概述
proxy-agent
组件介绍
由于 TKE 集群有独立的网络环境,proxy-agent 部署在集群内为集群外的采集组件提供访问代理。外部采集组件一方面通过 proxy-agent 服务发现集群内的资源,另一方面通过 proxy-agent 抓取指标并写到 Prometheus 实例的时序存储中。
部署在集群内的资源对象
Namespace | kubernetes 对象名称 | 类型 | 资源量 | 说明 |
<Prometheus 实例 ID> | proxy-agent | Deployment | 0.25C256Mi*2 | 采集代理 |
<Prometheus 实例 ID> | <Prometheus 实例 ID> | ServiceAccount | - | 权限载体 |
- | <Prometheus 实例 ID> | ClusterRole | - | 采集权限相关 |
- | <Prometheus 实例 ID>-crb | ClusterRoleBinding | - | 采集权限相关 |
组件权限说明
权限场景
功能 | 涉及对象 | 涉及操作权限 |
采集配置管理 | scrapeconfigs,servicemonitors,podmonitors,probes,configmaps,secrets,namespaces | get/list/watch |
服务发现 | services,endpoints,nodes,pods,ingresses | get/list/watch |
部分系统组件指标抓取 | nodes/metrics,nodes/proxy,pods/proxy | get/list/watch |
带 RBAC 鉴权的指标抓取 | /metrics,/metrics/cadvisor | get |
权限定义
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: prom-instancerules:- apiGroups:- monitoring.coreos.comresources:- scrapeconfigs- servicemonitors- podmonitors- probes- prometheuses- prometheusrulesverbs:- get- list- watch- apiGroups:- ""resources:- namespaces- configmaps- secrets- nodes- services- endpoints- podsverbs:- get- list- watch- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch- apiGroups: [ "" ]resources:- nodes/metrics- nodes/proxy- pods/proxyverbs:- get- list- watch- nonResourceURLs: [ "/metrics", "/metrics/cadvisor" ]verbs:- get
tke-kube-state-metrics
组件介绍
部署在集群内的资源对象
Namespace | kubernetes 对象名称 | 类型 | 资源量 | 说明 |
kube-system | tke-kube-state-metrics | Statefulset | 0.5C512Mi | 采集程序 |
kube-system | tke-kube-state-metrics | ServiceAccount | - | 权限载体 |
- | tke-kube-state-metrics | ClusterRole | - | 采集权限相关 |
- | tke-kube-state-metrics | ClusterRoleBinding | - | 采集权限相关 |
kube-system | tke-kube-state-metrics | Service | - | 采集程序对应服务,供服务发现使用 |
kube-system | tke-kube-state-metrics | ServiceMonitor | - | 采集配置 |
kube-system | tke-kube-state-metrics | Role | - | 分片采集权限相关 |
kube-system | tke-kube-state-metrics | RoleBinding | - | 分片采集权限相关 |
组件权限说明
权限场景
功能 | 涉及对象 | 涉及操作权限 |
监听集群内各种资源的状态 | 绝大部分 Kubernetes 资源 | list/watch |
获取采集 Pod 所在分片序号 | statefulsets,pods | get |
权限定义
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: tke-kube-state-metricsrules:- apiGroups:- ""resources:- configmaps- secrets- nodes- pods- services- serviceaccounts- resourcequotas- replicationcontrollers- limitranges- persistentvolumeclaims- persistentvolumes- namespaces- endpointsverbs:- list- watch- apiGroups:- appsresources:- statefulsets- daemonsets- deployments- replicasetsverbs:- list- watch- apiGroups:- batchresources:- cronjobs- jobsverbs:- list- watch- apiGroups:- autoscalingresources:- horizontalpodautoscalersverbs:- list- watch- apiGroups:- authentication.k8s.ioresources:- tokenreviewsverbs:- create- apiGroups:- authorization.k8s.ioresources:- subjectaccessreviewsverbs:- create- apiGroups:- policyresources:- poddisruptionbudgetsverbs:- list- watch- apiGroups:- certificates.k8s.ioresources:- certificatesigningrequestsverbs:- list- watch- apiGroups:- storage.k8s.ioresources:- storageclasses- volumeattachmentsverbs:- list- watch- apiGroups:- admissionregistration.k8s.ioresources:- mutatingwebhookconfigurations- validatingwebhookconfigurationsverbs:- list- watch- apiGroups:- networking.k8s.ioresources:- networkpolicies- ingressesverbs:- list- watch- apiGroups:- coordination.k8s.ioresources:- leasesverbs:- list- watch- apiGroups:- rbac.authorization.k8s.ioresources:- clusterrolebindings- clusterroles- rolebindings- rolesverbs:- list- watch---kind: Rolemetadata:name: tke-kube-state-metricsnamespace: kube-systemrules:- apiGroups:- ""resources:- podsverbs:- get- apiGroups:- appsresourceNames:- tke-kube-state-metricsresources:- statefulsetsverbs:- get
tke-node-exporter
组件介绍
部署在集群内的资源
Namespace | kubernetes 对象名称 | 类型 | 资源量 | 说明 |
kube-system | tke-node-exporter | DaemonSet | 0.1C180Mi*node数量 | 采集程序 |
kube-system | tke-node-exporter | Service | - | 采集程序对应服务,供服务发现使用 |
kube-system | tke-node-exporter | ServiceMonitor | - | 采集配置 |
组件权限说明
该组件不使用任何集群权限。
