
Components Installed in TKE Clusters

Last updated: 2024-07-23 18:11:23

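    Overview

    This document describes the function, permissions and resource usage of each component that the Prometheus monitoring service installs in the user's TKE cluster during container service (TKE) integration.

    proxy-agent

    Component introduction

    Because a TKE cluster has its own isolated network environment, proxy-agent is deployed inside the cluster to provide an access proxy for the collection components outside the cluster. The external collection components use proxy-agent to discover resources in the cluster, and they also scrape metrics through proxy-agent and write them to the time-series storage of the Prometheus instance.

    Resource objects deployed in the cluster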

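    | Namespace | Kubernetes object name | Type | Resource usage | Description |
    |---|---|---|---|---|
    | <Prometheus instance ID> | proxy-agent | Deployment | 0.25C256Mi*2 | Collection proxy |
    | <Prometheus instance ID> | <Prometheus instance ID> | ServiceAccount | - | Permission carrier |
    | - | <Prometheus instance ID> | ClusterRole | - | Collection permissions |
    | - | <Prometheus instance ID>-crb | ClusterRoleBinding | - | Collection permissions |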

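    Component permissions

    Permission scenarios

    | Function | Objects involved | Operation permissions involved |
    |---|---|---|
    | Scrape configuration management | scrapeconfigs,servicemonitors,podmonitors,probes,configmaps,secrets,namespaces | get/list/watch |
    | Service discovery | services,endpoints,nodes,pods,ingresses | get/list/watch |
    | Metrics scraping for some system components | nodes/metrics,nodes/proxy,pods/proxy | get/list/watch |
    | Metrics scraping with RBAC authentication | /metrics,/metrics/cadvisor | get |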

    Permission definition

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: prom-instance
    rules:
      - apiGroups:
          - monitoring.coreos.com
        resources:
          - scrapeconfigs
          - servicemonitors
          - podmonitors
          - probes
          - prometheuses
          - prometheusrules
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - namespaces
          - configmaps
          - secrets
          - nodes
          - services
          - endpoints
          - pods
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - networking.k8s.io
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups: [ "" ]
        resources:
          - nodes/metrics
          - nodes/proxy
          - pods/proxy
        verbs:
          - get
          - list
          - watch
      - nonResourceURLs: [ "/metrics", "/metrics/cadvisor" ]
        verbs:
          - get
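
As an added example (not Tencent Cloud's code), the following Python sketch transcribes the proxy-agent ClusterRole above and evaluates it with a simplified model of Kubernetes RBAC matching, so a reviewer can confirm what the role grants, such as cluster-wide read access to secrets, and that it contains no mutating verbs. The function names `allowed`, `review` and `mutating_verbs` are hypothetical, and `resourceNames` and role aggregation are not modelled.

```python
# Added example, not from the original page. PROXY_AGENT_RULES is transcribed
# from the proxy-agent ClusterRole above; the matcher is a simplified model of
# Kubernetes RBAC evaluation (no resourceNames, no aggregated roles).
READ = ["get", "list", "watch"]
PROXY_AGENT_RULES = [
    {"apiGroups": ["monitoring.coreos.com"], "verbs": READ,
     "resources": ["scrapeconfigs", "servicemonitors", "podmonitors",
                   "probes", "prometheuses", "prometheusrules"]},
    {"apiGroups": [""], "verbs": READ,
     "resources": ["namespaces", "configmaps", "secrets", "nodes",
                   "services", "endpoints", "pods"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": READ,
     "resources": ["ingresses"]},
    {"apiGroups": [""], "verbs": READ,
     "resources": ["nodes/metrics", "nodes/proxy", "pods/proxy"]},
    {"nonResourceURLs": ["/metrics", "/metrics/cadvisor"], "verbs": ["get"]},
]

def _has(granted, wanted):
    return "*" in granted or wanted in granted

def _resource_ok(granted, resource):
    # "pods" does not imply "pods/proxy"; "*/proxy" covers any parent resource.
    sub = resource.partition("/")[2]
    return _has(granted, resource) or (bool(sub) and "*/" + sub in granted)

def allowed(rules, verb, group=None, resource=None, url=None):
    """True if any rule grants the verb on a resource or a non-resource URL."""
    for r in rules:
        if not _has(r.get("verbs", []), verb):
            continue
        if url is not None:
            if _has(r.get("nonResourceURLs", []), url):
                return True
        elif (_has(r.get("apiGroups", []), group)
              and _resource_ok(r.get("resources", []), resource)):
            return True
    return False

def review(rules):
    """Grants a reviewer should weigh: (verb, group, resource) -> granted?"""
    checks = [("list", "", "secrets"), ("get", "", "nodes/proxy"),
              ("get", "", "pods/proxy"), ("create", "", "pods"),
              ("update", "", "secrets")]
    return {c: allowed(rules, *c) for c in checks}

def mutating_verbs(rules):
    """Verbs beyond get/list/watch anywhere in the role (empty = read-only)."""
    return {v for r in rules for v in r["verbs"]} - set(READ)
```

Calling `review(PROXY_AGENT_RULES)` shows the three read grants as allowed and the two write checks as denied, and `mutating_verbs(PROXY_AGENT_RULES)` returns an empty set.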

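    tke-kube-state-metrics

    Component introduction

    tke-kube-state-metrics uses the open-source component kube-state-metrics. It watches the cluster's API server and generates state metrics for the objects in the cluster.

    Resource objects deployed in the cluster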

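    | Namespace | Kubernetes object name | Type | Resource usage | Description |
    |---|---|---|---|---|
    | kube-system | tke-kube-state-metrics | StatefulSet | 0.5C512Mi | Collector |
    | kube-system | tke-kube-state-metrics | ServiceAccount | - | Permission carrier |
    | - | tke-kube-state-metrics | ClusterRole | - | Collection permissions |
    | - | tke-kube-state-metrics | ClusterRoleBinding | - | Collection permissions |
    | kube-system | tke-kube-state-metrics | Service | - | Service for the collector, used for service discovery |
    | kube-system | tke-kube-state-metrics | ServiceMonitor | - | Scrape configuration |
    | kube-system | tke-kube-state-metrics | Role | - | Sharded collection permissions |
    | kube-system | tke-kube-state-metrics | RoleBinding | - | Sharded collection permissions |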

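    Component permissions

    Permission scenarios

    | Function | Objects involved | Operation permissions involved |
    |---|---|---|
    | Watch the state of the resources in the cluster | Most Kubernetes resources | list/watch |
    | Get the shard index of the collector Pod | statefulsets,pods | get |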

    Permission definition

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: tke-kube-state-metrics
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - secrets
          - nodes
          - pods
          - services
          - serviceaccounts
          - resourcequotas
          - replicationcontrollers
          - limitranges
          - persistentvolumeclaims
          - persistentvolumes
          - namespaces
          - endpoints
        verbs:
          - list
          - watch
      - apiGroups:
          - apps
        resources:
          - statefulsets
          - daemonsets
          - deployments
          - replicasets
        verbs:
          - list
          - watch
      - apiGroups:
          - batch
        resources:
          - cronjobs
          - jobs
        verbs:
          - list
          - watch
      - apiGroups:
          - autoscaling
        resources:
          - horizontalpodautoscalers
        verbs:
          - list
          - watch
      - apiGroups:
          - authentication.k8s.io
        resources:
          - tokenreviews
        verbs:
          - create
      - apiGroups:
          - authorization.k8s.io
        resources:
          - subjectaccessreviews
        verbs:
          - create
      - apiGroups:
          - policy
        resources:
          - poddisruptionbudgets
        verbs:
          - list
          - watch
      - apiGroups:
          - certificates.k8s.io
        resources:
          - certificatesigningrequests
        verbs:
          - list
          - watch
      - apiGroups:
          - storage.k8s.io
        resources:
          - storageclasses
          - volumeattachments
        verbs:
          - list
          - watch
      - apiGroups:
          - admissionregistration.k8s.io
        resources:
          - mutatingwebhookconfigurations
          - validatingwebhookconfigurations
        verbs:
          - list
          - watch
      - apiGroups:
          - networking.k8s.io
        resources:
          - networkpolicies
          - ingresses
        verbs:
          - list
          - watch
      - apiGroups:
          - coordination.k8s.io
        resources:
          - leases
        verbs:
          - list
          - watch
      - apiGroups:
          - rbac.authorization.k8s.io
        resources:
          - clusterrolebindings
          - clusterroles
          - rolebindings
          - roles
        verbs:
          - list
          - watch
    ---
    # Namespaced Role used for sharded collection (shard index lookup)
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: tke-kube-state-metrics
      namespace: kube-system
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - get
      - apiGroups:
          - apps
        resourceNames:
          - tke-kube-state-metrics
        resources:
          - statefulsets
        verbs:
          - get
    

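    tke-node-exporter

    Component introduction

    tke-node-exporter uses the open-source project node_exporter. It is deployed on every Node in the cluster and collects hardware and Unix-like operating system metrics.

    Resources deployed in the cluster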

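    | Namespace | Kubernetes object name | Type | Resource usage | Description |
    |---|---|---|---|---|
    | kube-system | tke-node-exporter | DaemonSet | 0.1C180Mi * number of nodes | Collector |
    | kube-system | tke-node-exporter | Service | - | Service for the collector, used for service discovery |
    | kube-system | tke-node-exporter | ServiceMonitor | - | Scrape configuration |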

    Component permissions

    This component does not use any cluster permissions.