Peran bawaan Azure untuk Kontainer
Artikel ini mencantumkan peran bawaan Azure dalam kategori Kontainer.
AcrDelete
Hapus repositori, tag, atau manifes dari registri kontainer.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/registries/artefak/hapus | Hapus artefak dalam registri kontainer. |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Dorong gambar tepercaya ke atau tarik gambar tepercaya dari registri kontainer yang diaktifkan untuk kepercayaan konten.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/daftar/masuk/tulis | Dorong/Tarik metadata kepercayaan konten untuk registri kontainer. |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Memungkinkan untuk mendorong atau menerbitkan koleksi tepercaya dari konten registri kontainer. Hal ini mirip dengan tindakan microsoft.ContainerRegistry/registries/sign/write namun ini adalah tindakan data |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Tarik artefak dari registri kontainer.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/daftar/tarik/baca | Tarik atau Dapatkan gambar dari registri kontainer. |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Dorong artefak ke atau tarik artefak dari registri kontainer.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/daftar/tarik/baca | Tarik atau Dapatkan gambar dari registri kontainer. |
Microsoft.ContainerRegistry/registries/push/write | Mendorong atau Menulis gambar ke registri kontainer. |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Tarik gambar yang dikarantina dari registri kontainer.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/daftar/karantina/baca | Tarik atau Dapatkan gambar yang dikarantina dari registri kontainer |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Memungkinkan untuk menarik ataupun mendapatkan artefak yang dikarantina dari registri kontainer. Hal ini mirip dengan Microsoft.ContainerRegistry/registries/quarantine/read namun itu adalah tindakan data |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Dorong gambar yang dikarantina ke atau tarik gambar yang dikarantina dari registri kontainer.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerRegistry/daftar/karantina/baca | Tarik atau Dapatkan gambar yang dikarantina dari registri kontainer |
Microsoft.ContainerRegistry/daftar/karantina/tulis | Menulis/Memodifikasi status karantina gambar yang dikarantina |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Memungkinkan untuk menarik ataupun mendapatkan artefak yang dikarantina dari registri kontainer. Hal ini mirip dengan Microsoft.ContainerRegistry/registries/quarantine/read namun itu adalah tindakan data |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Memungkinkan untuk menulis atau memperbarui status karantina artefak yang dikarantina. Hal ini mirip dengan Microsoft.ContainerRegistry/registries/quarantine/write action namun itu adalah tindakan data |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Pengguna Klaster Kubernetes Yang Diaktifkan Azure Arc
Tindakan buat daftar kredensial pengguna kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/tindakan | Mencantumkan kredensial clusterUser(pratinjau) |
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Daftar kredensial Pengguna cluster |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin Kubernetes Azure Arc
Memungkinkan Anda mengelola semua sumber daya dalam kluster/namespace layanan, kecuali memperbarui atau menghapus kuota dan namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/baca | Membaca controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/penyebaran/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/tulis | Menulis localsubjectaccessreviews |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/pekerjaan/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/ekstensi/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/penyebaran/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/baca | Membaca limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/baca | Membaca namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/baca | Membaca resourcequotas |
Microsoft.Kubernetes/connectedClusters/rahasia/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/layanan/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin Klaster Azure Arc Kubernetes
Memungkinkan Anda mengelola semua sumber daya dalam kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Penampil Kubernetes Azure Arc
Memungkinkan Anda melihat semua sumber daya di kluster/namespace, kecuali rahasia.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/baca | Membaca controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/baca | Membaca daemonset |
Microsoft.Kubernetes/connectedClusters/apps/penyebaran/baca | Membaca penyebaran |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/baca | Membaca replicasets |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/baca | Membaca statefulsets |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/baca | Membaca horizontalpodautoscalers |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/baca | Membaca cronjobs |
Microsoft.Kubernetes/connectedClusters/batch/jobs/baca | Membaca pekerjaan |
Microsoft.Kubernetes/connectedClusters/configmaps/baca | Membaca configmaps |
Microsoft.Kubernetes/connectedClusters/endpoints/baca | Membaca titik akhir |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/ekstensi/daemonsets/baca | Membaca daemonset |
Microsoft.Kubernetes/connectedClusters/ekstensi/penyebaran/baca | Membaca penyebaran |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/baca | Membaca ingresses |
Microsoft.Kubernetes/connectedClusters/ekstensi/networkpolicies/baca | Membaca networkpolicies |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/baca | Membaca replicasets |
Microsoft.Kubernetes/connectedClusters/limitranges/baca | Membaca limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/baca | Membaca namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/baca | Membaca ingresses |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/baca | Membaca networkpolicies |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/baca | Membaca persistentvolumeclaims |
Microsoft.Kubernetes/connectedClusters/pods/baca | Membaca Pod |
Microsoft.Kubernetes/connectedClusters/kebijakan/poddisruptionbudgets/baca | Membaca poddisruptionbudgets |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/baca | Membaca replikasikontroler |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/baca | Membaca replikasikontroler |
Microsoft.Kubernetes/connectedClusters/resourcequotas/baca | Membaca resourcequotas |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/baca | Membaca serviceaccounts |
Microsoft.Kubernetes/connectedClusters/layanan/baca | Layanan baca |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Penulis Azure Arc Kubernetes
Memungkinkan Anda memperbarui semuanya di kluster/namespace, kecuali peran (kluster) dan ikatan peran (kluster).
