Freigeben über


Integrierte Azure-Rollen für Container

In diesem Artikel werden die integrierten Azure-Rollen in der Kategorie "Container" aufgeführt.

AcrDelete

Löschen von Repositorys, Tags oder Manifesten aus einer Containerregistrierung

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/artifacts/delete Löschen von Artefakten aus einer Containerregistrierung.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Pushen oder Pullen vertrauenswürdiger Images in einer Containerregistrierung, die für Inhaltsvertrauen aktiviert ist

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/sign/write Pushen/Pullen von Inhaltsvertrauen-Metadaten für eine Containerregistrierung
NotActions
keine
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Ermöglicht das Pushen oder Veröffentlichen von vertrauenswürdigen Sammlungen mit Containerregistrierungsinhalten. Dies ähnelt der Aktion „Microsoft.ContainerRegistry/registries/sign/write“, aber es handelt sich um eine Datenaktion.
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Pullen von Artefakten aus einer Containerregistrierung

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/pull/read Pullen oder Abrufen von Images aus einer Containerregistrierung
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Pushen oder Pullen von Artefakten in einer Containerregistrierung

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/pull/read Pullen oder Abrufen von Images aus einer Containerregistrierung
Microsoft.ContainerRegistry/registries/push/write Pushen oder Schreiben von Images in eine Containerregistrierung
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Pullen von Images in Quarantäne aus einer Containerregistrierung

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/quarantine/read Pullen oder Abrufen von Images in Quarantäne aus einer Containerregistrierung
NotActions
keine
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Ermöglicht das Pullen oder Abrufen der unter Quarantäne gestellten Artefakte aus der Containerregistrierung. Dies ähnelt „Microsoft.ContainerRegistry/registries/quarantine/read“, aber es handelt sich um eine Datenaktion.
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Pushen oder Pullen von Images in Quarantäne in einer Containerregistrierung

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerRegistry/registries/quarantine/read Pullen oder Abrufen von Images in Quarantäne aus einer Containerregistrierung
Microsoft.ContainerRegistry/registries/quarantine/write Schreiben/Ändern des Quarantänezustands von unter Quarantäne gestellten Images
NotActions
keine
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Ermöglicht das Pullen oder Abrufen der unter Quarantäne gestellten Artefakte aus der Containerregistrierung. Dies ähnelt „Microsoft.ContainerRegistry/registries/quarantine/read“, aber es handelt sich um eine Datenaktion.
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Ermöglicht das Schreiben oder Aktualisieren des Quarantänezustands von unter Quarantäne gestellten Artefakten. Dies ähnelt der Aktion „Microsoft.ContainerRegistry/registries/quarantine/write“, aber es handelt sich um eine Datenaktion.
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Benutzerrolle für Azure Arc-aktivierte Kubernetes-Cluster

Aktion zum Auflisten der Anmeldeinformationen eines Clusterbenutzers.

Aktionen BESCHREIBUNG
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action Listet clusterUser-Anmeldeinformationen auf (Vorschau)
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Listet clusterUser-Anmeldeinformationen auf.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes-Administrator

Ermöglicht Ihnen das Verwalten aller Ressourcen unter einem Cluster/Namespace, außer das Aktualisieren oder Löschen von Ressourcenkontingenten und Namespaces.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Schreibt localsubjectaccessreviews.
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Liest limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Liest namespaces.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Liest resourcequotas.
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes-Clusteradministrator

Ermöglicht Ihnen das Verwalten aller Ressourcen im Cluster.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Anzeigeberechtigter für Azure Arc Kubernetes

Ermöglicht Ihnen das Anzeigen aller Ressourcen im Cluster/Namespace mit Ausnahme von Geheimnissen.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Liest daemonsets.
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Liest deployments.
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Liest replicasets.
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Liest statefulsets.
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Liest horizontalpodautoscalers.
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Liest cronjobs.
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Liest jobs.
Microsoft.Kubernetes/connectedClusters/configmaps/read Liest configmaps.
Microsoft.Kubernetes/connectedClusters/endpoints/read Liest endpoints.
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Liest daemonsets.
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Liest deployments.
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Liest ingresses.
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Liest networkpolicies.
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Liest replicasets.
Microsoft.Kubernetes/connectedClusters/limitranges/read Liest limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Liest namespaces.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Liest ingresses.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Liest networkpolicies.
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Liest persistentvolumeclaims.
Microsoft.Kubernetes/connectedClusters/pods/read Liest pods.
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Liest poddisruptionbudgets.
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Liest replicationcontrollers.
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Liest replicationcontrollers.
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Liest resourcequotas.
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Liest serviceaccounts.
Microsoft.Kubernetes/connectedClusters/services/read Liest services.
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Schreibberechtigter für Azure Arc Kubernetes

