Migrate to Containers에 필요한 권한
이 주제에서는 다양한 Migrate for Containers 구성요소를 실행하는 데 필요한 권한을 간략하게 설명합니다.
특정 구성요소의 RBAC
다음 API 정의는 M2C 처리 클러스터 설치 중에 추가된 필요한 RBAC 규칙을 보여줍니다.
인증서 배포
마이그레이션 관련 CRD의 웹훅 인증서를 프로비저닝합니다.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-deploy-cert-role
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- patch
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- patch
- get
- list
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- create
- list
- delete
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/kubelet-serving
resources:
- signers
verbs:
- approve
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- patch
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
Migrate to Containers 컨트롤러
컨트롤러는 마이그레이션 관련 CRD의 수명 주기를 관리하고 실제 마이그레이션을 수행하기 위한 태스크 포드를 프로비저닝합니다.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
creationTimestamp: null
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- create
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
resources:
- pod
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryresults
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoveryresults/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoverytasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxdiscoverytasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactsflows/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxplugins
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- appxplugins/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactrepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactrepositories/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactsrepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- artifactsrepositories/status
verbs:
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- discoverytasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- discoverytasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactsflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- generateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- imagerepositories
verbs:
- get
- list
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- linuxdiscoveryreports
verbs:
- create
- get
- list
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- migrations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- migrations/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- replicatingvms/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourceproviders
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourceproviders/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourcesnapshots
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- sourcesnapshots/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactsflows
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactsflows/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstaskprogresses
verbs:
- create
- get
- list
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- vmgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveries
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveries/status
verbs:
- get
- patch
- update
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveryresults
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsdiscoveryresults/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifacts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifacts/status
verbs:
- get
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifactstasks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- anthos-migrate.cloud.google.com
resources:
- windowsgenerateartifactstasks/status
verbs:
- get
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- vm.cluster.gke.io
resources:
- vmruntimes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: controllers-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
CSI 드라이버
CSI 드라이버 구성요소는 원래 가상 머신(VM) 스토리지에 마이그레이션 태스크를 연결합니다.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-controller-role-vls
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- watch
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-csi-external-attacher
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-csi-external-provisioner
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: csi-vlsdisk-node-healthcheck-role
rules:
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- get
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-controller-role-vls
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- watch
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-csi-external-attacher
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-csi-external-provisioner
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
migrate-for-anthos-component: deployment-processing
labels:
migrate-for-anthos: component
migrate-for-anthos-version: v1.11.0
name: v2k-generic-csi-driver-registrar-role
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- list
- watch
- create
- update
- patch