Compartir vía


Roles integrados de Azure para contenedores

En este artículo se enumeran los roles integrados de Azure en la categoría Contenedores.

AcrDelete

Permite eliminar repositorios, etiquetas o manifiestos de un registro de contenedor.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/artifacts/delete Eliminar artefacto de un registro de contenedor.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Permite insertar imágenes de confianza en un registro de contenedor habilitado para la confianza en el contenido, así como extraerlas de dicho registro.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/sign/write Inserta o extrae metadatos de confianza en el contenido para un registro de contenedor.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Permite insertar o publicar colecciones de confianza de contenido del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/sign/write, salvo que se trata de una acción de datos.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Permite extraer artefactos de un registro de contenedor.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/pull/read Extrae u obtiene imágenes de un registro de contenedor.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Permite insertar artefactos en un registro de contenedor, así como extraerlos.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/pull/read Extrae u obtiene imágenes de un registro de contenedor.
Microsoft.ContainerRegistry/registries/push/write Inserta o escribe imágenes en un registro de contenedor.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Permite extraer imágenes en cuarentena de un registro de contenedor.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/quarantine/read Extrae u obtiene imágenes en cuarentena de un registro de contenedor
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Permite extraer u obtener los artefactos en cuarentena del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/quarantine/read, salvo que se trata de una acción de datos.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Permite insertar imágenes en cuarentena en un registro de contenedor, así como extraerlas.

Más información

Acciones Descripción
Microsoft.ContainerRegistry/registries/quarantine/read Extrae u obtiene imágenes en cuarentena de un registro de contenedor
Microsoft.ContainerRegistry/registries/quarantine/write Escribe o modifica el estado de cuarentena de las imágenes que estén en cuarentena
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Permite extraer u obtener los artefactos en cuarentena del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/quarantine/read, salvo que se trata de una acción de datos.
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Permite escribir o actualizar el estado de cuarentena de los artefactos en cuarentena. Se parece a Microsoft.ContainerRegistry/registries/quarantine/write, salvo que se trata de una acción de datos.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de usuario del clúster de Kubernetes habilitado para Azure Arc

Permite enumerar las acciones de credenciales de usuario de clúster.

Acciones Descripción
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action Enumeración de la credencial de clusterUser (versión preliminar)
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Enumera la credencial de usuario de clúster.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de Azure Arc Kubernetes

Permite administrar todos los recursos en un clúster o espacio de nombres, excepto actualizar o eliminar cuotas de recursos y espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Escribe localsubjectaccessreviews.
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Lee limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Lee espacios de nombres.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lee resourcequotas.
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de clústeres de Azure Arc Kubernetes

Permite administrar todos los recursos del clúster.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Visor de Azure Arc Kubernetes

Permite ver todos los recursos del clúster o espacio de nombres, excepto los secretos.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Lee daemonsets.
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Lee implementaciones.
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Lee replicasets.
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Lee statefulsets.
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Lee horizontalpodautoscalers.
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Lee cronjobs.
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Lee trabajos.
Microsoft.Kubernetes/connectedClusters/configmaps/read Lee configmaps.
Microsoft.Kubernetes/connectedClusters/endpoints/read Lee puntos de conexión.
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Lee daemonsets.
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Lee implementaciones.
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Lee entradas.
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Lee networkpolicies.
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Lee replicasets.
Microsoft.Kubernetes/connectedClusters/limitranges/read Lee limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Lee espacios de nombres.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Lee entradas.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Lee networkpolicies.
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Lee persistentvolumeclaims.
Microsoft.Kubernetes/connectedClusters/pods/read Lee pods.
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Lee poddisruptionbudgets.
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Lee replicationcontrollers.
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Lee replicationcontrollers.
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lee resourcequotas.
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Lee serviceaccounts.
Microsoft.Kubernetes/connectedClusters/services/read Lee servicios.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Escritor de Azure Arc Kubernetes

Le permite actualizar todo el contenido del clúster o el espacio de nombres, excepto los roles (del clúster) y los enlaces de roles (del clúster).

