
[kube-prometheus-stack] Help needed: node exporter violate PodSecurity

Open Sispheor opened this issue 1 year ago • 2 comments

Hello there 👋,

I've deployed the prom stack. Everything is fine except the node exporter daemonset. Here is the log:

W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Release "prometheus" has been upgraded. Happy Helming!

I tried to add a privileged security context label to my values but still no luck

nodeExporter:
  enabled: true
  operatingSystems:
    linux:
      enabled: true
    darwin:
      enabled: true
  podLabels:
    pod-security.kubernetes.io/enforce: privileged

The helm upgrade output gives a warning

helm upgrade -f config/prometheus.yml prometheus prometheus-community/kube-prometheus-stack -n prometheus
W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I'm running a K8S deployed via Talos

+ kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.3

Thanks for any help !

Sispheor avatar Sep 06 '24 09:09 Sispheor

OK, this label needs to be actually placed at namespace level. It works like this. But I would have preferred to give perms only to the daemonset...

Sispheor avatar Sep 06 '24 09:09 Sispheor

You would have to use a different implementation of the pod security with support for exceptions, e.g. by means of policies (Kyverno, Gatekeeper). On the other hand, Node exporter can run in the restricted PSS profile but you'd have to give up some of its functionality, e.g. no host path mount, no host network, etc. and hence, unavailability of the corresponding metrics. Its security context can and should be made more restrictive, though.

zeritti avatar Sep 13 '24 08:09 zeritti

This is still the case for more recent K8s versions, and no viable option has been provided really. The main dilemma is:

  1. PodSecurityPolicy (PSP) has been deprecated since Kubernetes v1.21 and was fully removed in v1.25.
  2. The Pod Security Admission (PSA) mechanism most refer to is namespace scoped, which is too open:
Error creating: pods "prometheus-prometheus-node-exporter-xxx" is forbidden: violates PodSecurity "baseline:latest": host namespaces 
(hostNetwork=true, hostPID=true), hostPath volumes (volumes "proc", "sys", "root"), hostPort 
(container "node-exporter" uses hostPort 9100) 

The needed solution would allow a specific Pod (like node-exporter) to run with hostNetwork: true, hostPID: true with pod-granular privilege, so it can still scrape full host metrics?

On the other hand, disabling the options might not make node-exporter relevant:

🔒 hostNetwork: false Implication: The pod won't use the host's network stack.

  • Effect on metrics:
    • Cannot access host-level network interfaces.
    • May miss network I/O stats that are only visible from the host (e.g. eth0, wlan0).

Metrics collected are limited to the container network namespace.

🔒 hostPID: false Implication: The pod won’t see the host's process IDs.

  • Effect on metrics:
    • Node Exporter can't see all system processes, only those in the pod’s namespace.

    • This affects per-process metrics like:

      • CPU/memory usage by system daemons (e.g. kubelet, containerd)
      • Total number of system processes.

brokedba avatar May 01 '25 19:05 brokedba
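To make zeritti's point ("the security context can and should be made more restrictive, but host namespaces and hostPath mounts are inherent") and brokedba's baseline error concrete, here is an added example that is not from the issue, the kube-prometheus-stack chart or the node-exporter project. It evaluates a constructed node-exporter pod spec against the Pod Security Standards conditions quoted in the thread's "baseline:latest" and "restricted:latest" messages, before and after tightening the container securityContext. The pod spec, image tag and the exact condition wording are approximations written for this example, not the chart's rendered manifest; note that restricted is a superset of baseline, so the hostPort 9100 from the baseline error is also reported at the restricted level.

```python
# Added example (not from the issue, the chart or node-exporter): a small
# evaluator for the PSS conditions quoted in the thread, run over a constructed
# node-exporter pod spec before and after hardening its container securityContext.
import copy

# Volume types the restricted profile allows; anything else (hostPath included)
# is reported as "restricted volume types".
RESTRICTED_ALLOWED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}

# Constructed approximation of the node-exporter DaemonSet pod (not the chart's output).
NODE_EXPORTER_POD = {
    "metadata": {"name": "prometheus-prometheus-node-exporter-xxx"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
        "containers": [{
            "name": "node-exporter",
            "image": "quay.io/prometheus/node-exporter:PLACEHOLDER_TAG",
            "ports": [{"containerPort": 9100, "hostPort": 9100}],
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "proc", "mountPath": "/host/proc", "readOnly": True},
                {"name": "sys", "mountPath": "/host/sys", "readOnly": True},
                {"name": "root", "mountPath": "/host/root", "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "proc", "hostPath": {"path": "/proc"}},
            {"name": "sys", "hostPath": {"path": "/sys"}},
            {"name": "root", "hostPath": {"path": "/"}},
        ],
    },
}


def _host_namespaces(spec):
    used = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    return [", ".join(f"{k}=true" for k in used)] if used else []


def _hostpath_volumes(spec):
    names = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    return [f"volumes {names} use hostPath"] if names else []


def _host_ports(spec):
    return [f"container {c['name']!r} uses hostPort {p['hostPort']}"
            for c in spec["containers"] for p in c.get("ports", []) if p.get("hostPort")]


def _restricted_volumes(spec):
    bad = [v["name"] for v in spec.get("volumes", [])
           if not (set(v) - {"name"}) <= RESTRICTED_ALLOWED_VOLUMES]
    return [f"volumes {bad} use a volume type not allowed by restricted"] if bad else []


def _container_check(ok, must):
    """Build a check reporting every container whose securityContext fails `ok`.
    `ok` receives the container securityContext and the pod securityContext,
    because some fields (seccompProfile, runAsNonRoot) may be inherited from the pod."""
    def run(spec):
        pod_sc = spec.get("securityContext") or {}
        return [f"container {c['name']!r} must {must}"
                for c in spec["containers"] if not ok(c.get("securityContext") or {}, pod_sc)]
    return run


_BASELINE = [
    ("host namespaces", _host_namespaces),
    ("hostPath volumes", _hostpath_volumes),
    ("hostPort", _host_ports),
]
_RESTRICTED_ONLY = [
    ("restricted volume types", _restricted_volumes),
    ("allowPrivilegeEscalation != false", _container_check(
        lambda sc, _: sc.get("allowPrivilegeEscalation") is False,
        "set securityContext.allowPrivilegeEscalation=false")),
    ("unrestricted capabilities", _container_check(
        lambda sc, _: "ALL" in ((sc.get("capabilities") or {}).get("drop") or []),
        'set securityContext.capabilities.drop=["ALL"]')),
    ("runAsNonRoot != true", _container_check(
        lambda sc, pod_sc: sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
        "set securityContext.runAsNonRoot=true")),
    ("seccompProfile", _container_check(
        lambda sc, pod_sc: (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {})
        .get("type") in ("RuntimeDefault", "Localhost"),
        'set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"')),
]
CHECKS = {
    "baseline": _BASELINE,
    # restricted is a superset of baseline; its volume-type check subsumes the hostPath one
    "restricted": [c for c in _BASELINE if c[0] != "hostPath volumes"] + _RESTRICTED_ONLY,
}


def violations(level, pod):
    """Return {condition name: [details]} for every condition `pod` fails at `level`."""
    spec = pod["spec"]
    return {name: details for name, check in CHECKS[level] if (details := check(spec))}


def harden(pod):
    """Copy of `pod` with the container-level fields the restricted warning asks for;
    host namespaces, hostPath volumes and hostPort are deliberately left alone."""
    hardened = copy.deepcopy(pod)
    for c in hardened["spec"]["containers"]:
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc["capabilities"] = {"drop": ["ALL"]}
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return hardened


if __name__ == "__main__":
    for level in ("baseline", "restricted"):
        for label, pod in (("as deployed", NODE_EXPORTER_POD), ("hardened", harden(NODE_EXPORTER_POD))):
            print(f"{level} / {label}: {sorted(violations(level, pod))}")
```

Running it shows what the thread describes: after hardening, the three container-level findings (allowPrivilegeEscalation, capabilities, seccompProfile) disappear, while host namespaces, the hostPath-backed volumes and the hostPort remain at both levels, so the namespace either stays at privileged or node-exporter gives up those mounts and the corresponding metrics.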