The components involved are tke-eni-agent, tke-eni-ipamd and tke-eni-ip-scheduler.

tke-eni-agent runs as a daemonset. It installs tke-route-eni, tke-eni-ipamc and other CNI plugins into the node's CNI executable directory (it is set to /opt/cni/bin by default) and generates the CNI configuration in the node's CNI configuration directory (it is set to /etc/cni/net.d/ by default).

tke-eni-ipamd runs as a deployment.

tke-eni-ip-scheduler runs as a deployment only in static IP address mode, acting as an extension plugin for scheduling.

The responsibilities and required permissions of each component are described below.

Permissions of tke-eni-agent:

| Feature | Involved Object | Involved Operation Permission |
| --- | --- | --- |
| Obtaining information about pods and nodes during IP allocation. | pods, namespaces, and nodes | get/list/watch |
| Obtaining the network configuration information. | configmaps | get/list/watch |
| Managing the network extended resources of the nodes, such as tke.cloud.tencent.com/eni-ip. | nodes/status | get/list/watch/patch |
| Obtaining IP, Network Interface Card, and other network configuration details through custom objects, and collaborating with the tke-eni-ipamd component. | networking.tke.cloud.tencent.com groups | get/list/watch/delete/update |
| Exposing the working status of the component through events, together with information about changes to the node network. | events | get/list/watch/create/update/patch |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tke-eni-agent
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  - configmaps
  verbs: ["list", "watch", "get"]
- apiGroups: [""]
  resources:
  - nodes/status
  verbs: ["list", "watch", "get", "patch"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources:
  - underlayips
  - nodeeniconfigs
  - vpcipclaims
  - vpcips
  - vpcenis
  verbs: ["get", "list", "watch", "delete", "update"]
- apiGroups: [""]
  resources:
  - events
  verbs: ["list", "watch", "get", "update", "patch", "create"]
```
Permissions of tke-eni-ipamd:

| Feature | Involved Object | Involved Operation Permission |
| --- | --- | --- |
| Obtaining information about pods and nodes during IP allocation. | pods, namespaces, nodes, and nodes/status | get/list/watch |
| When allocating an IP to a super node's Pod, writing the allocation information into the Pod's annotations. | pods | update/patch |
| In the global routing mode, writing the podCIDR assigned to the node onto the node object. When working together with node auto-scaling, also updating the node's conditions and taints. | nodes, and nodes/status | update/patch |
| Multi-replica operation is based on LeaderElection, which requires read and write access to the associated configmaps or endpoints; operational information is exposed via events. | configmaps, endpoints, and events | get/list/watch/create/update/patch |
| When a Pod with a fixed IP is terminated, obtaining its associated workload to determine whether the fixed IP needs to be released. | statefulsets and deployments | get/list/watch |
| Using custom objects to manage the relevant network resources (Elastic Network Interface, IP, Security Group, etc.). | customresourcedefinitions | create/update/get |
| | networking.tke.cloud.tencent.com apiGroups | get/list/watch/create/update/patch/delete |
| Obtaining information about native nodes. | node.tke.cloud.tencent.com apiGroups | get/list/watch |
| Registering node-related capabilities, which requires collaboration with the Cilium component. | cilium.io apiGroups | get/list/watch/create/update/patch/delete |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: tke-eni-ipamd
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  - nodes/status
  verbs: ["list", "watch", "get", "patch", "update"]
- apiGroups: [""]
  resources:
  - configmaps
  - endpoints
  - events
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["apps", "extensions"]
  resources:
  - statefulsets
  - deployments
  verbs: ["list", "watch", "get"]
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  verbs: ["create", "update", "get"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources:
  - staticipconfigs
  - underlayips
  - nodeeniconfigs
  - vpcipclaims
  - vpcips
  - eipclaims
  - vpcenis
  verbs: ["create", "update", "delete", "get", "list", "watch", "patch"]
- apiGroups: ["node.tke.cloud.tencent.com"]
  resources:
  - machines
  verbs: ["get", "list", "watch"]
- apiGroups: ["cilium.io"]
  resources:
  - ciliumnodes
  - ciliumnodes/status
  - ciliumnodes/finalizers
  verbs: ["create", "update", "delete", "get", "list", "watch", "patch"]
```
Permissions of tke-eni-ip-scheduler:

| Feature | Involved Object | Involved Operation Permission |
| --- | --- | --- |
| bindVerb needs to be extended to resolve IP allocation conflicts when Pods are bound concurrently. | pods/binding | get/list/watch/create/update/patch |
| Multi-replica operation is based on LeaderElection, which requires read and write access to the associated configmaps or endpoints; operational information is exposed via events. | configmaps, endpoints, and events | get/list/watch/create/update/patch |
| Obtaining information about pods and nodes during scheduler extension. | pods, namespaces, nodes, and nodes/status | get/list/watch |
| Interacting with the component's custom objects during scheduler extension, so that IPs are fully allocated and IP allocation conflicts are resolved. | networking.tke.cloud.tencent.com groups | get/list/watch/update |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# kubernetes versions before 1.8.0 should use rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: tke-eni-ip-scheduler
rules:
- apiGroups: [""]
  resources:
  - pods/binding
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "events"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: [""]
  resources: ["pods", "namespaces", "nodes", "nodes/status"]
  verbs: ["list", "watch", "get"]
- apiGroups: ["networking.tke.cloud.tencent.com"]
  resources: ["nodeeniconfigs", "vpcipclaims", "vpcips"]
  verbs: ["get", "list", "watch", "update"]
```
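The three ClusterRoles above are the documented minimum for each component, so the check a cluster operator wants is that the role actually bound in the cluster has not drifted from them. The following is an added example, not part of the TKE documentation or its components: it expands a ClusterRole, in the JSON shape `kubectl get clusterrole <name> -o json` returns, into (apiGroup, resource, verb) triples and reports grants beyond the tke-eni-ip-scheduler table as well as documented grants that are missing. The sample role is constructed here (the page's rules plus one deliberate extra rule), and the DOCUMENTED set can be swapped for the tke-eni-agent or tke-eni-ipamd tables in the same way.

```python
import json

# Documented minimum for tke-eni-ip-scheduler (the table above), expanded to
# (apiGroup, resource, verb) triples; "" is the core API group.
RW = ["get", "list", "watch", "create", "update", "patch"]
RO = ["get", "list", "watch"]
DOCUMENTED = {
    (g, r, v)
    for g, rs, vs in [
        ("", ["pods/binding"], RW),
        ("", ["configmaps", "endpoints", "events"], RW),
        ("", ["pods", "namespaces", "nodes", "nodes/status"], RO),
        ("networking.tke.cloud.tencent.com", ["nodeeniconfigs", "vpcipclaims", "vpcips"], RO + ["update"]),
    ]
    for r in rs for v in vs
}

# Constructed sample in the shape `kubectl get clusterrole <name> -o json` returns:
# the page's rules plus one extra rule, so that drift is visible in the report.
SAMPLE_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "tke-eni-ip-scheduler"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods/binding"], "verbs": RW},
        {"apiGroups": [""], "resources": ["configmaps", "endpoints", "events"], "verbs": RW},
        {"apiGroups": [""], "resources": ["pods", "namespaces", "nodes", "nodes/status"], "verbs": RO},
        {"apiGroups": ["networking.tke.cloud.tencent.com"],
         "resources": ["nodeeniconfigs", "vpcipclaims", "vpcips"], "verbs": RO + ["update"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},  # drift: not in the table
    ],
})

def expand_rules(role: dict) -> set:
    """Flatten PolicyRules into (apiGroup, resource, verb) triples. A wildcard "*" is
    kept literally, so it never equals a documented triple and is reported as excess;
    nonResourceURLs rules carry no resources and are skipped."""
    return {(g, r, v) for rule in role.get("rules", []) for g in rule.get("apiGroups", [])
            for r in rule.get("resources", []) for v in rule.get("verbs", [])}

def audit(role_json: str, documented: set) -> tuple:
    """Return (excess, missing): grants beyond the documented set, and documented
    grants the deployed role lacks (a missing grant would break the component)."""
    granted = expand_rules(json.loads(role_json))
    return granted - documented, documented - granted

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_ROLE_JSON, DOCUMENTED)
    for tag, grants in (("EXCESS", excess), ("MISSING", missing)):
        for g, r, v in sorted(grants):
            print(f"{tag} {g or 'core'} {r} {v}")
```

Feeding the real `kubectl ... -o json` output to `audit` in place of the constructed sample gives the same report for a live cluster.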