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/events/read Lee eventos.
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Lee limitranges.
Microsoft.Kubernetes/connectedClusters/namespaces/read Lee espacios de nombres.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lee resourcequotas.
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de Azure Container Storage

Instale Azure Container Storage y administre sus recursos de almacenamiento. Incluye una condición de ABAC para restringir las asignaciones de roles.

Acciones Descripción
Microsoft.KubernetesConfiguration/extensions/write Crea o actualiza un recurso de extensión.
Microsoft.KubernetesConfiguration/extensions/read Obtiene el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/delete Elimina el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtiene el estado de la operación asincrónica.
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Management/managementGroups/read Enumera los grupos de administración del usuario autenticado.
Microsoft.Resources/deployments/* Creación y administración de una implementación
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
none
NotDataActions
none
Acciones
Microsoft.Authorization/roleAssignments/write Crea una asignación de roles en el ámbito especificado.
Microsoft.Authorization/roleAssignments/delete Elimine una asignación de roles en el ámbito especificado.
NotActions
none
DataActions
none
NotDataActions
none
Condición
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Agregue o quite asignaciones de roles para los roles siguientes:
Operador de Azure Container Storage
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de Azure Container Storage

Habilite una identidad administrada para realizar operaciones de Azure Container Storage, como administrar máquinas virtuales y administrar redes virtuales.

Acciones Descripción
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/asyncoperations/read Sondea el estado de una operación asincrónica.
Microsoft.Network/routeTables/join/action Unirse a una tabla de rutas. No genera alertas.
Microsoft.Network/networkSecurityGroups/join/action Se une a un grupo de seguridad de red. No genera alertas.
Microsoft.Network/virtualNetworks/write Crea una red virtual o actualiza una que ya existe
Microsoft.Network/virtualNetworks/delete Elimina una red virtual
Microsoft.Network/virtualNetworks/join/action Se une a una red virtual. No genera alertas.
Microsoft.Network/virtualNetworks/subnets/read Obtiene una definición de subred de red virtual
Microsoft.Network/virtualNetworks/subnets/write Crea una subred de red virtual o actualiza una que ya existe
Microsoft.Compute/virtualMachines/read Obtención de las propiedades de una máquina virtual
Microsoft.Compute/virtualMachines/write Crea una nueva máquina virtual o actualiza una existente
Microsoft.Compute/virtualMachineScaleSets/read Obtiene las propiedades de un conjunto de escalado de máquinas virtuales.
Microsoft.Compute/virtualMachineScaleSets/write Crea un nuevo conjunto de escalado de máquinas virtuales o actualiza uno ya existente.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write Actualiza las propiedades de una máquina virtual en un conjunto de escalado de máquinas virtuales.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Recupera las propiedades de una máquina virtual de un conjunto de escalado de máquinas virtuales
Microsoft.Resources/subscriptions/providers/read Obtiene o enumera los proveedores de recursos.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Network/virtualNetworks/read Obtiene la definición de red virtual
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Propietario de Azure Container Storage

Instale Azure Container Storage, conceda acceso a sus recursos de almacenamiento y configure la red de área de almacenamiento elástica (SAN) de Azure. Incluye una condición de ABAC para restringir las asignaciones de roles.

Acciones Descripción
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
Microsoft.ElasticSan/locations/asyncoperations/read Sondea el estado de una operación asincrónica.
Microsoft.KubernetesConfiguration/extensions/write Crea o actualiza un recurso de extensión.
Microsoft.KubernetesConfiguration/extensions/read Obtiene el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/delete Elimina el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtiene el estado de la operación asincrónica.
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Management/managementGroups/read Enumera los grupos de administración del usuario autenticado.
Microsoft.Resources/deployments/* Creación y administración de una implementación
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
none
NotDataActions
none
Acciones
Microsoft.Authorization/roleAssignments/write Crea una asignación de roles en el ámbito especificado.
Microsoft.Authorization/roleAssignments/delete Elimine una asignación de roles en el ámbito especificado.
NotActions
none
DataActions
none
NotDataActions
none
Condición
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Agregue o quite asignaciones de roles para los roles siguientes:
Operador de Azure Container Storage
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol colaborador de Fleet Manager de Azure Kubernetes

Concede acceso de lectura y escritura a los recursos de Azure proporcionados por Azure Kubernetes Fleet Manager, incluidas las flotas, los miembros de la flota, las estrategias de actualización de flota, las ejecuciones de actualizaciones de flota, etc.

