The ClusterRole permission model for the Prometheus agent and Entity Collector components is updated to improve security and standardize permission management for container monitoring.
These changes affect both the control plane and data plane.
Prometheus agent data plane changes
Effective from V1.1.35, the following changes apply to the data plane permissions for the Prometheus agent:
- The arms-prometheus-oper3 (ClusterRole) is renamed to cms-prometheus-operator-cluster-role (for self-managed scenarios) and cms-prometheus-operator-managed-role (for managed scenarios). The new role's access policy inherits from arms-prometheus-oper3. This policy grants the Prometheus Operator permissions to read resources and manage workloads (such as Deployments and Pods) in specific namespaces.
- The arms-pilot-prom-k8s (ClusterRole) is deprecated.
- The arms-pilot-prom-k8s-arms_config (Role) is renamed to cms-prometheus-operator-role. This role grants the Prometheus Operator permissions to manage workloads in a specific namespace.
- The arms-kube-state-metrics (ClusterRole) is renamed to cms-kube-meta-role (for self-managed scenarios) and cms-kube-meta-managed-role (for managed scenarios). The new role's access policy inherits from arms-kube-state-metrics. This policy grants kube-state-metrics permissions to read cluster resources.
Entity Collector data plane changes
Effective from v2.0.7, the following changes apply to the data plane permissions for the managed Entity Collector:
The entity-collector-manager-role (ClusterRole) is deprecated. The managed Entity Collector now shares a ClusterRole with kube-state-metrics: cms-kube-meta-role or cms-kube-meta-managed-role. This shared role grants the necessary read permissions on cluster resources to generate Meta Metrics and Entities.
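A post-upgrade check for the renames and deprecations listed above, as an added example that is not part of the original documentation: it scans binding objects for roleRef entries that still name a legacy role and reports which subjects hold them. The binding, namespace and service account names in the sample are constructed, and because the page does not say whether the upgrade removes the old objects, the script only reports.

```python
import json

# Legacy role -> successors named on this page (empty list: deprecated, none given).
KSM_NEW = ["cms-kube-meta-role", "cms-kube-meta-managed-role"]
LEGACY = {
    ("ClusterRole", "arms-prometheus-oper3"): [
        "cms-prometheus-operator-cluster-role", "cms-prometheus-operator-managed-role"],
    ("ClusterRole", "arms-pilot-prom-k8s"): [],
    ("Role", "arms-pilot-prom-k8s-arms_config"): ["cms-prometheus-operator-role"],
    ("ClusterRole", "arms-kube-state-metrics"): KSM_NEW,
    ("ClusterRole", "entity-collector-manager-role"): KSM_NEW,
}

def audit_bindings(binding_list):
    """Return one finding per binding whose roleRef still names a legacy role."""
    findings = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        key = (ref.get("kind"), ref.get("name"))
        if key not in LEGACY:
            continue
        meta = item.get("metadata", {})
        findings.append({
            "binding": f"{item.get('kind')}/{meta.get('namespace', '-')}/{meta.get('name')}",
            "legacy_role": key[1],
            "replacements": LEGACY[key],
            # Subjects show which identities still receive the old grant.
            "subjects": [f"{s.get('kind')}/{s.get('namespace', '-')}/{s.get('name')}"
                         for s in item.get("subjects") or []],
        })
    return findings

# Constructed sample, shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-ksm"},
  "roleRef": {"kind": "ClusterRole", "name": "arms-kube-state-metrics"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-ksm-sa"}]},
 {"kind": "RoleBinding", "metadata": {"namespace": "example-ns", "name": "example-oper"},
  "roleRef": {"kind": "Role", "name": "arms-pilot-prom-k8s-arms_config"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-oper-sa"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-pilot"},
  "roleRef": {"kind": "ClusterRole", "name": "arms-pilot-prom-k8s"}, "subjects": null},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "example-meta"},
  "roleRef": {"kind": "ClusterRole", "name": "cms-kube-meta-role"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-ksm-sa"}]}]}""")

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE):
        print(f"{f['binding']}: {f['legacy_role']} -> {f['replacements'] or 'deprecated'}")
```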
Cloud Monitor Integration Center control plane changes
Effective November 10, 2025, the control plane permissions required by the Cloud Monitor Integration Center for container clusters are updated as follows:
A new, dedicated ClusterRole is added for the control plane permissions required by CloudLens for Container: cloudmonitor-cms-integrationforcs-clusterrole. The corresponding Alibaba Cloud service role is AliyunCmsIntegrationForCSRole. For more information, see Permissions for Cloud Monitor data collection in container clusters and Service access authorization for Cloud Monitor management services on container clusters.