tencent cloud

Feedback

Instructions for Installing Components in the TKE Cluster

Last updated: 2024-07-23 18:11:09

    Overview

    This document describes the features, use permissions, and resource consumption of various components installed in the user's TKE cluster during the TKE Integration process of TMP.

    proxy-agent

    Component Overview

    The TKE cluster has independent network environment. Therefore, the proxy-agent is deployed within the cluster to provide access proxies for collection components outside the cluster. On one hand, external collection components discover resources within the cluster through the proxy-agent service; on the other hand, they scrape metrics through the proxy-agent and write them to the time series storage of the Prometheus instance.

    Resource Objects Deployed in the Cluster

    Namespace
    Kubernetes Object Name
    Type
    Resource Amount
    Description
    <Prometheus instance ID>
    proxy-agent
    Deployment
    0.25C256Mi*2
    Collection proxy
    <Prometheus instance ID>
    <Prometheus instance ID>
    ServiceAccount
    -
    Permission carrier
    -
    <Prometheus instance ID>
    ClusterRole
    -
    Collection permissions related
    -
    <Prometheus instance ID>-crb
    ClusterRoleBinding
    -
    Collection permissions related

    Component Permission Description

    Permission Scenarios

    Feature
    Involved Objects
    Involved Operation Permissions
    Collection configuration management
    scrapeconfigs,servicemonitors,podmonitors,probes,configmaps,secrets,namespaces
    get/list/watch
    Service discovery
    services,endpoints,nodes,pods,ingresses
    get/list/watch
    Scraping some system component metrics
    nodes/metrics,nodes/proxy,pods/proxy
    get/list/watch
    Scraping metrics with RBAC authentication
    /metrics,/metrics/cadvisor
    get

    Permission Definition

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: prom-instance
    rules:
    - apiGroups:
    - monitoring.coreos.com
    resources:
    - scrapeconfigs
    - servicemonitors
    - podmonitors
    - probes
    - prometheuses
    - prometheusrules
    verbs:
    - get
    - list
    - watch
    - apiGroups:
    - ""
    resources:
    - namespaces
    - configmaps
    - secrets
    - nodes
    - services
    - endpoints
    - pods
    verbs:
    - get
    - list
    - watch
    - apiGroups:
    - networking.k8s.io
    resources:
    - ingresses
    verbs:
    - get
    - list
    - watch
    - apiGroups: [ "" ]
    resources:
    - nodes/metrics
    - nodes/proxy
    - pods/proxy
    verbs:
    - get
    - list
    - watch
    - nonResourceURLs: [ "/metrics", "/metrics/cadvisor" ]
    verbs:
    - get

    tke-kube-state-metrics

    Component Overview

    tke-kube-state-metrics uses the open-source component kube-state-metrics, listens to the cluster's API server, and generates status metrics for various objects within the cluster.

    Resource Objects Deployed in the Cluster

    Namespace
    Kubernetes Object Name
    Type
    Resource Amount
    Description
    kube-system
    tke-kube-state-metrics
    Statefulset
    0.5C512Mi
    Collection program
    kube-system
    tke-kube-state-metrics
    ServiceAccount
    -
    Permission carrier
    -
    tke-kube-state-metrics
    ClusterRole
    -
    Collection permissions related
    -
    tke-kube-state-metrics
    ClusterRoleBinding
    -
    Collection permissions related
    kube-system
    tke-kube-state-metrics
    Service
    -
    Collection agent corresponding service, for service discovery use
    kube-system
    tke-kube-state-metrics
    ServiceMonitor
    -
    Collection configuration
    kube-system
    tke-kube-state-metrics
    Role
    -
    Shard collection permission related
    kube-system
    tke-kube-state-metrics
    RoleBinding
    -
    Shard collection permission related

    Component Permission Description

    Permission Scenarios

    Feature
    Involved Objects
    Involved Operation Permissions
    Listening to the status of various resources in the cluster
    Most Kubernetes resources
    list/watch
    Get the shard number of the collection pod
    statefulsets, pods
    get

    Permission Definition

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: tke-kube-state-metrics
    rules:
    - apiGroups:
    - ""
    resources:
    - configmaps
    - secrets
    - nodes
    - pods
    - services
    - serviceaccounts
    - resourcequotas
    - replicationcontrollers
    - limitranges
    - persistentvolumeclaims
    - persistentvolumes
    - namespaces
    - endpoints
    verbs:
    - list
    - watch
    - apiGroups:
    - apps
    resources:
    - statefulsets
    - daemonsets
    - deployments
    - replicasets
    verbs:
    - list
    - watch
    - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - list
    - watch
    - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - list
    - watch
    - apiGroups:
    - authentication.k8s.io
    resources:
    - tokenreviews
    verbs:
    - create
    - apiGroups:
    - authorization.k8s.io
    resources:
    - subjectaccessreviews
    verbs:
    - create
    - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - list
    - watch
    - apiGroups:
    - certificates.k8s.io
    resources:
    - certificatesigningrequests
    verbs:
    - list
    - watch
    - apiGroups:
    - storage.k8s.io
    resources:
    - storageclasses
    - volumeattachments
    verbs:
    - list
    - watch
    - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - mutatingwebhookconfigurations
    - validatingwebhookconfigurations
    verbs:
    - list
    - watch
    - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - list
    - watch
    - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - list
    - watch
    - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - clusterrolebindings
    - clusterroles
    - rolebindings
    - roles
    verbs:
    - list
    - watch
    ---
    kind: Role
    metadata:
    name: tke-kube-state-metrics
    namespace: kube-system
    rules:
    - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - apiGroups:
    - apps
    resourceNames:
    - tke-kube-state-metrics
    resources:
    - statefulsets
    verbs:
    - get
    

    tke-node-exporter

    Component Overview

    tke-node-exporter uses the open-source project node_exporter, deployed on each node in the cluster to collect hardware and Unix-like operating system metrics.

    Resources Deployed in the Cluster

    Namespace
    Kubernetes Object Name
    Type
    Resource Amount
    Description
    kube-system
    tke-node-exporter
    DaemonSet
    0.1C180Mi*node amount
    Collection program
    kube-system
    tke-node-exporter
    Service
    -
    Collection program corresponding service, for service discovery use
    kube-system
    tke-node-exporter
    ServiceMonitor
    -
    Collection configuration

    Component Permission Description

    This component does not use any cluster permissions.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support