[kube-prometheus-stack] Help needed: node exporter violate PodSecurity #4837

Open
Sispheor opened this issue Sep 6, 2024 · 2 comments

Comments


Sispheor commented Sep 6, 2024

Hello there 👋,

I've deployed the prom stack. Everything is fine except the node exporter daemonset. Here is the log:

W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Release "prometheus" has been upgraded. Happy Helming!

I tried to add a privileged security context label to my values but still no luck

nodeExporter:
  enabled: true
  operatingSystems:
    linux:
      enabled: true
    darwin:
      enabled: true
  podLabels:
    pod-security.kubernetes.io/enforce: privileged

The helm upgrade output gives a warning:

helm upgrade -f config/prometheus.yml prometheus prometheus-community/kube-prometheus-stack -n prometheus
W0906 10:54:57.616580  638566 warnings.go:70] would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), allowPrivilegeEscalation != false (container "node-exporter" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-exporter" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "proc", "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or container "node-exporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I'm running a K8S deployed via Talos

+ kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.3

Thanks for any help!


Sispheor commented Sep 6, 2024

OK, this label needs to be actually placed at namespace level. It works like this. But I would have preferred to give perms only to the daemonset...

zeritti changed the title Help needed: node exporter violate PodSecurity [kube-prometheus-stack] Help needed: node exporter violate PodSecurity Sep 13, 2024

zeritti commented Sep 13, 2024

OK, this label needs to be actually placed at namespace level. It works like this. But I would have preferred to give perms only to the daemonset...

You would have to use a different implementation of the pod security with support for exceptions, e.g. by means of policies (Kyverno, Gatekeeper). On the other hand, Node exporter can run in the restricted PSS profile but you'd have to give up some of its functionality, e.g. no host path mount, no host network, etc. and hence, unavailability of the corresponding metrics. Its security context can and should be made more restrictive, though.
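To make the reply's distinction concrete, here is an added example (not from the issue, the chart or the Kubernetes project) that reproduces the five restricted-profile checks named in the warning above and runs them over a constructed node-exporter-like pod spec, once as shipped and once with only the container securityContext hardened. It shows that the securityContext fixes clear three findings, while host namespaces and hostPath volumes remain and can only go away by dropping that host access (and its metrics) or by an exception mechanism outside Pod Security Admission.

```python
import copy

# Constructed pod spec mirroring the warning's node-exporter pod (illustrative only).
NODE_EXPORTER_POD = {
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [{"name": "node-exporter"}],
        "volumes": [
            {"name": "proc", "hostPath": {"path": "/proc"}},
            {"name": "sys", "hostPath": {"path": "/sys"}},
            {"name": "root", "hostPath": {"path": "/"}},
        ],
    }
}


def restricted_violations(pod: dict) -> list[str]:
    """Reproduce the restricted-profile checks named in the issue's warning."""
    spec = pod.get("spec", {})
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {})
    found = []
    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        found.append("host namespaces (%s)" % ", ".join(f"{k}=true" for k in host_ns))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{c["name"]}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f'unrestricted capabilities (container "{c["name"]}")')
        # Pod Security accepts the profile on either the pod or the container.
        seccomp = (sc.get("seccompProfile") or pod_seccomp).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f'seccompProfile (container "{c["name"]}")')
    host_paths = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        found.append("restricted volume types (volumes %s use hostPath)"
                     % ", ".join(f'"{n}"' for n in host_paths))
    return found


def harden_containers(pod: dict) -> dict:
    """Apply the three per-container fixes the warning asks for; host access is untouched."""
    hardened = copy.deepcopy(pod)
    for c in hardened["spec"]["containers"]:
        c.setdefault("securityContext", {}).update({
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        })
    return hardened
```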
