node-exporter listens on all addresses #2166

Closed
NicolasT opened this issue Dec 27, 2019 · 5 comments
@NicolasT
Contributor

Similar to #2165, the Prometheus node-exporter listens on the workload-plane address of a node. It should only bind to the control-plane address.

@NicolasT NicolasT added kind:bug Something isn't working moonshot labels Dec 27, 2019
@alexandre-allard alexandre-allard self-assigned this Feb 4, 2020
@alexandre-allard
Contributor

Not sure how we can achieve this as the node exporter is a daemonset, so we can't enforce the control plane IP.
We could set `hostNetwork: false` to not listen on each and every interface, but in that case we end up with metrics having the Pod IP.

@alexandre-allard alexandre-allard added the state:question Further information is requested label Feb 4, 2020
@NicolasT
Contributor Author

NicolasT commented Apr 6, 2020

Hmh, good point about the DaemonSet... We can pass the `-web.listen-address` option to node_exporter to make it listen to a single address only, but this likely won't accept a CIDR or something similar. So I guess the only thing we can do is have an entrypoint for the container that, given the control-plane CIDR, calculates the host address to use, then exec node_exporter with the `-web.listen-address` set to said IP (and the desired port).

@alexandre-allard alexandre-allard removed the state:question Further information is requested label Apr 6, 2020
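
One way the entrypoint proposed in the comment above could compute the address. This is an added example, not part of the thread or the project's code; the function names and the `CONTROL_PLANE_CIDR` and `LISTEN_PORT` variables are assumptions, and it handles IPv4 only with 64-bit shell arithmetic.

```shell
#!/bin/sh
# Added example (not from the issue thread): choose the one local IPv4 address
# that falls inside the control-plane CIDR, for use as the listen address.

# Print the 32-bit integer for dotted-quad $1; fail on malformed input.
# Octets with leading zeros are rejected because parsers disagree on octal.
ip_to_int() {
  case $1 in *[!0-9.]*|*..*|.*|*.|''|0[0-9]*|*.0[0-9]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 lies inside CIDR $2 (for example 10.100.0.0/16).
in_cidr() {
  case $2 in */*) ;; *) return 1 ;; esac
  bits=${2#*/}
  case $bits in ''|*[!0-9]*|0[0-9]*|???*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  addr=$(ip_to_int "$1") && net=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# Read candidate addresses (one per line, "/prefixlen" suffix allowed) on stdin
# and print the one inside CIDR $1. Fail closed when zero or several candidates
# match, rather than falling back to 0.0.0.0.
pick_listen_ip() {
  found='' count=0
  while read -r cand; do
    cand=${cand%/*}
    if in_cidr "$cand" "$1"; then found=$cand; count=$((count + 1)); fi
  done
  [ "$count" -eq 1 ] && echo "$found"
}

# Entrypoint step, run only when CONTROL_PLANE_CIDR is set. That variable and
# LISTEN_PORT are names assumed for this example.
if [ -n "${CONTROL_PLANE_CIDR:-}" ]; then
  ip=$(ip -o -4 addr show | awk '{print $4}' | pick_listen_ip "$CONTROL_PLANE_CIDR") || {
    echo "no unique address in $CONTROL_PLANE_CIDR, refusing to start" >&2; exit 1; }
  exec node_exporter --web.listen-address="$ip:${LISTEN_PORT:-9100}"
fi
```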
@TeddyAndrieux
Collaborator

With today's node-exporter Helm chart it seems possible by just setting `listenOnAllInterfaces` to false:

```yaml
apiVersion: apps/v1
kind: DaemonSet
[...]
spec:
  [...]
  template:
    [...]
    spec:
      [...]
      containers:
         [...]
            - --web.listen-address=$(HOST_IP):{{ .Values.service.port }}
         [...]
          env:
          - name: HOST_IP
            {{- if .Values.service.listenOnAllInterfaces }}
            value: 0.0.0.0
            {{- else }}
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
            {{- end }}
```

And since in the kubelet config we enforce node-ip to the control plane IP, it should be OK.

@gdemonet
Contributor

gdemonet commented Mar 1, 2022

We should do the same with kube-proxy

TeddyAndrieux added a commit that referenced this issue Mar 16, 2022
NOTE: Node IP is set to Control Plane IP

Re-render the salt state using:
```
./charts/render.py prometheus-operator \
  charts/kube-prometheus-stack.yaml \
  charts/kube-prometheus-stack/ \
  --namespace metalk8s-monitoring \
  --service-config grafana \
  metalk8s-grafana-config \
  metalk8s/addons/prometheus-operator/config/grafana.yaml \
  metalk8s-monitoring \
  --service-config prometheus \
  metalk8s-prometheus-config \
  metalk8s/addons/prometheus-operator/config/prometheus.yaml \
  metalk8s-monitoring \
  --service-config alertmanager \
  metalk8s-alertmanager-config \
  metalk8s/addons/prometheus-operator/config/alertmanager.yaml \
  metalk8s-monitoring \
  --service-config dex \
  metalk8s-dex-config \
  metalk8s/addons/dex/config/dex.yaml.j2 metalk8s-auth \
  --drop-prometheus-rules charts/drop-prometheus-rules.yaml \
  --patch 'PrometheusRule,metalk8s-monitoring,prometheus-operator-kubernetes-system-kubelet,spec:groups:0:rules:1:for,"5m"' \
  > salt/metalk8s/addons/prometheus-operator/deployed/chart.sls
```

Fixes: #2166
@TeddyAndrieux TeddyAndrieux self-assigned this Mar 16, 2022
@TeddyAndrieux
Collaborator

kube-proxy is not possible/easy to do today, cf. kubernetes/kubernetes#108737
