_config+:: {
namespace: 'default',
versions+:: { nodeExporter: 'v1.0.1' },
imageRepos+:: { nodeExporter: '' },
nodeExporter+:: {
listenAddress: '',
port: 9100,
labels: {
'': 'node-exporter',
'': $._config.versions.nodeExporter,
selectorLabels: {
[labelName]: $._config.nodeExporter.labels[labelName]
for labelName in std.objectFields($._config.nodeExporter.labels)
if !std.setMember(labelName, [''])
nodeExporter+:: {
clusterRoleBinding: {
apiVersion: '',
kind: 'ClusterRoleBinding',
metadata: {
name: 'node-exporter',
roleRef: {
apiGroup: '',
kind: 'ClusterRole',
name: 'node-exporter',
subjects: [{
kind: 'ServiceAccount',
name: 'node-exporter',
namespace: $._config.namespace,
clusterRole: {
apiVersion: '',
kind: 'ClusterRole',
metadata: {
name: 'node-exporter',
rules: [
apiGroups: [''],
resources: ['tokenreviews'],
verbs: ['create'],
apiGroups: [''],
resources: ['subjectaccessreviews'],
verbs: ['create'],
local nodeExporter = {
name: 'node-exporter',
image: $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter,
args: [
'--web.listen-address=' + std.join(':', [$._config.nodeExporter.listenAddress, std.toString($._config.nodeExporter.port)]),
volumeMounts: [
{ name: 'proc', mountPath: '/host/proc', mountPropagation: 'HostToContainer', readOnly: true },
{ name: 'sys', mountPath: '/host/sys', mountPropagation: 'HostToContainer', readOnly: true },
{ name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
resources: $._config.resources['node-exporter'],
local proxy = {
name: 'kube-rbac-proxy',
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
args: [
'--secure-listen-address=[$(IP)]:' + $._config.nodeExporter.port,
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=' + $._config.nodeExporter.port + '/',
env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
// Keep `hostPort` here, rather than in the node-exporter container
// because Kubernetes mandates that if you define a `hostPort` then
// `containerPort` must match. In our case, we are splitting the
// host port and container port between the two containers.
// We'll keep the port specification here so that the named port
// used by the service is tied to the proxy container. We *could*
// forgo declaring the host port, however it is important to declare
// it so that the scheduler can decide if the pod is schedulable.
ports: [
{ name: 'https', containerPort: $._config.nodeExporter.port, hostPort: $._config.nodeExporter.port },
resources: $._config.resources['kube-rbac-proxy'],
securityContext: {
runAsUser: 65532,
runAsGroup: 65532,
runAsNonRoot: true,
2020-08-19 18:51:06 +00:00
apiVersion: 'apps/v1',
kind: 'DaemonSet',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: $._config.nodeExporter.labels,
spec: {
selector: { matchLabels: $._config.nodeExporter.selectorLabels },
updateStrategy: {
type: 'RollingUpdate',
rollingUpdate: { maxUnavailable: '10%' },
template: {
metadata: { labels: $._config.nodeExporter.labels },
spec: {
nodeSelector: { '': 'linux' },
tolerations: [{
operator: 'Exists',
containers: [nodeExporter, proxy],
volumes: [
{ name: 'proc', hostPath: { path: '/proc' } },
{ name: 'sys', hostPath: { path: '/sys' } },
{ name: 'root', hostPath: { path: '/' } },
serviceAccountName: 'node-exporter',
securityContext: {
runAsUser: 65534,
runAsNonRoot: true,
hostPID: true,
hostNetwork: true,
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
serviceMonitor: {
apiVersion: '',
kind: 'ServiceMonitor',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: $._config.nodeExporter.labels,
spec: {
jobLabel: '',
selector: {
matchLabels: $._config.nodeExporter.selectorLabels,
endpoints: [{
port: 'https',
scheme: 'https',
interval: '15s',
bearerTokenFile: '/var/run/secrets/',
relabelings: [
action: 'replace',
regex: '(.*)',
replacement: '$1',
sourceLabels: ['__meta_kubernetes_pod_node_name'],
targetLabel: 'instance',
tlsConfig: {
insecureSkipVerify: true,
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'node-exporter',
namespace: $._config.namespace,
labels: $._config.nodeExporter.labels,
spec: {
ports: [
{ name: 'https', targetPort: 'https', port: $._config.nodeExporter.port },
selector: $._config.nodeExporter.selectorLabels,
clusterIP: 'None',