Mit dieser Rolle können Sie alle Elemente im Cluster oder Namespace aktualisieren, mit Ausnahme von Rollen (Clusterrollen) und Rollenbindungen (Clusterrollenbindungen).

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/events/read Liest events.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Liest limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Liest namespaces.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Liest resourcequotas.
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage-Mitwirkender

Installieren Sie Azure Container Storage, und verwalten Sie ihre Speicherressourcen. Enthält eine ABAC-Bedingung, um Rollenzuweisungen einzuschränken.

Aktionen Beschreibung
Microsoft.KubernetesConfiguration/extensions/write Hiermit wird eine Erweiterungsressource erstellt oder aktualisiert.
Microsoft.KubernetesConfiguration/extensions/read Hiermit wird die Erweiterungsinstanzressource abgerufen.
Microsoft.KubernetesConfiguration/extensions/delete Hiermit wird die Erweiterungsinstanzressource gelöscht.
Microsoft.KubernetesConfiguration/extensions/operations/read Hiermit wird der Status für einen asynchronen Vorgang abgerufen.
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Management/managementGroups/read Listet die Verwaltungsgruppen für den authentifizierten Benutzer auf.
Microsoft.Resources/deployments/* Erstellen und Verwalten einer Bereitstellung
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
keine
NotDataActions
none
Aktionen
Microsoft.Authorization/roleAssignments/write Dient zum Erstellen einer Rollenzuweisung im angegebenen Bereich.
Microsoft.Authorization/roleAssignments/delete Dient zum Löschen einer Rollenzuweisung im angegebenen Bereich.
NotActions
keine
DataActions
keine
NotDataActions
none
Condition
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND (!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Hinzufügen oder Entfernen von Rollenzuweisungen für die folgenden Rollen:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Operator

Aktivieren Sie eine verwaltete Identität, um Azure Container Storage-Vorgänge auszuführen, z. B. virtuelle Computer verwalten und virtuelle Netzwerke verwalten.

Aktionen Beschreibung
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/asyncoperations/read Fragt den Status eines asynchronen Vorgangs ab.
Microsoft.Network/routeTables/join/action Verknüpft eine Routingtabelle. Nicht warnbar.
Microsoft.Network/networkSecurityGroups/join/action Verknüpft eine Netzwerksicherheitsgruppe. Nicht warnbar.
Microsoft.Network/virtualNetworks/write Erstellt ein virtuelles Netzwerk oder aktualisiert ein vorhandenes virtuelles Netzwerk.
Microsoft.Network/virtualNetworks/delete Löscht ein virtuelles Netzwerk.
Microsoft.Network/virtualNetworks/join/action Verknüpft ein virtuelles Netzwerk. Nicht warnbar.
Microsoft.Network/virtualNetworks/subnets/read Ruft eine Subnetzdefinition für virtuelle Netzwerke ab.
Microsoft.Network/virtualNetworks/subnets/write Erstellt ein Subnetz für virtuelle Netzwerke oder aktualisiert ein vorhandenes Subnetz für virtuelle Netzwerke.
Microsoft.Compute/virtualMachines/read Dient zum Abrufen der Eigenschaften eines virtuellen Computers.
Microsoft.Compute/virtualMachines/write Erstellt eine neue virtuelle Maschine oder aktualisiert eine vorhandene virtuelle Maschine
Microsoft.Compute/virtualMachineScaleSets/read Dient zum Abrufen der Eigenschaften einer VM-Skalierungsgruppe.
Microsoft.Compute/virtualMachineScaleSets/write Erstellt eine neue VM-Skalierungsgruppe oder aktualisiert eine bereits vorhandene.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write Aktualisiert die Eigenschaften eines virtuellen Computers in einer VM-Skalierungsgruppe.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Ruft die Eigenschaften eines virtuellen Computers in einer VM-Skalierungsgruppe ab.
Microsoft.Resources/subscriptions/providers/read Ruft Ressourcenanbieter ab oder listet sie auf.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Network/virtualNetworks/read Dient zum Abrufen der Definition des virtuellen Netzwerks.
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure-Containerspeicherbesitzer

Installieren Sie Azure Container Storage, gewähren Sie Zugriff auf ihre Speicherressourcen, und konfigurieren Sie das Azure Elastic Storage Area Network (SAN). Enthält eine ABAC-Bedingung, um Rollenzuweisungen einzuschränken.

