[prometheus-node-exporter] Add optional initContainers for permission fixes

henrichter · henrichter · commit d4025430fb05 · 2026-02-20T00:23:56.000+01:00
Signed-off-by: henrichter &lt;hr.richterhenry@gmail.com&gt;
diff --git a/charts/prometheus-node-exporter/Chart.yaml b/charts/prometheus-node-exporter/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
   - prometheus
   - exporter
 type: application
-version: 4.51.1
+version: 4.52.0
 # renovate: github=prometheus/node_exporter
 appVersion: 1.10.2
 home: https://github.com/prometheus/node_exporter/
diff --git a/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/prometheus-node-exporter/templates/daemonset.yaml
@@ -38,26 +38,55 @@ spec:
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
+      {{- $fixes := .Values.permissionInitContainers.fixes -}}
+      {{- $fixesEnabled := or $fixes.rapl $fixes.slabinfo (not (empty .Values.permissionInitContainers.extraCommands)) -}}
+      {{- if or .Values.extraInitContainers $fixesEnabled }}
       initContainers:
-      {{- if .Values.extraInitContainers }}
-      {{- toYaml .Values.extraInitContainers | nindent 8 }}
-      {{- end }}
-        - name: chown-powercap
-          image: busybox:latest
-          command: ["/bin/sh", "-c"]
-          args:
+        {{- if .Values.extraInitContainers }}
+        {{- toYaml .Values.extraInitContainers | nindent 8 }}
+        {{- end }}
+        {{- if $fixesEnabled }}
+        - name: permission-fix
+          {{- if .Values.permissionInitContainers.image.sha }}
+          image: "{{ .Values.global.imageRegistry | default .Values.permissionInitContainers.image.registry}}/{{ .Values.permissionInitContainers.image.repository }}:{{ .Values.permissionInitContainers.image.tag }}@sha256:{{ .Values.permissionInitContainers.image.sha }}"
+          {{- else }}
+          image: "{{ .Values.global.imageRegistry | default .Values.permissionInitContainers.image.registry}}/{{ .Values.permissionInitContainers.image.repository }}:{{ .Values.permissionInitContainers.image.tag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.permissionInitContainers.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.permissionInitContainers.securityContext | nindent 12 }}
+          command:
+            - /bin/sh
+            - -c
             - |
-              if [ -d /host/sys/devices/virtual/powercap ]; then
-                find /host/sys/devices/virtual/powercap -name energy_uj -exec chown root:{{ .Values.securityContext.runAsGroup }} {} + -exec chmod g+r -R {} +;
+              {{- if $fixes.rapl }}
+              powercap_path="/host/sys/devices/virtual/powercap"
+              if [ -d "$powercap_path" ]; then
+                find "$powercap_path" -name energy_uj -exec chown root:{{ .Values.securityContext.runAsGroup }} {} + -exec chmod g+r -R {} +
               fi
-          securityContext:
-            runAsUser: 0
-            runAsNonRoot: false
-            privileged: true
+              {{- end }}
+              {{- if $fixes.slabinfo }}
+              slabinfo_path="/host/proc/slabinfo"
+              if [ -f "$slabinfo_path" ]; then
+                chown root:{{ .Values.securityContext.runAsGroup }} "$slabinfo_path" && chmod g+r "$slabinfo_path"
+              fi
+              {{- end }}
+              {{- range .Values.permissionInitContainers.extraCommands }}
+              {{ . }}
+              {{- end }}
           volumeMounts:
+            {{- if $fixes.rapl }}
             - name: sys
               mountPath: /host/sys
               readOnly: false
+            {{- end }}
+            {{- if $fixes.slabinfo }}
+            - name: proc
+              mountPath: /host/proc
+              readOnly: false
+            {{- end }}
+        {{- end }}
+      {{- end }}
       serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }}
       {{- with .Values.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ . }}
diff --git a/charts/prometheus-node-exporter/values.yaml b/charts/prometheus-node-exporter/values.yaml
@@ -543,6 +543,23 @@ sidecarHostVolumeMounts: []
 ##
 extraInitContainers: []
 
+permissionInitContainers:
+  image:
+    registry: quay.io
+    repository: prometheus/busybox
+    tag: latest
+    sha: ""
+    pullPolicy: IfNotPresent
+  securityContext:
+    privileged: true
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+  fixes:
+    rapl: false
+    slabinfo: false
+  extraCommands: []
+
 ## Liveness probe
 ##
 livenessProbe:
