Permissions required for Migrate to Containers

This topic provides high-level information about the permissions required to run the various components of Migrate to Containers.

RBAC for specific components

The following API definitions show the required RBAC rules that are added as part of installing the M2C processing cluster.

Deploy certificates

Provisions the webhook certificates for migration-related CRDs.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-deploy-cert-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - patch
  - get
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - patch
  - get
  - list
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - create
  - list
  - delete
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kubelet-serving
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - patch
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get

Migrate to Containers controllers

The controllers manage the lifecycle of the migration-related CRDs and provision task pods to perform the migration.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  creationTimestamp: null
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pod
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoveryresults/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxdiscoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactsflows/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - appxplugins/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactrepositories/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - artifactsrepositories/status
  verbs:
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - discoverytasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - generateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - imagerepositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - linuxdiscoveryreports
  verbs:
  - create
  - get
  - list
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - migrations/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - replicatingvms/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourceproviders/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - sourcesnapshots/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactsflows/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstaskprogresses
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - vmgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveries/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsdiscoveryresults/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifacts/status
  verbs:
  - get
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - anthos-migrate.cloud.google.com
  resources:
  - windowsgenerateartifactstasks/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - get
  - list
  - update
  - watch
- apiGroups:
  - vm.cluster.gke.io
  resources:
  - vmruntimes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: controllers-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

CSI driver

The CSI driver component connects migration tasks to the original storage of the virtual machine (VM).

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: csi-vlsdisk-node-healthcheck-role
rules:
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - get
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-controller-role-vls
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - watch
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-attacher
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-csi-external-provisioner
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    anthos-migrate.cloud.google.com/gcs-deployment-path-prefix: https://storage.googleapis.com/modernize-release/v1.11.0
    anthos-migrate.cloud.google.com/yaml-path: /deploy.yaml
    migrate-for-anthos-component: deployment-processing
  labels:
    migrate-for-anthos: component
    migrate-for-anthos-version: v1.11.0
  name: v2k-generic-csi-driver-registrar-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
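
An added example, not part of the Migrate to Containers documentation: a small Python check that walks ClusterRole rules and reports the cluster-wide grants a reviewer usually wants justified before installing. The `RULES` excerpt is hand-copied from the manifests above; the `CHECKS` list and the function names are this example's own assumptions.

```python
# Added example: flag ClusterRole rules that grant sensitive access cluster-wide.
# RULES is a hand-copied excerpt of rules from the manifests on this page.
ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]
RULES = {
    "controllers-deploy-cert-role": [
        {"apiGroups": ["certificates.k8s.io"],
         "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "get", "patch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
         "resourceNames": ["extension-apiserver-authentication"]},
    ],
    "controllers-manager-role": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "delete", "get", "list", "update", "watch"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": ALL},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
    "csi-vlsdisk-driver-registrar-role": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update"]},
    ],
}

# (apiGroup, resource, verbs that matter, why a reviewer cares): an assumed review list.
CHECKS = [
    ("", "secrets", {"get", "list", "watch"}, "reads Secret data in every namespace"),
    ("", "pods", {"create", "patch", "update"}, "runs or alters workloads in every namespace"),
    ("rbac.authorization.k8s.io", "rolebindings", {"create", "patch", "update"},
     "changes role assignments in every namespace"),
    ("certificates.k8s.io", "certificatesigningrequests/approval", {"update"},
     "approves certificate signing requests"),
]

def _matches(values, wanted):
    return "*" in values or wanted in values

def audit(role_rules):
    """Return sorted (resource, verbs, reason) findings for one ClusterRole's rules."""
    findings = []
    for rule in role_rules:
        if rule.get("resourceNames"):
            continue  # pinned to named objects, so not treated as a cluster-wide grant
        verbs = set(rule.get("verbs", []))
        for group, resource, risky, reason in CHECKS:
            if not (_matches(rule.get("apiGroups", []), group)
                    and _matches(rule.get("resources", []), resource)):
                continue
            hit = risky if "*" in verbs else verbs & risky
            if hit:
                findings.append((resource, sorted(hit), reason))
    return sorted(findings)

def report(roles=RULES):
    return {name: audit(rules) for name, rules in roles.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        for resource, verbs, reason in findings:
            print(f"{name}: {resource} {verbs} -> {reason}")
```

To audit a live cluster, feed `audit()` the `rules` list of each ClusterRole from `kubectl get clusterrole -o json` instead of the embedded excerpt.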