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/baca | Membaca controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/penyebaran/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/pekerjaan/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/acara/baca | Membaca acara |
Microsoft.Kubernetes/connectedClusters/ekstensi/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/penyebaran/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/ekstensi/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/baca | Membaca limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/baca | Membaca namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/baca | Membaca resourcequotas |
Microsoft.Kubernetes/connectedClusters/rahasia/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/layanan/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Kontributor Manajer Armada Azure Kubernetes
Memberikan akses baca/tulis ke sumber daya Azure yang disediakan oleh Azure Kubernetes Fleet Manager, termasuk armada, anggota armada, strategi pembaruan armada, eksekusi pembaruan armada, dll.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin RBAC Manajer Armada Azure Kubernetes
Memberikan akses baca/tulis ke sumber daya Kubernetes dalam namespace di kluster hub yang dikelola armada - memberikan izin tulis pada sebagian besar objek dalam namespace, dengan pengecualian objek ResourceQuota dan objek namespace itu sendiri. Menerapkan peran ini pada lingkup kluster akan memberikan akses ke semua namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/fleets/read | Dapatkan armada |
Microsoft.ContainerService/fleets/listCredentials/action | Mencantumkan kredensial armada |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Membaca controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Menulis localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Membaca acara |
Microsoft.ContainerService/fleets/events/read | Membaca acara |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Membaca limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Membaca namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Membaca resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin Kluster RBAC Manajer Armada Azure Kubernetes
Memberikan akses baca/tulis ke semua sumber daya Kubernetes di kluster hub yang dikelola armada.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/fleets/read | Dapatkan armada |
Microsoft.ContainerService/fleets/listCredentials/action | Mencantumkan kredensial armada |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca RBAC Manajer Armada Azure Kubernetes
Memberikan akses baca-saja ke sebagian besar sumber daya Kubernetes dalam namespace layanan di kluster hub yang dikelola armada. Hal ini tidak mengizinkan untuk menampilkan peran atau pengikatan peran. Peran ini tidak memungkinkan penayangan, karena membaca konten Rahasia memungkinkan akses ke kredensial ServiceAccount di namespace, yang akan memungkinkan akses API sebagai ServiceAccount apa pun di namespace (bentuk eskalasi hak istimewa). Menerapkan peran ini pada lingkup kluster akan memberikan akses ke semua namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/fleets/read | Dapatkan armada |
Microsoft.ContainerService/fleets/listCredentials/action | Mencantumkan kredensial armada |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Membaca controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Membaca daemonset |
Microsoft.ContainerService/fleets/apps/deployments/read | Membaca penyebaran |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Membaca statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Membaca horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Membaca cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Membaca pekerjaan |
Microsoft.ContainerService/fleets/configmaps/read | Membaca configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Membaca titik akhir |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Membaca acara |
Microsoft.ContainerService/fleets/events/read | Membaca acara |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Membaca daemonset |
Microsoft.ContainerService/fleets/extensions/deployments/read | Membaca penyebaran |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Membaca ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Membaca networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Membaca limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Membaca namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Membaca ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Membaca networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Membaca persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Membaca poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Membaca replikasikontroler |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Membaca replikasikontroler |
Microsoft.ContainerService/fleets/resourcequotas/read | Membaca resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Membaca serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Layanan baca |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Penulis RBAC Manajer Armada Azure Kubernetes
