VictoriaMetrics - Security
Evaluation Context
VictoriaMetrics scales horizontally and is expected to run continuously inside private VPC networks, behind an authenticating gateway; the controls below assume that no component port is reachable from outside that boundary.
1. Decision Matrix / RBAC
| Control | What it does | Notes |
|---|---|---|
| `-metricsAuthKey` | Requires an auth key on a component's `/metrics` endpoint; sibling flags such as `-flagsAuthKey` and `-pprofAuthKey` protect `/flags` and `/debug/pprof` in the same way. | The key value can be given inline or loaded from a file or an HTTP(S) URL, so it can be sourced from a mounted Secret. |
| Ingress controllers | Basic-auth credentials kept in a Kubernetes Secret and attached to an ingress-nginx Ingress through the `auth-type`, `auth-secret` and `auth-realm` annotations. | Gates an endpoint behind a password; it does not route a user to a tenant, which is vmauth's job. |
| Operator security mode | The VictoriaMetrics Kubernetes operator supports a `useStrictSecurity` flag on its CRDs. | Runs containers as non-root, drops all capabilities, forbids privilege escalation and mounts the root filesystem read-only. |
2. Threat Model & Tenant Isolation
- vmauth / vmgateway as the only entry point: vminsert and vmselect perform no authentication of their own, and the tenant is chosen by the client through the URL path (`/insert/<accountID>/...`, `/select/<accountID>/...`). Expose them only behind vmauth (or the enterprise vmgateway), which maps each bearer token or basic-auth user to a `url_prefix` that already contains the tenant ID, so a client can reach only its own tenant. Without that layer, any client that can reach the ports can write into or read from every tenant and can exhaust the cluster with unbounded queries.
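The isolation above holds only if every vmauth entry actually pins a tenant. The following linter is an added example, not VictoriaMetrics code: it walks a vmauth `users` config (here a constructed Python dict with the same shape as the `-auth.config` file, kept stdlib-only instead of parsing YAML) and flags prefixes that stop at the host, users whose `url_map` spans several tenants, the `/select/multitenant/` path (which the cluster exposes for reading across all tenants; treating it as a finding is this example's policy), duplicate credentials and an `unauthorized_user` section. Token values are placeholders.

```python
"""Lint a vmauth users config for tenant-isolation mistakes (added example)."""
import re
from urllib.parse import urlparse

# Tenant-scoped cluster paths: /insert/42/..., /select/42:7/...
TENANT_PATH = re.compile(r"^/(insert|select)/(\d+(?::\d+)?)(?:/|$)")
# Cross-tenant read path exposed by vmselect; flagged by this linter's policy.
CROSS_TENANT_PATH = re.compile(r"^/select/multitenant(?:/|$)")

# Constructed sample config; same structure as vmauth's -auth.config file.
SAMPLE_CONFIG = {
    "users": [
        {   # good: token pinned to tenant 42 for both write and read
            "bearer_token": "tenant42-PLACEHOLDER-TOKEN",
            "url_map": [
                {"src_paths": ["/api/v1/write"],
                 "url_prefix": "http://vminsert:8480/insert/42/prometheus"},
                {"src_paths": ["/api/v1/query", "/api/v1/query_range"],
                 "url_prefix": "http://vmselect:8481/select/42/prometheus"},
            ],
        },
        {   # bad: prefix stops at the host, so the client picks the tenant
            "username": "legacy-scraper", "password": "hunter2",
            "url_prefix": "http://vminsert:8480/",
        },
        {   # bad: one credential spans two tenants
            "bearer_token": "mixed-PLACEHOLDER-TOKEN",
            "url_map": [
                {"src_paths": ["/api/v1/write"],
                 "url_prefix": "http://vminsert:8480/insert/7/prometheus"},
                {"src_paths": ["/api/v1/query"],
                 "url_prefix": "http://vmselect:8481/select/9/prometheus"},
            ],
        },
        {   # bad: cross-tenant read path (url_prefix may also be a list)
            "bearer_token": "auditor-PLACEHOLDER-TOKEN",
            "url_prefix": ["http://vmselect-1:8481/select/multitenant/prometheus",
                           "http://vmselect-2:8481/select/multitenant/prometheus"],
        },
    ],
    # bad: unauthenticated requests are proxied straight to vmselect
    "unauthorized_user": {"url_prefix": "http://vmselect:8481/select/0/prometheus"},
}


def _prefixes(entry):
    """Yield every url_prefix string of a user (top-level or inside url_map)."""
    raw = []
    if "url_prefix" in entry:
        raw.append(entry["url_prefix"])
    for m in entry.get("url_map", []):
        raw.append(m["url_prefix"])
    for item in raw:
        if isinstance(item, list):
            yield from item
        else:
            yield item


def _tenant_of(url):
    """Return the tenant id a prefix pins, 'multitenant', or None if unpinned."""
    path = urlparse(url).path
    if CROSS_TENANT_PATH.match(path):
        return "multitenant"
    m = TENANT_PATH.match(path)
    return m.group(2) if m else None


def lint_vmauth(config):
    """Return a list of (user_label, problem) tuples; an empty list means clean."""
    findings = []
    seen_creds = set()
    for idx, user in enumerate(config.get("users", [])):
        label = user.get("username") or f"user#{idx}"
        cred = user.get("bearer_token") or (user.get("username"), user.get("password"))
        if not user.get("bearer_token") and not user.get("username"):
            findings.append((label, "no bearer_token or username: entry matches nothing"))
        if cred in seen_creds:
            findings.append((label, "duplicate credential shared with an earlier user"))
        seen_creds.add(cred)
        tenants = set()
        for url in _prefixes(user):
            tenant = _tenant_of(url)
            if tenant is None:
                findings.append((label, f"url_prefix {url} does not pin a tenant"))
            elif tenant == "multitenant":
                findings.append((label, f"url_prefix {url} reads across all tenants"))
            else:
                tenants.add(tenant)
        if len(tenants) > 1:
            findings.append((label, f"routes to several tenants: {sorted(tenants)}"))
    if "unauthorized_user" in config:
        findings.append(("unauthorized_user",
                         "unauthenticated requests are proxied; remove unless intended"))
    return findings


if __name__ == "__main__":
    for label, problem in lint_vmauth(SAMPLE_CONFIG):
        print(f"{label}: {problem}")
```

Run it against a real config by loading the YAML into the same dict shape; a clean result is a necessary condition, not a sufficient one, since the check does not see the network policy that keeps vminsert and vmselect unreachable except from vmauth.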