Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[kube-prometheus-stack] Help needed: node exporter violate PodSecurity #4837

Open
Sispheor opened this issue Sep 6, 2024 · 2 comments
Open

[kube-prometheus-stack] Help needed: node exporter violate PodSecurity #4837

Sispheor opened this issue Sep 6, 2024 · 2 comments

Comments

@Sispheor
Copy link

Sispheor commented Sep 6, 2024

Hello there 👋,

I've deployed the prom stack. Everything is fine except the node exporter daemonset. Here is the log:

W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Release "prometheus" has been upgraded. Happy Helming!

I tried to add a privileged security context label to my values but still no luck

nodeExporter:
  enabled: true
  operatingSystems:
    linux:
      enabled: true
    darwin:
      enabled: true
  podLabels:
    pod-security.kubernetes.io/enforce: privileged

The help upgrade output give a warning

helm upgrade -f config/prometheus.yml prometheus prometheus-community/kube-prometheus-stack -n prometheus
W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I'm running a K8S deployed via Talos

+ kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.3

Thanks for any help !
@Sispheor
Copy link
Author

Sispheor commented Sep 6, 2024

OK, this label needs to be actually placed at namespace level. It works like this. But I would have preferred to give perms only to the deamonset...

@zeritti zeritti changed the title Help needed: node exporter violate PodSecurity [kube-prometheus-stack] Help needed: node exporter violate PodSecurity Sep 13, 2024
@zeritti
Copy link
Member

zeritti commented Sep 13, 2024

OK, this label needs to be actually placed at namespace level. It works like this. But I would have preferred to give perms only to the deamonset...

You would have to use a different implementation of the pod security with support for exceptions, e.g. by means of policies (Kyverno, Gatekeeper). On the other hand, Node exporter can run in the restricted PSS profile but you'd have to give up some of its functionality, e.g. no host path mount, no host network, etc. and hence, unavailability of the corresponding metrics. Its security context can and should be made more restrictive, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Sispheor @zeritti