easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

contrib/kube-prometheus: ne rbacproxy listen podip

Browse Source 
This commit adjusts the RBAC proxy for the node-exporter DaemonSet to
only listen on the Pod IP. It also adjusts the ports used by the
node-exporter Pod so that both containers are listening on 9100. The
actual node-exporter listens on 127.0.0.1:9100, while the RBAC proxy
listens on <PODIP>:9100. This ensures that port 9101 is not taken on
the host networking namespace.
This commit is contained in:
Lucas Serven
2018-11-20 17:53:42 +01:00
parent 0dec594c41
commit 43bb05692f
1 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
View File

@@ -58,6 +58,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local containerVolumeMount = container.volumeMountsType;
local podSelector = daemonset.mixin.spec.template.spec.selectorType;
local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
local containerEnv = container.envType;
local podLabels = { app: 'node-exporter' };
@@ -82,7 +83,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local nodeExporter =
container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
container.withArgs([
'--web.listen-address=127.0.0.1:9101',
'--web.listen-address=127.0.0.1:9100',
'--path.procfs=/host/proc',
'--path.sysfs=/host/sys',
@@ -96,15 +97,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });
local ip = containerEnv.fromFieldPath('IP', 'status.podIP');
local proxy =
container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--secure-listen-address=:9100',
'--upstream=http://127.0.0.1:9101/',
'--secure-listen-address=$(IP):9100',
'--upstream=http://127.0.0.1:9100/',
]) +
// Keep `hostPort` here, rather than in the node-exporter container
// because Kubernetes mandates that if you define a `hostPort` then
// `containerPort` must match. In our case, we are splitting the
// host port and container port between the two containers.
// We'll keep the port specification here so that the named port
// used by the service is tied to the proxy container. We *could*
// forgo declaring the host port, however it is important to declare
// it so that the scheduler can decide if the pod is schedulable.
container.withPorts(containerPort.new(9100) + containerPort.withHostPort(9100) + containerPort.withName('https')) +
container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' }) +
container.withEnv([ip]);
local c = [nodeExporter, proxy];