📘 Description:
Based on recent discussion, the migration role should be separated from the main VM extended role. The migration role will primarily be used on the hub, while the extended VM role will remain for managed cluster operations. Additionally, MTV roles should be restricted to the mtv-integrations namespace to ensure proper isolation and limit unnecessary cluster-wide access.

🎯 Goals:

• Clearly separate responsibilities between hub and managed cluster roles.

• Restrict MTV-related permissions to the mtv-integrations namespace.

• Improve security and clarity of access control within ACM CNV integration.

📋 Tasks:

1. Create a new migration role dedicated to hub usage.

1. Retain the main vm-extended role for managed clusters only.

1. Restrict MTV roles to the mtv-integrations namespace.

1. Update role bindings, placements, and documentation accordingly.

1. Verify that role separation and namespace restriction do not impact existing VM or migration functionality.

✅ Acceptance Criteria:

• Hub and managed cluster roles are split and properly defined.

• Migration role is scoped to the hub.

• MTV roles are limited to the mtv-integrations namespace.

• No regression in VM or migration operations.

• Documentation reflects the role separation and namespace limitation.