40 lines
984 B
YAML
40 lines
984 B
YAML
|
# 1. 权限配置
|
|||
|
|
apiVersion: v1
|
|||
|
|
kind: ServiceAccount
|
|||
|
|
metadata:
|
|||
|
|
name: otel-agent
|
|||
|
|
namespace: monitoring
|
|||
|
|
---
|
|||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
|
kind: ClusterRole
|
|||
|
|
metadata:
|
|||
|
|
name: otel-agent-role
|
|||
|
|
rules:
|
|||
|
|
# 允许读取 Pod 和 Node 信息
|
|||
|
|
- apiGroups: [""]
|
|||
|
|
resources: ["nodes", "nodes/stats", "nodes/proxy", "pods", "services", "endpoints"]
|
|||
|
|
verbs: ["get", "watch", "list"]
|
|||
|
|
|
|||
|
|
# 允许读取 ReplicaSets,以便 k8sattributes 处理器解析 Deployment 名称
|
|||
|
|
- apiGroups: ["apps"]
|
|||
|
|
resources: ["replicasets"]
|
|||
|
|
verbs: ["get", "watch", "list"]
|
|||
|
|
|
|||
|
|
# 非资源型 URL 权限 (访问 Kubelet 统计接口)
|
|||
|
|
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
|
|||
|
|
verbs: ["get"]
|
|||
|
|
---
|
|||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
|
kind: ClusterRoleBinding
|
|||
|
|
metadata:
|
|||
|
|
name: otel-agent-binding
|
|||
|
|
subjects:
|
|||
|
|
- kind: ServiceAccount
|
|||
|
|
name: otel-agent
|
|||
|
|
namespace: monitoring
|
|||
|
|
roleRef:
|
|||
|
|
kind: ClusterRole
|
|||
|
|
name: otel-agent-role
|
|||
|
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
|
|