Required permissions for Migrate to Containers
This topic provides high level information on the permissions required to run various Migrate to Containers components.
RBAC for specific components
The following API definitions show that the required RBAC rules added as part of the M2C processing cluster installation.
Deploy Certificates
Provisions the webhooks certificates for migration-related CRDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-deploy-cert-role
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- patch
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- patch
- get
- list
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- create
- list
- delete
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/kubelet-serving
resources:
- signers
verbs:
- approve
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- patch
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
Migrate to Containers Controllers
The controllers manage the lifecycle of the migration-related CRDs and provision task pods to perform the actual migration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
creationTimestamp: null
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- create
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
resources:
- pod
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryresults
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryresults/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoverytasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoverytasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactsflows/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxplugins
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxplugins/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactrepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactrepositories/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactsrepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactsrepositories/status
verbs:
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- discoverytasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- discoverytasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactsflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- imagerepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- linuxdiscoveryreports
verbs:
- create
- get
- list
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- migrations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- migrations/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourceproviders
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourceproviders/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourcesnapshots
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourcesnapshots/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactsflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstaskprogresses
verbs:
- create
- get
- list
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveries
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveries/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveryresults
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveryresults/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifacts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifacts/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- vm.cluster.gke.io
resources:
- vmruntimes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
CSI Driver
The CSI driver component connects the migration tasks with the original virtual machine (VM) storage.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-controller-role-vls
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- watch
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-csi-external-attacher
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-csi-external-provisioner
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-node-healthcheck-role
rules:
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- get
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-controller-role-vls
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- watch
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-csi-external-attacher
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-csi-external-provisioner
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch