Permissions Required by CloudMonitor for Data Collection in Container Clusters

When you use CloudMonitor Container Insights, a Prometheus Agent is deployed in the cluster to collect data. After the Agent is deployed, it creates a ClusterRole in the cluster that grants the Prometheus Operator read permissions on the resources it needs and write permissions on workloads within a restricted namespace. This topic describes that ClusterRole.

Permission description

  • ClusterRole: cms-prometheus-operator-cluster-role (non-managed scenario) / cms-prometheus-operator-managed-role (managed scenario).

  • Purpose: grants the Prometheus Operator read permissions on the resources it needs and write permissions on a limited set of resources, used for service discovery and similar operations.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cms-prometheus-operator-cluster-role
    rules:
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - alertmanagers
      - prometheuses
      - prometheuses/finalizers
      - alertmanagers/finalizers
      - servicemonitors
      - podmonitors
      - prometheusrules
      - probes
      verbs:
      - '*'
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - "create"
      - "update"
      - "get"
      - "list"
    - apiGroups:
      - ""
      resources:
      - nodes/metrics
      - nodes/proxy
      verbs:
      - get
      - list
      - watch
    - nonResourceURLs:
      - /metrics
      verbs:
      - get
    - apiGroups: [""]
      resources:
      - nodes
      - pods
      - resourcequotas
      - replicationcontrollers
      verbs: ["list", "watch", "get"]
    - apiGroups: [""]
      resources: ["services","endpoints"]
      verbs: ["get", "list", "watch", "create", "update"]
    - apiGroups: ["batch"]
      resources:
      - cronjobs
      - jobs
      verbs: ["list", "watch", "get"]
    - apiGroups: ["policy"]
      resources:
      - poddisruptionbudgets
      verbs: ["list", "watch", "get"]
    - apiGroups: ["apps"]
      resources: ["services","endpoints"]
      verbs: ["get", "list", "watch", "create", "update"]
    - apiGroups:
        - discovery.k8s.io
      resources:
        - endpointslices
      verbs:
        - get
        - list
        - watch
        - create
        - update
    - apiGroups: ["apps"]
      resources: ["services/proxy"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources: ["services/proxy"]
      verbs: ["get", "list", "watch"]

  • Role: cms-prometheus-operator-role.

  • Purpose: grants the Prometheus Operator write permissions on workloads, restricted to a specific namespace and specific resources.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cms-prometheus-operator-role
      namespace: {{  .Release.Namespace }}
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
      - patch
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups: ["apps"]
      resources:
      - deployments
      - replicasets
      resourceNames: ["{{ template "fullname" . }}"]
      verbs:
      - get
      - list
      - watch
      - update
      - patch
    - apiGroups: [""]
      resources: ["services","endpoints"]
      resourceNames: ["kubelet"]
      verbs: ["get", "list", "watch", "create", "update"]

  • ClusterRole: cms-kube-meta-role (non-managed scenario) / cms-kube-meta-managed-role (managed scenario).

  • Purpose: grants the read permissions on resources required by kube-state-metrics and the Entity Collector component.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cms-kube-meta-role
    rules:
    - apiGroups: [""]
      resources:
      - configmaps
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
      verbs: ["get", "list", "watch"]
    - apiGroups: ["extensions"]
      resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
      verbs: ["get", "list", "watch"]
    - apiGroups: ["batch"]
      resources:
      - cronjobs
      - jobs
      verbs: ["get", "list", "watch"]
    - apiGroups: ["autoscaling"]
      resources:
      - horizontalpodautoscalers
      verbs: ["get", "list", "watch"]
    - apiGroups: ["policy"]
      resources:
      - poddisruptionbudgets
      verbs: ["get", "list", "watch"]
    - apiGroups: ["certificates.k8s.io"]
      resources:
        - certificatesigningrequests
      verbs: ["get", "list", "watch"]
    - apiGroups:
        - certificates.k8s.io
      resources:
        - certificatesigningrequests
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingresses
        - networkpolicies
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - storage.k8s.io
      resources:
        - storageclasses
        - volumeattachments
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - admissionregistration.k8s.io
      resources:
        - mutatingwebhookconfigurations
        - validatingwebhookconfigurations
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - coordination.k8s.io
      resources:
        - leases
      verbs:
        - get
        - list
        - watch
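
The following is an added example, not part of the original topic or of the Agent's own code: a least-privilege review of the PolicyRules above, run offline against a constructed JSON excerpt of cms-prometheus-operator-cluster-role (JSON is valid YAML and matches the shape `kubectl get clusterrole <name> -o json` returns). The severity labels, the WRITE_VERBS/PROXY_SUBRESOURCES/CORE_ONLY tables and the summarize() gate are this example's own assumptions; it flags the wildcard verbs on monitoring.coreos.com, the nodes/proxy grant, the create/update verbs on services and endpoints, and the rule that lists services and endpoints under the apps group, which grants nothing because those resources exist only in the core ("") group.

```python
import json

# Constructed excerpt of cms-prometheus-operator-cluster-role as JSON (JSON is valid YAML,
# and it is the shape `kubectl get clusterrole <name> -o json` returns).
MANIFEST = json.loads("""
{"kind": "ClusterRole", "rules": [
  {"apiGroups": ["monitoring.coreos.com"], "resources": ["prometheuses", "servicemonitors"], "verbs": ["*"]},
  {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["create", "update", "get", "list"]},
  {"apiGroups": [""], "resources": ["nodes/metrics", "nodes/proxy"], "verbs": ["get", "list", "watch"]},
  {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["get", "list", "watch", "create", "update"]},
  {"apiGroups": ["apps"], "resources": ["services", "endpoints"], "verbs": ["get", "list", "watch", "create", "update"]}
]}""")

# Review policy (this example's assumptions): anything beyond get/list/watch is a write;
# proxy subresources let the holder reach kubelets or service backends through the API server;
# CORE_ONLY resources exist only in the core ("") group, so naming them under another group grants nothing.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
PROXY_SUBRESOURCES = {"nodes/proxy", "services/proxy", "pods/proxy"}
CORE_ONLY = {"services", "endpoints", "pods", "nodes", "configmaps", "secrets"}

def review_rules(rules):
    """Return (severity, message) findings for a list of RBAC PolicyRules."""
    findings = []
    for rule in rules:
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in resources:
            findings.append(("high", f"wildcard grant on {groups} {resources}"))
        elif verbs & WRITE_VERBS:
            findings.append(("medium", f"write verbs {sorted(verbs & WRITE_VERBS)} on {groups} {resources}"))
        for res in resources:
            if res in PROXY_SUBRESOURCES:
                findings.append(("high", f"{res} {sorted(verbs)}: reaches the backend behind the API server"))
            if res.split("/")[0] in CORE_ONLY and groups and "" not in groups:
                findings.append(("info", f"{res} does not exist in apiGroups {groups}; rule is a no-op"))
        if rule.get("nonResourceURLs"):
            findings.append(("info", f"nonResourceURLs {rule['nonResourceURLs']} {sorted(verbs)}"))
    return findings

def summarize(manifest):
    """Count findings per severity so a CI gate can fail on unexpected 'high' entries."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, _ in review_rules(manifest["rules"]):
        counts[sev] += 1
    return counts

FINDINGS = review_rules(MANIFEST["rules"])  # each entry: (severity, message)
```

Running the same review against the live object (`kubectl get clusterrole cms-prometheus-operator-cluster-role -o json`) shows whether the deployed grant still matches this documented one.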

Related documents

When CloudMonitor observes a container cluster, it also requires management permissions on that cluster. For details, see "Authorization description for CloudMonitor management services on container clusters" (容器集群面向云监控管控服务授权说明).