avoid child open port and fix liveness probe on public worker nodes #402

Open
alexfouche opened this issue Jan 16, 2024 · 1 comment

alexfouche commented Jan 16, 2024

On a k8s cluster with public worker nodes, the child daemonset will be available publicly on port 19999, since it runs with `hostNetwork: true`.

From the Securing Netdata pages, and since there is a Netdata parent accessible from a ClusterIP service, it is possible to avoid that by setting:

```yaml
child:
  configs:
    netdata:
      data: |
        [web]
          mode = none
```
(...)

Unfortunately this breaks the liveness and readiness probes.

So I am using:

```yaml
child:
  configs:
    netdata:
      data: |
        [web]
          bind to = localhost:19999
```
(...)

The issue I have is that the Helm values.yaml does not allow setting the `httpGet.host` field, so that it can be set to 127.0.0.1.

I tested by editing the daemonset `livenessProbe` and `readinessProbe` manually, and it works:

```yaml
livenessProbe:
  httpGet:
    host: 127.0.0.1
    path: /api/v1/info
    port: http
    scheme: HTTP
```
(...)

Shouldn't it even be set by default for the Netdata child to not listen on all interfaces, since there will be the Netdata parent it streams to anyway?

ilyam8 (Member) commented Jan 30, 2024

> Unfortunately this breaks the liveness and readiness probes.

You can use `livenessProbe` exec - `netdatacli ping`. We use it for Docker health checks with a disabled web server.
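Added example, not part of the thread or of the Netdata chart: a small audit over the JSON shape returned by `kubectl get daemonset -o json` that flags `hostNetwork: true` workloads whose probes connect to the pod IP. Under `hostNetwork` the pod IP is the node IP, so such a probe only passes if the service listens on a node-reachable interface. The workload and container names in the sample are constructed.

```python
import json

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def classify_probe(probe):
    """Return 'none', 'exec', 'loopback' or 'node-ip' for one probe dict."""
    if not probe:
        return "none"
    if "exec" in probe:
        return "exec"  # runs inside the container, needs no listening port
    # httpGet and tcpSocket accept an optional host; when it is unset the
    # kubelet connects to the pod IP. grpc has no host field at all.
    action = probe.get("httpGet") or probe.get("tcpSocket") or {}
    return "loopback" if action.get("host") in LOOPBACK else "node-ip"

def audit(workload):
    """List (workload, container, probe) entries that force a node-IP listener."""
    pod = workload["spec"]["template"]["spec"]
    if not pod.get("hostNetwork"):
        return []  # pod has its own network namespace, not covered here
    findings = []
    for c in pod.get("containers", []):
        for name in ("livenessProbe", "readinessProbe", "startupProbe"):
            if classify_probe(c.get(name)) == "node-ip":
                findings.append((workload["metadata"]["name"], c["name"], name))
    return findings

def sample_daemonset(liveness, readiness):
    """Constructed DaemonSet stub; names are placeholders, not chart values."""
    return {"metadata": {"name": "netdata-child"},
            "spec": {"template": {"spec": {
                "hostNetwork": True,
                "containers": [{"name": "netdata",
                                "livenessProbe": liveness,
                                "readinessProbe": readiness}]}}}}

if __name__ == "__main__":
    no_host = {"httpGet": {"path": "/api/v1/info", "port": "http"}}
    pinned = {"httpGet": {"host": "127.0.0.1", "path": "/api/v1/info",
                          "port": "http"}}
    ping = {"exec": {"command": ["netdatacli", "ping"]}}
    print(json.dumps(audit(sample_daemonset(no_host, no_host))))
    print(json.dumps(audit(sample_daemonset(pinned, ping))))
```
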