Aktionen Beschreibung
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
Microsoft.ElasticSan/locations/asyncoperations/read Fragt den Status eines asynchronen Vorgangs ab.
Microsoft.KubernetesConfiguration/extensions/write Hiermit wird eine Erweiterungsressource erstellt oder aktualisiert.
Microsoft.KubernetesConfiguration/extensions/read Hiermit wird die Erweiterungsinstanzressource abgerufen.
Microsoft.KubernetesConfiguration/extensions/delete Hiermit wird die Erweiterungsinstanzressource gelöscht.
Microsoft.KubernetesConfiguration/extensions/operations/read Hiermit wird der Status für einen asynchronen Vorgang abgerufen.
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Management/managementGroups/read Listet die Verwaltungsgruppen für den authentifizierten Benutzer auf.
Microsoft.Resources/deployments/* Erstellen und Verwalten einer Bereitstellung
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
keine
NotDataActions
none
Aktionen
Microsoft.Authorization/roleAssignments/write Dient zum Erstellen einer Rollenzuweisung im angegebenen Bereich.
Microsoft.Authorization/roleAssignments/delete Dient zum Löschen einer Rollenzuweisung im angegebenen Bereich.
NotActions
keine
DataActions
keine
NotDataActions
none
Condition
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND (!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Hinzufügen oder Entfernen von Rollenzuweisungen für die folgenden Rollen:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rolle des Azure Kubernetes-Flottenmanagers

Gewährt Lese-/Schreibzugriff auf Azure-Ressourcen, die von Azure Kubernetes Fleet Manager bereitgestellt werden, einschließlich Flotten, Flottenmitglieder, Flottenaktualisierungsstrategien, Flottenaktualisierungsläufe usw.

Aktionen Beschreibung
Microsoft.ContainerService/fleets/*
Microsoft.Resources/deployments/* Erstellen und Verwalten einer Bereitstellung
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Administrator von Azure Kubernetes Fleet Manager

Gewährt Lese-/Schreibzugriff auf Kubernetes-Ressourcen innerhalb eines Namespaces im flottenverwalteten Hubcluster – bietet Schreibberechtigungen für die meisten Objekte innerhalb eines Namespaces, mit Ausnahme des ResourceQuota-Objekts und des Namespaceobjekts selbst. Wenn Sie diese Rolle im Clusterumfang anwenden, wird der Zugriff auf alle Namespaces ermöglicht.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/fleets/read Fleet abrufen
Microsoft.ContainerService/fleets/listCredentials/action Fleet-Anmeldeinformationen auflisten
NotActions
keine
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Schreibt localsubjectaccessreviews.
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Liest events.
Microsoft.ContainerService/fleets/events/read Liest events.
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Liest limitranges.
Microsoft.ContainerService/fleets/namespaces/read Liest namespaces.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Liest resourcequotas.
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Clusteradministrator von Azure Kubernetes Fleet Manager

Gewährt Lese-/Schreibzugriff auf alle Kubernetes-Ressourcen im Flotten-verwalteten Hubcluster.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/fleets/read Fleet abrufen
Microsoft.ContainerService/fleets/listCredentials/action Fleet-Anmeldeinformationen auflisten
NotActions
keine
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Reader von Azure Kubernetes Fleet Manager

