linkerd / linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
https://linkerd.io
Apache License 2.0
10.59k stars 1.27k forks

can't inject node-exporter #11245

Closed Nello-Angelo closed 1 year ago

Nello-Angelo commented 1 year ago

What is the issue?

can't inject node-exporter

How can it be reproduced?

Install node-exporter from the chart:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: vm-prometheus-node-exporter
  namespace: victoria-vm
  labels:
    app.kubernetes.io/component: metrics
    app.kubernetes.io/instance: vm
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: prometheus-node-exporter
    app.kubernetes.io/part-of: prometheus-node-exporter
    app.kubernetes.io/version: 1.4.0
    helm.sh/chart: prometheus-node-exporter-4.7.1
    jobLabel: node-exporter
    k8slens-edit-resource-version: v1
  annotations:
    deprecated.daemonset.template.generation: '6'
    meta.helm.sh/release-name: vm
    meta.helm.sh/release-namespace: victoria-vm
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: vm
      app.kubernetes.io/name: prometheus-node-exporter
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: metrics
        app.kubernetes.io/instance: vm
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: prometheus-node-exporter
        app.kubernetes.io/part-of: prometheus-node-exporter
        app.kubernetes.io/version: 1.4.0
        helm.sh/chart: prometheus-node-exporter-4.7.1
        jobLabel: node-exporter
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        kubectl.kubernetes.io/restartedAt: '2023-08-11T23:00:14Z'
        linkerd.io/inject: enabled
    spec:
      volumes:
        - name: proc
          hostPath:
            path: /proc
            type: ''
        - name: sys
          hostPath:
            path: /sys
            type: ''
        - name: root
          hostPath:
            path: /
            type: ''
      containers:
        - name: node-exporter
          image: quay.io/prometheus/node-exporter:v1.4.0
          args:
            - '--path.procfs=/host/proc'
            - '--path.sysfs=/host/sys'
            - '--path.rootfs=/host/root'
            - '--web.listen-address=[$(HOST_IP)]:9100'
            - >-
              --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
            - >-
              --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
          ports:
            - name: metrics
              hostPort: 9100
              containerPort: 9100
              protocol: TCP
          env:
            - name: HOST_IP
              value: 0.0.0.0
          resources: {}
          volumeMounts:
            - name: proc
              readOnly: true
              mountPath: /host/proc
            - name: sys
              readOnly: true
              mountPath: /host/sys
            - name: root
              readOnly: true
              mountPath: /host/root
              mountPropagation: HostToContainer
          livenessProbe:
            httpGet:
              path: /
              port: 9100
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: 9100
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: vm-prometheus-node-exporter
      serviceAccount: vm-prometheus-node-exporter
      automountServiceAccountToken: false
      hostNetwork: true
      hostPID: true
      securityContext:
        runAsUser: 65534
        runAsGroup: 65534
        runAsNonRoot: true
        fsGroup: 65534
      schedulerName: default-scheduler
      tolerations:
        - operator: Exists
          effect: NoSchedule
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 0
  revisionHistoryLimit: 10

Logs, error output, etc

-

output of linkerd check -o short

-

Environment

kubernetes - 1.25.8
OS - debian 11
linkerd - stable-2.13.5

Possible solution

-

Additional context

-

Would you like to work on fixing this bug?

no

Nello-Angelo commented 1 year ago

I also have a Loki stack and I collect logs with Vector. With Vector I don't have this problem:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: vector
  namespace: loki
  labels:
    app.kubernetes.io/component: Agent
    app.kubernetes.io/instance: vector
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vector
    app.kubernetes.io/version: 0.31.0-distroless-libc
    helm.sh/chart: vector-0.23.0
    k8slens-edit-resource-version: v1
  annotations:
    deprecated.daemonset.template.generation: '7'
    meta.helm.sh/release-name: vector
    meta.helm.sh/release-namespace: loki
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: Agent
      app.kubernetes.io/instance: vector
      app.kubernetes.io/name: vector
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: Agent
        app.kubernetes.io/instance: vector
        app.kubernetes.io/name: vector
        vector.dev/exclude: 'true'
      annotations:
        checksum/config: ef8d6179360a03ee10ec8839058147a4c46573f4cd62a514aa11ec56596a4a74
        kubectl.kubernetes.io/restartedAt: '2023-08-09T17:20:59Z'
        linkerd.io/inject: enabled
    spec:
      volumes:
        - name: config
          projected:
            sources:
              - configMap:
                  name: vector
            defaultMode: 420
        - name: data
          hostPath:
            path: /var/lib/vector
            type: ''
        - name: var-log
          hostPath:
            path: /var/log/
            type: ''
        - name: var-lib
          hostPath:
            path: /var/lib/
            type: ''
        - name: procfs
          hostPath:
            path: /proc
            type: ''
        - name: sysfs
          hostPath:
            path: /sys
            type: ''
      containers:
        - name: vector
          image: timberio/vector:0.31.0-distroless-libc
          args:
            - '--config-dir'
            - /etc/vector/
          ports:
            - name: api
              containerPort: 8686
              protocol: TCP
          env:
            - name: VECTOR_SELF_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: VECTOR_SELF_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: VECTOR_SELF_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: PROCFS_ROOT
              value: /host/proc
            - name: SYSFS_ROOT
              value: /host/sys
            - name: VECTOR_LOG
              value: info
          resources:
            limits:
              cpu: '10'
              memory: 10Gi
            requests:
              cpu: 200m
              memory: 256Mi
          volumeMounts:
            - name: data
              mountPath: /var/local/lib/vector/
            - name: config
              readOnly: true
              mountPath: /etc/vector/
            - name: var-log
              readOnly: true
              mountPath: /var/log/
            - name: var-lib
              readOnly: true
              mountPath: /var/lib
            - name: procfs
              readOnly: true
              mountPath: /host/proc
            - name: sysfs
              readOnly: true
              mountPath: /host/sys
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 60
      dnsPolicy: ClusterFirst
      serviceAccountName: vector
      serviceAccount: vector
      securityContext: {}
      schedulerName: default-scheduler
      tolerations:
        - operator: Exists
          effect: NoSchedule
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 0
  revisionHistoryLimit: 10

alpeb commented 1 year ago

The problem with the node-exporter DaemonSet is that it uses host networking. The proxy is designed to work under a pod's networking namespace, so the proxy-injector will ignore any workload that uses host networking.
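
A pre-flight check for the rule alpeb describes, as an added example that is not code from the Linkerd project or from this thread. It reads workloads in the JSON shape `kubectl get ... -o json` prints and lists why the proxy-injector would leave a pod template alone. The hostNetwork rule is the one stated above; the `linkerd.io/inject` annotation handling (pod-template annotation overrides the namespace one, `disabled` wins) and the "already injected" rule are Linkerd's documented inject semantics and are assumptions of this script, not something the thread says. The sample objects are constructed, trimmed from the two DaemonSets posted here; the script name `inject_preflight.py` is hypothetical.

```python
"""Pre-flight check: will the Linkerd proxy-injector skip this workload?

Added example, not Linkerd project code. Reads Kubernetes objects as JSON
(the shape `kubectl get ... -o json` prints) and reports the conditions
that keep the proxy out of a pod. The hostNetwork rule is the one stated in
the thread; the annotation and "already injected" rules are assumptions
based on Linkerd's documented inject behaviour.
"""
import json
import sys

INJECT_ANNOTATION = "linkerd.io/inject"
PROXY_CONTAINER = "linkerd-proxy"

REASON_HOST_NETWORK = "hostNetwork: true (the proxy only works inside the pod's own network namespace)"
REASON_DISABLED = "linkerd.io/inject=disabled on the pod template"
REASON_NOT_ENABLED = "no linkerd.io/inject=enabled on the pod template or its namespace"
REASON_ALREADY = "already injected (a linkerd-proxy container is present)"


def pod_template(obj):
    """Return (metadata, spec) of a workload's pod template, or of a bare Pod."""
    if obj.get("kind") == "Pod":
        return obj.get("metadata") or {}, obj.get("spec") or {}
    template = (obj.get("spec") or {}).get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}


def injection_skip_reasons(obj, namespace_annotations=None):
    """List why the injector would skip this workload (empty list = eligible).

    namespace_annotations: annotations of the workload's Namespace object, if
    known. A pod-template annotation overrides the namespace-level one.
    """
    meta, spec = pod_template(obj)
    annotations = dict(namespace_annotations or {})
    annotations.update(meta.get("annotations") or {})

    reasons = []
    if spec.get("hostNetwork") is True:
        reasons.append(REASON_HOST_NETWORK)
    mode = annotations.get(INJECT_ANNOTATION)
    if mode == "disabled":
        reasons.append(REASON_DISABLED)
    elif mode != "enabled":
        reasons.append(REASON_NOT_ENABLED)
    if any(c.get("name") == PROXY_CONTAINER for c in spec.get("containers") or []):
        reasons.append(REASON_ALREADY)
    return reasons


def report(objects, namespace_annotations_by_ns=None):
    """Map "namespace/Kind/name" -> skip reasons for every workload given."""
    ns_ann = namespace_annotations_by_ns or {}
    out = {}
    for obj in objects:
        meta = obj.get("metadata") or {}
        ns = meta.get("namespace", "default")
        key = f"{ns}/{obj.get('kind')}/{meta.get('name')}"
        out[key] = injection_skip_reasons(obj, ns_ann.get(ns))
    return out


def load_objects(text):
    """Accept a single object or a `kind: List` document as printed by kubectl."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


# Constructed sample input, trimmed from the two DaemonSets posted in this thread.
SAMPLE_OBJECTS = [
    {"kind": "DaemonSet",
     "metadata": {"name": "vm-prometheus-node-exporter", "namespace": "victoria-vm"},
     "spec": {"template": {
         "metadata": {"annotations": {INJECT_ANNOTATION: "enabled"}},
         "spec": {"hostNetwork": True, "hostPID": True,
                  "containers": [{"name": "node-exporter"}]}}}},
    {"kind": "DaemonSet",
     "metadata": {"name": "vector", "namespace": "loki"},
     "spec": {"template": {
         "metadata": {"annotations": {INJECT_ANNOTATION: "enabled"}},
         "spec": {"containers": [{"name": "vector"}]}}}},
]

if __name__ == "__main__":
    # Usage: kubectl get ds,deploy,sts -A -o json | python3 inject_preflight.py
    # With no piped input the constructed sample is checked instead.
    objects = SAMPLE_OBJECTS if sys.stdin.isatty() else load_objects(sys.stdin.read())
    for key, reasons in report(objects).items():
        print(f"{key}: {'will NOT be injected' if reasons else 'eligible for injection'}")
        for reason in reasons:
            print(f"  - {reason}")
```

Against the sample, the node-exporter DaemonSet is reported with the hostNetwork reason and the vector DaemonSet with none, which matches what the reporter saw. On a live cluster the same conclusion can be confirmed without this script: `kubectl get pods -n victoria-vm -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.hostNetwork}{"\t"}{.spec.containers[*].name}{"\n"}{end}'` shows `true` next to pods that have no `linkerd-proxy` container, and piping the manifest through `linkerd inject -` prints the injector's own skip report.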

Nello-Angelo commented 1 year ago

OK, thanks.

JadKHaddad commented 1 year ago

Any workaround?

Nello-Angelo commented 1 year ago

No, sorry, I don't know; the exporter needs the host netns.