avoid child open port and fix liveness probe on public worker nodes

Open alexfouche opened this issue 1 year ago • 1 comments

On a k8s cluster with public worker nodes, the child daemonset will be available publicly on port 19999, since it runs with hostNetwork: true.

From the Securing Netdata pages, and since there is a Netdata parent accessible from a ClusterIP service, it is possible to avoid that by setting:

child:
  configs:
    netdata:
      data: |
        [web]
          mode = none
(...)

Unfortunately this breaks the liveness and readiness probes.

So I am using

child:
  configs:
    netdata:
      data: |
        [web]
          bind to = localhost:19999
(...)

The issue I have is that the Helm values.yaml does not allow setting the httpGet.host field, so that it can be set to 127.0.0.1.

I tested by editing the daemonset livenessProbe and readinessProbe manually, and it works:

livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /api/v1/info
        port: http
        scheme: HTTP
(...)

Shouldn't it even be set by default for the Netdata child to not listen on all interfaces, since there will be the Netdata parent it streams to anyway?

alexfouche, Jan 16 '24 15:01
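
An added example, not part of the original issue or the Netdata chart: a small Python audit that takes a child pod spec and netdata.conf text and reports the three situations described above (port exposed under hostNetwork, probes broken by mode = none, probes needing httpGet.host once the web server is bound to localhost). The function names, the constructed pod spec and the simplified "bind to" parsing are assumptions; the probe check relies on httpGet.host defaulting to the pod IP.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def web_settings(conf_text):
    """Return the [web] section of a netdata.conf as a dict."""
    section, settings = None, {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "web" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def loopback_only(bind_to):
    """True if every space-separated 'bind to' entry is a loopback address."""
    for entry in bind_to.split():
        host = entry.split("=", 1)[0]               # drop an optional =ACL suffix
        if host not in LOOPBACK:
            head, sep, port = host.rpartition(":")  # drop a trailing :PORT
            host = head if sep and port.isdigit() else host
        if host not in LOOPBACK:
            return False
    return bool(bind_to.split())

def audit_child(pod_spec, conf_text):
    """List exposure and probe problems for a child pod spec plus netdata.conf."""
    web = web_settings(conf_text)
    disabled = web.get("mode", "").lower() == "none"
    # Assumption: with no 'bind to' line Netdata listens on all interfaces.
    local = loopback_only(web.get("bind to", "*"))
    findings = []
    if pod_spec.get("hostNetwork") and not disabled and not local:
        findings.append("exposed: web port is bound on the node's interfaces")
    for container in pod_spec.get("containers", []):
        for kind in ("livenessProbe", "readinessProbe"):
            http_get = container.get(kind, {}).get("httpGet")
            if http_get is None:
                continue
            if disabled:
                findings.append(f"{kind}: web server is off, httpGet will fail")
            elif local and http_get.get("host") not in LOOPBACK:
                findings.append(f"{kind}: set httpGet.host to 127.0.0.1")
    return findings

# Constructed sample: a child pod spec in the shape the issue describes.
def child_spec(probe_host=None):
    probe = {"httpGet": {"path": "/api/v1/info", "port": "http"}}
    if probe_host:
        probe["httpGet"]["host"] = probe_host
    return {"hostNetwork": True, "containers": [
        {"name": "netdata", "livenessProbe": probe, "readinessProbe": probe}]}
```
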