
Privileged vs. unprivileged mode

The New Relic Kubernetes integration runs in privileged mode by default, enabling the Infrastructure Agent (running as a DaemonSet sidecar) to directly access the underlying host's information.

While this provides the most complete telemetry, some security policies (such as Pod Security Standards or OpenShift SCCs) may require you to run workloads in unprivileged mode.

Why privileged mode is required

The New Relic Infrastructure Agent is included in the Kubelet pod and requires low-level access to the node's operating system to collect deep system metrics.

Although the default value for privileged in the common library is false, this chart sets it to true by default (see values.yaml) to ensure the agent can:

  • Read the host's /proc and /sys filesystems.
  • Collect accurate CPU, memory, storage, and network statistics for the underlying host.
  • Gather full process lists and metadata that correlate infrastructure health with your Kubernetes objects.

Running in unprivileged mode

If your cluster security policy does not allow the privileged setting in your pods' security context, you can disable it by setting privileged to false.

Impact on data collection

Important

Disabling privileged mode will result in the loss of host-level metrics and metadata.

When unprivileged, the Infrastructure Agent cannot see the host's resource usage. You will lose access to the standard host metrics, including:

  • SystemSample: Host-level CPU, memory, and load averages.
  • StorageSample: Disk usage and I/O for the node's filesystem.
  • NetworkSample: Physical network interface statistics.
  • ProcessSample: Data on processes running outside the New Relic container.

For a detailed list of exactly which attributes and metrics are unavailable in unprivileged mode, please refer to the Linux agent running modes documentation.

How to configure it

Update your custom values file to set the global privileged flag to false:

global:
  privileged: false
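
To confirm the setting took effect, you can audit the deployed objects for containers that still request privileged mode. The following is an added example, not part of the New Relic chart or documentation: it reads JSON in the shape produced by kubectl get daemonsets,pods -o json and reports every container with securityContext.privileged set to true. The sample input, namespace, and object names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets,pods -o json`;
# the namespace, object and container names are made up for illustration.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet",
   "metadata": {"namespace": "newrelic", "name": "example-kubelet"},
   "spec": {"template": {"spec": {
     "initContainers": [{"name": "init"}],
     "containers": [
       {"name": "kubelet", "securityContext": {"privileged": false}},
       {"name": "agent", "securityContext": {"privileged": true}}]}}}},
  {"kind": "Pod",
   "metadata": {"namespace": "newrelic", "name": "example-ksm-abc12"},
   "spec": {"containers": [{"name": "ksm"}]}}
]}
""")

def pod_spec(obj):
    """Return a Pod's spec, or the pod template spec of a DaemonSet/Deployment."""
    spec = obj.get("spec") or {}
    template = spec.get("template")
    return (template.get("spec") or {}) if template else spec

def privileged_containers(doc):
    """List (kind, namespace, name, container) for every privileged container."""
    objects = doc["items"] if "items" in doc else [doc]
    findings = []
    for obj in objects:
        meta = obj.get("metadata") or {}
        spec = pod_spec(obj)
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                # An absent securityContext or privileged key means false.
                if (c.get("securityContext") or {}).get("privileged") is True:
                    findings.append((obj.get("kind"), meta.get("namespace"),
                                     meta.get("name"), c.get("name")))
    return findings

if __name__ == "__main__":
    for finding in privileged_containers(SAMPLE):
        print("privileged: %s %s/%s container=%s" % finding)
```

An empty result after upgrading with privileged set to false means no container in the audited objects requests privileged mode.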

Windows in unprivileged mode

Standard Windows containers cannot directly access host infrastructure due to container isolation. HostProcess containers could provide this access but introduce additional security risks and are not currently used by the New Relic Kubernetes integration. Therefore, Windows DaemonSets run only in unprivileged mode; privileged mode is not supported for Windows nodes.

For more details on what metrics are collected in this mode, see Limitations to the Kubernetes integration for Windows.

Copyright © 2026 New Relic Inc.
