[observability] node-exporter insufficient capabilities #8194

Closed
geropl opened this issue Feb 14, 2022 · 4 comments
@geropl
Member

geropl commented Feb 14, 2022

I see this error when deploying with-observability: https://werft.gitpod-dev.com/job/gitpod-build-gpl-tracing-disable-errors.7#deploy:deploy

Error: kubectl rollout status -n staging-gpl-tracing-disable-errors daemonset node-exporter exit with non-zero status code

kubectl describe ds node-exporter shows:

Warning  FailedCreate  13s (x15 over 31m)  daemonset-controller  Error creating: pods "node-exporter-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.capabilities.add: Invalid value: "CAP_SYS_TIME": capability may not be added]

The PSP is there, but not namespaced (so overridden/re-used by every monitoring-satellite installation) and has

RequiredDropCapabilities:
- All

configured.

@geropl geropl added type: bug Something isn't working operations: observability This issue relates to the observability of Gitpod (metrics, logs, traces) labels Feb 14, 2022
@fullmetalrooster fullmetalrooster self-assigned this Feb 14, 2022
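
The admission rule behind the "capability may not be added" message in the report above, as an added Python example that is not part of the issue thread or of the Gitpod or kube-prometheus code. It models only the PodSecurityPolicy check on `capabilities.add`; the manifests are constructed, and the pod's `drop` list and the alternative policies are assumptions.

```python
# Added example: simplified model of the PodSecurityPolicy rule that produces
# "capability may not be added". Only the check on capabilities.add is modelled.

def rejected_adds(psp_spec, pod_spec):
    """Return (container, capability) pairs the PSP would refuse to add."""
    allowed = set(psp_spec.get("allowedCapabilities") or [])
    if "*" in allowed:  # wildcard in allowedCapabilities admits every capability
        return []
    # A capability may be added if it is allowed or added by default.
    allowed |= set(psp_spec.get("defaultAddCapabilities") or [])
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    rejected = []
    for container in containers:
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            if cap not in allowed:  # names are compared as plain strings
                rejected.append((container["name"], cap))
    return rejected


# Constructed pod spec using the capability name quoted in the error message.
NODE_EXPORTER_POD = {
    "containers": [{
        "name": "node-exporter",
        "securityContext": {"capabilities": {"add": ["CAP_SYS_TIME"], "drop": ["ALL"]}},
    }]
}

# Constructed policies (assumptions, not the cluster's real PSPs).
PSP_NO_ALLOWED = {}                                       # nothing may be added
PSP_ALLOWING = {"allowedCapabilities": ["CAP_SYS_TIME"]}  # exact name listed
PSP_OTHER_SPELLING = {"allowedCapabilities": ["SYS_TIME"]}  # different string
PSP_WILDCARD = {"allowedCapabilities": ["*"]}

if __name__ == "__main__":
    policies = {
        "no allowedCapabilities": PSP_NO_ALLOWED,
        "CAP_SYS_TIME allowed": PSP_ALLOWING,
        "SYS_TIME allowed": PSP_OTHER_SPELLING,
        "wildcard": PSP_WILDCARD,
    }
    for label, psp in policies.items():
        print(f"{label}: rejected = {rejected_adds(psp, NODE_EXPORTER_POD)}")
```

Running the same comparison against the rendered DaemonSet and PSP before rollout surfaces this mismatch without waiting for `FailedCreate` events from the daemonset-controller.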
@ArthurSens
Contributor

I believe this is an issue from upstream. We're making kube-prometheus adopt security best practices, like dropping unnecessary capabilities, but looks like we forgot to update the pod-security policies.

@fullmetalrooster
Contributor

Here is the PR that should fix the problem. prometheus-operator/kube-prometheus#1642

@ArthurSens
Contributor

The fix should have been imported to previews here: gitpod-io/observability#88

I'll deploy in a new env just to test

@ArthurSens
Contributor

Confirmed that it is running!

Repository owner moved this from In Progress to Done in ☁️ DevX by 🚚 Delivery and Operations Experience Team Feb 14, 2022