Memberikan akses baca/tulis ke sebagian besar sumber daya Kubernetes dalam namespace layanan di kluster hub yang dikelola armada. Peran ini tidak mengizinkan melihat atau memodifikasi peran atau pengikatan peran. Namun, peran ini memungkinkan akses Rahasia sebagai ServiceAccount apa pun di namespace layanan, sehingga dapat digunakan untuk mendapatkan tingkat akses API dari ServiceAccount apa pun di namespace layanan. Menerapkan peran ini pada lingkup kluster akan memberikan akses ke semua namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/fleets/read | Dapatkan armada |
Microsoft.ContainerService/fleets/listCredentials/action | Mencantumkan kredensial armada |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Membaca controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Membaca acara |
Microsoft.ContainerService/fleets/events/read | Membaca acara |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Membaca limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Membaca namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Membaca resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Admin kluster Azure Kubernetes Service
Tindakan buat daftar kredensial admin kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/tindakan | Mencantumkan klusterMenambahkan kredensial kluster terkelola |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/tindakan | Mendapatkan profil akses kluster terkelola berdasarkan nama peran menggunakan info masuk terdaftar |
Microsoft.ContainerService/managedClusters/baca | Mendapatkan kluster terkelola |
Microsoft.ContainerService/managedClusters/runcommand/action | Jalankan perintah yang dikeluarkan pengguna terhadap server kubernetes terkelola. |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Pemantauan Kluster Azure Kubernetes Service
Mencantumkan tindakan kredensial pengguna pemantauan kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Mencantumkan info masuk clusterMonitoringUser dari kluster terkelola |
Microsoft.ContainerService/managedClusters/baca | Mendapatkan kluster terkelola |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Pengguna kluster Azure Kubernetes Service
Tindakan buat daftar kredensial pengguna kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/tindakan | Mencantumkan info masuk clusterUser dari kluster terkelola |
Microsoft.ContainerService/managedClusters/baca | Mendapatkan kluster terkelola |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Kontributor Azure Kubernetes Service
Memberikan akses untuk membaca dan menulis kluster Azure Kubernetes Service
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/managedClusters/baca | Mendapatkan kluster terkelola |
Microsoft.ContainerService/managedClusters/tulis | Membuat kluster terkelola baru atau memperbarui yang sudah ada |
Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin RBAC Azure Kubernetes Service
Memungkinkan Anda mengelola semua sumber daya dalam kluster/namespace layanan, kecuali memperbarui atau menghapus kuota dan namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/tindakan | Mencantumkan info masuk clusterUser dari kluster terkelola |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/tulis | Menulis resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/hapus | Menghapus resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/tulis | Menulis namespaces |
Microsoft.ContainerService/managedClusters/namespaces/hapus | Menghapus namespace |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin Kluster RBAC Azure Kubernetes Service
Memungkinkan Anda mengelola semua sumber daya dalam kluster.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/tindakan | Mencantumkan info masuk clusterUser dari kluster terkelola |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca RBAC Azure Kubernetes Service
Mengizinkan akses baca-saja untuk melihat sebagian besar objek di namespace layanan. Hal ini tidak mengizinkan untuk menampilkan peran atau pengikatan peran. Peran ini tidak memungkinkan penayangan, karena membaca konten Rahasia memungkinkan akses ke kredensial ServiceAccount di namespace, yang akan memungkinkan akses API sebagai ServiceAccount apa pun di namespace (bentuk eskalasi hak istimewa). Menerapkan peran ini pada lingkup kluster akan memberikan akses ke semua namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/managedClusters/aplikasi/controllerrevisions/baca | Membaca controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/baca | Membaca daemonset |
Microsoft.ContainerService/managedClusters/apps/daemonsets/baca | Membaca penyebaran |
Microsoft.ContainerService/managedClusters/apps/daemonsets/baca | Membaca replicasets |
Microsoft.ContainerService/managedClusters/apps/daemonsets/baca | Membaca statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/baca | Membaca horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/baca | Membaca cronjobs |
Microsoft.ContainerService/managedClusters/batch/cronjobs/baca | Membaca pekerjaan |
Microsoft.ContainerService/managedClusters/configmaps/baca | Membaca configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Membaca irisan titik akhir |
Microsoft.ContainerService/managedClusters/endpoints/baca | Membaca titik akhir |
Microsoft.ContainerService/managedClusters/events.k8s.io/acara/baca | Membaca acara |
Microsoft.ContainerService/managedClusters/endpoints/baca | Membaca acara |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/baca | Membaca daemonset |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/baca | Membaca penyebaran |
