mirror of
https://github.com/puppetmaster/typhoon.git
synced 2024-12-26 17:49:32 +01:00
ffbacbccf7
* Add toleration to run node-exporter on controller nodes * Add HostToContainer mount propagation and security context group settings from upstream * Fix SELinux denied accessing /host/proc/1/mounts. The mounts file is has an SELinux type attribute init_t, but that won't allow running the node-exporter binary so we have to use spc_t. This should be more targeted at just the SELinux issue than making the Pod privileged * Remove excluded mount points and filesystem types, the defaults are https://github.com/prometheus/node_exporter/blob/v1.3.1/collector/filesystem_linux.go#L35 ``` caller=collector.go:169 level=error msg="collector failed" name=filesystem duration_seconds=0.000666766 err="open /host/proc/1/mounts: permission denied" ``` ``` [ 3664.880899] audit: type=1400 audit(1659639161.568:4400): avc: denied { search } for pid=28325 comm="node_exporter" name="1" dev="proc" ino=22542 scontext=system_u:system_r:container_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 ```
80 lines
1.9 KiB
YAML
80 lines
1.9 KiB
YAML
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: node-exporter
|
|
namespace: monitoring
|
|
spec:
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxUnavailable: 1
|
|
selector:
|
|
matchLabels:
|
|
name: node-exporter
|
|
phase: prod
|
|
template:
|
|
metadata:
|
|
labels:
|
|
name: node-exporter
|
|
phase: prod
|
|
spec:
|
|
serviceAccountName: node-exporter
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65534
|
|
runAsGroup: 65534
|
|
fsGroup: 65534
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
hostNetwork: true
|
|
hostPID: true
|
|
containers:
|
|
- name: node-exporter
|
|
image: quay.io/prometheus/node-exporter:v1.3.1
|
|
args:
|
|
- --path.procfs=/host/proc
|
|
- --path.sysfs=/host/sys
|
|
- --path.rootfs=/host/root
|
|
ports:
|
|
- name: metrics
|
|
containerPort: 9100
|
|
hostPort: 9100
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 50Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 100Mi
|
|
securityContext:
|
|
seLinuxOptions:
|
|
type: spc_t
|
|
volumeMounts:
|
|
- name: proc
|
|
mountPath: /host/proc
|
|
readOnly: true
|
|
- name: sys
|
|
mountPath: /host/sys
|
|
readOnly: true
|
|
- name: root
|
|
mountPath: /host/root
|
|
mountPropagation: HostToContainer
|
|
readOnly: true
|
|
tolerations:
|
|
- key: node-role.kubernetes.io/controller
|
|
operator: Exists
|
|
- key: node-role.kubernetes.io/control-plane
|
|
operator: Exists
|
|
- key: node.kubernetes.io/not-ready
|
|
operator: Exists
|
|
volumes:
|
|
- name: proc
|
|
hostPath:
|
|
path: /proc
|
|
- name: sys
|
|
hostPath:
|
|
path: /sys
|
|
- name: root
|
|
hostPath:
|
|
path: /
|