jsonnet: Node exporter init collectors must be privileged

dmidecode (used by the VM type detection) requires access to /dev/mem which requires privileged. Only the init container gets that permission. Blocks being able to read physical machine BIOS info.
openshift · Feb 6, 2020 · e4714f3 · e4714f3
1 parent 406d03c
commit e4714f3
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/assets/node-exporter/daemonset.yaml b/assets/node-exporter/daemonset.yaml
@@ -91,6 +91,7 @@ spec:
         name: init-textfile
         resources: {}
         securityContext:
+          privileged: true
           runAsUser: 0
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:

diff --git a/assets/node-exporter/security-context-constraints.yaml b/assets/node-exporter/security-context-constraints.yaml
@@ -2,6 +2,7 @@ allowHostDirVolumePlugin: true
 allowHostNetwork: true
 allowHostPID: true
 allowHostPorts: true
+allowPrivilegedContainer: true
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:

diff --git a/jsonnet/node-exporter.jsonnet b/jsonnet/node-exporter.jsonnet
@@ -45,6 +45,7 @@ local tlsVolumeName = 'node-exporter-tls';
         allowHostNetwork: true,
         allowHostPID: true,
         allowHostPorts: true,
+        allowPrivilegedContainer: true,
         apiVersion: 'security.openshift.io/v1',
         kind: 'SecurityContextConstraints',
         metadata: {
@@ -90,6 +91,7 @@ local tlsVolumeName = 'node-exporter-tls';
                   image: $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter,
                   resources: {},
                   securityContext: {
+                    privileged: true,
                     runAsUser: 0,
                   },
                   terminationMessagePolicy: 'FallbackToLogsOnError',

diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go