Cloud Monitor:Permissions for Cloud Monitor data collection in container clusters

Last Updated: Jun 08, 2026

Cloud Monitor Container Insight deploys a Prometheus Agent to collect metrics from your cluster. To do so, it creates Role-Based Access Control (RBAC) roles that grant the Prometheus Operator read access to cluster resources and operational access to workloads in its own namespace, and that grant kube-state-metrics and the Entity Collector read access to Kubernetes objects. This topic lists the permissions that each role contains.

Permissions

Cloud Monitor creates the following RBAC roles for data collection. ClusterRole permissions apply to cluster-scoped resources and to namespaced resources in every namespace; Role permissions apply only to namespaced resources in the namespace where the Role is created.

cms-prometheus-operator-cluster-role (cluster-scoped)

Used in self-managed scenarios. In managed scenarios, the equivalent role is cms-prometheus-operator-managed-role.

This ClusterRole grants the Prometheus Operator full access (every verb, including delete) to the Prometheus Operator custom resources, read access to cluster resources, and limited write access for service discovery and reconciliation: it can create and update CustomResourceDefinitions, Services, Endpoints and EndpointSlices. Two points are worth knowing when you review it. First, get on nodes/metrics and nodes/proxy is read access to the kubelet API through the API server proxy, which includes node-level pod and metrics data; the rule grants no create on nodes/proxy, so it cannot be used to exec into pods. Second, the rules in the apps API group that name services, endpoints and services/proxy grant nothing, because those resources exist only in the core API group (""); the effective grants for them come from the core-group rules. You can confirm the effective permissions of the operator's service account with kubectl auth can-i --list --as=system:serviceaccount:NAMESPACE:SERVICEACCOUNT, substituting the namespace and service account name used in your deployment.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cms-prometheus-operator-cluster-role
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - alertmanagers
  - prometheuses
  - prometheuses/finalizers
  - alertmanagers/finalizers
  - servicemonitors
  - podmonitors
  - prometheusrules
  - probes
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "create"
  - "update"
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
- apiGroups: [""]
  resources:
  - nodes
  - pods
  - resourcequotas
  - replicationcontrollers
  verbs: ["list", "watch", "get"]
- apiGroups: [""]
  resources: ["services","endpoints"]
  verbs: ["get", "list", "watch", "create", "update"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs: ["list", "watch", "get"]
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["list", "watch", "get"]
- apiGroups: ["apps"]
  resources: ["services","endpoints"]
  verbs: ["get", "list", "watch", "create", "update"]
- apiGroups:
    - discovery.k8s.io
  resources:
    - endpointslices
  verbs:
    - get
    - list
    - watch
    - create
    - update
- apiGroups: ["apps"]
  resources: ["services/proxy"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get", "list", "watch"]

cms-prometheus-operator-role (namespace-scoped)

This Role grants the Prometheus Operator operational access to workloads within its namespace: full management of ConfigMaps (including delete and deletecollection), read access to Pods, update and patch of its own Deployment and ReplicaSets (restricted by resourceNames to the release's fullname), and get, list, watch, create and update on the Service and Endpoints named kubelet. Note how resourceNames interact with verbs: the API server compares resourceNames against the name carried in the request, and create and deletecollection requests carry no name, so a rule with resourceNames never authorizes them; list and watch are authorized by such a rule only when the client sends a metadata.name field selector that matches the listed name. In practice the kubelet rule therefore yields get, update and name-scoped watch on those two objects, and the create verb in it is inert.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cms-prometheus-operator-role
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - deletecollection
  - patch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups: ["apps"]
  resources:
  - deployments
  - replicasets
  resourceNames: ["{{ template "fullname" . }}"]
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups: [""]
  resources: ["services","endpoints"]
  resourceNames: ["kubelet"]
  verbs: ["get", "list", "watch", "create", "update"]
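
The following Python is an added example, not Cloud Monitor or Prometheus Operator code. It re-implements the API server's RBAC rule-matching logic (verb, apiGroup, resource and subresource, resourceNames, nonResourceURLs) and runs it over the two roles above so that you can check what they actually authorize. CLUSTER_RULES and ROLE_RULES are transcribed from the two manifests on this page; DISCOVERY is a constructed, deliberately small subset of a cluster's API discovery data, and the resourceNames entry "<fullname>" is a placeholder for the rendered Helm fullname. It shows that the wildcard verb on monitoring.coreos.com includes delete, that the apps-group entries for services, endpoints and services/proxy are ineffective, and that the kubelet rule's resourceNames stop it from authorizing create or an unfiltered list.

```python
"""Re-implementation of Kubernetes RBAC rule matching, used to audit the
cms-prometheus-operator roles.  Added example; rule lists are transcribed from
the page, DISCOVERY is a constructed subset, "<fullname>" is a placeholder."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    groups: List[str] = field(default_factory=list)     # apiGroups
    resources: List[str] = field(default_factory=list)
    verbs: List[str] = field(default_factory=list)
    names: List[str] = field(default_factory=list)      # resourceNames
    urls: List[str] = field(default_factory=list)       # nonResourceURLs


CLUSTER_RULES = [  # cms-prometheus-operator-cluster-role, transcribed from the page
    Rule(["monitoring.coreos.com"], ["alertmanagers", "prometheuses", "prometheuses/finalizers",
         "alertmanagers/finalizers", "servicemonitors", "podmonitors", "prometheusrules", "probes"], ["*"]),
    Rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["create", "update", "get", "list"]),
    Rule([""], ["nodes/metrics", "nodes/proxy"], ["get", "list", "watch"]),
    Rule(urls=["/metrics"], verbs=["get"]),
    Rule([""], ["nodes", "pods", "resourcequotas", "replicationcontrollers"], ["list", "watch", "get"]),
    Rule([""], ["services", "endpoints"], ["get", "list", "watch", "create", "update"]),
    Rule(["batch"], ["cronjobs", "jobs"], ["list", "watch", "get"]),
    Rule(["policy"], ["poddisruptionbudgets"], ["list", "watch", "get"]),
    Rule(["apps"], ["services", "endpoints"], ["get", "list", "watch", "create", "update"]),
    Rule(["discovery.k8s.io"], ["endpointslices"], ["get", "list", "watch", "create", "update"]),
    Rule(["apps"], ["services/proxy"], ["get", "list", "watch"]),
    Rule([""], ["services/proxy"], ["get", "list", "watch"]),
]

ROLE_RULES = [  # cms-prometheus-operator-role (namespace-scoped), transcribed from the page
    Rule([""], ["configmaps"], ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]),
    Rule([""], ["pods"], ["get", "list", "watch"]),
    Rule(["apps"], ["deployments", "replicasets"], ["get", "list", "watch", "update", "patch"], names=["<fullname>"]),
    Rule([""], ["services", "endpoints"], ["get", "list", "watch", "create", "update"], names=["kubelet"]),
]

# Constructed discovery subset: which top-level resources each API group actually serves.
DISCOVERY: Dict[str, Set[str]] = {
    "": {"nodes", "pods", "services", "endpoints", "configmaps", "resourcequotas", "replicationcontrollers"},
    "apps": {"deployments", "replicasets", "daemonsets", "statefulsets"},
    "discovery.k8s.io": {"endpointslices"},
    "batch": {"jobs", "cronjobs"},
    "policy": {"poddisruptionbudgets"},
    "apiextensions.k8s.io": {"customresourcedefinitions"},
    "monitoring.coreos.com": {"alertmanagers", "prometheuses", "servicemonitors",
                              "podmonitors", "prometheusrules", "probes"},
}

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def _resource_ok(rule: Rule, resource: str, subresource: str) -> bool:
    # The apiserver matches "*", the exact "resource/subresource" string, or "*/subresource".
    combined = f"{resource}/{subresource}" if subresource else resource
    return any(r == "*" or r == combined or (subresource and r == f"*/{subresource}")
               for r in rule.resources)


def _name_ok(rule: Rule, name: Optional[str]) -> bool:
    # No resourceNames: any name matches.  With resourceNames the request must carry a
    # name; create, deletecollection and an unfiltered list carry none, so never match.
    return not rule.names or (name is not None and name in rule.names)


def allows(rules: List[Rule], verb: str, group: str, resource: str,
           subresource: str = "", name: Optional[str] = None) -> bool:
    """True if any rule authorizes the request; rules are OR-ed, as in the apiserver."""
    return any(("*" in r.verbs or verb in r.verbs)
               and ("*" in r.groups or group in r.groups)
               and _resource_ok(r, resource, subresource)
               and _name_ok(r, name)
               for r in rules if r.resources)


def allows_url(rules: List[Rule], verb: str, url: str) -> bool:
    """Non-resource URL rules: exact match, "*", or a trailing-wildcard prefix like /api/*."""
    return any(("*" in r.verbs or verb in r.verbs)
               and any(u == "*" or u == url or (u.endswith("*") and url.startswith(u[:-1]))
                       for u in r.urls)
               for r in rules if r.urls)


def dead_rules(rules: List[Rule], discovery: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(group, resource) pairs a rule names but the group does not serve; they grant nothing."""
    dead = {(g, res) for r in rules for g in r.groups for res in r.resources
            if g in discovery and res != "*" and res.split("/")[0] not in discovery[g]}
    return sorted(dead)


def write_grants(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """(group, resource, verb) triples where a rule grants a mutating verb."""
    return sorted({(g, res, v) for r in rules for v in r.verbs if v in WRITE_VERBS
                   for g in r.groups for res in r.resources})


if __name__ == "__main__":
    print("ineffective entries:", dead_rules(CLUSTER_RULES, DISCOVERY))
    print("cluster-wide write grants:", write_grants(CLUSTER_RULES))
    print("create kubelet Endpoints via the resourceNames rule:",
          allows(ROLE_RULES, "create", "", "endpoints"))
```

Running the script prints the apps-group entries as ineffective, lists every cluster-wide mutating grant (the wildcard on the monitoring.coreos.com resources and create/update on CRDs, Services, Endpoints and EndpointSlices), and reports False for creating the kubelet Endpoints through the name-restricted rule. To run the same audit against a live cluster, replace DISCOVERY with the output of kubectl api-resources and the rule lists with the rules from kubectl get clusterrole/role -o yaml.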

cms-kube-meta-role (cluster-scoped)

Used in self-managed scenarios. In managed scenarios, the equivalent role is cms-kube-meta-managed-role.

This ClusterRole grants kube-state-metrics and the Entity Collector read-only access (get, list, watch) to a broad set of cluster resources, which they use to generate Kubernetes object metrics and inventory data. Two of the resources deserve a note: configmaps are readable cluster-wide, so any configuration data stored in them without a Secret is visible to these components, and certificatesigningrequests expose the PEM request and any issued certificate. The rule for the extensions API group only matters on old clusters: daemonsets, deployments and replicasets were removed from extensions in Kubernetes 1.16 and ingresses in 1.22, so on current clusters it grants nothing and the apps and networking.k8s.io rules are the effective ones.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cms-kube-meta-role
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - nodes
  - pods
  - services
  - resourcequotas
  - replicationcontrollers
  - limitranges
  - persistentvolumeclaims
  - persistentvolumes
  - namespaces
  - endpoints
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - ingresses
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs: ["get", "list", "watch"]
- apiGroups: ["autoscaling"]
  resources:
  - horizontalpodautoscalers
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources:
    - certificatesigningrequests
  verbs: ["get", "list", "watch"]
- apiGroups:
    - networking.k8s.io
  resources:
    - ingresses
    - networkpolicies
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - storage.k8s.io
  resources:
    - storageclasses
    - volumeattachments
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - admissionregistration.k8s.io
  resources:
    - mutatingwebhookconfigurations
    - validatingwebhookconfigurations
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - coordination.k8s.io
  resources:
    - leases
  verbs:
    - get
    - list
    - watch

References

The roles above cover data collection only. Cloud Monitor also requires management permissions for container clusters; see Service access authorization for Cloud Monitor management of container clusters.