Required permissions for Migrate to Containers

This topic provides general information about the permissions required to run the various Migrate to Containers components.

RBAC for specific components

The following API definitions show the required RBAC rules that are added as part of installing the M2C processing cluster.

Deploy certificates

Deploys the webhook certificates for migration-related CRDs.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-deploy-cert-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - patch
  - get
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - patch
  - get
  - list
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - create
  - list
  - delete
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kubelet-serving
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - patch
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get

Migrate to Containers controllers

The controllers manage the lifecycle of the migration-related CRDs and deploy task pods for the actual migration operation.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  creationTimestamp: null
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pod
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories/status
  verbs:
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - imagerepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - linuxdiscoveryreports
  verbs:
  - create
  - get
  - list
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstaskprogresses
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - get
  - list
  - update
  - watch
- apiGroups:
  - vm.cluster.gke.io
  resources:
  - vmruntimes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

CSI driver

The CSI driver component connects the migration tasks to the original VM (virtual machine) storage.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-node-healthcheck-role
rules:
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - get
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
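
As an added example (not part of the product documentation), the following Python script reviews a subset of the rules listed on this page against a small watchlist of sensitive grants and reports whether each one is narrowed by `resourceNames`. The watchlist and the names `WATCHLIST`, `ROLES` and `review` are assumptions of this example; the rules are transcribed from the ClusterRoles above.

```python
# Review policy: an assumption of this example, not part of the product docs.
# (apiGroup, resource) -> (verbs worth a reviewer's attention, reason)
WATCHLIST = {
    ("", "secrets"): ({"get", "list", "watch"}, "reads Secrets"),
    ("rbac.authorization.k8s.io", "rolebindings"):
        ({"create", "patch", "update"}, "changes role bindings"),
    ("certificates.k8s.io", "certificatesigningrequests/approval"):
        ({"update"}, "approves certificate signing requests"),
    ("certificates.k8s.io", "signers"):
        ({"approve"}, "may approve CSRs for the named signer"),
}

# Subset of the rules shown on this page, transcribed as Python dicts.
ROLES = {
    "controllers-deploy-cert-role": [
        {"apiGroups": ["certificates.k8s.io"], "verbs": ["update"],
         "resources": ["certificatesigningrequests/approval"]},
        {"apiGroups": ["certificates.k8s.io"], "resources": ["signers"],
         "resourceNames": ["kubernetes.io/kubelet-serving"], "verbs": ["approve"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "get", "patch"]},
    ],
    "controllers-manager-role": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "delete", "get", "list", "update", "watch"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
}

def _matches(granted, wanted):
    """RBAC treats "*" in a rule field as matching every value."""
    return "*" in granted or wanted in granted

def review(rules):
    """Return (resource, verbs, scope, reason) for each watchlisted grant."""
    findings = []
    for rule in rules:
        for (group, resource), (verbs, reason) in WATCHLIST.items():
            if not (_matches(rule.get("apiGroups", []), group)
                    and _matches(rule.get("resources", []), resource)):
                continue
            granted = set(rule.get("verbs", []))
            hit = sorted(verbs if "*" in granted else verbs & granted)
            if hit:
                # resourceNames narrows a grant to named objects; without it the
                # rule covers every object of that resource in the binding's scope.
                names = rule.get("resourceNames")
                scope = "names=" + ",".join(names) if names else "all objects"
                findings.append((resource, hit, scope, reason))
    return findings

if __name__ == "__main__":
    for name, rules in ROLES.items():
        for resource, verbs, scope, reason in review(rules):
            print(f"{name}: {resource} {verbs} [{scope}] - {reason}")
```

Whether a flagged grant is cluster-wide depends on how the ClusterRole is bound (ClusterRoleBinding or RoleBinding), which this page does not show.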