diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index a6fb05875acfd6f828b7c6aa6f3418bd57d401e9..d26afefaf80cb5f05d8966758543fb8ba9a52dfb 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -79,11 +79,15 @@ local k = import 'github.com/ksonnet/ksonnet-lib/ksonnet.beta.4/k.libsonnet';
toleration.withOperator('Exists');
local procVolumeName = 'proc';
local procVolume = volume.fromHostPath(procVolumeName, '/proc');
- local procVolumeMount = containerVolumeMount.new(procVolumeName, '/host/proc');
+ local procVolumeMount = containerVolumeMount.new(procVolumeName, '/host/proc').
+ withMountPropagation('HostToContainer').
+ withReadOnly(true);
local sysVolumeName = 'sys';
local sysVolume = volume.fromHostPath(sysVolumeName, '/sys');
- local sysVolumeMount = containerVolumeMount.new(sysVolumeName, '/host/sys');
+ local sysVolumeMount = containerVolumeMount.new(sysVolumeName, '/host/sys').
+ withMountPropagation('HostToContainer').
+ withReadOnly(true);
local rootVolumeName = 'root';
local rootVolume = volume.fromHostPath(rootVolumeName, '/');
diff --git a/manifests/node-exporter-daemonset.yaml b/manifests/node-exporter-daemonset.yaml
index f99a1e58f1da47ac6c7974d1f645abbd6a0d24c5..bd1d21b571ba8bb6a6fcf8cecc1ed4cf94997282 100644
--- a/manifests/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter-daemonset.yaml
@@ -36,11 +36,13 @@ spec:
memory: 180Mi
volumeMounts:
- mountPath: /host/proc
+ mountPropagation: HostToContainer
name: proc
- readOnly: false
+ readOnly: true
- mountPath: /host/sys
+ mountPropagation: HostToContainer
name: sys
- readOnly: false
+ readOnly: true
- mountPath: /host/root
mountPropagation: HostToContainer
name: root