Acciones Descripción
Microsoft.ContainerService/fleets/*
Microsoft.Resources/deployments/* Creación y administración de una implementación
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de RBAC de Azure Kubernetes Fleet Manager

Concede acceso de lectura y escritura a los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas: proporciona permisos de escritura en la mayoría de los objetos de un espacio de nombres, con la excepción del objeto ResourceQuota y el propio objeto de espacio de nombres. Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/fleets/read Obtiene la flota
Microsoft.ContainerService/fleets/listCredentials/action Enumera las credenciales de flota.
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Escribe localsubjectaccessreviews.
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lee eventos.
Microsoft.ContainerService/fleets/events/read Lee eventos.
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Lee limitranges.
Microsoft.ContainerService/fleets/namespaces/read Lee espacios de nombres.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Lee resourcequotas.
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de clústeres de RBAC de Azure Kubernetes Fleet Manager

Concede acceso de lectura y escritura a todos los recursos de Kubernetes del clúster del centro administrado por flotas.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/fleets/read Obtiene la flota
Microsoft.ContainerService/fleets/listCredentials/action Enumera las credenciales de flota.
NotActions
none
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lector de RBAC de Azure Kubernetes Fleet Manager

Concede acceso de solo lectura a la mayoría de los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas. No permite la visualización de roles o enlaces de roles. Este rol no permite visualización de secretos, ya que leer el contenido de estos permite el acceso a las credenciales de ServiceAccount en el espacio de nombres, que permitiría el acceso a la API como cualquier ServiceAccount en el espacio de nombres (una forma de elevación de privilegios). Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/fleets/read Obtiene la flota
Microsoft.ContainerService/fleets/listCredentials/action Enumera las credenciales de flota.
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/read Lee daemonsets.
Microsoft.ContainerService/fleets/apps/deployments/read Lee implementaciones.
Microsoft.ContainerService/fleets/apps/statefulsets/read Lee statefulsets.
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Lee horizontalpodautoscalers.
Microsoft.ContainerService/fleets/batch/cronjobs/read Lee cronjobs.
Microsoft.ContainerService/fleets/batch/jobs/read Lee trabajos.
Microsoft.ContainerService/fleets/configmaps/read Lee configmaps.
Microsoft.ContainerService/fleets/endpoints/read Lee puntos de conexión.
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lee eventos.
Microsoft.ContainerService/fleets/events/read Lee eventos.
Microsoft.ContainerService/fleets/extensions/daemonsets/read Lee daemonsets.
Microsoft.ContainerService/fleets/extensions/deployments/read Lee implementaciones.
Microsoft.ContainerService/fleets/extensions/ingresses/read Lee entradas.
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Lee networkpolicies.
Microsoft.ContainerService/fleets/limitranges/read Lee limitranges.
Microsoft.ContainerService/fleets/namespaces/read Lee espacios de nombres.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Lee entradas.
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Lee networkpolicies.
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Lee persistentvolumeclaims.
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Lee poddisruptionbudgets.
Microsoft.ContainerService/fleets/replicationcontrollers/read Lee replicationcontrollers.
Microsoft.ContainerService/fleets/replicationcontrollers/read Lee replicationcontrollers.
Microsoft.ContainerService/fleets/resourcequotas/read Lee resourcequotas.
Microsoft.ContainerService/fleets/serviceaccounts/read Lee serviceaccounts.
Microsoft.ContainerService/fleets/services/read Lee servicios.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Escritor de RBAC de Azure Kubernetes Fleet Manager

