
CloudMonitor: Description of the data-collection permissions that container clusters grant to CloudMonitor

Updated on: Nov 01, 2025

When you use CloudMonitor Container Insights, a Prometheus Agent is deployed in the cluster to collect data. After the Agent is deployed, it delivers to the cluster the ClusterRoles and the Role that grant the Prometheus Operator read permissions on the resources it needs and operation permissions on workloads in a restricted namespace. This topic describes those roles rule by rule.

Permission description

  • ClusterRole: cms-prometheus-operator-cluster-role (non-managed scenario) / cms-prometheus-operator-managed-role (managed scenario).

  • Purpose: grants the Prometheus Operator read permissions on the resources it needs and operation permissions on a limited set of resources, used for service discovery and related operations. Three points in this role deserve attention when reviewing it: the rule for the monitoring.coreos.com resources uses the wildcard verb '*'; the role grants get, list and watch on the nodes/proxy and services/proxy subresources cluster-wide, which let the Operator's service account reach the kubelet API on every node and any Service through the API server proxy; and it grants create and update on services, endpoints and endpointslices in every namespace. The rules that list services, endpoints and services/proxy under the apps API group grant nothing, because those resources exist only in the core ("") API group; the effective grants are the core-group rules.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cms-prometheus-operator-cluster-role
    rules:
    - apiGroups:
      - monitoring.coreos.com
      resources:
      - alertmanagers
      - prometheuses
      - prometheuses/finalizers
      - alertmanagers/finalizers
      - servicemonitors
      - podmonitors
      - prometheusrules
      - probes
      verbs:
      - '*'
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - "create"
      - "update"
      - "get"
      - "list"
    - apiGroups:
      - ""
      resources:
      - nodes/metrics
      - nodes/proxy
      verbs:
      - get
      - list
      - watch
    - nonResourceURLs:
      - /metrics
      verbs:
      - get
    - apiGroups: [""]
      resources:
      - nodes
      - pods
      - resourcequotas
      - replicationcontrollers
      verbs: ["list", "watch", "get"]
    - apiGroups: [""]
      resources: ["services","endpoints"]
      verbs: ["get", "list", "watch", "create", "update"]
    - apiGroups: ["batch"]
      resources:
      - cronjobs
      - jobs
      verbs: ["list", "watch", "get"]
    - apiGroups: ["policy"]
      resources:
      - poddisruptionbudgets
      verbs: ["list", "watch", "get"]
    - apiGroups: ["apps"]
      resources: ["services","endpoints"]
      verbs: ["get", "list", "watch", "create", "update"]
    - apiGroups:
        - discovery.k8s.io
      resources:
        - endpointslices
      verbs:
        - get
        - list
        - watch
        - create
        - update
    - apiGroups: ["apps"]
      resources: ["services/proxy"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources: ["services/proxy"]
      verbs: ["get", "list", "watch"]

  • Role: cms-prometheus-operator-role.

  • Purpose: grants the Prometheus Operator the workload operation permissions it needs, restricted to the release namespace and to specific resources. The deployments and replicasets rule is limited by resourceNames to the chart's own release, and the services and endpoints rule to the name kubelet. Keep in mind how resourceNames interacts with verbs: a create request carries no object name at authorization time, so the create verb in a rule with resourceNames grants nothing in practice, and list or watch under such a rule are authorized only when the request includes a metadata.name field selector matching the listed name. The configmaps rule has no name restriction and includes delete and deletecollection, so it is full write access to every ConfigMap in that namespace.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cms-prometheus-operator-role
      namespace: {{ .Release.Namespace }}
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
      - patch
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups: ["apps"]
      resources:
      - deployments
      - replicasets
      resourceNames: ["{{ template "fullname" . }}"]
      verbs:
      - get
      - list
      - watch
      - update
      - patch
    - apiGroups: [""]
      resources: ["services","endpoints"]
      resourceNames: ["kubelet"]
      verbs: ["get", "list", "watch", "create", "update"]

  • ClusterRole: cms-kube-meta-role (non-managed scenario) / cms-kube-meta-managed-role (managed scenario).

  • Purpose: grants the read permissions on resources that kube-state-metrics and the Entity Collector component need. Every rule in this role is read-only (get, list, watch) and none of them covers secrets; it does, however, allow reading the contents of ConfigMaps in every namespace, which is worth knowing when ConfigMaps carry configuration you consider sensitive.

  • Permission list:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cms-kube-meta-role
    rules:
    - apiGroups: [""]
      resources:
      - configmaps
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
      verbs: ["get", "list", "watch"]
    - apiGroups: ["extensions"]
      resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
      verbs: ["get", "list", "watch"]
    - apiGroups: ["batch"]
      resources:
      - cronjobs
      - jobs
      verbs: ["get", "list", "watch"]
    - apiGroups: ["autoscaling"]
      resources:
      - horizontalpodautoscalers
      verbs: ["get", "list", "watch"]
    - apiGroups: ["policy"]
      resources:
      - poddisruptionbudgets
      verbs: ["get", "list", "watch"]
    - apiGroups: ["certificates.k8s.io"]
      resources:
        - certificatesigningrequests
      verbs: ["get", "list", "watch"]
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingresses
        - networkpolicies
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - storage.k8s.io
      resources:
        - storageclasses
        - volumeattachments
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - admissionregistration.k8s.io
      resources:
        - mutatingwebhookconfigurations
        - validatingwebhookconfigurations
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - coordination.k8s.io
      resources:
        - leases
      verbs:
        - get
        - list
        - watch

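The three roles above can be checked against what is actually deployed instead of being taken from this page. The following script is an added example (it is not CloudMonitor's or the Prometheus Operator's own tooling): it reads one ClusterRole or Role, or the List that `kubectl get clusterrole,role -A -o json` emits, from standard input and reports the grants a reviewer looks at first: wildcard verbs or resources, any verb on the kubelet and Service proxy subresources, secrets, pods/exec and pods/portforward, write verbs on endpoints or endpointslices (which can repoint a Service), and write verbs on any other resource. The SAMPLE document is constructed for this example by transcribing a subset of the documented cms-prometheus-operator-cluster-role into that JSON shape; the set of sensitive resources and the reasons attached to them are this example's own judgement, not part of the page.

```python
"""Audit Kubernetes (Cluster)Roles for grants a reviewer should look at first.

Usage (example code, not part of CloudMonitor):
  kubectl get clusterrole cms-prometheus-operator-cluster-role -o json | python3 rbac_audit.py
  kubectl get clusterrole,role -A -o json | python3 rbac_audit.py
With no piped input it audits the constructed SAMPLE below.
"""
import json
import sys

# Resources and subresources that matter at any verb. The reasons are this
# example's own assessment of standard Kubernetes RBAC semantics.
SENSITIVE = {
    ("", "nodes/proxy"): "kubelet API on every node: get reads /pods and container logs, create would allow exec",
    ("", "services/proxy"): "HTTP requests to any Service through the API server",
    ("", "secrets"): "Secret contents",
    ("", "pods/exec"): "shell into running pods",
    ("", "pods/portforward"): "TCP access to running pods",
}
# Verbs that change state. Writes to endpoints/endpointslices are reported with
# their own reason because they change which backends a Service resolves to.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
TRAFFIC_STEERING = {("", "endpoints"), ("discovery.k8s.io", "endpointslices")}


def audit_rules(rules):
    """Return (apiGroup, resource, reason) triples for every rule worth review."""
    findings = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                key = (group, res)
                if "*" in verbs or res == "*":
                    findings.append((group, res, "wildcard verbs or resources"))
                elif key in SENSITIVE:
                    findings.append((group, res, SENSITIVE[key]))
                elif key in TRAFFIC_STEERING and verbs & WRITE_VERBS:
                    findings.append((group, res, "can repoint a Service at arbitrary backends"))
                elif verbs & WRITE_VERBS:
                    writes = ",".join(sorted(verbs & WRITE_VERBS))
                    findings.append((group, res, "write verbs: " + writes))
        for url in rule.get("nonResourceURLs", []):
            # A monitoring agent is expected to need only get on /metrics-style paths.
            if url == "*" or "*" in verbs or verbs - {"get"}:
                findings.append(("nonResourceURL", url, "more than get on a non-resource URL"))
    return findings


def audit_document(doc):
    """Audit a single (Cluster)Role object or a kubectl List of them."""
    items = doc.get("items", [doc])
    return {item["metadata"]["name"]: audit_rules(item.get("rules", []))
            for item in items}


# Constructed sample: a subset of the documented cms-prometheus-operator-cluster-role,
# transcribed into the JSON shape `kubectl get clusterrole -o json` emits.
SAMPLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cms-prometheus-operator-cluster-role"},
    "rules": [
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["prometheuses", "servicemonitors"], "verbs": ["*"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["create", "update", "get", "list"]},
        {"apiGroups": [""], "resources": ["nodes/metrics", "nodes/proxy"],
         "verbs": ["get", "list", "watch"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["list", "watch", "get"]},
        {"apiGroups": [""], "resources": ["services", "endpoints"],
         "verbs": ["get", "list", "watch", "create", "update"]},
        {"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, found in audit_document(doc).items():
        print(f"== {name}: {len(found)} finding(s)")
        for group, res, reason in found:
            print(f"  {group or 'core'} {res}: {reason}")
```

Run it against the live cluster after the Agent is installed and compare the output with the rules listed on this page; any grant present in the cluster but absent here is drift worth raising, and the findings on the documented role itself (wildcard verbs on the monitoring.coreos.com resources, nodes/proxy, services/proxy, and the endpoints write) are the ones to weigh against what the Operator actually needs in your environment.
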
Related documentation

When CloudMonitor observes a container cluster, it also requires management (control-plane) permissions on that cluster. For details, see Description of the management service authorization that container clusters grant to CloudMonitor.