# [Security Issue] Node Exporter DaemonSet Security Risk Report
## Relevant Files and Links

- Local YAML provided (DaemonSet: `node-exporter`, namespace: `monitoring`)
- GitHub reference: m3db/m3 `node-exporter-daemonset.yaml`
## Summary of the Issue

The node-exporter DaemonSet:

- uses `hostNetwork: true`
- uses `hostPID: true`

which allows the container to access the host's network and process namespaces. If the container is compromised, this raises the risk of a node-wide takeover, a severe security exposure.
## Detailed Analysis

### 1. `hostNetwork: true`

- Places the container in the host's network namespace.
- Impact:
  - The container can bind directly to the host's IP and ports.
  - It can access or sniff host network traffic.
- Risk:
  - If compromised, an attacker can hijack services, sniff sensitive data, or perform lateral movement across the cluster.

### 2. `hostPID: true`

- Places the container in the host's process namespace.
- Impact:
  - The container can list and observe all processes running on the host.
  - It can access sensitive system-level process information.
- Risk:
  - An attacker can perform reconnaissance, gather sensitive information, interfere with processes, or attempt privilege escalation.
## Security Risk Summary

| Risk Item | Description |
|---|---|
| `hostNetwork` | Host network exposure: risk of hijacking traffic, taking over ports, lateral movement. |
| `hostPID` | Host process exposure: risk of process monitoring, interference, and sensitive information leakage. |
| Combined Risk | When both are enabled, container compromise dramatically increases the likelihood of node takeover. |
## Recommended Actions

### Reassess Necessity

- Verify whether `hostNetwork` and `hostPID` are strictly necessary; disable them if not.

### Strengthen Pod Security

- Keep `runAsNonRoot: true`.
- Remove `privileged: true` and unnecessary Linux capabilities.
- Apply seccomp, AppArmor, or SELinux profiles.

### Minimize Host Exposure

- Reduce unnecessary port and network bindings.
- Use Kubernetes NetworkPolicy to limit pod-to-pod and pod-to-service communication.

### Maintain Image Security

- Regularly update and patch container images.
- Use signed and verified images; run regular vulnerability scans.
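As an added example (not part of this issue or of the m3db/m3 repository), the check below audits a DaemonSet manifest, parsed into a dict from its JSON or YAML form, for the host-namespace settings flagged in the analysis and for the pod-security controls recommended above; it reports a finding for each weak or missing setting. Both manifests are constructed samples, the image tag is a placeholder, and `allowPrivilegeEscalation` is included as a field from the Kubernetes Pod Security Standards referenced in this report.

```python
from typing import Dict, List

# Constructed sample mirroring the flagged settings (not the m3db/m3 file; image tag is a placeholder).
WEAK: Dict = {"apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-exporter", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "hostNetwork": True, "hostPID": True,
        "containers": [{"name": "node-exporter", "image": "prom/node-exporter:PLACEHOLDER_TAG",
                        "securityContext": {"privileged": True}}]}}}}

# Same workload with the recommended controls applied; no host namespaces are shared (constructed sample).
HARDENED: Dict = {"apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-exporter", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "node-exporter", "image": "prom/node-exporter:PLACEHOLDER_TAG",
                        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]},
                                            "seccompProfile": {"type": "RuntimeDefault"}}}]}}}}


def audit_daemonset(manifest: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext") or {}
    findings: List[str] = []
    # Host namespace sharing is the core risk: each occurrence must be justified or removed.
    for key in ("hostNetwork", "hostPID"):
        if pod.get(key) is True:
            findings.append(f"{name}: pod sets {key}: true (shares host namespace)")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged: true")
        # runAsNonRoot and seccompProfile may be set at pod level; container level overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not set to false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{cname}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: no seccompProfile of type RuntimeDefault or Localhost")
    return findings


if __name__ == "__main__":
    for finding in audit_daemonset(WEAK):
        print(finding)
```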
## References

- Kubernetes Pod Security Standards
- Risks of hostNetwork and hostPID
- Prometheus Node Exporter Security Best Practices
- GitHub: m3db/m3 `node-exporter-daemonset.yaml`
## Summary

The use of hostNetwork and hostPID in the node-exporter DaemonSet greatly expands the attack surface, posing serious threats to Kubernetes node security.
Unless strictly necessary, these settings should be disabled; if required, they must be paired with robust security controls to ensure cluster safety.