📢 Node Exporter DaemonSet Security Risk Report
📂 Relevant Files and Links
- Local YAML provided (DaemonSet: node-exporter, namespace: monitoring)
- GitHub reference: m3db/m3 node-exporter-daemonset.yaml
📌 Summary of the Issue
The node-exporter DaemonSet
✅ uses hostNetwork: true
✅ uses hostPID: true
which place the container in the host's network and process namespaces instead of pod-private ones.
➡ If the container is compromised, the attacker inherits that host-level access, so a single pod compromise can escalate into a node-wide takeover.
🔍 Detailed Analysis
1️⃣ hostNetwork: true
- Runs the container in the host's network namespace instead of a pod-private one.
- Impact:
- Container can bind directly to the host's IP addresses and any free host port, and sees all host interfaces.
- Can observe or sniff host network traffic (given sufficient privilege, e.g. CAP_NET_RAW).
- Risk:
- If compromised, an attacker can hijack services, sniff sensitive data, or perform lateral movement across the cluster.
2️⃣ hostPID: true
- Runs the container in the host's process (PID) namespace instead of a pod-private one.
- Impact:
- Container can list and observe all processes running on the host, including other pods' containers.
- Process command lines and arguments are visible via /proc, and these often carry secrets passed as flags.
- Risk:
- An attacker can perform reconnaissance, harvest sensitive information, interfere with processes (for example by signalling them, if running with sufficient privilege), or use the visibility into host processes as a stepping stone to privilege escalation.
⚠️ Security Risk Summary
| Risk Item | Description |
|---|---|
| hostNetwork | Host network exposure → risk of hijacking traffic, taking over ports, lateral movement. |
| hostPID | Host process exposure → risk of process monitoring, interference, and sensitive information leakage. |
| Combined Risk | When both are enabled, container compromise dramatically increases the likelihood of node takeover. |
🛠️ Recommended Actions
✅ Reassess Necessity
- Verify whether `hostNetwork` and `hostPID` are strictly necessary; disable whichever is not.
- Caveat: some node-exporter collectors read namespaced files such as /proc/net/dev, so without `hostNetwork` the network metrics describe the pod's namespace rather than the node's. Decide per collector which host namespaces are actually needed rather than enabling both by default.
✅ Strengthen Pod Security
- Keep `runAsNonRoot: true`.
- Remove `privileged: true` and drop unnecessary Linux capabilities.
- Apply seccomp, AppArmor, or SELinux profiles.
✅ Minimize Host Exposure
- Reduce unnecessary port and network bindings (avoid `hostPort` unless a consumer really needs the node address).
- Use Kubernetes NetworkPolicy to limit pod-to-pod and pod-to-service communication. Note that NetworkPolicy enforcement for `hostNetwork` pods is CNI-dependent and frequently absent, which is one more reason to drop `hostNetwork` where possible.
✅ Maintain Image Security
- Regularly update and patch container images.
- Use signed and verified images; run regular vulnerability scans.
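The findings above and the hardening checklist can be turned into a mechanical check. The following is an added example written for this report, not code from the m3db/m3 repository. It audits a DaemonSet's pod template for host-namespace sharing and for each hardening item listed under Recommended Actions, and compares a risky manifest shaped like the one reported against a hardened variant. Both manifests are constructed Python dicts (so no PyYAML is required); the image name and the UID 65534 are assumptions, not values from the m3db/m3 file.

```python
"""Audit a Kubernetes DaemonSet pod template for host-namespace sharing
and missing hardening.  Added example; not the project's own code."""
from typing import Any, Dict, List

# Constructed manifest mirroring the reported shape: hostNetwork + hostPID
# set, hostPort exposed, no securityContext.  Image name is a placeholder.
RISKY_DAEMONSET: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-exporter", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [{
            "name": "node-exporter",
            "image": "example.invalid/node-exporter:placeholder",  # assumed
            "ports": [{"containerPort": 9100, "hostPort": 9100}],
        }],
    }}},
}

# Constructed hardened variant: host namespaces off, non-root, read-only
# root fs, all capabilities dropped, RuntimeDefault seccomp, no hostPort.
HARDENED_DAEMONSET: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-exporter", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "hostNetwork": False,
        "hostPID": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 65534,  # assumed 'nobody' UID
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "node-exporter",
            "image": "example.invalid/node-exporter:placeholder",  # assumed
            "ports": [{"containerPort": 9100}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

HOST_NAMESPACES = {"hostNetwork": "network", "hostPID": "process (PID)", "hostIPC": "IPC"}


def audit_pod_spec(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting, in a stable order."""
    findings: List[str] = []
    for field, label in HOST_NAMESPACES.items():
        if pod_spec.get(field):
            findings.append(f"pod: {field}=true shares the host {label} namespace")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        # Unset allowPrivilegeEscalation means escalation is permitted.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # Container-level values override pod-level ones.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        for cap in caps.get("add", []):
            findings.append(f"{name}: adds capability {cap}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type", "Unconfined") == "Unconfined":
            findings.append(f"{name}: no seccomp profile (Unconfined)")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                findings.append(f"{name}: hostPort {p['hostPort']} binds on the node")
    return findings


def audit_daemonset(manifest: Dict[str, Any]) -> List[str]:
    """Audit the pod template embedded in a DaemonSet manifest."""
    return audit_pod_spec(manifest["spec"]["template"]["spec"])


if __name__ == "__main__":
    for label, manifest in (("risky", RISKY_DAEMONSET), ("hardened", HARDENED_DAEMONSET)):
        found = audit_daemonset(manifest)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The check treats an unset `allowPrivilegeEscalation` as a finding because Kubernetes permits escalation unless the field is explicitly false, and it resolves `runAsNonRoot` and `seccompProfile` from the pod-level securityContext when the container does not override them, which is how the API applies them. Where `hostNetwork` or `hostPID` is kept for a specific collector, the corresponding finding should be recorded as an accepted exception rather than suppressed in the check.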
📂 References
- Kubernetes Pod Security Standards
- Risks of hostNetwork and hostPID
- Prometheus Node Exporter Security Best Practices
- GitHub m3db/m3 node-exporter-daemonset.yaml
❗ Summary
The use of hostNetwork and hostPID in the node-exporter DaemonSet greatly expands the attack surface: a compromise of this one container is a compromise of host network and process visibility on every node it runs on.
Unless strictly necessary, these settings should be disabled; where a collector does require them, they must be paired with the controls above (non-root, no privilege escalation, dropped capabilities, seccomp/AppArmor/SELinux, minimal host port exposure) so that the blast radius of a container compromise stays contained.