The metrics container appears to be unable to access the necessary data to provide metrics.
When I `k port-forward svc/wireguard-metrics-svc 9586:9586` and open http://localhost:9586/metrics I get only:

```
# HELP wireguard_sent_bytes_total Bytes sent to the peer
# TYPE wireguard_sent_bytes_total counter
# HELP wireguard_received_bytes_total Bytes received from the peer
# TYPE wireguard_received_bytes_total counter
# HELP wireguard_latest_handshake_seconds UNIX timestamp seconds of the last handshake
# TYPE wireguard_latest_handshake_seconds gauge
```
So I set the `--verbose "true"` arg on the metrics container and got:

```
[2025-01-09T19:31:46Z TRACE prometheus_wireguard_exporter] wg show all dump stderr == Unable to access interface wg0: Operation not permitted
```
After a bit more debugging, I figured out that the metrics and agent containers have different security context configurations and run as different users:

```yaml
# metrics
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
    - NET_ADMIN
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
```

```yaml
# agent
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
    - NET_ADMIN
  readOnlyRootFilesystem: true
```
After manually editing the deployment and removing the following part from the metrics container configuration, the metrics started working:

```yaml
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
```
This issue seems related to #170.
(I have first opened a discussion about this: #222.)
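
A diagnostic for the `Operation not permitted` error above, added here as an example and not part of the original report or the project: it reads the capability masks from `/proc/<pid>/status` and reports whether `CAP_NET_ADMIN` is actually effective for the process or only present in its bounding set, which is what a non-root user gets from `capabilities.add` when no file or ambient capabilities are involved. The function names and both sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example; function names and sample data are constructed.
CAP_NET_ADMIN=12   # bit number of CAP_NET_ADMIN in linux/capability.h

# cap_mask <CapEff|CapPrm|CapBnd> <status-text>: print that set's hex mask
cap_mask() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2 }'
}

# has_cap <hex-mask> <bit>: succeed if the given capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_admin_state <status-text>: where CAP_NET_ADMIN sits for the process
net_admin_state() {
    eff=$(cap_mask CapEff "$1")
    bnd=$(cap_mask CapBnd "$1")
    if has_cap "$eff" "$CAP_NET_ADMIN"; then
        echo effective          # netlink calls on wg0 can succeed
    elif has_cap "$bnd" "$CAP_NET_ADMIN"; then
        echo bounding-only      # granted to the container, unusable by this user
    else
        echo absent
    fi
}

# Constructed sample: UID 65534, drop ALL + add NET_ADMIN (metrics container shape)
SAMPLE_NONROOT='Uid: 65534 65534 65534 65534
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000001000'

# Constructed sample: UID 0, runtime default set plus NET_ADMIN (agent container shape)
SAMPLE_ROOT='Uid: 0 0 0 0
CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb
CapBnd: 00000000a80435fb'

# Inside a container: sh this-script --self
if [ "${1:-}" = "--self" ]; then
    net_admin_state "$(cat /proc/self/status)"
fi
```

A result of `bounding-only` in the metrics container matches the `wg show all dump` failure while the agent container, running as root, reports `effective`.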