rancher-monitoring node-exporter and pushprox-clients listen on hostNetwork #36140

Closed
dkeightley opened this issue Jan 13, 2022 · 2 comments

Comments

@dkeightley
Contributor

Rancher Server Setup

  • Rancher version: Affects all rancher-monitoring (v2) chart versions

Describe the bug
Open ports can be observed for 9796 (node-exporter) and 10011, 10012, etc. (push-proxy-clients) when running scans on a cluster with the rancher-monitoring chart installed.

# netstat -plant
tcp6       0      0 :::10011                :::*                    LISTEN      27772/pushprox-clie
tcp6       0      0 :::10012                :::*                    LISTEN      3503825/pushprox-cl
tcp6       0      0 :::10013                :::*                    LISTEN      3504218/pushprox-cl
tcp6       0      0 :::10014                :::*                    LISTEN      28088/pushprox-clie

Expected Result
These ports are not needed for external access and should be bound only on internal interfaces or disabled.

Additional context

  • node-exporter appears to be solved with the value prometheus-node-exporter.hostNetwork: false, testing shows the prometheus targets are UP and scraping successfully with this applied.
  • push-proxy-clients can be solved with a chart adjustment, currently proposed in Disable pushprox client metrics by default charts#1689

Note

The addition of hostPort is generated automatically by Kubernetes when hostNetwork: true is set. As such, when upgrading an existing monitoring v2 node-exporter (to set hostNetwork: false), it will in fact continue to be accessible on the host network namespace. The daemonset will either need to be re-created or modified directly to remove hostPort.

SURE-3198
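
Added example (not part of the original issue or of the rancher-monitoring chart): a check for the leftover hostPort described in the note above, run over the JSON form of a DaemonSet. The manifest is a constructed sample with placeholder names, and `audit_host_exposure` is a hypothetical helper; only port 9796 comes from the issue.

```python
import json

# Constructed sample: the shape of `kubectl get daemonset <name> -o json` for a
# node-exporter DaemonSet after an upgrade that set hostNetwork to false but
# left the previously defaulted hostPort in place. Names are placeholders.
SAMPLE_DAEMONSET = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "example-node-exporter", "namespace": "example-monitoring"},
  "spec": {"template": {"spec": {
    "hostNetwork": false,
    "containers": [
      {"name": "node-exporter",
       "ports": [{"name": "metrics", "containerPort": 9796, "hostPort": 9796, "protocol": "TCP"}]}
    ]
  }}}
}
""")


def audit_host_exposure(daemonset):
    """Return (findings, json_patch_ops) for host-level exposure in a DaemonSet."""
    pod_spec = daemonset["spec"]["template"]["spec"]
    host_network = bool(pod_spec.get("hostNetwork", False))
    findings, patch = [], []
    if host_network:
        findings.append("hostNetwork is true: pods share the node's network namespace")
    for kind in ("initContainers", "containers"):
        for ci, container in enumerate(pod_spec.get(kind) or []):
            for pi, port in enumerate(container.get("ports") or []):
                if "hostPort" not in port:
                    continue
                findings.append(
                    f"{kind}[{ci}] {container['name']}: hostPort {port['hostPort']} "
                    f"maps containerPort {port['containerPort']} onto the node"
                )
                # Removal only sticks once hostNetwork is false; while it is
                # true, Kubernetes fills hostPort in again.
                if not host_network:
                    path = f"/spec/template/spec/{kind}/{ci}/ports/{pi}/hostPort"
                    patch.append({"op": "remove", "path": path})
    return findings, patch


if __name__ == "__main__":
    findings, patch = audit_host_exposure(SAMPLE_DAEMONSET)
    for line in findings:
        print("FINDING:", line)
    print(json.dumps(patch))  # JSON Patch (RFC 6902) operations
```

The printed operations are in the form `kubectl patch --type=json` accepts, for the "modified directly" route; re-creating the DaemonSet is the other route the note names.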

@aiyengar2
Contributor

PR is out for review, @MKlimuszka @SheilaghM I have left this in To Triage to identify / confirm that we can commit to the v2.6.4 milestone for merging / testing this issue. Feel free to move it to In Review if it has been triaged!

@ronhorton

Pass Verified in 2.6-head Commit ID 93f3e13

  1. Created a downstream cluster
  2. got keys for node from UI
  3. installed net-tools on node
  4. ran netstat -plant

result:
the unused ports mentioned in https://github.com/rancher/rancher/issues/36140#issue-1102420026 are no longer exposed

Note: was able to reproduce this issue prior to installing rancher-monitoring:100.1.1+up19.0.3
