Rancher version: Affects all rancher-monitoring (v2) chart versions
Describe the bug
Open ports can be observed for 9796 (node-exporter) and 10011, 10012, etc. (push-proxy-clients) when running scans on a cluster with the rancher-monitoring chart installed.
Expected Result
These ports are not needed for external access and should be bound only on internal interfaces or disabled.
Additional context
node-exporter appears to be solved with the value prometheus-node-exporter.hostNetwork: false; testing shows the prometheus targets are UP and scraping successfully with this applied.
The addition of hostPort is generated automatically by Kubernetes when hostNetwork: true is set. As such, when upgrading an existing monitoring v2 node-exporter (to set hostNetwork: false), it will in fact continue to be accessible on the host network namespace. The daemonset will either need to be re-created or modified directly to remove hostPort.
SURE-3198
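A check for the leftover hostPort described above, as an added example (not part of the original issue or the rancher-monitoring chart): it reads a DaemonSet manifest as returned by `kubectl get ds -o json`, reports host-level exposure, and builds a JSON patch that removes the stale hostPort fields. The sample manifest and the names in it are constructed.

```python
import json

# Constructed sample: trimmed DaemonSet after an upgrade that set
# hostNetwork to false. Names are illustrative, not taken from the chart.
SAMPLE_DS = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "example-node-exporter", "namespace": "example-monitoring"},
  "spec": {"template": {"spec": {
    "hostNetwork": false,
    "containers": [{
      "name": "node-exporter",
      "ports": [{"name": "metrics", "containerPort": 9796, "hostPort": 9796}]
    }]
  }}}
}
""")


def audit_host_exposure(workload):
    """Return (findings, json_patch) for host-level port exposure in a pod template."""
    pod = workload["spec"]["template"]["spec"]
    findings, patch = [], []
    if pod.get("hostNetwork", False):
        findings.append("hostNetwork is true: every listening port is bound on the node")
    for kind in ("initContainers", "containers"):
        for ci, ctr in enumerate(pod.get(kind) or []):
            for pi, port in enumerate(ctr.get("ports") or []):
                if "hostPort" not in port:
                    continue
                findings.append(
                    f"{kind}[{ci}] {ctr.get('name')}: containerPort "
                    f"{port.get('containerPort')} still bound to hostPort {port['hostPort']}")
                # RFC 6902 remove op. It only sticks once hostNetwork is false;
                # with hostNetwork true the API server defaults hostPort again.
                patch.append({"op": "remove",
                              "path": f"/spec/template/spec/{kind}/{ci}/ports/{pi}/hostPort"})
    return findings, patch


if __name__ == "__main__":
    findings, patch = audit_host_exposure(SAMPLE_DS)
    for finding in findings:
        print("FINDING:", finding)
    # Apply with: kubectl patch daemonset <name> -n <namespace> --type=json -p '<patch>'
    print(json.dumps(patch))
```

Run it against each DaemonSet in the monitoring namespace after the values change; an empty findings list means neither hostNetwork nor a leftover hostPort is exposing the pod on the node.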
PR is out for review, @MKlimuszka @SheilaghM I have left this in To Triage to identify / confirm that we can commit to the v2.6.4 milestone for merging / testing this issue. Feel free to move it to In Review if it has been triaged!