Gewährt schreibgeschützten Zugriff auf die meisten Kubernetes-Ressourcen innerhalb eines Namespaces im flottenverwalteten Hubcluster. Es ist nicht möglich, Rollen oder Rollenbindungen anzuzeigen. Diese Rolle lässt das Anzeigen von Geheimnissen nicht zu, da das Lesen des Inhalts von Geheimnissen den Zugriff auf ServiceAccount-Anmeldeinformationen im Namespace ermöglicht, was den API-Zugriff als beliebiges Dienstkonto im Namespace ermöglichen würde (eine Form von Berechtigungsausweitung). Wenn Sie diese Rolle im Clusterumfang anwenden, wird der Zugriff auf alle Namespaces ermöglicht.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/fleets/read Fleet abrufen
Microsoft.ContainerService/fleets/listCredentials/action Fleet-Anmeldeinformationen auflisten
NotActions
keine
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/read Liest daemonsets.
Microsoft.ContainerService/fleets/apps/deployments/read Liest deployments.
Microsoft.ContainerService/fleets/apps/statefulsets/read Liest statefulsets.
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Liest horizontalpodautoscalers.
Microsoft.ContainerService/fleets/batch/cronjobs/read Liest cronjobs.
Microsoft.ContainerService/fleets/batch/jobs/read Liest jobs.
Microsoft.ContainerService/fleets/configmaps/read Liest configmaps.
Microsoft.ContainerService/fleets/endpoints/read Liest endpoints.
Microsoft.ContainerService/fleets/events.k8s.io/events/read Liest events.
Microsoft.ContainerService/fleets/events/read Liest events.
Microsoft.ContainerService/fleets/extensions/daemonsets/read Liest daemonsets.
Microsoft.ContainerService/fleets/extensions/deployments/read Liest deployments.
Microsoft.ContainerService/fleets/extensions/ingresses/read Liest ingresses.
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Liest networkpolicies.
Microsoft.ContainerService/fleets/limitranges/read Liest limitranges.
Microsoft.ContainerService/fleets/namespaces/read Liest namespaces.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Liest ingresses.
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Liest networkpolicies.
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Liest persistentvolumeclaims.
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Liest poddisruptionbudgets.
Microsoft.ContainerService/fleets/replicationcontrollers/read Liest replicationcontrollers.
Microsoft.ContainerService/fleets/replicationcontrollers/read Liest replicationcontrollers.
Microsoft.ContainerService/fleets/resourcequotas/read Liest resourcequotas.
Microsoft.ContainerService/fleets/serviceaccounts/read Liest serviceaccounts.
Microsoft.ContainerService/fleets/services/read Liest services.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Writer von Azure Kubernetes Fleet Manager

Gewährt Lese-/Schreibzugriff auf die meisten Kubernetes-Ressourcen innerhalb eines Namespaces im flottenverwalteten Hubcluster. Diese Rolle lässt das Anzeigen oder Ändern von Rollen oder Rollenbindungen nicht zu. Diese Rolle ermöglicht jedoch den Zugriff auf Geheimnisse als beliebiges Dienstkonto im Namespace, sodass sie verwendet werden kann, um die API-Zugriffsebenen eines beliebigen ServiceAccount im Namespace zu erhalten.  Wenn Sie diese Rolle im Clusterumfang anwenden, wird der Zugriff auf alle Namespaces ermöglicht.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/fleets/read Fleet abrufen
Microsoft.ContainerService/fleets/listCredentials/action Fleet-Anmeldeinformationen auflisten
NotActions
keine
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Liest events.
Microsoft.ContainerService/fleets/events/read Liest events.
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Liest limitranges.
Microsoft.ContainerService/fleets/namespaces/read Liest namespaces.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Liest resourcequotas.
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster-Administratorrolle

Listet die Aktion für Anmeldeinformationen des Clusteradministrators auf.

Weitere Informationen

Aktionen Beschreibung
Microsoft.HybridContainerService/provisionedClusterInstances/read Ruft die mit dem verbundenen Cluster verknüpften Hybrid-AKS-Clusterinstanzen ab.
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action Listet die Administratoranmeldeinformationen einer bereitgestellten Clusterinstanz auf, die nur im direkten Modus verwendet wird.
Microsoft.Kubernetes/connectedClusters/Read Liest connectedClusters.
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster-Benutzerrolle

Listet die Aktion für Anmeldeinformationen des Clusterbenutzer auf.

