Rancher 2.7 permission settings problem

Rancher Server Setup

  • Rancher version: 2.7
  • Installation option (Docker install/Helm Chart): rke2

Problem description:
I want to create a role that can only view a pod's logs, configuration, status and similar information.
In the red box in the screenshot below, an administrator gets a "Metrics" option that shows CPU, memory and other monitoring graphs.
But the role I added does not currently have this option. How should I configure the permissions so that "Metrics" becomes visible?



The current read-only role's permission configuration is as follows

```yaml
administrative: false
apiVersion: management.cattle.io/v3
builtin: false
clusterCreatorDefault: false
context: cluster
description: null
displayName: 开发人员  # "Developer"
external: false
hidden: false
kind: RoleTemplate
locked: false
metadata:
  annotations:
    cleanup.cattle.io/rtUpgradeCluster: "true"
    field.cattle.io/creatorId: user-2rx5s
    lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle: "true"
  creationTimestamp: "2023-04-03T07:04:39Z"
  finalizers:
    - controller.cattle.io/mgmt-auth-roletemplate-lifecycle
  generateName: rt-
  generation: 48
  labels:
    cattle.io/creator: norman
  managedFields:
    - apiVersion: management.cattle.io/v3
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            f:lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle: {}
          f:finalizers:
            .: {}
            v:"controller.cattle.io/mgmt-auth-roletemplate-lifecycle": {}
      manager: rancher
      operation: Update
      time: "2023-04-03T07:04:39Z"
    - apiVersion: management.cattle.io/v3
      fieldsType: FieldsV1
      fieldsV1:
        f:administrative: {}
        f:builtin: {}
        f:clusterCreatorDefault: {}
        f:context: {}
        f:description: {}
        f:displayName: {}
        f:external: {}
        f:hidden: {}
        f:locked: {}
        f:metadata:
          f:annotations:
            .: {}
            f:cleanup.cattle.io/rtUpgradeCluster: {}
            f:field.cattle.io/creatorId: {}
          f:generateName: {}
          f:labels:
            .: {}
            f:cattle.io/creator: {}
        f:projectCreatorDefault: {}
        f:roleTemplateNames: {}
        f:rules: {}
      manager: Go-http-client
      operation: Update
      time: "2023-04-03T07:06:24Z"
  name: rt-jhtbx
  resourceVersion: "22842959"
  uid: 9586d318-e9c6-4a9a-bbf8-357f348b91a5
projectCreatorDefault: false
roleTemplateNames:
rules:
  - apiGroups:
      - ""
    nonResourceURLs:
    resourceNames:
    resources:
      - namespaces
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - ""
    nonResourceURLs:
    resourceNames:
    resources:
      - pods
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - ""
    nonResourceURLs:
    resourceNames:
    resources:
      - services
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - apps
    nonResourceURLs:
    resourceNames:
    resources:
      - daemonsets
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - apps
    nonResourceURLs:
    resourceNames:
    resources:
      - deployments
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - networking.k8s.io
    nonResourceURLs:
    resourceNames:
    resources:
      - ingresses
    verbs:
      - list
      - watch
      - get
```

Besides access to the related resources, viewing pod metrics also requires enabling permissions on some monitoring resources before the corresponding data can be seen. Here is an example for reference.

```yaml
rules:
  - apiGroups:
      - ''
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services/proxy
    verbs:
      - get
      - list
      - watch
      - create
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - catalog.cattle.io
    resources:
      - apps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - podmonitors
    verbs:
      - get
      - list
      - watch
```

Hello, sorry for the late reply. Thank you for your answer, but following your settings I added the following two permissions
[image]
After adding them, a "Monitoring" option appeared in the left navigation bar, but there is still no "Metrics" on the pod page.

Adding only podmonitors and servicemonitors is not enough; to access the monitoring page you also need access to resources such as services/proxy. You can try creating a new role using my example.

Thanks, I added the following permissions and that completely solved the problem. Note that create and update are required here.
[image]
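
As an added example (not code from this thread, from Rancher, or from the people posting above), the following Python script models the rule sets posted in this thread and checks offline, using Kubernetes RBAC rule-matching semantics, whether each one grants what the thread established the "Metrics" tab needs: read access to pods, podmonitors and servicemonitors, plus get/create/update on services/proxy. It also shows the caveat a reviewer of this role would raise: an unrestricted services/proxy rule with create and update lets a member of this cluster-context role send GET, POST and PUT requests through the API server proxy to any Service in the cluster, not only Grafana, while a resourceNames-scoped rule keeps the same verbs but limits them to the monitoring UIs. The service names and ports in MONITORING_PROXY_NAMES, and the Grafana request used in the check, are assumptions about a default rancher-monitoring install and are not taken from the thread.

```python
"""Offline RBAC check for the Rancher RoleTemplate rules discussed in this thread.

Rules below are transcribed from the thread's YAML; the matching logic
follows Kubernetes RBAC PolicyRule evaluation (any one rule matching allows).
"""


def rule(groups, resources, verbs, names=()):
    """Build one PolicyRule-like dict with the same fields as the thread's YAML."""
    return {"apiGroups": list(groups), "resources": list(resources),
            "verbs": list(verbs), "resourceNames": list(names)}


RO = ["get", "list", "watch"]

# The original poster's read-only role (rules only, from the first YAML above).
ORIGINAL_RULES = [
    rule([""], ["namespaces"], RO),
    rule([""], ["pods"], RO),
    rule([""], ["services"], RO),
    rule(["apps"], ["daemonsets"], RO),
    rule(["apps"], ["deployments"], RO),
    rule(["networking.k8s.io"], ["ingresses"], RO),
]

# The answer's example: adds the monitoring CRDs and an unrestricted
# services/proxy rule with create/update (POST/PUT through the API server proxy).
ANSWER_RULES = ORIGINAL_RULES + [
    rule(["apps"], ["statefulsets"], RO),
    rule(["apps"], ["replicasets"], RO),
    rule(["monitoring.coreos.com"], ["servicemonitors"], RO),
    rule(["monitoring.coreos.com"], ["podmonitors"], RO),
    rule(["catalog.cattle.io"], ["apps"], RO),
    rule([""], ["services/proxy"], RO + ["create", "update"]),
]

# ASSUMPTION: service names/ports of a default rancher-monitoring install.
# For services/proxy the RBAC resource name is the URL segment "[scheme:]svc[:port]".
MONITORING_PROXY_NAMES = [
    "http:rancher-monitoring-grafana:80",
    "http:rancher-monitoring-prometheus:9090",
    "http:rancher-monitoring-alertmanager:9093",
]

# Least-privilege variant: same verbs, but only the monitoring UI services.
SCOPED_RULES = ANSWER_RULES[:-1] + [
    rule([""], ["services/proxy"], RO + ["create", "update"], MONITORING_PROXY_NAMES),
]


def _match_resource(pattern, resource):
    """'*' matches everything; '*/sub' matches any resource with that subresource."""
    if pattern in ("*", resource):
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def allowed(rules, group, resource, verb, name=""):
    """Return True if any rule grants (group, resource, verb) on the named object.

    An empty resourceNames list means "any name"; a non-empty list must contain
    the request's name, which is why list/watch never match a name-scoped rule.
    """
    for r in rules:
        if not any(g in ("*", group) for g in r["apiGroups"]):
            continue
        if not any(_match_resource(p, resource) for p in r["resources"]):
            continue
        if not any(v in ("*", verb) for v in r["verbs"]):
            continue
        if r["resourceNames"] and name not in r["resourceNames"]:
            continue
        return True
    return False


# What the thread concludes the Metrics tab needs, as (group, resource, verb, name).
# The Grafana proxy target name is an ASSUMPTION (see MONITORING_PROXY_NAMES).
METRICS_TAB_NEEDS = [
    ("", "pods", "get", ""),
    ("monitoring.coreos.com", "podmonitors", "list", ""),
    ("monitoring.coreos.com", "servicemonitors", "list", ""),
] + [("", "services/proxy", v, "http:rancher-monitoring-grafana:80")
     for v in ("get", "create", "update")]


def missing(rules, needs=METRICS_TAB_NEEDS):
    """List the (group, resource, verb) triples that `rules` does not grant."""
    return [(g, res, v) for g, res, v, n in needs if not allowed(rules, g, res, v, n)]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("answer", ANSWER_RULES),
                         ("scoped", SCOPED_RULES)):
        print(f"{label}: missing for Metrics tab -> {missing(rules)}")
    # The caveat: the unrestricted rule also reaches arbitrary in-cluster services.
    other = "http:some-internal-admin-api:8080"
    print("answer rules can POST to", other, "->",
          allowed(ANSWER_RULES, "", "services/proxy", "create", other))
    print("scoped rules can POST to", other, "->",
          allowed(SCOPED_RULES, "", "services/proxy", "create", other))
```

Running the script reports the five grants the original role lacks (the two monitoring CRDs and the three services/proxy verbs), shows that both the answer's rules and the scoped variant satisfy the Metrics tab, and shows that only the scoped variant refuses a POST to an unrelated service. On a live cluster the same checks map to `kubectl auth can-i create services/proxy --as=<user>` and, for the scoped form, `--subresource`-style checks against the specific service name.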