Concede acceso de lectura y escritura a la mayoría de los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas. Este rol no permite la visualización o modificación de roles o enlaces de roles. Pero este rol permite acceder a secretos como cualquier ServiceAccount en el espacio de nombres, por lo que se puede usar para obtener los niveles de acceso de la API de cualquier ServiceAccount en el espacio de nombres.  Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/fleets/read Obtiene la flota
Microsoft.ContainerService/fleets/listCredentials/action Enumera las credenciales de flota.
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lee eventos.
Microsoft.ContainerService/fleets/events/read Lee eventos.
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Lee limitranges.
Microsoft.ContainerService/fleets/namespaces/read Lee espacios de nombres.
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Lee resourcequotas.
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de administrador de clústeres de Azure Kubernetes Service Arc

Enumerar la acción de credenciales administrativas del clúster.

Más información

Acciones Descripción
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado.
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action Enumera las credenciales de administrador de una instancia de clúster aprovisionada que solo se usa en modo directo.
Microsoft.Kubernetes/connectedClusters/Read Lee connectedClusters.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de usuario de clúster de Azure Kubernetes Service Arc

Enumerar la acción de credenciales de usuario del clúster.

Más información

Acciones Descripción
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado.
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action Enumera las credenciales de usuario de AAD de una instancia de clúster aprovisionada que solo se usa en modo directo.
Microsoft.Kubernetes/connectedClusters/Read Lee connectedClusters.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de colaborador de Azure Kubernetes Service Arc

Concede acceso para leer y escribir clústeres híbridos de Azure Kubernetes Services

Más información

Acciones Descripción
Microsoft.HybridContainerService/Locations/operationStatuses/read read operationStatuses
Microsoft.HybridContainerService/Operations/read Operaciones de lectura
Microsoft.HybridContainerService/kubernetesVersions/read Enumera las versiones de Kubernetes admitidas desde la ubicación personalizada subyacente.
Microsoft.HybridContainerService/kubernetesVersions/write Coloca el tipo de recurso de versión de Kubernetes
Microsoft.HybridContainerService/kubernetesVersions/delete Eliminación del tipo de recurso de versiones de Kubernetes
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado.
Microsoft.HybridContainerService/provisionedClusterInstances/write Crea la instancia de clúster aprovisionada de AKS híbrido.
Microsoft.HybridContainerService/provisionedClusterInstances/delete Elimina la instancia de clúster aprovisionada de AKS híbrido.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read Obtiene los grupos de agentes en la instancia de clúster aprovisionada de AKS híbrido.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write Actualiza el grupo de agentes en la instancia de clúster aprovisionada de AKS híbrido.
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete Elimina el grupo de agentes en la instancia de clúster aprovisionada de AKS híbrido.
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read leer upgradeProfiles
Microsoft.HybridContainerService/skus/read Enumera las SKU de máquina virtual admitidas de la ubicación personalizada subyacente.
Microsoft.HybridContainerService/skus/write Coloca el tipo de recurso SKU de máquina virtual
Microsoft.HybridContainerService/skus/delete Elimina el tipo de recurso SKU de máquina virtual.
Microsoft.HybridContainerService/virtualNetworks/read Enumera las redes virtuales de AKS híbridas por suscripción
Microsoft.HybridContainerService/virtualNetworks/write Revisiones de la red virtual de AKS híbrida
Microsoft.HybridContainerService/virtualNetworks/delete Elimina la red virtual de AKS híbrida.
Microsoft.ExtendedLocation/customLocations/deploy/action Implementación de permisos en un recurso de ubicación personalizada
Microsoft.ExtendedLocation/customLocations/read Obtiene un recurso de ubicación personalizada.
Microsoft.Kubernetes/connectedClusters/Read Lee connectedClusters.
Microsoft.Kubernetes/connectedClusters/Write Escribe connectedClusters.
Microsoft.Kubernetes/connectedClusters/Delete Elimina connectedClusters.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Enumera la credencial de usuario de clúster.
Microsoft.AzureStackHCI/clusters/read Obtiene clústeres.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de administrador de clúster de Azure Kubernetes Service

Enumerar la acción de credenciales administrativas del clúster.

