Cloud Monitor Container Insight deploys a Prometheus Agent to your cluster to collect data. After the agent is deployed, a ClusterRole is created to grant the Prometheus Operator read permissions for resources and operation permissions for workloads within a specific namespace. This topic describes the required permissions.
Permissions
ClusterRole: cms-prometheus-operator-cluster-role (for self-managed scenarios) / cms-prometheus-operator-managed-role (for managed scenarios).
Purpose: Grants the Prometheus Operator read permissions for required resources and operation permissions for a limited set of resources. These permissions are used for operations such as service discovery.
Permission checklist:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cms-prometheus-operator-cluster-role
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - alertmanagers
  - prometheuses
  - prometheuses/finalizers
  - alertmanagers/finalizers
  - servicemonitors
  - podmonitors
  - prometheusrules
  - probes
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "create"
  - "update"
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
- apiGroups: [""]
  resources:
  - nodes
  - pods
  - resourcequotas
  - replicationcontrollers
  verbs: ["list", "watch", "get"]
- apiGroups: [""]
  resources: ["services", "endpoints"]
  verbs: ["get", "list", "watch", "create", "update"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs: ["list", "watch", "get"]
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["list", "watch", "get"]
- apiGroups: ["apps"]
  resources: ["services", "endpoints"]
  verbs: ["get", "list", "watch", "create", "update"]
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
  - create
  - update
- apiGroups: ["apps"]
  resources: ["services/proxy"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get", "list", "watch"]

Role: cms-prometheus-operator-role.
Purpose: Grants the Prometheus Operator operation permissions on specific, named workload resources within a single namespace.
Permission checklist:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cms-prometheus-operator-role
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - deletecollection
  - patch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups: ["apps"]
  resources:
  - deployments
  - replicasets
  resourceNames: ["{{ template "fullname" . }}"]
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups: [""]
  resources: ["services", "endpoints"]
  resourceNames: ["kubelet"]
  verbs: ["get", "list", "watch", "create", "update"]

ClusterRole: cms-kube-meta-role (for self-managed scenarios) / cms-kube-meta-managed-role (for managed scenarios).
Purpose: Grants the kube-state-metrics and Entity Collector components the required read permissions for resources.
Permission checklist:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cms-kube-meta-role
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - nodes
  - pods
  - services
  - resourcequotas
  - replicationcontrollers
  - limitranges
  - persistentvolumeclaims
  - persistentvolumes
  - namespaces
  - endpoints
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - ingresses
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs: ["get", "list", "watch"]
- apiGroups: ["autoscaling"]
  resources:
  - horizontalpodautoscalers
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources:
  - certificatesigningrequests
  verbs: ["get", "list", "watch"]
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
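When reviewing what an agent like this may change in a cluster, it helps to separate the read-only rules from the ones that grant create/update/delete, and to expand any '*' verb explicitly. The following is an added Python example, not code from Cloud Monitor or from this page; OPERATOR_RULES is an excerpt of cms-prometheus-operator-cluster-role transcribed as Python literals (in a real review you would load the full manifest with yaml.safe_load and pass its "rules" list).

```python
"""Audit the write surface granted by a Kubernetes (Cluster)Role's rules."""

# Verbs that mutate cluster state; every other verb is treated as read-only.
MUTATING = {"create", "update", "patch", "delete", "deletecollection"}

# Excerpt of cms-prometheus-operator-cluster-role from the page above, written
# as literals so the example runs offline (constructed transcription).
OPERATOR_RULES = [
    {"apiGroups": ["monitoring.coreos.com"],
     "resources": ["alertmanagers", "prometheuses", "servicemonitors",
                   "podmonitors", "prometheusrules", "probes"],
     "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"],
     "verbs": ["create", "update", "get", "list"]},
    {"apiGroups": [""], "resources": ["nodes", "pods"],
     "verbs": ["list", "watch", "get"]},
    {"apiGroups": [""], "resources": ["services", "endpoints"],
     "verbs": ["get", "list", "watch", "create", "update"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
]


def write_surface(rules):
    """Return sorted (apiGroup, resource, verb) triples that allow mutation.

    A '*' verb is expanded to every mutating verb, because a wildcard grants
    all of them even though none is spelled out in the manifest.
    """
    found = set()
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        writes = MUTATING if "*" in verbs else verbs & MUTATING
        if not writes:
            continue  # purely read-only rule, nothing to report
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                for verb in writes:
                    found.add((group or "core", res, verb))
        # nonResourceURLs have no apiGroup/resource; keep them visible anyway
        for url in rule.get("nonResourceURLs", []):
            for verb in writes:
                found.add(("nonResourceURL", url, verb))
    return sorted(found)


def resources_with_wildcard(rules):
    """Return sorted (apiGroup, resource) pairs granted with verbs: ['*']."""
    return sorted({(g or "core", r) for rule in rules
                   if "*" in rule.get("verbs", [])
                   for g in rule.get("apiGroups", [])
                   for r in rule.get("resources", [])})
```

Running write_surface over the full manifests from this page gives the list of objects the agent's ServiceAccount can create or modify, which is what to compare against what your cluster policy allows.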
References
Cloud Monitor also requires management permissions for container clusters. For more information, see Service access authorization for Cloud Monitor management of container clusters.