Weitere Informationen

Aktionen Beschreibung
Microsoft.HybridContainerService/provisionedClusterInstances/read Ruft die mit dem verbundenen Cluster verknüpften Hybrid-AKS-Clusterinstanzen ab.
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action Listet die AAD-Benutzeranmeldeinformationen einer bereitgestellten Clusterinstanz auf, die nur im direkten Modus verwendet wird.
Microsoft.Kubernetes/connectedClusters/Read Liest connectedClusters.
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes-Dienst arc-Mitwirkenderrolle

Gewährt Zugriff auf Azure Kubernetes Services-Hybridcluster mit Lese- und Schreibzugriff

Weitere Informationen

Aktionen Beschreibung
Microsoft.HybridContainerService/Locations/operationStatuses/read read operationStatuses
Microsoft.HybridContainerService/Operations/read Lesevorgänge
Microsoft.HybridContainerService/kubernetesVersions/read Listet die unterstützten Kubernetes-Versionen vom zugrunde liegenden benutzerdefinierten Speicherort auf.
Microsoft.HybridContainerService/kubernetesVersions/write Platziert den Kubernetes-Versionsressourcentyp
Microsoft.HybridContainerService/kubernetesVersions/delete Löschen des Kubernetes-Versionsressourcentyps
Microsoft.HybridContainerService/provisionedClusterInstances/read Ruft die mit dem verbundenen Cluster verknüpften Hybrid-AKS-Clusterinstanzen ab.
Microsoft.HybridContainerService/provisionedClusterInstances/write Erstellt die bereitgestellte Hybrid-AKS-Clusterinstanz.
Microsoft.HybridContainerService/provisionedClusterInstances/delete Löscht die bereitgestellte Hybrid-AKS-Clusterinstanz.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read Ruft die Agentpools in der bereitgestellten Hybrid-AKS-Clusterinstanz ab.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write Aktualisiert den Agentpool in der bereitgestellten Hybrid-AKS-Clusterinstanz.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete Löscht den Agentpool in der bereitgestellten Hybrid-AKS-Clusterinstanz.
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read upgradeProfiles lesen
Microsoft.HybridContainerService/skus/read Listet die unterstützten VM-SKUs vom zugrunde liegenden benutzerdefinierten Speicherort auf.
Microsoft.HybridContainerService/skus/write Fügt den RESSOURCENtyp "VM-SKUs" ein.
Microsoft.HybridContainerService/skus/delete Löscht den Vm-Sku-Ressourcentyp.
Microsoft.HybridContainerService/virtualNetworks/read Listet die virtuellen Hybridnetzwerke nach Abonnement auf
Microsoft.HybridContainerService/virtualNetworks/write Patches für das virtuelle Hybridnetzwerk von AKS
Microsoft.HybridContainerService/virtualNetworks/delete Löscht das virtuelle Hybridnetzwerk AKS
Microsoft.ExtendedLocation/customLocations/deploy/action Berechtigungen zum Bereitstellen einer benutzerdefinierte Standortressource
Microsoft.ExtendedLocation/customLocations/read Ruft eine benutzerdefinierte Standortressource ab.
Microsoft.Kubernetes/connectedClusters/Read Liest connectedClusters.
Microsoft.Kubernetes/connectedClusters/Write Schreibt connectedClusters.
Microsoft.Kubernetes/connectedClusters/Delete Löscht connectedClusters.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Listet clusterUser-Anmeldeinformationen auf.
Microsoft.AzureStackHCI/clusters/read Ruft Cluster ab
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administratorrolle für Azure Kubernetes Service-Cluster

Listet die Aktion für Anmeldeinformationen des Clusteradministrators auf.

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Listet die clusterAdmin-Anmeldeinformationen eines verwalteten Clusters auf.
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Ruft ein Zugriffsprofil für verwaltete Cluster anhand des Rollennamens mithilfe der Liste der Anmeldeinformationen ab.
Microsoft.ContainerService/managedClusters/read Ruft einen verwalteten Cluster ab.
Microsoft.ContainerService/managedClusters/runcommand/action Führt einen vom Benutzer ausgegebenen Befehl auf einem Managed Kubernetes-Server aus.
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Clusters Überwachungsbenutzer

Listet die Aktion zur Überwachung der Benutzeranmeldeinformationen auf.

Aktionen Beschreibung
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action Listet die clusterMonitoringUser-Anmeldeinformationen eines verwalteten Clusters auf.
Microsoft.ContainerService/managedClusters/read Ruft einen verwalteten Cluster ab.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Benutzerrolle für Azure Kubernetes Service-Cluster

Listet die Aktion für Anmeldeinformationen des Clusterbenutzer auf.

