From 43bb05692fe3c6f0acc42da5db68786ca5dbde6d Mon Sep 17 00:00:00 2001
From: Lucas Serven <lserven@gmail.com>
Date: Tue, 20 Nov 2018 17:53:42 +0100
Subject: [PATCH] contrib/kube-prometheus: ne rbacproxy listen podip
This commit adjusts the RBAC proxy for the node-exporter DaemonSet to only listen on the Pod IP. It also adjusts the ports used by the node-exporter Pod so that both containers are listening on 9100. The actual node-exporter listens on 127.0.0.1:9100, while the RBAC proxy listens on <PODIP>:9100. This ensures that port 9101 is not taken on the host networking namespace.
---
 .../node-exporter/node-exporter.libsonnet | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 8ac3d73e..3524e11a 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -58,6 +58,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 local containerVolumeMount = container.volumeMountsType;
 local podSelector = daemonset.mixin.spec.template.spec.selectorType;
 local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
+ local containerEnv = container.envType;
 local podLabels = { app: 'node-exporter' };
@@ -82,7 +83,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 local nodeExporter =
 container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
 container.withArgs([
- '--web.listen-address=127.0.0.1:9101',
+ '--web.listen-address=127.0.0.1:9100',
 '--path.procfs=/host/proc',
 '--path.sysfs=/host/sys',
@@ -96,15 +97,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
 container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });
+ local ip = containerEnv.fromFieldPath('IP', 'status.podIP');
 local proxy =
 container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
 container.withArgs([
- '--secure-listen-address=:9100',
- '--upstream=http://127.0.0.1:9101/',
+ '--secure-listen-address=$(IP):9100',
+ '--upstream=http://127.0.0.1:9100/',
 ]) +
+ // Keep `hostPort` here, rather than in the node-exporter container
+ // because Kubernetes mandates that if you define a `hostPort` then
+ // `containerPort` must match. In our case, we are splitting the
+ // host port and container port between the two containers.
+ // We'll keep the port specification here so that the named port
+ // used by the service is tied to the proxy container. We *could*
+ // forgo declaring the host port, however it is important to declare
+ // it so that the scheduler can decide if the pod is schedulable.
 container.withPorts(containerPort.new(9100) + containerPort.withHostPort(9100) + containerPort.withName('https')) +
 container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
- container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
+ container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' }) +
+ container.withEnv([ip]);
 local c = [nodeExporter, proxy];
-- GitLab
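Review bot: The upstream that kube-rbac-proxy fronts, `'--upstream=http://127.0.0.1:9100/'`, is still served by node-exporter with no authentication, and if the DaemonSet runs with host networking (the commit message speaks of the host network namespace, and the new comment block explains the `hostPort`), that loopback is the node's own, so any process on the node, including other hostNetwork pods, can read the metrics without ever passing the proxy's RBAC checks. This is the same exposure as before the change (only the port moved), but it deserves a comment beside the `--upstream` arg so nobody reads the proxy as a complete access control: `// Upstream is unauthenticated; with hostNetwork it is reachable by anything on the node's loopback, the proxy only guards remote scrapes.` Separately, `'--secure-listen-address=$(IP):9100'` yields an unparseable host:port if `status.podIP` is ever an IPv6 address; if kube-rbac-proxy splits the address with net.SplitHostPort, `'--secure-listen-address=[$(IP)]:9100'` works for both families and costs nothing on IPv4. The enclosing object (`local k = import ...`) starts before and ends after this hunk.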