a93c1865a57f9a8be2b52ed16 Mon Sep 17 00:00:00 2001 From: Github Actions <133988544+victoriametrics-bot@users.noreply.github.com> Date: Thu, 7 Sep 2023 18:26:02 +0800 Subject: [PATCH] Automatic update operator docs from VictoriaMetrics/operator@9c461d2 (#4968) --- docs/operator/CHANGELOG.md | 1 + docs/operator/api.md | 4 ++-- docs/operator/vars.md | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/operator/CHANGELOG.md b/docs/operator/CHANGELOG.md index 3c109c0ad..932ba1a93 100644 --- a/docs/operator/CHANGELOG.md +++ b/docs/operator/CHANGELOG.md @@ -5,6 +5,7 @@ ### Fixes * [vmuser](https://docs.victoriametrics.com/operator/api.html#vmuser): [Enterprise] fixes ip_filters indent for url_prefix. Previously it wasn't possible to use ip_filters with multiple target refs +* [vmoperator](https://docs.victoriametrics.com/operator/): turn off `EnableStrictSecurity` by default. Before, upgrade operator to v0.36.0+ could fail components with volume attached, see [this issue](https://github.com/VictoriaMetrics/operator/issues/749) for details. ### Features diff --git a/docs/operator/api.md b/docs/operator/api.md index 66973cb06..b975a9076 100644 --- a/docs/operator/api.md +++ b/docs/operator/api.md @@ -1666,7 +1666,7 @@ Image defines docker image settings | Field | Description | Scheme | Required | | ----- | ----------- | ------ | -------- | -| acceptEULA | AcceptEULA accepts enterprise feature usage, must be set to true. otherwise backupmanager cannot be added to single/cluster version. https://victoriametrics.com/legal/eula/ | bool | true | +| acceptEULA | AcceptEULA accepts enterprise feature usage, must be set to true. otherwise backupmanager cannot be added to single/cluster version. https://victoriametrics.com/legal/esa/ | bool | true | | snapshotCreateURL | SnapshotCreateURL overwrites url for snapshot create | string | false | | snapshotDeleteURL | SnapShotDeleteURL overwrites url for snapshot delete | string | false | | concurrency | Defines number of concurrent workers. Higher concurrency may reduce backup duration (default 10) | *int32 | false | @@ -2007,7 +2007,6 @@ TargetRef describes target for user traffic forwarding. one of target types can | paths | Paths - matched path to route. | []string | false | | target_path_suffix | QueryParams []string `json:\"queryParams,omitempty\"` TargetPathSuffix allows to add some suffix to the target path It allows to hide tenant configuration from user with crd as ref. it also may contain any url encoded params. | string | false | | headers | Headers represent additional http headers, that vmauth uses in form of [\"header_key: header_value\"] multiple values for header key: [\"header_key: value1,value2\"] it's available since 1.68.0 version of vmauth | []string | false | -| ip_filters | IPFilters defines per target src ip filters supported only with enterprise version of vmauth https://docs.victoriametrics.com/vmauth.html#ip-filters | [VMUserIPFilters](#vmuseripfilters) | false | [Back to TOC](#table-of-contents) @@ -2060,6 +2059,7 @@ VMUserSpec defines the desired state of VMUser | bearerToken | BearerToken Authorization header value for accessing protected endpoint. | *string | false | | targetRefs | TargetRefs - reference to endpoints, which user may access. | [][TargetRef](#targetref) | true | | default_url | DefaultURLs backend url for non-matching paths filter usually used for default backend with error message | []string | false | +| ip_filters | IPFilters defines per target src ip filters supported only with enterprise version of vmauth https://docs.victoriametrics.com/vmauth.html#ip-filters | [VMUserIPFilters](#vmuseripfilters) | false | [Back to TOC](#table-of-contents) diff --git a/docs/operator/vars.md b/docs/operator/vars.md index b8b8df54b..44e215134 100644 --- a/docs/operator/vars.md +++ b/docs/operator/vars.md @@ -10,7 +10,7 @@ aliases: - /operator/vars.html --- # Auto Generated vars for package config - updated at Mon Sep 4 14:57:30 UTC 2023 + updated at Thu Sep 7 10:13:17 UTC 2023 | varible name | variable default value | variable required | variable description | @@ -127,4 +127,4 @@ aliases: | VM_PODWAITREADYINTERVALCHECK | 5s | false | - | | VM_PODWAITREADYINITDELAY | 10s | false | - | | VM_FORCERESYNCINTERVAL | 60s | false | configures force resync interval for VMAgent, VMAlert, VMAlertmanager and VMAuth. | -| VM_ENABLESTRICTSECURITY | true | false | EnableStrictSecurity will add default `securityContext` to pods and containers created by operatorDefault PodSecurityContext include:1. RunAsNonRoot: true2. RunAsUser/RunAsGroup/FSGroup: 65534'65534' refers to 'nobody' in all the used default images like alpine, busybox.If you're using customize image, please make sure '65534' is a valid uid in there or specify SecurityContext.3. FSGroupChangePolicy: &onRootMismatchIf KubeVersion>=1.20, use `FSGroupChangePolicy="onRootMismatch"` to skip the recursive permission changewhen the root of the volume already has the correct permissions4. SeccompProfile:type: RuntimeDefaultUse `RuntimeDefault` seccomp profile by default, which is defined by the container runtime,instead of using the Unconfined (seccomp disabled) mode.Default container SecurityContext include:1. AllowPrivilegeEscalation: false2. ReadOnlyRootFilesystem: true3. Capabilities:drop:- all | +| VM_ENABLESTRICTSECURITY | false | false | EnableStrictSecurity will add default `securityContext` to pods and containers created by operatorDefault PodSecurityContext include:1. RunAsNonRoot: true2. RunAsUser/RunAsGroup/FSGroup: 65534'65534' refers to 'nobody' in all the used default images like alpine, busybox.If you're using customize image, please make sure '65534' is a valid uid in there or specify SecurityContext.3. FSGroupChangePolicy: &onRootMismatchIf KubeVersion>=1.20, use `FSGroupChangePolicy="onRootMismatch"` to skip the recursive permission changewhen the root of the volume already has the correct permissions4. SeccompProfile:type: RuntimeDefaultUse `RuntimeDefault` seccomp profile by default, which is defined by the container runtime,instead of using the Unconfined (seccomp disabled) mode.Default container SecurityContext include:1. AllowPrivilegeEscalation: false2. ReadOnlyRootFilesystem: true3. Capabilities:drop:- allturn off `EnableStrictSecurity` by default, see https://github.com/VictoriaMetrics/operator/issues/749 for details |