Running node-exporter on Kubernetes without Root Privileges

Bogdan · September 16, 2023, 12:19pm

We use node-exporter on Kubernetes (k8s) to monitor /dev/mapper devices. Unfortunately, node-exporter can only retrieve information about a device when it is running with root privileges, as indicated by the following securityContext configuration:

securityContext:
    runAsUser: 0

Without this configuration, we encounter the ‘node_filesystem_device_error’ with details like the device path, file system type (fstype), and mount point:

node_filesystem_device_error{device="/dev/mapper/3624a937010ed65ee4214591800042af7", fstype="ext4", mountpoint="/var/lib/kubelet/pods/7adbc046-d10e-41e7-b64a-774047217cd2/volumes/kubernetes.io~portworx-volume/pvc-3322b508-d83d-4f11-a570-30f606bdb53a"} 1

However, for security reasons, we want to avoid running node-exporter as the root user. Is there a possible solution to address this security concern?

stuart · September 16, 2023, 1:49pm

You can take a look at adding just the capabilities you need instead of running as root, but be aware that the node exporter does need a fair amount of privilege to do its work.

SuperQ · September 17, 2023, 7:36am

Technically the node_exporter should not need root for anything. It’s explicitly in the code policy that root should not be required for any feature.

However, some permissions/configuration may be required for some features.

In addition, monitoring PVCs is actually provided by kube-state-metrics. Monitoring them with the node_exporter is not correct.

Bogdan · September 28, 2023, 6:23pm

Thanks for the replies. This Move RO status before error return by metbog · Pull Request #2807 · prometheus/node_exporter · GitHub should help with our problem. Does anyone know when the new release of node_exporter will be out? Is there a schedule for it?