From e1a2ba455f46fa782cbe41928025a365a5f13c4d Mon Sep 17 00:00:00 2001
From: William P
Date: Tue, 13 May 2025 11:36:29 -0400
Subject: [PATCH] monitoring: add node exporter

---
 .../nodeExporter-clusterRole.yaml | 22 ++++
 .../nodeExporter-clusterRoleBinding.yaml | 17 +++
 .../node-exporter/nodeExporter-daemonset.yaml | 121 ++++++++++++++++++
 .../nodeExporter-networkPolicy.yaml | 29 +++++
 .../node-exporter/nodeExporter-service.yaml | 20 +++
 .../nodeExporter-serviceAccount.yaml | 11 ++
 6 files changed, 220 insertions(+)
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-clusterRole.yaml
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-clusterRoleBinding.yaml
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-daemonset.yaml
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-networkPolicy.yaml
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-service.yaml
 create mode 100644 system-apps/monitoring/node-exporter/nodeExporter-serviceAccount.yaml

diff --git a/system-apps/monitoring/node-exporter/nodeExporter-clusterRole.yaml b/system-apps/monitoring/node-exporter/nodeExporter-clusterRole.yaml
new file mode 100644
index 0000000..4e689a8
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-clusterRole.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
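Review bot: The two `create` rules in nodeExporter-clusterRole.yaml carry no comment saying which component needs them; they look like the TokenReview/SubjectAccessReview delegation used by the `kube-rbac-proxy` sidecar that the DaemonSet in this patch runs under the same `node-exporter` ServiceAccount. A one-line comment above `rules:` such as `# tokenreviews/subjectaccessreviews: used by the kube-rbac-proxy sidecar to authenticate and authorize scrape requests` would let a later RBAC audit confirm the grant is still needed. Because the role is bound cluster-wide, it should stay limited to these two `create` verbs.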
diff --git a/system-apps/monitoring/node-exporter/nodeExporter-clusterRoleBinding.yaml b/system-apps/monitoring/node-exporter/nodeExporter-clusterRoleBinding.yaml
new file mode 100644
index 0000000..4ed4bd8
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-clusterRoleBinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-exporter
+subjects:
+- kind: ServiceAccount
+ name: node-exporter
+ namespace: monitoring
diff --git a/system-apps/monitoring/node-exporter/nodeExporter-daemonset.yaml b/system-apps/monitoring/node-exporter/nodeExporter-daemonset.yaml
new file mode 100644
index 0000000..e4be35b
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-daemonset.yaml
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+ namespace: monitoring
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: node-exporter
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - args:
+ - --web.listen-address=127.0.0.1:9100
+ - --path.sysfs=/host/sys
+ - --path.rootfs=/host/root
+ - --path.udev.data=/host/root/run/udev/data
+ - --no-collector.wifi
+ - --no-collector.hwmon
+ - --no-collector.btrfs
+ - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run/k3s/containerd/.+|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
+ - --collector.netclass.ignored-devices=^(veth.*|[a-f0-9]{15})$
+ - --collector.netdev.device-exclude=^(veth.*|[a-f0-9]{15})$
+ image: quay.io/prometheus/node-exporter:v1.9.1
+ name: node-exporter
+ resources:
+ limits:
+ cpu: 250m
+ memory: 180Mi
+ requests:
+ cpu: 102m
+ memory: 180Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - SYS_TIME
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /host/sys
+ mountPropagation: HostToContainer
+ name: sys
+ readOnly: true
+ - mountPath: /host/root
+ mountPropagation: HostToContainer
+ name: root
+ readOnly: true
+ - args:
+ - --secure-listen-address=[$(IP)]:9100
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:9100/
+ env:
+ - name: IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ image: quay.io/brancz/kube-rbac-proxy:v0.19.1
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 9100
+ hostPort: 9100
+ name: https
+ resources:
+ limits:
+ cpu: 20m
+ memory: 40Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ hostNetwork: true
+ hostPID: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ serviceAccountName: node-exporter
+ tolerations:
+ - operator: Exists
+ volumes:
+ - hostPath:
+ path: /sys
+ name: sys
+ - hostPath:
+ path: /
+ name: root
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 10%
+ type: RollingUpdate
diff --git a/system-apps/monitoring/node-exporter/nodeExporter-networkPolicy.yaml b/system-apps/monitoring/node-exporter/nodeExporter-networkPolicy.yaml
new file mode 100644
index 0000000..4d45160
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-networkPolicy.yaml
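Review bot: In nodeExporter-daemonset.yaml the `node-exporter` container sets no `seccompProfile`, while the `kube-rbac-proxy` sidecar in the same pod sets `type: RuntimeDefault`; the exporter is the container that runs with `hostPID: true`, a hostPath mount of `/` and an added `SYS_TIME` capability, so it is the one that most needs the default syscall filter. Adding `seccompProfile:` with `type: RuntimeDefault` to what appears to be the pod-level `securityContext` (the one with `runAsUser: 65534`) would cover both containers. `automountServiceAccountToken: true` applies to the whole pod, so the token is also mounted into `node-exporter`, which listens only on `127.0.0.1:9100` and does not appear to need it; a comment recording that the token is there for the sidecar would help the next audit. Both images are referenced by tag (`v1.9.1`, `v0.19.1`); for a DaemonSet that tolerates every taint and runs as `system-cluster-critical`, pinning by digest (`quay.io/prometheus/node-exporter:v1.9.1@sha256:<digest>`) keeps a re-pushed tag from changing what runs on every node.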
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9100
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/system-apps/monitoring/node-exporter/nodeExporter-service.yaml b/system-apps/monitoring/node-exporter/nodeExporter-service.yaml
new file mode 100644
index 0000000..448362e
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+ namespace: monitoring
+spec:
+ clusterIP: None
+ ports:
+ - name: https
+ port: 9100
+ targetPort: https
+ selector:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
diff --git a/system-apps/monitoring/node-exporter/nodeExporter-serviceAccount.yaml b/system-apps/monitoring/node-exporter/nodeExporter-serviceAccount.yaml
new file mode 100644
index 0000000..e08271b
--- /dev/null
+++ b/system-apps/monitoring/node-exporter/nodeExporter-serviceAccount.yaml
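Review bot: The ingress rule in nodeExporter-networkPolicy.yaml is unlikely to restrict anything, because the pods it selects run with `hostNetwork: true` (see the DaemonSet in this patch); Kubernetes documents NetworkPolicy behaviour for hostNetwork pods as undefined, and many CNI plugins treat their traffic as node traffic and do not apply pod-selector policies to it. Port 9100 is therefore likely reachable on each node's address by anything that can route to the node, and the effective control is the kube-rbac-proxy authentication/authorization plus whatever node-level firewalling exists. I would add a comment above `spec:` such as `# NOTE: pods use hostNetwork; enforcement depends on the CNI. Access to :9100 is gated by kube-rbac-proxy.` and confirm that the node firewall or cloud security group limits 9100 to the scrape sources. Separately, `egress: - {}` allows all egress, so listing `Egress` in `policyTypes` adds no restriction.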
@@ -0,0 +1,11 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.9.1
+ name: node-exporter
+ namespace: monitoring