diff --git a/docs/security.md b/docs/security.md index 0de52547bb116d88b7ea5fbf0e4f605a66118a07..de9c13f50ea57b4254d8c177739aacda0670660b 100644 --- a/docs/security.md +++ b/docs/security.md @@ -6,6 +6,6 @@ The scan can be run locally via `make kubescape`. While we aim for best practices in terms of security by default, due to the nature of the project, we are required to make the exceptions in the following components: #### node-exporter -* Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet. +* Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port. * Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics. * Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics. diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet index c9dd2d2fc7c9c112b89b7f6ad9afd56b5ff3baa7..2b0e45ff1660af258a826b6dc93b502231367b22 100644 --- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet +++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet 
@@ -201,6 +201,12 @@ function(params) { // used by the service is tied to the proxy container. We *could* // forgo declaring the host port, however it is important to declare // it so that the scheduler can decide if the pod is schedulable. + // + // Although hostPort might not seem necessary, kubernetes adds it anyway + // when running with 'hostNetwork'. We might as well make sure it works + // the way we want. + // + // See also: https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411 ports: [ { name: 'https', containerPort: ne._config.port, hostPort: ne._config.port }, ],
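Review bot: In the `docs/security.md` hunk, the rewritten bullet drops the kubescape control reference (`https://hub.armo.cloud/docs/c-0044`) that the old line carried, yet this section exists to explain exceptions to the `make kubescape` scan; readers mapping a scan finding to this exception lose the link between the two. Suggest keeping the control ID alongside the new justification, e.g. "Host Port is set (kubescape control C-0044). Kubernetes already sets a Host Port by default when Host Network is enabled [link], so we declare it explicitly and pin it to the port we want." That also tightens "Since nothing can be done here, we configure it to our preference port", which reads awkwardly; the precise point, per the linked defaults.go range, is that the API server fills in `hostPort` from `containerPort` whenever `hostNetwork` is true, so the only choice left is which port value that is.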
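Review bot: In the `node-exporter.libsonnet` hunk, the added comment partly restates and partly contradicts the existing comment directly above it: the old text says "We *could* forgo declaring the host port", while the new text says Kubernetes "adds it anyway", so declaring it is not actually optional. Suggest merging the two into one paragraph that gives the single rationale (the scheduler needs the declared port, and the API server would default `hostPort` to `containerPort` under `hostNetwork` regardless, so declaring it keeps the value explicit and equal to `ne._config.port`). Keeping `hostPort: ne._config.port` tied to the same variable as `containerPort` is the right choice here, since a mismatch would be silently overridden by the defaulting the linked defaults.go lines describe; a short note to that effect in the merged comment would spare the next reader a trip to the link.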