Weitere Informationen

Aktionen BESCHREIBUNG
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listet die clusterUser-Anmeldeinformationen eines verwalteten Clusters auf.
Microsoft.ContainerService/managedClusters/read Ruft einen verwalteten Cluster ab.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rolle „Mitwirkender“ für Azure Kubernetes Service

Gewährt Lese- und Schreibzugriff auf Azure Kubernetes Service-Cluster.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.ContainerService/locations/* Speicherorte lesen, die für ContainerService-Ressourcen verfügbar sind
Microsoft.ContainerService/managedClusters/* Erstellen und Verwalten eines verwalteten Clusters
Microsoft.ContainerService/managedclustersnapshots/* Erstellen und Verwalten einer verwalteten Clustermomentaufnahme
Microsoft.ContainerService/snapshots/* Erstellen und Verwalten einer Momentaufnahme
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/* Erstellen und Verwalten einer Bereitstellung
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Administrator von Azure Kubernetes Service

Ermöglicht Ihnen das Verwalten aller Ressourcen unter einem Cluster/Namespace, außer das Aktualisieren oder Löschen von Ressourcenkontingenten und Namespaces.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listet die clusterUser-Anmeldeinformationen eines verwalteten Clusters auf.
NotActions
keine
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Schreibt resourcequotas.
Microsoft.ContainerService/managedClusters/resourcequotas/delete Löscht resourcequotas.
Microsoft.ContainerService/managedClusters/namespaces/write Schreibt namespaces.
Microsoft.ContainerService/managedClusters/namespaces/delete Löscht namespaces.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Clusteradministrator von Azure Kubernetes Service

Ermöglicht Ihnen das Verwalten aller Ressourcen im Cluster.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listet die clusterUser-Anmeldeinformationen eines verwalteten Clusters auf.
NotActions
keine
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Leser von Azure Kubernetes Service

Ermöglicht schreibgeschützten Zugriff, um die meisten Objekte in einem Namespace anzuzeigen. Es ist nicht möglich, Rollen oder Rollenbindungen anzuzeigen. Diese Rolle lässt das Anzeigen von Geheimnissen nicht zu, da das Lesen des Inhalts von Geheimnissen den Zugriff auf ServiceAccount-Anmeldeinformationen im Namespace ermöglicht, was den API-Zugriff als beliebiges Dienstkonto im Namespace ermöglichen würde (eine Form von Berechtigungsausweitung). Wenn Sie diese Rolle im Clusterumfang anwenden, wird der Zugriff auf alle Namespaces ermöglicht.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
NotActions
keine
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Liest daemonsets.
Microsoft.ContainerService/managedClusters/apps/deployments/read Liest deployments.
Microsoft.ContainerService/managedClusters/apps/replicasets/read Liest replicasets.
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Liest statefulsets.
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Liest horizontalpodautoscalers.
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Liest cronjobs.
Microsoft.ContainerService/managedClusters/batch/jobs/read Liest jobs.
Microsoft.ContainerService/managedClusters/configmaps/read Liest configmaps.
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Liest Endpunktelizenzen
Microsoft.ContainerService/managedClusters/endpoints/read Liest endpoints.
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Liest events.
Microsoft.ContainerService/managedClusters/events/read Liest events.
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Liest daemonsets.
Microsoft.ContainerService/managedClusters/extensions/deployments/read Liest deployments.
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Liest ingresses.
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Liest networkpolicies.
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Liest replicasets.
Microsoft.ContainerService/managedClusters/limitranges/read Liest limitranges.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Liest pods.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Liest nodes.
Microsoft.ContainerService/managedClusters/namespaces/read Liest namespaces.
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Liest ingresses.
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Liest networkpolicies.
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Liest persistentvolumeclaims.
Microsoft.ContainerService/managedClusters/pods/read Liest pods.
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Liest poddisruptionbudgets.
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Liest replicationcontrollers.
Microsoft.ContainerService/managedClusters/resourcequotas/read Liest resourcequotas.
Microsoft.ContainerService/managedClusters/serviceaccounts/read Liest serviceaccounts.
Microsoft.ContainerService/managedClusters/services/read Liest services.
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

RBAC-Writer von Azure Kubernetes Service

Ermöglicht Lese-/Schreibzugriff auf die meisten Objekte in einem Namespace. Diese Rolle lässt das Anzeigen oder Ändern von Rollen oder Rollenbindungen nicht zu. Diese Rolle ermöglicht jedoch den Zugriff auf Geheimnisse und das Ausführen von Pods als beliebiges Dienstkonto im Namespace, sodass sie verwendet werden kann, um die API-Zugriffsebenen eines beliebigen ServiceAccount im Namespace zu erhalten. Wenn Sie diese Rolle im Clusterumfang anwenden, wird der Zugriff auf alle Namespaces ermöglicht.

