Components installed in a TKE cluster

Last updated: 2024-10-25 18:14:02


Overview

This document describes the function, the permissions, and the resource usage of each component that the Prometheus monitoring service installs in a user's TKE cluster when it is integrated with the container service (TKE).

proxy-agent

Component description

Because a TKE cluster has its own isolated network environment, proxy-agent is deployed inside the cluster to act as an access proxy for the collection components that run outside it. The external collection components use proxy-agent both to discover resources inside the cluster and to scrape metrics, which are then written to the time-series storage of the Prometheus instance.

Resource objects deployed in the cluster

| Namespace | Kubernetes object name | Type | Resources | Description |
| --- | --- | --- | --- | --- |
| <Prometheus instance ID> | proxy-agent | Deployment | 0.25C 256Mi × 2 | Collection proxy |
| <Prometheus instance ID> | <Prometheus instance ID> | ServiceAccount | - | Permission holder |
| - | <Prometheus instance ID> | ClusterRole | - | Collection permissions |
| - | <Prometheus instance ID>-crb | ClusterRoleBinding | - | Collection permissions |
| <Prometheus instance ID> | <Prometheus instance ID> | Role | - | Additional management permissions for external clusters |
| <Prometheus instance ID> | <Prometheus instance ID>-rb | RoleBinding | - | Additional management permissions for external clusters |

Component permissions

Permission scenarios

| Function | Objects involved | Verbs involved |
| --- | --- | --- |
| Collection configuration management | scrapeconfigs, servicemonitors, podmonitors, probes, configmaps, secrets, namespaces | get/list/watch |
| Service discovery | services, endpoints, nodes, pods, ingresses | get/list/watch |
| Metric scraping for some system components | nodes/metrics, nodes/proxy, pods/proxy | get/list/watch |
| Metric scraping with RBAC authorization | /metrics, /metrics/cadvisor | get |

Additional permission scenarios for external Kubernetes clusters

| Function | Objects involved | Verbs involved |
| --- | --- | --- |
| Collection configuration management | scrapeconfigs, servicemonitors, podmonitors, probes | * (all) |
| Managing the dedicated collection namespace | <Prometheus instance ID>/* | * (all) |

Permission definitions

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prom-instance
rules:
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - scrapeconfigs
      - servicemonitors
      - podmonitors
      - probes
      - prometheuses
      - prometheusrules
    verbs:
      - get
      - list
      - watch
      # used for external Kubernetes clusters
      # - "*"
  - apiGroups:
      - ""
    resources:
      - namespaces
      - configmaps
      - secrets
      - nodes
      - services
      - endpoints
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups: [ "" ]
    resources:
      - nodes/metrics
      - nodes/proxy
      - pods/proxy
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs: [ "/metrics", "/metrics/cadvisor" ]
    verbs:
      - get
---
# used for external Kubernetes clusters
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prom-instance
  namespace: prom-instance
rules:
  - apiGroups: [ "", "extensions", "apps" ]
    resources: [ "*" ]
    verbs: [ "*" ]

tke-kube-state-metrics

Component description

tke-kube-state-metrics is built on the open-source component kube-state-metrics. It watches the cluster's API server and generates state metrics for the various objects in the cluster.

Resource objects deployed in the cluster

| Namespace | Kubernetes object name | Type | Resources | Description |
| --- | --- | --- | --- | --- |
| kube-system | tke-kube-state-metrics | StatefulSet | 0.5C 512Mi | Collector |
| kube-system | tke-kube-state-metrics | ServiceAccount | - | Permission holder |
| - | tke-kube-state-metrics | ClusterRole | - | Collection permissions |
| - | tke-kube-state-metrics | ClusterRoleBinding | - | Collection permissions |
| kube-system | tke-kube-state-metrics | Service | - | Service for the collector, used by service discovery |
| kube-system | tke-kube-state-metrics | ServiceMonitor | - | Collection configuration |
| kube-system | tke-kube-state-metrics | Role | - | Sharded collection permissions |
| kube-system | tke-kube-state-metrics | RoleBinding | - | Sharded collection permissions |

Component permissions

Permission scenarios

| Function | Objects involved | Verbs involved |
| --- | --- | --- |
| Watching the state of the various resources in the cluster | Most Kubernetes resources | list/watch |
| Getting the shard index of the collector Pod | statefulsets, pods | get |

Permission definitions

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tke-kube-state-metrics
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - serviceaccounts
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs:
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - daemonsets
      - deployments
      - replicasets
    verbs:
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - list
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - list
      - watch
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
      - volumeattachments
    verbs:
      - list
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
      - ingresses
    verbs:
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
    verbs:
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tke-kube-state-metrics
  namespace: kube-system
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - apps
    resourceNames:
      - tke-kube-state-metrics
    resources:
      - statefulsets
    verbs:
      - get
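The permission definitions above are easiest to reason about by asking concrete questions of them, the way `kubectl auth can-i --as=system:serviceaccount:<ns>:<name>` would against a live cluster. The script below is an added example, not code from this page or from Tencent Cloud: it transcribes the proxy-agent ClusterRole, the external-cluster Role and the kube-state-metrics sharding Role into Python and evaluates requests against them offline with a small evaluator written here to follow the documented RBAC semantics (wildcards in verbs, apiGroups and resources, the `resource/subresource` and `*/subresource` forms, `resourceNames`, and `nonResourceURLs` with a trailing `*`). The evaluator is an assumption of this example, not the API server's code; the rule sets are the page's. It also flags what a least-privilege review of these roles looks at first: wildcard grants and Secret access.

```python
"""Offline RBAC evaluator for the roles documented on this page (added example).

Rule sets are transcribed from the page's YAML.  The matching logic below is an
assumption of this example, modelled on Kubernetes RBAC semantics; it is not
the API server's own authorizer.
"""

# --- rule sets transcribed from the page ----------------------------------
PROXY_AGENT_CLUSTERROLE = [
    {"apiGroups": ["monitoring.coreos.com"],
     "resources": ["scrapeconfigs", "servicemonitors", "podmonitors", "probes",
                   "prometheuses", "prometheusrules"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""],
     "resources": ["namespaces", "configmaps", "secrets", "nodes", "services",
                   "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/metrics", "nodes/proxy", "pods/proxy"],
     "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/metrics", "/metrics/cadvisor"], "verbs": ["get"]},
]

# Role used only for external clusters: namespace-scoped, but fully wildcarded.
PROXY_AGENT_EXTERNAL_ROLE = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
]

# kube-state-metrics sharding Role: get pods, and get only its own StatefulSet.
KSM_ROLE = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "resourceNames": ["tke-kube-state-metrics"], "verbs": ["get"]},
]


def _matches(allowed, wanted):
    """Verb / apiGroup matching: an exact entry or the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed, resource):
    """'pods/proxy' must be listed as such (or as '*/proxy'); a bare 'pods'
    entry does not cover the subresource, while '*' covers everything."""
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False


def _url_matches(pattern, url):
    """nonResourceURLs: exact match, or prefix match when the pattern ends in '*'."""
    if pattern == "*" or pattern == url:
        return True
    return pattern.endswith("*") and url.startswith(pattern[:-1])


def rule_allows(rule, verb, group="", resource=None, name=None, url=None):
    """True if a single PolicyRule grants the request (resource or non-resource)."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if url is not None:  # non-resource request such as GET /metrics
        return any(_url_matches(p, url) for p in rule.get("nonResourceURLs", []))
    if "resources" not in rule:  # a nonResourceURLs rule never grants resource access
        return False
    if not _matches(rule.get("apiGroups", []), group):
        return False
    if not _resource_matches(rule["resources"], resource):
        return False
    names = rule.get("resourceNames")
    if names:  # restricted to the named objects only
        return name is not None and name in names
    return True


def can_i(rules, verb, group="", resource=None, name=None, url=None):
    """RBAC is purely additive: the request is allowed if any rule allows it."""
    return any(rule_allows(r, verb, group, resource, name, url) for r in rules)


def audit(rules):
    """Least-privilege review: list wildcard grants and Secret access first."""
    findings = []
    for i, r in enumerate(rules):
        if "*" in r.get("verbs", []) or "*" in r.get("resources", []):
            findings.append(f"rule {i}: wildcard grant on apiGroups={r.get('apiGroups')} "
                            f"resources={r.get('resources')} verbs={r['verbs']}")
        if "secrets" in r.get("resources", []):
            findings.append(f"rule {i}: Secret access with verbs {r['verbs']}")
    return findings


if __name__ == "__main__":
    checks = [
        ("proxy-agent: get secrets", can_i(PROXY_AGENT_CLUSTERROLE, "get", "", "secrets")),
        ("proxy-agent: get pods/proxy", can_i(PROXY_AGENT_CLUSTERROLE, "get", "", "pods/proxy")),
        ("proxy-agent: get pods/log", can_i(PROXY_AGENT_CLUSTERROLE, "get", "", "pods/log")),
        ("proxy-agent: GET /metrics/cadvisor", can_i(PROXY_AGENT_CLUSTERROLE, "get", url="/metrics/cadvisor")),
        ("external Role: delete apps/deployments", can_i(PROXY_AGENT_EXTERNAL_ROLE, "delete", "apps", "deployments")),
        ("ksm Role: get its own StatefulSet", can_i(KSM_ROLE, "get", "apps", "statefulsets", name="tke-kube-state-metrics")),
        ("ksm Role: get another StatefulSet", can_i(KSM_ROLE, "get", "apps", "statefulsets", name="other")),
    ]
    for label, allowed in checks:
        print(f"{'ALLOW' if allowed else 'DENY':5} {label}")
    for label, rules in (("proxy-agent ClusterRole", PROXY_AGENT_CLUSTERROLE),
                         ("proxy-agent external Role", PROXY_AGENT_EXTERNAL_ROLE),
                         ("ksm Role", KSM_ROLE)):
        print(f"{label}: {audit(rules) or ['no findings']}")
```

Two results are worth noting when reviewing these roles. The proxy-agent ClusterRole can read Secrets with get/list/watch, which is what the "collection configuration management" scenario requires, so the ClusterRoleBinding makes that read access cluster-wide; the external-cluster Role, by contrast, is namespace-scoped, so its `*`/`*` wildcard stays confined to the `prom-instance` namespace. The kube-state-metrics Role shows the `resourceNames` pattern: a get on the StatefulSet succeeds only for the object named `tke-kube-state-metrics`, and list/watch on the collection is not granted at all.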


tke-node-exporter

Component description

tke-node-exporter is built on the open-source project node_exporter. It is deployed on every node in the cluster and collects hardware and Unix-like operating system metrics.

Resources deployed in the cluster

| Namespace | Kubernetes object name | Type | Resources | Description |
| --- | --- | --- | --- | --- |
| kube-system | tke-node-exporter | DaemonSet | 0.1C 180Mi × number of nodes | Collector |
| kube-system | tke-node-exporter | Service | - | Service for the collector, used by service discovery |
| kube-system | tke-node-exporter | ServiceMonitor | - | Collection configuration |

Component permissions

This component does not use any cluster permissions.