This repository was archived by the owner on Dec 3, 2025. It is now read-only.

Metrics container security context prevents access to WireGuard metrics #223

Description

@Blarc

The metrics container appears to be unable to access the necessary data to provide metrics.

When I k port-forward svc/wireguard-metrics-svc 9586:9586 and open http://localhost:9586/metrics I get only:

# HELP wireguard_sent_bytes_total Bytes sent to the peer
# TYPE wireguard_sent_bytes_total counter

# HELP wireguard_received_bytes_total Bytes received from the peer
# TYPE wireguard_received_bytes_total counter

# HELP wireguard_latest_handshake_seconds UNIX timestamp seconds of the last handshake
# TYPE wireguard_latest_handshake_seconds gauge

So I set the --verbose "true" arg on the metrics container and got:

[2025-01-09T19:31:46Z TRACE prometheus_wireguard_exporter] wg show all dump stderr == Unable to access interface wg0: Operation not permitted

After a bit more debugging, I figured out that the metrics and agent containers have different security context configurations and run as different users:

# metrics
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
    - NET_ADMIN
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
# agent
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
    - NET_ADMIN
  readOnlyRootFilesystem: true

After manually editing the deployment and removing the following part from metrics container configuration, the metrics start working:

readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534

This issue seems related to #170.
(I have first opened a discussion about this: #222.)
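The symptom above (`wg show` reporting "Operation not permitted" even though `NET_ADMIN` is listed under `capabilities.add`) is easiest to confirm from inside the container by reading the capability sets the kernel actually gave the process. The script below is an added diagnostic, not code from the wireguard-operator project or from the reporter: it parses the `CapInh`/`CapPrm`/`CapEff`/`CapBnd`/`CapAmb` lines of `/proc/<pid>/status`, decodes the bitmasks, and reports whether `CAP_NET_ADMIN` (capability number 12) is effective. The two status excerpts embedded in it are constructed samples, not captures from the reporter's cluster; the distinction they illustrate is the general Linux rule that a non-root process only ends up with a capability in its effective set if it was granted through file capabilities on the executable or through the ambient set, while having it in the bounding set alone is not enough.

```python
"""Check which Linux capabilities a process really holds (added diagnostic)."""
from pathlib import Path

# Capability numbers from <linux/capability.h>; index in this tuple == bit number.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
)
CAP_NET_ADMIN = CAP_NAMES.index("CAP_NET_ADMIN")  # == 12
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed /proc/<pid>/status excerpts (not captured from the reporter's cluster):
# a root process holding NET_ADMIN, and a uid-65534 process that only has it in
# its bounding set, which is what "drop: ALL, add: NET_ADMIN" plus runAsUser can yield.
ROOT_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000000000001000
CapAmb:\t0000000000000000
"""
NONROOT_STATUS = """\
Name:\tprometheus_wiregua
Uid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000001000
CapAmb:\t0000000000000000
"""


def parse_status(text):
    """Return (real uid, {field: bitmask}) from the text of /proc/<pid>/status."""
    caps, uid = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key in CAP_FIELDS:
            caps[key] = int(value, 16)  # hex bitmask, bit n == capability n
        elif key == "Uid":
            uid = int(value.split()[0])  # first column is the real uid
    missing = [f for f in CAP_FIELDS if f not in caps]
    if missing or uid is None:
        raise ValueError(f"status text incomplete, missing: {missing or ['Uid']}")
    return uid, caps


def decode(mask):
    """Expand a capability bitmask into capability names."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
            for bit in range(64) if mask >> bit & 1]


def has_cap(caps, cap, set_name="CapEff"):
    """True if capability number `cap` is present in the named set."""
    return bool(caps[set_name] >> cap & 1)


def diagnose(text, cap=CAP_NET_ADMIN):
    """One-line verdict on whether `cap` is usable by the process described by `text`."""
    uid, caps = parse_status(text)
    name = CAP_NAMES[cap]
    if has_cap(caps, cap, "CapEff"):
        return f"{name} is effective for uid {uid}"
    if has_cap(caps, cap, "CapBnd") and uid != 0:
        return (f"{name} is in the bounding set but not effective: uid {uid} is non-root, "
                "so it must be granted via file capabilities on the binary or the ambient set")
    if has_cap(caps, cap, "CapBnd"):
        return f"{name} is in the bounding set but not effective for uid {uid}"
    return f"{name} is not in the bounding set; nothing in this container can gain it"


if __name__ == "__main__":
    # Inside a container: inspect this very process. Elsewhere: show the two samples.
    status = Path("/proc/self/status")
    samples = [status.read_text()] if status.exists() else [ROOT_STATUS, NONROOT_STATUS]
    for text in samples:
        uid, caps = parse_status(text)
        print(f"uid={uid} CapEff={decode(caps['CapEff'])} CapBnd={decode(caps['CapBnd'])}")
        print(diagnose(text))
```

Run it with `kubectl exec` into the metrics container (for example `kubectl exec deploy/<metrics-deployment> -- python3 cap_check.py`, assuming a Python interpreter is available in the image, which it may not be in a minimal exporter image; `cat /proc/1/status` and decoding the hex by hand is the fallback). An output where `CAP_NET_ADMIN` sits in `CapBnd` but not `CapEff` matches the "Operation not permitted" failure and tells you that the `runAsUser`/`runAsNonRoot` settings, not the capability list, are what need attention.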