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
NotActions
keine
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Liest controllerrevisions.
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Liest leases.
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Schreibt leases.
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Löscht leases.
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Liest Endpunktelizenzen
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Liest events.
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Liest limitranges.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Liest pods.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Liest nodes.
Microsoft.ContainerService/managedClusters/namespaces/read Liest namespaces.
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Liest resourcequotas.
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Connected Cluster Managed Identity CheckAccess Reader

Integrierte Rolle, mit der eine verwaltete Identität eines verbundenen Clusters die checkAccess-API aufrufen kann

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
NotActions
keine
DataActions
keine
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Agentless Operator

Gewährt Microsoft Defender for Cloud Zugriff auf Azure Kubernetes Services

Weitere Informationen

Aktionen Beschreibung
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write Erstellen oder Aktualisieren von Rollenbindungen für vertrauenswürdigen Zugriff für verwalteten Cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read Abrufen von Rollenbindungen für vertrauenswürdigen Zugriff für verwalteten Cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Löschen von Rollenbindungen für vertrauenswürdigen Zugriff für verwalteten Cluster
Microsoft.ContainerService/managedClusters/read Ruft einen verwalteten Cluster ab.
Microsoft.Features/features/read Ruft die Features eines Abonnements ab.
Microsoft.Features/providers/features/read Ruft das Feature eines Abonnements in einem angegebenen Ressourcenanbieter ab.
Microsoft.Features/providers/features/register/action Registriert das Feature für ein Abonnement in einem angegebenen Ressourcenanbieter.
Microsoft.Security/pricings/securityoperators/read Ruft die Sicherheitsoperatoren für den Bereich ab.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes-Cluster – Azure Arc-Onboarding

Rollendefinition zum Autorisieren eines Benutzers/Diensts zum Erstellen einer connectedClusters-Ressource

Weitere Informationen

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/write Erstellt oder aktualisiert eine Bereitstellung.
Microsoft.Resources/subscriptions/operationresults/read Dient zum Abrufen der Ergebnisse des Abonnementvorgangs.
Microsoft.Resources/subscriptions/read Ruft die Abonnementliste ab.
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.Kubernetes/connectedClusters/Write Schreibt connectedClusters.
Microsoft.Kubernetes/connectedClusters/read Liest connectedClusters.
Microsoft.Support/* Erstellen und Aktualisieren eines Supporttickets
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Mitwirkender für Kubernetes-Erweiterungen

Kann Kubernetes-Erweiterungen erstellen, aktualisieren, abrufen, auflisten und löschen und asynchrone Vorgänge für Kubernetes-Erweiterungen abrufen.

Aktionen Beschreibung
Microsoft.Authorization/*/read Lesen von Rollen und Rollenzuweisungen
Microsoft.Insights/alertRules/* Erstellen und Verwalten einer klassischen Metrikwarnung
Microsoft.Resources/deployments/* Erstellen und Verwalten einer Bereitstellung
Microsoft.Resources/subscriptions/resourceGroups/read Ruft Ressourcengruppen ab oder listet sie auf.
Microsoft.KubernetesConfiguration/extensions/write Hiermit wird eine Erweiterungsressource erstellt oder aktualisiert.
Microsoft.KubernetesConfiguration/extensions/read Hiermit wird die Erweiterungsinstanzressource abgerufen.
Microsoft.KubernetesConfiguration/extensions/delete Hiermit wird die Erweiterungsinstanzressource gelöscht.
Microsoft.KubernetesConfiguration/extensions/operations/read Hiermit wird der Status für einen asynchronen Vorgang abgerufen.
NotActions
keine
DataActions
keine
NotDataActions
keine
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Nächste Schritte