Más información

Acciones Descripción
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Muestra la credencial clusterAdmin de un clúster administrado.
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Obtiene el perfil de acceso de un clúster administrados por nombre de rol mediante las credenciales de la lista
Microsoft.ContainerService/managedClusters/read Obtiene un clúster administrado
Microsoft.ContainerService/managedClusters/runcommand/action Ejecuta un comando emitido por el usuario en un servidor de Kubernetes administrado.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Usuario de supervisión de clústeres de Azure Kubernetes Service

Enumerar la acción de credenciales de usuario de supervisión del clúster.

Acciones Descripción
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action Enumera la credencial clusterMonitoringUser de un clúster administrado.
Microsoft.ContainerService/managedClusters/read Obtiene un clúster administrado
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de usuario de clúster de Azure Kubernetes Service

Enumerar la acción de credenciales de usuario del clúster.

Más información

Acciones Descripción
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Muestra la credencial clusterUser de un clúster administrado.
Microsoft.ContainerService/managedClusters/read Obtiene un clúster administrado
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rol de colaborador de Azure Kubernetes Service

Concede acceso de lectura y escritura a los clústeres de Azure Kubernetes Service

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.ContainerService/locations/* Leer ubicaciones disponibles para los recursos de ContainerService
Microsoft.ContainerService/managedClusters/* Creación y administración de un clúster administrado
Microsoft.ContainerService/managedclustersnapshots/* Creación y administración de una instantánea de clúster administrado
Microsoft.ContainerService/snapshots/* Creación y administración de una instantánea
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/* Creación y administración de una implementación
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de Azure Kubernetes Service RBAC

Permite administrar todos los recursos en un clúster o espacio de nombres, excepto actualizar o eliminar cuotas de recursos y espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Muestra la credencial clusterUser de un clúster administrado.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Escribe resourcequotas.
Microsoft.ContainerService/managedClusters/resourcequotas/delete Elimina resourcequotas.
Microsoft.ContainerService/managedClusters/namespaces/write Escribe espacios de nombres.
Microsoft.ContainerService/managedClusters/namespaces/delete Elimina espacios de nombres.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de clúster de Azure Kubernetes Service RBAC

Permite administrar todos los recursos del clúster.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Muestra la credencial clusterUser de un clúster administrado.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lector de Azure Kubernetes Service RBAC

Permite el acceso de solo lectura para ver la mayoría de los objetos en un espacio de nombres. No permite la visualización de roles o enlaces de roles. Este rol no permite visualización de secretos, ya que leer el contenido de estos permite el acceso a las credenciales de ServiceAccount en el espacio de nombres, que permitiría el acceso a la API como cualquier ServiceAccount en el espacio de nombres (una forma de elevación de privilegios). Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Lee daemonsets.
Microsoft.ContainerService/managedClusters/apps/deployments/read Lee implementaciones.
Microsoft.ContainerService/managedClusters/apps/replicasets/read Lee replicasets.
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Lee statefulsets.
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Lee horizontalpodautoscalers.
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Lee cronjobs.
Microsoft.ContainerService/managedClusters/batch/jobs/read Lee trabajos.
Microsoft.ContainerService/managedClusters/configmaps/read Lee configmaps.
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Lee los puntos de conexiónlices.
Microsoft.ContainerService/managedClusters/endpoints/read Lee puntos de conexión.
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Lee eventos.
Microsoft.ContainerService/managedClusters/events/read Lee eventos.
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Lee daemonsets.
Microsoft.ContainerService/managedClusters/extensions/deployments/read Lee implementaciones.
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Lee entradas.
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Lee networkpolicies.
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Lee replicasets.
Microsoft.ContainerService/managedClusters/limitranges/read Lee limitranges.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Lee pods.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Lee nodos.
Microsoft.ContainerService/managedClusters/namespaces/read Lee espacios de nombres.
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Lee entradas.
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Lee networkpolicies.
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Lee persistentvolumeclaims.
Microsoft.ContainerService/managedClusters/pods/read Lee pods.
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Lee poddisruptionbudgets.
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Lee replicationcontrollers.
Microsoft.ContainerService/managedClusters/resourcequotas/read Lee resourcequotas.
Microsoft.ContainerService/managedClusters/serviceaccounts/read Lee serviceaccounts.
Microsoft.ContainerService/managedClusters/services/read Lee servicios.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Escritor de Azure Kubernetes Service RBAC