Microsoft.ContainerService/managedClusters/extensions/ingresses/baca | Membaca ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/baca | Membaca networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/baca | Membaca replicasets |
Microsoft.ContainerService/managedClusters/batasa/baca | Membaca limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Membaca Pod |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/node/read | Membaca simpul |
Microsoft.ContainerService/managedClusters/namespaces/baca | Membaca namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/baca | Membaca ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/baca | Membaca networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/baca | Membaca persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/baca | Membaca Pod |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/baca | Membaca poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/baca | Membaca replikasikontroler |
Microsoft.ContainerService/managedClusters/resourcequotas/tulis | Membaca resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/baca | Membaca serviceaccounts |
Microsoft.ContainerService/managedClusters/layanan/baca | Layanan baca |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Penulis RBAC Azure Kubernetes Service
Mengizinkan akses read/write ke sebagian besar objek dalam sebuah namespace layanan. Peran ini tidak mengizinkan melihat atau memodifikasi peran atau pengikatan peran. Namun, peran ini memungkinkan akses Rahasia dan menjalankan Pod sebagai ServiceAccount mana pun di namespace, sehingga dapat digunakan untuk mendapatkan level akses API dari ServiceAccount apa pun di namespace. Menerapkan peran ini pada lingkup kluster akan memberikan akses ke semua namespace.
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
NotActions | |
Tidak ada | |
DataActions | |
Microsoft.ContainerService/managedClusters/aplikasi/controllerrevisions/baca | Membaca controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/aplikasi/penyebaran/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Membaca sewa |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Menulis sewa |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Menghapus sewa |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Membaca irisan titik akhir |
Microsoft.ContainerService/managedClusters/batch/pekerjaan/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/acara/baca | Membaca acara |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/ekstensi/daemonsets/* | |
Microsoft.ContainerService/managedClusters/ekstensi/penyebaran/* | |
Microsoft.ContainerService/managedClusters/ekstensi/ingresses/* | |
Microsoft.ContainerService/managedClusters/ekstensi/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/batasa/baca | Membaca limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Membaca Pod |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/node/read | Membaca simpul |
Microsoft.ContainerService/managedClusters/namespaces/baca | Membaca namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/tulis | Membaca resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/layanan/* | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operator Tanpa Agen Kubernetes
Memberikan akses Microsoft Defender untuk Cloud ke Azure Kubernetes Services
Tindakan | Deskripsi |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Membuat atau memperbarui pengikatan peran akses tepercaya untuk kluster terkelola |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Mendapatkan pengikatan peran akses tepercaya untuk kluster terkelola |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Menghapus pengikatan peran akses tepercaya untuk kluster terkelola |
Microsoft.ContainerService/managedClusters/baca | Mendapatkan kluster terkelola |
Microsoft.Features/features/read | Mendapatkan fitur langganan. |
Microsoft.Features/penyedia/fitur/baca | Mendapatkan fitur langganan di penyedia sumber daya tertentu. |
Microsoft.Features/providers/features/register/action | Mendaftarkan fitur untuk langganan di penyedia sumber daya tertentu. |
Microsoft.Security/pricings/securityoperators/read | Mendapatkan operator keamanan untuk cakupan |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Klaster Kubernetes - Azure Arc Onboarding
Definisi peran untuk mengotorisasi setiap pengguna/layanan untuk membuat sumber daya connectedClusters
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
Microsoft.Resources/langganan/hasiloperasi/baca | Dapatkan Hasil Operasi Langganan. |
Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.Kubernetes/connectedClusters/Tulis | Menulis connectedClusters |
Microsoft.Kubernetes/connectedClusters/baca | Baca ConnectedClusters |
Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Ekstensi Kubernetes
Dapat membuat, memperbarui, mendapatkan, daftar dan menghapus Ekstensi Kubernetes, dan mendapatkan operasi async ekstensi
Tindakan | Deskripsi |
---|---|
Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
Microsoft.KubernetesConfiguration/extensions/write | Membuat atau memperbarui ekstensi sumber daya. |
Microsoft.KubernetesConfiguration/extensions/read | Mendapatkan sumber daya instans ekstensi. |
Microsoft.KubernetesConfiguration/extensions/delete | Menghapus sumber daya instans ekstensi. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Membaca Status Operasi Async. |
NotActions | |
Tidak ada | |
DataActions | |
Tidak ada | |
NotDataActions | |
Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}