tencent cloud

PrevNext

文档反馈

请输入关键字

Recent Pages

文档
腾讯云可观测平台
    文档
    Download PDF

    TKE 集群内安装组件说明

    最后更新时间:2024-07-23 18:11:23
    下载PDF

      概述

      本文介绍 Prometheus 监控服务在 集成容器服务 过程中在用户 TKE 集群内安装的各个组件的功能,使用权限和占用资源。

      proxy-agent

      组件介绍

      由于 TKE 集群有独立的网络环境,proxy-agent 部署在集群内为集群外的采集组件提供访问代理。外部采集组件一方面通过 proxy-agent 服务发现集群内的资源,另一方面通过 proxy-agent 抓取指标并写到 Prometheus 实例的时序存储中。

      部署在集群内的资源对象

      Namespace
      kubernetes 对象名称
      类型
      资源量
      说明
      <Prometheus 实例 ID>
      proxy-agent
      Deployment
      0.25C256Mi*2
      采集代理
      <Prometheus 实例 ID>
      <Prometheus 实例 ID>
      ServiceAccount
      -
      权限载体
      -
      <Prometheus 实例 ID>
      ClusterRole
      -
      采集权限相关
      -
      <Prometheus 实例 ID>-crb
      ClusterRoleBinding
      -
      采集权限相关

      组件权限说明

      权限场景

      功能
      涉及对象
      涉及操作权限
      采集配置管理
      scrapeconfigs,servicemonitors,podmonitors,probes,configmaps,secrets,namespaces
      get/list/watch
      服务发现
      services,endpoints,nodes,pods,ingresses
      get/list/watch
      部分系统组件指标抓取
      nodes/metrics,nodes/proxy,pods/proxy
      get/list/watch
      带 RBAC 鉴权的指标抓取
      /metrics,/metrics/cadvisor
      get

      权限定义

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: prom-instance
      rules:
        - apiGroups:
            - monitoring.coreos.com
          resources:
            - scrapeconfigs
            - servicemonitors
            - podmonitors
            - probes
            - prometheuses
            - prometheusrules
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - ""
          resources:
            - namespaces
            - configmaps
            - secrets
            - nodes
            - services
            - endpoints
            - pods
          verbs:
            - get
            - list
            - watch
        - apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
          verbs:
            - get
            - list
            - watch
        - apiGroups: [ "" ]
          resources:
            - nodes/metrics
            - nodes/proxy
            - pods/proxy
          verbs:
            - get
            - list
            - watch
        - nonResourceURLs: [ "/metrics", "/metrics/cadvisor" ]
          verbs:
            - get

      tke-kube-state-metrics

      组件介绍

      tke-kube-state-metrics 使用开源组件 kube-state-metrics,监听集群的 API server,生成集群内各种对象的状态指标。

      部署在集群内的资源对象

      Namespace
      kubernetes 对象名称
      类型
      资源量
      说明
      kube-system
      tke-kube-state-metrics
      Statefulset
      0.5C512Mi
      采集程序
      kube-system
      tke-kube-state-metrics
      ServiceAccount
      -
      权限载体
      -
      tke-kube-state-metrics
      ClusterRole
      -
      采集权限相关
      -
      tke-kube-state-metrics
      ClusterRoleBinding
      -
      采集权限相关
      kube-system
      tke-kube-state-metrics
      Service
      -
      采集程序对应服务,供服务发现使用
      kube-system
      tke-kube-state-metrics
      ServiceMonitor
      -
      采集配置
      kube-system
      tke-kube-state-metrics
      Role
      -
      分片采集权限相关
      kube-system
      tke-kube-state-metrics
      RoleBinding
      -
      分片采集权限相关

      组件权限说明

      权限场景

      功能
      涉及对象
      涉及操作权限
      监听集群内各种资源的状态
      绝大部分 Kubernetes 资源
      list/watch
      获取采集 Pod 所在分片序号
      statefulsets,pods
      get

      权限定义

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: tke-kube-state-metrics
      rules:
        - apiGroups:
            - ""
          resources:
            - configmaps
            - secrets
            - nodes
            - pods
            - services
            - serviceaccounts
            - resourcequotas
            - replicationcontrollers
            - limitranges
            - persistentvolumeclaims
            - persistentvolumes
            - namespaces
            - endpoints
          verbs:
            - list
            - watch
        - apiGroups:
            - apps
          resources:
            - statefulsets
            - daemonsets
            - deployments
            - replicasets
          verbs:
            - list
            - watch
        - apiGroups:
            - batch
          resources:
            - cronjobs
            - jobs
          verbs:
            - list
            - watch
        - apiGroups:
            - autoscaling
          resources:
            - horizontalpodautoscalers
          verbs:
            - list
            - watch
        - apiGroups:
            - authentication.k8s.io
          resources:
            - tokenreviews
          verbs:
            - create
        - apiGroups:
            - authorization.k8s.io
          resources:
            - subjectaccessreviews
          verbs:
            - create
        - apiGroups:
            - policy
          resources:
            - poddisruptionbudgets
          verbs:
            - list
            - watch
        - apiGroups:
            - certificates.k8s.io
          resources:
            - certificatesigningrequests
          verbs:
            - list
            - watch
        - apiGroups:
            - storage.k8s.io
          resources:
            - storageclasses
            - volumeattachments
          verbs:
            - list
            - watch
        - apiGroups:
            - admissionregistration.k8s.io
          resources:
            - mutatingwebhookconfigurations
            - validatingwebhookconfigurations
          verbs:
            - list
            - watch
        - apiGroups:
            - networking.k8s.io
          resources:
            - networkpolicies
            - ingresses
          verbs:
            - list
            - watch
        - apiGroups:
            - coordination.k8s.io
          resources:
            - leases
          verbs:
            - list
            - watch
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - clusterrolebindings
            - clusterroles
            - rolebindings
            - roles
          verbs:
            - list
            - watch
      ---
      kind: Role
      metadata:
        name: tke-kube-state-metrics
        namespace: kube-system
      rules:
        - apiGroups:
            - ""
          resources:
            - pods
          verbs:
            - get
        - apiGroups:
            - apps
          resourceNames:
            - tke-kube-state-metrics
          resources:
            - statefulsets
          verbs:
            - get
      

      tke-node-exporter

      组件介绍

      tke-node-exporter 使用开源项目 node_exporter,部署在集群内的每个 Node 上,用来采集硬件和类Unix操作系统指标。

      部署在集群内的资源

      Namespace
      kubernetes 对象名称
      类型
      资源量
      说明
      kube-system
      tke-node-exporter
      DaemonSet
      0.1C180Mi*node数量
      采集程序
      kube-system
      tke-node-exporter
      Service
      -
      采集程序对应服务,供服务发现使用
      kube-system
      tke-node-exporter
      ServiceMonitor
      -
      采集配置

      组件权限说明

      该组件不使用任何集群权限。
      联系我们

      联系我们,为您的业务提供专属服务。

      联系我们
      技术支持

      如果你想寻求进一步的帮助,通过工单与我们进行联络。我们提供7x24的工单服务。

      提交工单
      7x24 电话支持
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      隐私条款服务条款缓存条款