Kubernetes object name | Type | Resources | Namespace |
tke-log-agent | DaemonSet | 0.21C126M | kube-system |
cls-provisioner | Deployment | 0.1C64M | kube-system |
logconfigs.cls.cloud.tencent.com | CustomResourceDefinition | - | - |
cls-provisioner | ClusterRole | - | - |
cls-provisioner | ClusterRoleBinding | - | - |
cls-provisioner | ServiceAccount | - | kube-system |
tke-log-agent | ClusterRole | - | - |
tke-log-agent | ClusterRoleBinding | - | - |
tke-log-agent | ServiceAccount | - | kube-system |
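Function | Objects involved | Permissions involved |
Watch for changes to log collection rules | logconfig/logconfigpro | watch/patch/get |
Get the node's runtime type | node | list/watch/get |
Collecting standard output logs or in-container logs requires collecting pod logs under specific namespaces | namespace/pod | list/watch/get |
Collecting in-container logs requires obtaining the actual storage path of the container logs | PV/PVC | list/watch/get |
| SC | get |
Collect workload-related logs | Workloads | list/watch/get |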
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tke-log-agent
rules:
  - apiGroups: ["cls.cloud.tencent.com"]
    resources: ["logconfigs", "logconfigpros"]
    verbs: ["list", "watch", "patch", "get"]
  - apiGroups: [""]
    resources: ["pods", "namespaces", "nodes", "persistentvolumeclaims", "configmaps", "persistentvolumes"]
    verbs: ["list", "watch", "get"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "replicasets", "deployments", "statefulsets"]
    verbs: ["list", "watch", "get"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["list", "watch", "get"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get"]
Function | Objects involved | Permissions involved |
Sync the rule content of the log config to the CLS side | logconfig | list/watch/patch/update |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cls-provisioner
rules:
  - apiGroups:
      - cls.cloud.tencent.com
    resources:
      - logconfigs
    verbs:
      - list
      - watch
      - patch
      - update
  - apiGroups:
      - '*'
    resources:
      - events
      - configmaps
    verbs:
      - create
      - patch
      - update
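For a least-privilege review of the two ClusterRoles above, the following added example (not part of the original page or of the TKE project's code) lists every grant that goes beyond read-only access and every rule that uses a `*` wildcard. The names `ROLES`, `write_grants` and `wildcard_rules` are illustrative assumptions; the rules themselves are transcribed from the manifests on this page.

```python
import json

# Rules transcribed from the two ClusterRoles on this page, in the shape of the
# "rules" field returned by `kubectl get clusterrole <name> -o json`.
ROLES = json.loads("""
{
  "tke-log-agent": [
    {"apiGroups": ["cls.cloud.tencent.com"], "resources": ["logconfigs", "logconfigpros"],
     "verbs": ["list", "watch", "patch", "get"]},
    {"apiGroups": [""], "resources": ["pods", "namespaces", "nodes", "persistentvolumeclaims",
     "configmaps", "persistentvolumes"], "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "replicasets", "deployments", "statefulsets"],
     "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["list", "watch", "get"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get"]}
  ],
  "cls-provisioner": [
    {"apiGroups": ["cls.cloud.tencent.com"], "resources": ["logconfigs"],
     "verbs": ["list", "watch", "patch", "update"]},
    {"apiGroups": ["*"], "resources": ["events", "configmaps"],
     "verbs": ["create", "patch", "update"]}
  ]
}
""")

READ_ONLY = {"get", "list", "watch"}


def write_grants(rules):
    """Return sorted (apiGroup, resource, verb) triples that can modify state."""
    grants = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if verb not in READ_ONLY:
                        grants.add((group, resource, verb))
    return sorted(grants)


def wildcard_rules(rules):
    """Return indexes of rules that use '*' for apiGroups, resources or verbs."""
    fields = ("apiGroups", "resources", "verbs")
    return [i for i, rule in enumerate(rules)
            if any("*" in rule.get(field, []) for field in fields)]


if __name__ == "__main__":
    for name, rules in ROLES.items():
        print(f"{name}: wildcard rule indexes {wildcard_rules(rules)}")
        for group, resource, verb in write_grants(rules):
            print(f"  {verb:<6} {resource} (apiGroup {group or 'core'})")
```

The output is the write access to weigh against the permission tables: the `cls-provisioner` rule with `apiGroups: '*'` allows create/patch/update on events and configmaps in every API group, and because it is bound through a ClusterRoleBinding, in every namespace.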