📢 Node Exporter DaemonSet Security Risk Report
📂 Relevant Files and Links
- DaemonSet: node-exporter (namespace: monitoring)
📌 Summary of the Issue
The node-exporter DaemonSet
✅ uses hostNetwork: true
✅ uses hostPID: true
which places the container in the host's network and process namespaces instead of isolating it in its own.
➡ A compromise of this container is therefore not contained to the pod: it gives the attacker a foothold on the node itself, and combined with any remaining privilege it can lead to full node takeover.
🔍 Detailed Analysis
1️⃣ hostNetwork: true
- Places the container in the host's network namespace (the pod has no network namespace of its own and uses the node's IP).
- Impact:
  - The container sees the node's interfaces and can bind directly to the node's IP and any unused host port.
  - Services the node exposes only on loopback (127.0.0.1) become reachable from inside the container.
  - It can observe or sniff host network traffic, provided it holds CAP_NET_RAW (a non-root container with capabilities dropped cannot sniff, but can still bind ports and reach node-local services).
  - Most CNI plugins do not enforce NetworkPolicy on hostNetwork pods, so traffic from the container is indistinguishable from traffic originating on the node.
- Risk:
  - If compromised, an attacker can impersonate or hijack node-local services, capture sensitive data in transit, and use the node's network identity for lateral movement across the cluster.
2️⃣ hostPID: true
- Places the container in the host's PID namespace (every process on the node is visible under the container's /proc).
- Impact:
  - The container can list every host process and read world-readable entries such as /proc/<pid>/cmdline, which frequently contain command-line arguments with credentials, tokens or file paths.
  - Access to /proc/<pid>/environ and process memory, or sending signals to host processes, is gated by matching uid or capabilities (CAP_SYS_PTRACE, CAP_KILL); a root or privileged container has that access to every process on the node.
  - With hostPID and privileged: true (or CAP_SYS_ADMIN/CAP_SYS_PTRACE), the host's root filesystem is reachable through /proc/1/root or by entering PID 1's namespaces with nsenter, which is a full container escape.
- Risk:
  - An attacker can perform reconnaissance, harvest secrets exposed by host processes, kill or interfere with kubelet, the container runtime and other node services, and, if any elevated privilege remains, escalate to the node.
⚠️ Security Risk Summary
| Risk Item | Description |
| --- | --- |
| hostNetwork | Host network exposure → hijacking traffic, taking over ports, lateral movement with the node's network identity. |
| hostPID | Host process exposure → process monitoring, interference with node services, leakage of sensitive information from process arguments and memory. |
| Combined Risk | When both are enabled, a container compromise dramatically increases the likelihood of node takeover, and becomes a direct escape if the container is also privileged. |
🛠️ Recommended Actions
✅ Reassess Necessity
- Verify whether hostNetwork and hostPID are strictly necessary; disable them if not.
- Node-exporter's own deployment guidance uses both so that its network and process collectors report the node rather than the container. If those collectors are not required, hostPID can be removed and hostNetwork replaced by a normal container port exposed through the ClusterIP Service, accepting that network metrics will then describe the pod's interfaces.
✅ Strengthen Pod Security
- Keep runAsNonRoot: true (and set an explicit non-root runAsUser).
- Remove privileged: true, set allowPrivilegeEscalation: false, drop all Linux capabilities and add back only those a collector demonstrably needs.
- Set readOnlyRootFilesystem: true; mount host paths such as /proc and /sys read-only.
- Apply seccomp (RuntimeDefault at minimum), AppArmor, or SELinux profiles.
- Enforce these settings cluster-wide with Pod Security Admission (the baseline level already rejects hostNetwork, hostPID and privileged) or an admission policy, granting the monitoring namespace an explicit, documented exemption only if the host namespaces are kept.
✅ Minimize Host Exposure
- Reduce unnecessary port and network bindings; remove hostPort entries and bind the metrics listener only where Prometheus scrapes it.
- Use Kubernetes NetworkPolicy to limit pod-to-pod and pod-to-service communication. Note that most CNI plugins do not apply NetworkPolicy to hostNetwork pods, so while hostNetwork is kept this protects the rest of the cluster from the exporter rather than the exporter itself; host-level firewall rules are needed for that.
✅ Maintain Image Security
- Regularly update and patch container images.
- Use signed and verified images; run regular vulnerability scans.
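As an added worked example for this report (not code from node-exporter, Prometheus or any upstream project), the following Python script audits a workload for the settings discussed in the analysis above and then applies the controls listed under Recommended Actions, so the weak and hardened PodSpecs can be compared side by side. It reads the JSON that `kubectl get ... -o json` emits; the DaemonSet embedded here is constructed for the example. It goes slightly beyond the report's list by also flagging hostIPC, allowPrivilegeEscalation, hostPort and images not pinned by digest; the uid 65534 used in the hardened spec is an example non-root uid, not a requirement.

```python
"""Audit a Kubernetes workload for host-namespace sharing and weak pod security.

Added example for this report; not part of node-exporter or any upstream project.
Input is the JSON that `kubectl get <kind> <name> -o json` prints. The sample
below is a CONSTRUCTED DaemonSet mirroring the settings the report describes.
"""
import copy
import json
import sys

# Constructed sample: a node-exporter-style DaemonSet with the risky settings.
RISKY_DAEMONSET = json.loads(r"""
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "node-exporter", "namespace": "monitoring"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "hostPID": true,
    "containers": [{
      "name": "node-exporter",
      "image": "quay.io/prometheus/node-exporter:latest",
      "ports": [{"containerPort": 9100, "hostPort": 9100}],
      "securityContext": {"privileged": true}
    }]
  }}}
}
""")


def pod_spec(workload):
    """Return the PodSpec of a Deployment/DaemonSet/StatefulSet, or of a bare Pod."""
    spec = workload["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def audit(workload):
    """Return (severity, message) findings for the workload's PodSpec."""
    ps = pod_spec(workload)
    pod_sc = ps.get("securityContext", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if ps.get(flag):
            findings.append(("high", f"{flag}: true shares the node's namespace"))
    containers = ps.get("containers", []) + ps.get("initContainers", [])
    for c in containers:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("critical", f"{name}: privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):  # default is true
            findings.append(("medium", f"{name}: allowPrivilegeEscalation not false"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("medium", f"{name}: capabilities.drop lacks ALL"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("medium", f"{name}: runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("low", f"{name}: readOnlyRootFilesystem not set"))
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(("medium", f"{name}: hostPort {p['hostPort']} binds on the node"))
        if "@sha256:" not in c.get("image", ""):
            findings.append(("low", f"{name}: image not pinned by digest"))
    # hostPID plus a privileged container: /proc/1/root exposes the host root fs.
    if ps.get("hostPID") and any(c.get("securityContext", {}).get("privileged") for c in containers):
        findings.append(("critical", "hostPID with privileged container: host filesystem reachable via /proc/1/root"))
    return findings


def harden(workload, keep_host_namespaces=False):
    """Return a copy with the report's recommended controls applied.

    hostNetwork/hostPID are removed unless keep_host_namespaces is True (the
    'strictly necessary' case); the remaining controls are applied either way.
    Image digests are not known here, so pinning is left to the operator.
    """
    w = copy.deepcopy(workload)
    ps = pod_spec(w)
    if not keep_host_namespaces:
        ps.pop("hostNetwork", None)
        ps.pop("hostPID", None)
    ps["securityContext"] = {
        "runAsNonRoot": True,
        "runAsUser": 65534,  # example non-root uid (assumption, not a requirement)
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    for c in ps["containers"]:
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        for p in c.get("ports", []):
            p.pop("hostPort", None)  # scrape via the Service instead of the node port
    return w


if __name__ == "__main__":
    # Pipe `kubectl get ds -n monitoring node-exporter -o json` in, or run the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else RISKY_DAEMONSET
    for severity, message in audit(doc):
        print(f"[{severity}] {message}")
    print(json.dumps(pod_spec(harden(doc)), indent=2))
```

Run it against the live object with `kubectl get ds -n monitoring node-exporter -o json | python3 audit.py`: the report's two host-namespace settings appear as high findings, and the combination with privileged: true is reported as critical. The hardened copy with keep_host_namespaces=True is the "strictly necessary" configuration the summary describes: the two high findings remain, but the critical escape path is gone.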
📂 References
❗ Summary
The use of hostNetwork and hostPID in the node-exporter DaemonSet greatly expands the attack surface, posing serious threats to Kubernetes node security.
Unless strictly necessary, these settings should be disabled; if required, they must be paired with robust security controls to ensure cluster safety.