Title: feat(monitoring): switch VLogs to cluster mode for secure tenant log isolation · Issue #2000 · cozystack/cozystack · GitHub
Opengraph URL: https://github.com/cozystack/cozystack/issues/2000
**Author:** lexfrei · **Published:** 2026-02-08 · **Comments:** 0

## Problem

PR #1971 proposes adding NetworkPolicy egress to VLogs pods so that nested cluster Fluent Bit instances can forward logs to the parent tenant's VLogs. However, VLogs in single-node mode exposes both write (`/insert/*`) and read (`/select/*`) endpoints on the same port (9428). If we open NetworkPolicy egress to VLogs, a child tenant would be able to query `/select/*` and read ALL logs stored in the parent tenant's VLogs — including logs from other tenants.

This is why PR #1971 cannot be merged as-is (see kvaps' comment about the security concern).

**Note on metrics**: vminsert is architecturally write-only — it has no query endpoints. The existing NetworkPolicy egress to vminsert is secure. This issue is VLogs-specific.

## Current State

- VLogs is deployed via the deprecated `VLogs` CRD (`operator.victoriametrics.com/v1beta1`) in single-node mode
- victoria-metrics-operator is at v0.55.0
- VictoriaLogs image is v1.17.0
- The `VLogs` CRD will become read-only after operator v0.61.0

## Proposed Solution

Switch VLogs from single-node to **cluster mode** using the `VLCluster` CRD (introduced in operator v0.59.0):

- **vlinsert** — write-only component, accepts logs from tenants
- **vlselect** — read-only component, handles log queries
- **vlstorage** — storage backend

With this architecture, tenant NetworkPolicy egress would target only vlinsert pods (write-only by design, with `-select.disable` flag). Tenants can ingest logs but cannot read them. This mirrors the existing vminsert/vmselect separation for metrics.

### Prerequisites

1. Upgrade victoria-metrics-operator from v0.55.0 to v0.59.0+ (current stable: v0.67.0)
2. Migrate from deprecated `VLogs` CRD (v1beta1) to `VLCluster` CRD (v1)
3. Update VictoriaLogs image to a cluster-capable version

This also addresses the upcoming `VLogs` CRD deprecation.

### Alternative

Deploy vmauth (VictoriaMetrics auth proxy) in front of single-node VLogs, routing only `/insert/*` paths to tenants. Simpler but adds an extra component without solving the CRD deprecation.

## References

- #1971 — PR that surfaced this issue (tenant log forwarding NetworkPolicy)
- #1970 — Related bug report
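The following manifest is an added example of the network-layer half of the proposed solution; it is not code from the issue, from PR #1971 or from the cozystack repository. It assumes (none of this is stated in the issue) that the `VLCluster` is deployed in a namespace called `monitoring`, that the operator labels its pods `app.kubernetes.io/name: vlinsert` / `vlselect`, that vlinsert listens on TCP 9481 and vlselect on TCP 9471, and that tenant namespaces carry a label `cozystack.io/tenant: "true"`; replace those with the labels and ports your deployment actually uses. It goes one step beyond the post by also pinning vlselect to in-namespace callers, so a tenant that guesses the vlselect Service name is still dropped at L3/L4.

```yaml
# Added example (not from the cozystack issue or repo). Hypothetical labels,
# namespace and ports; verify them with `kubectl get pods -n monitoring
# --show-labels` before applying.
---
# Tenant forwarders may reach vlinsert only. With single-node VLogs this split
# is impossible at the network layer: /insert/* and /select/* are served by the
# same pod on the same port (9428), so any rule that admits ingest admits queries.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vlinsert-allow-tenant-ingest
  namespace: monitoring          # assumed VLCluster namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: vlinsert   # assumed operator label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              cozystack.io/tenant: "true"   # assumed tenant-namespace label
      ports:
        - protocol: TCP
          port: 9481               # assumed vlinsert listen port
---
# vlselect is reachable only from pods inside the monitoring namespace
# (Grafana, the operator). Tenant namespaces match no rule here, so their
# packets to vlselect are dropped even if they resolve its Service name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vlselect-allow-local-only
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: vlselect   # assumed operator label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}          # any pod in the same namespace, nothing else
      ports:
        - protocol: TCP
          port: 9471               # assumed vlselect listen port
```

Two checks before relying on this. First, NetworkPolicy is only enforced by a CNI that implements it; confirm by exec'ing into a pod in a tenant namespace and verifying that a POST to the vlinsert Service succeeds while a GET to the vlselect Service times out rather than returning query results. Second, keep the `-select.disable` flag on vlinsert that the post mentions: the policy is the network layer and the flag is the in-process layer, and tenant log isolation should survive a failure of either one alone.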