To use the data integration features of the Cloud Monitor Integration Center with Container Service for Kubernetes (ACK), you must grant Cloud Monitor permissions to manage your cluster resources. This authorization is required only for management operations. You can revoke the permissions after the operations are complete without affecting data collection. For more information about how to revoke permissions, see Configure permissions to deny cloud products access to ACK clusters.
Permissions
Service role name: AliyunCmsIntegrationForCSRole.
The authorization includes OpenAPI permissions and in-cluster ClusterRole permissions. The OpenAPI permissions let the Cloud Monitor service obtain the credentials it needs to connect to the target cluster (the kubeconfig actions listed below). The ClusterRole permissions let the Cloud Monitor service deploy data collection probes and collection configuration resources into the cluster.
Alibaba Cloud OpenAPI permissions
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeClusterInnerServiceKubeconfig",
        "adcp:GrantUserPermission",
        "adcp:DescribeHubClusterKubeconfig"
      ],
      "Resource": "*"
    }
  ]
}
In-cluster ClusterRole permissions
The Cloud Monitor management service uses the following ClusterRole to create the resources required by the probes. You can revoke the ClusterRole after the resources are created.
The created resources typically reside only in the following namespaces: arms-prom, kube-system, and cms-prom.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-cms-integrationforcs-clusterrole
rules:
  # Custom API groups (all resources and operations allowed), used to deliver observability extension configuration resources
  - apiGroups:
      - vector.oam.dev
      - o11y.aliyun.dev
      - monitoring.coreos.com
      - monitor.aliyun.com
      - log.alibabacloud.com
      - telemetry.alibabacloud.com
    resources:
      - '*'
    verbs:
      - '*'
  # Core resources required for Exporter workload delivery, used to deliver probe workloads
  - apiGroups: [""]
    resources:
      - services
      - configmaps
      - serviceaccounts
      - namespaces
      - events
      - secrets
    verbs:
      - '*'
  # Application resources (all operations), used to deliver probe workloads
  - apiGroups: [apps, extensions]
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - '*'
  # Network discovery resources, used for service discovery checks
  - apiGroups: [discovery.k8s.io]
    resources:
      - endpointslices
    verbs:
      - get
      - list
  # Read-only access to core resources used for service discovery (the resource name is "nodes"; the page's original "node" would match nothing)
  - apiGroups: [""]
    resources:
      - nodes
      - pods
      - endpoints
      - services/proxy
    verbs:
      - get
      - list
  # API extension resources, used to install observability-related extension CRDs
  - apiGroups: [apiextensions.k8s.io]
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - list
      - get
  # RBAC resources, used to create the RBAC resources required by probes
  - apiGroups: [rbac.authorization.k8s.io]
    resources:
      - rolebindings
      - roles
      - clusterroles
      - clusterrolebindings
    verbs:
      - create
      - list
      - get
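Because the ClusterRole above grants wildcard verbs on Secrets and create on RBAC objects, and the page says it can be revoked once the probes exist, a practitioner will want to review the grant and find the binding to remove. The following Python is an added example, not Cloud Monitor's own code: it audits a ClusterRole in the shape returned by `kubectl get clusterrole <name> -o json` and lists the ClusterRoleBindings that reference it. The SENSITIVE table, the sample role (a subset of the rules above) and the binding name cms-integration-binding are constructed for this example.

```python
# Which (apiGroup, resource) pairs deserve a second look, and the verbs that make them risky.
SENSITIVE = {
    ("", "secrets"): ("can read Secret contents", {"*", "get", "list", "watch"}),
    ("", "services/proxy"): ("can proxy to in-cluster services", {"*", "get", "create"}),
    ("rbac.authorization.k8s.io", "clusterroles"):
        ("can create or alter ClusterRoles", {"*", "create", "update", "patch", "escalate"}),
    ("rbac.authorization.k8s.io", "clusterrolebindings"):
        ("can grant cluster-wide roles", {"*", "create", "update", "patch", "bind"}),
}

def audit_clusterrole(role):
    """Findings: wildcard grants, plus risky verbs on the SENSITIVE resources."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                reasons = []
                if res == "*" or "*" in verbs:
                    reasons.append("wildcard grant")
                if (group, res) in SENSITIVE and verbs & SENSITIVE[(group, res)][1]:
                    reasons.append(SENSITIVE[(group, res)][0])
                if reasons:
                    findings.append({"apiGroup": group or "core", "resource": res,
                                     "verbs": sorted(verbs), "reasons": reasons})
    return findings

def bindings_to_revoke(bindings, role_name):
    """ClusterRoleBindings that reference role_name; deleting them revokes the grant, not the probes."""
    return sorted(b["metadata"]["name"] for b in bindings.get("items", [])
                  if b.get("roleRef", {}).get("kind") == "ClusterRole"
                  and b["roleRef"].get("name") == role_name)

# Constructed samples shaped like `kubectl get clusterrole <name> -o json` (a subset of the rules
# shown above) and `kubectl get clusterrolebindings -o json`; not real cluster output.
ROLE = {"kind": "ClusterRole", "metadata": {"name": "cloudmonitor-cms-integrationforcs-clusterrole"},
        "rules": [
            {"apiGroups": ["monitoring.coreos.com"], "resources": ["*"], "verbs": ["*"]},
            {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]},
            {"apiGroups": ["rbac.authorization.k8s.io"],
             "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["create", "list", "get"]}]}
BINDINGS = {"items": [
    {"metadata": {"name": "cms-integration-binding"}, "roleRef": {"kind": "ClusterRole",
     "name": "cloudmonitor-cms-integrationforcs-clusterrole"}},
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]}
if __name__ == "__main__":
    for f in audit_clusterrole(ROLE):
        print(f"{f['apiGroup']}/{f['resource']} verbs={','.join(f['verbs'])}: {'; '.join(f['reasons'])}")
    for name in bindings_to_revoke(BINDINGS, ROLE["metadata"]["name"]):
        print("kubectl delete clusterrolebinding", name)
```

Read-only rules such as the endpointslices get/list rule produce no finding, so the output is only the grants worth confirming against the namespaces the page says the probes live in.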
References
Cloud Monitor also requires data plane permissions to monitor container clusters. For more information, see Permissions for CloudMonitor data collection on container clusters.