contrib/kube-prometheus: ne rbacproxy listen podip

This commit adjusts the RBAC proxy for the node-exporter DaemonSet to only listen on the Pod IP. It also adjusts the ports used by the node-exporter Pod so that both containers are listening on 9100. The actual node-exporter listens on 127.0.0.1:9100, while the RBAC proxy listens on <PODIP>:9100. This ensures that port 9101 is not taken on the host networking namespace.

contrib/kube-prometheus: ne rbacproxy listen podip
43bb0569 · Lucas Serven · 0dec594c · 43bb0569
Commit 43bb0569 authored 6 years ago by Lucas Serven
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -58,6 +58,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
      local containerVolumeMount = container.volumeMountsType;
      local podSelector = daemonset.mixin.spec.template.spec.selectorType;
      local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
+      local containerEnv = container.envType;

      local podLabels = { app: 'node-exporter' };

@@ -82,7 +83,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
      local nodeExporter =
        container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
        container.withArgs([
-          '--web.listen-address=127.0.0.1:9101',
+          '--web.listen-address=127.0.0.1:9100',
          '--path.procfs=/host/proc',
          '--path.sysfs=/host/sys',

@@ -96,15 +97,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
        container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
        container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });

+      local ip = containerEnv.fromFieldPath('IP', 'status.podIP');
      local proxy =
        container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
        container.withArgs([
-          '--secure-listen-address=:9100',
-          '--upstream=http://127.0.0.1:9101/',
+          '--secure-listen-address=$(IP):9100',
+          '--upstream=http://127.0.0.1:9100/',
        ]) +
+        // Keep `hostPort` here, rather than in the node-exporter container
+        // because Kubernetes mandates that if you define a `hostPort` then
+        // `containerPort` must match. In our case, we are splitting the
+        // host port and container port between the two containers.
+        // We'll keep the port specification here so that the named port
+        // used by the service is tied to the proxy container. We *could*
+        // forgo declaring the host port, however it is important to declare
+        // it so that the scheduler can decide if the pod is schedulable.
        container.withPorts(containerPort.new(9100) + containerPort.withHostPort(9100) + containerPort.withName('https')) +
        container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
-        container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
+        container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' }) +
+        container.withEnv([ip]);

      local c = [nodeExporter, proxy];