ClusterRole changes for CloudLens for Container components
Nov 10, 2025
Cloud Monitor
Affected Time
To improve security and standardize permission management for container monitoring, the ClusterRole permission model for the Prometheus agent and Entity Collector components is updated. These changes affect both the control plane and data plane. The specific ClusterRole changes are detailed below.
Prometheus agent data plane changes
Effective from V1.1.35, the following changes apply to the data plane permissions for the Prometheus agent:
- The arms-prometheus-oper3 (ClusterRole) is renamed to cms-prometheus-operator-cluster-role (for self-managed scenarios) and cms-prometheus-operator-managed-role (for managed scenarios). The new role's access policy inherits from arms-prometheus-oper3. This policy grants the Prometheus Operator permissions to read resources and manage workloads (such as Deployments and Pods) in specific namespaces.
- The arms-pilot-prom-k8s (ClusterRole) is deprecated.
- The arms-pilot-prom-k8s-arms_config (Role) is renamed to cms-prometheus-operator-role. This role grants the Prometheus Operator permissions to manage workloads in a specific namespace.
- The arms-kube-state-metrics (ClusterRole) is renamed to cms-kube-meta-role (for self-managed scenarios) and cms-kube-meta-managed-role (for managed scenarios). The new role's access policy inherits from arms-kube-state-metrics. This policy grants kube-state-metrics permissions to read cluster resources.
Entity Collector data plane changes
Effective from v2.0.7, the following changes apply to the data plane permissions for the managed Entity Collector:
The entity-collector-manager-role (ClusterRole) is deprecated. The managed Entity Collector now shares a ClusterRole with kube-state-metrics: cms-kube-meta-role or cms-kube-meta-managed-role. This shared role grants the necessary read permissions on cluster resources to generate Meta Metrics and Entities.
Cloud Monitor Integration Center control plane changes
Effective November 10, 2025, the control plane permissions required by the Cloud Monitor Integration Center for container clusters are updated as follows:
A new, dedicated ClusterRole is added for the control plane permissions required by CloudLens for Container: cloudmonitor-cms-integrationforcs-clusterrole. The corresponding Alibaba Cloud service role is AliyunCmsIntegrationForCSRole. For more information, see Permissions for Cloud Monitor data collection in container clusters and Service access authorization for Cloud Monitor management services on container clusters.
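The data plane renames and deprecations above can be checked after an upgrade with a short audit of the cluster's RBAC objects. The following is an added example, not code from Alibaba Cloud: the role names are taken from this notice, while the `audit` function, the sample objects, and the binding and service account names are constructed for illustration.

```python
# Legacy name -> (kind, replacement names) as listed in this notice; () means deprecated
# with no replacement named. entity-collector-manager-role maps to the shared kube-meta roles.
KUBE_META = ("cms-kube-meta-role", "cms-kube-meta-managed-role")
LEGACY = {
    "arms-prometheus-oper3": ("ClusterRole", ("cms-prometheus-operator-cluster-role",
                                              "cms-prometheus-operator-managed-role")),
    "arms-pilot-prom-k8s": ("ClusterRole", ()),
    "arms-pilot-prom-k8s-arms_config": ("Role", ("cms-prometheus-operator-role",)),
    "arms-kube-state-metrics": ("ClusterRole", KUBE_META),
    "entity-collector-manager-role": ("ClusterRole", KUBE_META),
}

def audit(items):
    """Flag legacy roles still present and bindings that still reference them."""
    roles = {(o["kind"], o["metadata"]["name"]) for o in items
             if o["kind"] in ("ClusterRole", "Role")}
    findings = []
    for name, (kind, new) in LEGACY.items():
        if (kind, name) not in roles:
            continue
        if not new:
            state = "deprecated but still present"
        elif any((kind, n) in roles for n in new):
            state = "still present alongside its replacement"
        else:
            state = "present, replacement not found: " + " or ".join(new)
        findings.append(f"{kind}/{name}: {state}")
    for o in items:
        ref = o.get("roleRef", {})  # only bindings carry a roleRef
        if ref.get("name") not in LEGACY or LEGACY[ref["name"]][0] != ref.get("kind"):
            continue
        who = ", ".join(f"{s['kind']}:{s['name']}" for s in o.get("subjects") or [])
        findings.append(f"{o['kind']}/{o['metadata']['name']}: binds [{who}] to legacy {ref['name']}")
    return findings

# Constructed sample (not from a real cluster): a mid-upgrade state.
def _obj(kind, name, **extra):
    return {"kind": kind, "metadata": {"name": name}, **extra}

SAMPLE = [
    _obj("ClusterRole", "arms-pilot-prom-k8s"),
    _obj("ClusterRole", "arms-kube-state-metrics"),
    _obj("ClusterRole", "cms-kube-meta-role"),
    _obj("ClusterRoleBinding", "example-ksm-binding",
         roleRef={"kind": "ClusterRole", "name": "arms-kube-state-metrics"},
         subjects=[{"kind": "ServiceAccount", "name": "example-sa"}]),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To run it against a cluster, pass `audit()` the `items` array from `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`.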















