Permissions required for Migrate to Containers

This topic provides high-level information about the permissions required to run the various components of Migrate to Containers.

RBAC for specific components

The following API definitions show the required RBAC rules that are added as part of installing the M2C processing cluster.

Deploy certificates

Provisions the webhook certificates for the migration-related CRDs.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-deploy-cert-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - patch
  - get
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - patch
  - get
  - list
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - create
  - list
  - delete
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kubelet-serving
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - patch
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get

Migrate to Containers controllers

The controllers manage the lifecycle of the migration-related CRDs and provision the task Pods that perform the actual migration.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  creationTimestamp: null
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pod
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories/status
  verbs:
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - imagerepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - linuxdiscoveryreports
  verbs:
  - create
  - get
  - list
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstaskprogresses
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - get
  - list
  - update
  - watch
- apiGroups:
  - vm.cluster.gke.io
  resources:
  - vmruntimes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

CSI controller

The CSI controller component connects the migration tasks to the original storage of the virtual machine (VM).

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-node-healthcheck-role
rules:
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - get
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
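
When reviewing an installation, it helps to pull out the grants in these roles that deserve a second look. The script below is an added example, not part of the Migrate to Containers distribution: `ROLES` is a hand-copied excerpt of rules from the manifests above, and the `SENSITIVE` checklist and the `audit` function are the reviewer's own assumptions.

```python
# Added example: flag high-impact grants in the ClusterRole rules shown above.
# ROLES is a hand-copied excerpt of the page's manifests, not the full set.
ROLES = {
    "controllers-deploy-cert-role": [
        {"apiGroups": ["certificates.k8s.io"],
         "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]},
        {"apiGroups": ["certificates.k8s.io"], "resources": ["signers"],
         "resourceNames": ["kubernetes.io/kubelet-serving"], "verbs": ["approve"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "get", "patch"]},
    ],
    "controllers-manager-role": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "delete", "get", "list", "update", "watch"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
    "csi-vlsdisk-controller-role-vls": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
    "csi-vlsdisk-driver-registrar-role": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update"]},
        {"apiGroups": [""], "resources": ["events"],
         "verbs": ["list", "watch", "create", "update", "patch"]},
    ],
}

# Assumption: this checklist is the reviewer's own choice, not from the page.
# (apiGroup, resource) -> verbs that deserve a second look when granted.
SENSITIVE = {
    ("", "secrets"): {"get", "list", "watch"},          # return Secret data
    ("", "nodes"): {"patch", "update"},                  # modify Node objects
    ("rbac.authorization.k8s.io", "rolebindings"): {"create", "patch", "update"},
    ("certificates.k8s.io", "certificatesigningrequests/approval"): {"update"},
    ("certificates.k8s.io", "signers"): {"approve"},
}

def audit(roles):
    """Return (role, resource, verbs, resourceNames) for each sensitive grant."""
    found = []
    for role, rules in roles.items():
        for rule in rules:
            granted = set(rule["verbs"])
            names = rule.get("resourceNames", [])  # empty list = every object
            for group in rule["apiGroups"]:
                for resource in rule["resources"]:
                    watched = SENSITIVE.get((group, resource), set())
                    # A "*" verb grants everything on the checklist.
                    hit = watched if "*" in granted else watched & granted
                    if hit:
                        found.append((role, resource, sorted(hit), names))
    return found

if __name__ == "__main__":
    for role, resource, verbs, names in audit(ROLES):
        scope = ", ".join(names) if names else "all objects"
        print(f"{role}: {resource} [{','.join(verbs)}] on {scope}")
```

The `resourceNames` column separates narrowed grants, such as `approve` limited to the `kubernetes.io/kubelet-serving` signer, from grants that apply to every object of that type wherever the role is bound.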