From fb92a6dbe06dbae2737d139839d064a5228fe7e8 Mon Sep 17 00:00:00 2001
From: ArthurSens <arthursens2005@gmail.com>
Date: Wed, 2 Feb 2022 22:56:43 +0000
Subject: [PATCH] Document better why we use hostPort on node-exporter

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
---
 docs/security.md                                           | 2 +-
 jsonnet/kube-prometheus/components/node-exporter.libsonnet | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/security.md b/docs/security.md
index 0de52547..de9c13f5 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -6,6 +6,6 @@ The scan can be run locally via `make kubescape`.
 While we aim for best practices in terms of security by default, due to the nature of the project, we are required to make the exceptions in the following components:
 
 #### node-exporter
-* Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
+* Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port.
 * Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
 * Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
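Review bot: the rewritten bullet on the `+` line drops the reference to the kubescape control (https://hub.armo.cloud/docs/c-0044) that this section exists to explain; since the paragraph above says the exceptions are for findings from `make kubescape`, keep the control ID so a reader can map the scan result to this justification, for example "Host Port is set (kubescape control C-0044). Kubernetes sets a Host Port by default when Host Network is enabled [link], so we set it explicitly to the port we use." Two smaller points in the same line: the markdown link text ends with a period inside the brackets and is followed by a second period after the closing parenthesis, and "our preference port" should read "our preferred port"; "Since nothing can be done here" is also vague, as the accurate statement is that the defaulting cannot be disabled, only made explicit.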
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index c9dd2d2f..2b0e45ff 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -201,6 +201,12 @@ function(params) {
       // used by the service is tied to the proxy container. We *could*
       // forgo declaring the host port, however it is important to declare
       // it so that the scheduler can decide if the pod is schedulable.
+      //
+      // Although hostPort might not seem necessary, kubernetes adds it anyway
+      // when running with 'hostNetwork'. We might as well make sure it works
+      // the way we want.
+      //
+      // See also: https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411
       ports: [
         { name: 'https', containerPort: ne._config.port, hostPort: ne._config.port },
       ],
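Review bot: the new comment says hostPort "might not seem necessary" while the paragraph directly above it says it "is important to declare it so that the scheduler can decide if the pod is schedulable"; the two read as contradicting each other, so merge them into one statement of what the linked defaulting code does, roughly: "With hostNetwork: true, Kubernetes defaults hostPort to containerPort for every declared container port, so this field is set whether or not we declare it; declaring it explicitly documents the effective configuration and lets the scheduler account for the port." Also capitalise "Kubernetes" and replace "make sure it works the way we want" with the concrete behaviour (hostPort equals `ne._config.port`), since the default already yields exactly that value. The link pinned to a specific upstream commit is good; keep it.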
-- 
GitLab