Permite el acceso de lectura y escritura para ver la mayoría de los objetos en un espacio de nombres. Este rol no permite la visualización o modificación de roles o enlaces de roles. Sin embargo, este rol permite acceder a secretos y ejecutar pods como cualquier ServiceAccount en el espacio de nombres, por lo que se puede usar para obtener los niveles de acceso de la API de cualquier ServiceAccount en el espacio de nombres. Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Lee controllerrevisions.
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Lee concesiones.
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Escribe concesiones.
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Elimina concesiones.
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Lee los puntos de conexiónlices.
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Lee eventos.
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Lee limitranges.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Lee pods.
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Lee nodos.
Microsoft.ContainerService/managedClusters/namespaces/read Lee espacios de nombres.
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Lee resourcequotas.
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lector checkAccess de identidad administrada del clúster conectado

Rol integrado que permite que una identidad administrada del clúster conectado llame a la API checkAccess

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador sin agente de Kubernetes

Concede a Microsoft Defender for Cloud acceso a Azure Kubernetes Services

Más información

Acciones Descripción
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write Creación o actualización de enlaces de rol de acceso de confianza para un clúster administrado
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read Obtención de enlaces de rol de acceso de confianza para un clúster administrado
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Eliminación de enlaces de rol de acceso de confianza para un clúster administrado
Microsoft.ContainerService/managedClusters/read Obtiene un clúster administrado
Microsoft.Features/features/read Obtiene las características de una suscripción.
Microsoft.Features/providers/features/read Obtiene la característica de una suscripción de un proveedor de recursos determinado.
Microsoft.Features/providers/features/register/action Registra la característica de una suscripción de un proveedor de recursos determinado.
Microsoft.Security/pricings/securityoperators/read Obtiene los operadores de seguridad para el ámbito.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Clúster de Kubernetes: incorporación de Azure Arc

Definición de roles para permitir crear el recurso connectedClusters a cualquier usuario o servicio

Más información

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/write Crea o actualiza una implementación.
Microsoft.Resources/subscriptions/operationresults/read Obtiene los resultados de la operación de suscripción.
Microsoft.Resources/subscriptions/read Obtiene la lista de suscripciones.
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.Kubernetes/connectedClusters/Write Escribe connectedClusters.
Microsoft.Kubernetes/connectedClusters/read Lee connectedClusters.
Microsoft.Support/* Creación y actualización de una incidencia de soporte técnico
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Extension Contributor

Puede crear, actualizar, obtener, enumerar y eliminar extensiones de Kubernetes y obtener operaciones asincrónicas de extensión.

Acciones Descripción
Microsoft.Authorization/*/read Leer roles y asignaciones de roles
Microsoft.Insights/alertRules/* Creación y administración de una alerta de métricas clásica
Microsoft.Resources/deployments/* Creación y administración de una implementación
Microsoft.Resources/subscriptions/resourceGroups/read Obtiene o enumera los grupos de recursos.
Microsoft.KubernetesConfiguration/extensions/write Crea o actualiza un recurso de extensión.
Microsoft.KubernetesConfiguration/extensions/read Obtiene el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/delete Elimina el recurso de instancia de extensión.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtiene el estado de la operación asincrónica.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Pasos siguientes