[kube-prometheus-stack] Help needed: node exporter violates PodSecurity
Hello there 👋,
I've deployed the prom stack. Everything is fine except the node exporter daemonset. Here is the log:
W0906 10:54:57.616580 638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Release "prometheus" has been upgraded. Happy Helming!
I tried to add a privileged security context label to my values but still no luck
```yaml
nodeExporter:
  enabled: true
  operatingSystems:
    linux:
      enabled: true
    darwin:
      enabled: true
  podLabels:
    pod-security.kubernetes.io/enforce: privileged
```
The helm upgrade output gives a warning:
```
helm upgrade -f config/prometheus.yml prometheus prometheus-community/kube-prometheus-stack -n prometheus
W0906 10:54:57.616580 638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
I'm running a K8S cluster deployed via Talos.
```
+ kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.3
```
Thanks for any help !
OK, this label actually needs to be placed at namespace level. It works like this. But I would have preferred to give perms only to the daemonset...
You would have to use a different implementation of the pod security with support for exceptions, e.g. by means of policies (Kyverno, Gatekeeper). On the other hand, Node exporter can run in the restricted PSS profile but you'd have to give up some of its functionality, e.g. no host path mount, no host network, etc. and hence, unavailability of the corresponding metrics. Its security context can and should be made more restrictive, though.
This is still the case for more recent K8s versions, and no viable option has really been provided. The main dilemma is:
- PodSecurityPolicy (PSP) has been deprecated since Kubernetes v1.21 and was fully removed in v1.25.
- The Pod Security Admission (PSA) mechanism most refer to is namespace-scoped, which is too open.
```
Error creating: pods "prometheus-prometheus-node-exporter-xxx" is forbidden: violates PodSecurity "baseline:latest": host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volumes "proc", "sys", "root"), hostPort (container "node-exporter" uses hostPort 9100)
```
The needed solution would allow a specific Pod (like node-exporter) to run with hostNetwork: true, hostPID: true with pod-granular privilege, so it can still scrape full host metrics?
On the other hand, disabling the options might not make node-exporter relevant.
🔒 hostNetwork: false
Implication: The pod won't use the host's network stack.
- Effect on metrics:
  - Cannot access host-level network interfaces.
  - May miss network I/O stats that are only visible from the host (e.g. eth0, wlan0).
  - Metrics collected are limited to the container network namespace.

🔒 hostPID: false
Implication: The pod won't see the host's process IDs.
- Effect on metrics:
  - Node Exporter can't see all system processes, only those in the pod's namespace.
  - This affects per-process metrics like:
    - CPU/memory usage by system daemons (e.g. kubelet, containerd)
    - Total number of system processes.
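The two replies above make the same point from opposite ends: the node-exporter pod trips baseline controls (host namespaces, hostPath, hostPort), which no amount of securityContext hardening fixes, so PSA can only admit it in a namespace labelled `enforce: privileged`, while a pod stripped of host access fits `restricted` but loses the host metrics. The script below is an added example (not code from kube-prometheus-stack, node_exporter or Kubernetes) that reproduces the PSS controls named in the thread's warnings offline and works out which namespace-level enforce label a pod needs. The pod spec is constructed by hand to mirror the warnings above, not copied from the chart; the checks cover only the controls the thread's messages mention plus `runAsNonRoot` (which `restricted` also requires and which the warning did not list, so the sample pod sets it), so a pass here is narrower than what the real Pod Security Admission controller enforces.

```python
"""Offline check of a pod spec against the PSS controls named in this thread.

Added example, not code from kube-prometheus-stack, node_exporter or Kubernetes.
NODE_EXPORTER_POD is constructed to mirror the warnings in the thread; the
checks are a subset of the real Pod Security Admission controls.
"""
from copy import deepcopy
from typing import Dict, List


def _containers(pod: Dict) -> List[Dict]:
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod: Dict) -> List[str]:
    """Baseline controls from the thread's error: host namespaces, hostPath, hostPort (+ privileged)."""
    spec = pod["spec"]
    out: List[str] = []
    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        out.append("host namespaces (" + ", ".join(f"{k}=true" for k in host_ns) + ")")
    host_paths = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        out.append("hostPath volumes (" + ", ".join(host_paths) + ")")
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            out.append(f"privileged (container {c['name']})")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                out.append(f"hostPort (container {c['name']} uses hostPort {p['hostPort']})")
    return out


def restricted_violations(pod: Dict) -> List[str]:
    """Restricted = baseline plus the per-container hardening the thread's warning lists."""
    out = baseline_violations(pod)
    pod_sc = pod["spec"].get("securityContext", {})
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"allowPrivilegeEscalation != false (container {name})")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f"unrestricted capabilities (container {name})")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"seccompProfile (container {name})")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"runAsNonRoot != true (container {name})")
    return out


def required_pss_level(pod: Dict) -> str:
    """Least-permissive value of pod-security.kubernetes.io/enforce that still admits the pod."""
    if not restricted_violations(pod):
        return "restricted"
    if not baseline_violations(pod):
        return "baseline"
    return "privileged"


# Constructed sample mirroring the thread's warnings: host namespaces,
# hostPath proc/sys/root, hostPort 9100, no container hardening.
NODE_EXPORTER_POD = {"spec": {
    "hostNetwork": True, "hostPID": True,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
    "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}},
                {"name": "sys", "hostPath": {"path": "/sys"}},
                {"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "node-exporter",
                    "ports": [{"containerPort": 9100, "hostPort": 9100}]}],
}}

HARDENED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
               "seccompProfile": {"type": "RuntimeDefault"}, "readOnlyRootFilesystem": True}


def with_hardened_context(pod: Dict) -> Dict:
    """Tighten the container securityContext but keep host access (the 'perms only for the daemonset' wish)."""
    p = deepcopy(pod)
    for c in p["spec"]["containers"]:
        c["securityContext"] = {**c.get("securityContext", {}), **HARDENED_SC}
    return p


def without_host_access(pod: Dict) -> Dict:
    """Also drop host namespaces, hostPath volumes and hostPort: fits restricted, loses host metrics."""
    p = with_hardened_context(pod)
    spec = p["spec"]
    for k in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(k, None)
    spec["volumes"] = [v for v in spec.get("volumes", []) if "hostPath" not in v]
    for c in spec["containers"]:
        c["ports"] = [{k: v for k, v in port.items() if k != "hostPort"} for port in c.get("ports", [])]
    return p


if __name__ == "__main__":
    for label, pod in (("as shipped", NODE_EXPORTER_POD),
                       ("hardened, host access kept", with_hardened_context(NODE_EXPORTER_POD)),
                       ("hardened, host access dropped", without_host_access(NODE_EXPORTER_POD))):
        print(f"{label}: namespace needs enforce={required_pss_level(pod)}")
        for v in restricted_violations(pod):
            print("   ", v)
```

Running it shows the middle case is the one the thread is stuck on: with the hardened securityContext the `restricted` findings for allowPrivilegeEscalation, capabilities and seccomp disappear, but the three baseline findings remain, so PSA still needs `enforce=privileged` on the namespace. Pod-level exceptions are exactly what PSA does not offer, which is why the earlier reply points at a policy engine (Kyverno, Gatekeeper) for anything finer than a namespace label.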