Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows pushing or publishing trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action, except that this is a data action. |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to or pull artifacts from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pulling or getting quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action. |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify the quarantine state of quarantined images |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pulling or getting quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action. |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows writing or updating the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action, except that it is a data action. |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.
| Actions | Description |
| --- | --- |
| Microsoft.Resources/deployments/write | Create or update a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get Subscription Operation Results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential (preview) |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Create or update a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get Subscription Operation Results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Create or update a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get Subscription Operation Results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/* | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Create or update a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get Subscription Operation Results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | Reads services |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Create or update a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get Subscription Operation Results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| none | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Install Azure Container Storage and manage its storage resources. Includes an ABAC condition that constrains which roles can be assigned.
| Actions | Description |
| --- | --- |
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Read Async Operation Status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
| **Actions** | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
| **Condition** | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following role only: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
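As an added example (not Microsoft's code and not part of the original page), the Python below audits role definitions in the JSON shape listed on this page: it applies the Actions/NotActions wildcard subtraction to decide what a role grants, and reads the GuidEquals clause of the Azure Container Storage Contributor condition to confirm that the role can only hand out the Azure Container Storage Operator role. The ROLES dictionary is an abridged copy of the page's definitions (fewer actions, but the GUIDs and the condition are the page's own); the evaluator itself generalises beyond this page to any built-in or custom role definition.

```python
"""Audit Azure RBAC role definitions shaped like the JSON on this page.

Added example, not Microsoft's code. ROLES holds abridged copies of the
page's definitions (fewer actions; the GUIDs and the ABAC condition are
the page's own).
"""
import re
from typing import Dict, List, Optional, Set

def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/'
    segments, and operation names compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def grants(role: dict, operation: str, data_action: bool = False) -> Optional[str]:
    """None if no permission block grants `operation`; otherwise the ABAC
    condition of the first granting block ('' when it is unconditional).
    Inside a block, NotActions/NotDataActions are subtracted from
    Actions/DataActions, so a wildcard grant can still be narrowed."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    for block in role["permissions"]:
        allowed = any(matches(p, operation) for p in block[allow_key])
        denied = any(matches(p, operation) for p in block[deny_key])
        if allowed and not denied:
            return block.get("condition", "")
    return None

def pinned_role_ids(condition: str) -> Set[str]:
    """Role-definition GUIDs that GuidEquals{...} clauses pin the assigned
    RoleDefinitionId to. Conditions write GUIDs without hyphens."""
    return {g.lower() for g in re.findall(r"GuidEquals\{([0-9a-fA-F]{32})\}", condition)}

def assignable_role_names(assigner: dict, catalog: Dict[str, dict]) -> List[str]:
    """Names of catalogued roles `assigner` may hand out through
    roleAssignments/write, honouring a GuidEquals condition when present."""
    condition = grants(assigner, "Microsoft.Authorization/roleAssignments/write")
    if condition is None:
        return []
    if condition == "":
        return sorted(catalog)  # unconditional write: could assign any role
    pinned = pinned_role_ids(condition)
    return sorted(name for name, role in catalog.items()
                  if role["name"].replace("-", "").lower() in pinned)

def _block(actions=(), data_actions=(), **extra) -> dict:
    """One permissions block in the page's JSON shape (helper for ROLES)."""
    return {"actions": list(actions), "notActions": [], "dataActions": list(data_actions),
            "notDataActions": [], **extra}

K8S = "Microsoft.Kubernetes/connectedClusters/"
# Condition copied from the Azure Container Storage Contributor definition above.
ACS_CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))")

ROLES: Dict[str, dict] = {
    "Azure Arc Kubernetes Viewer": {
        "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
        "permissions": [_block(["Microsoft.Authorization/*/read", "Microsoft.Support/*"],
                               [K8S + "configmaps/read", K8S + "pods/read"])]},
    "Azure Arc Kubernetes Writer": {
        "name": "5b999177-9696-4545-85c7-50de3797e5a1",
        "permissions": [_block(["Microsoft.Authorization/*/read", "Microsoft.Support/*"],
                               [K8S + "configmaps/*", K8S + "pods/*", K8S + "secrets/*"])]},
    "Azure Arc Kubernetes Cluster Admin": {
        "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
        "permissions": [_block(["Microsoft.Authorization/*/read"], [K8S + "*"])]},
    "Azure Container Storage Contributor": {
        "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
        "permissions": [
            _block(["Microsoft.KubernetesConfiguration/extensions/write",
                    "Microsoft.Authorization/*/read"]),
            _block(["Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete"],
                   conditionVersion="2.0", condition=ACS_CONDITION)]},
    "Azure Container Storage Operator": {
        "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
        "permissions": [_block(["Microsoft.ElasticSan/elasticSans/*"])]},
}

if __name__ == "__main__":
    secret_read = K8S + "secrets/read"
    for name, role in ROLES.items():
        verdict = grants(role, secret_read, data_action=True)
        print(f"{name}: secrets/read {'granted' if verdict is not None else 'not granted'}")
    print("Contributor may assign:",
          assignable_role_names(ROLES["Azure Container Storage Contributor"], ROLES))
```

Running the script shows that Viewer is the only Arc Kubernetes role of the three that cannot read secrets, and that the Contributor's role-assignment right resolves to exactly one assignable role, which is the check to repeat whenever a custom role copies this condition with a different GUID.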
Azure Container Storage Operator
Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and virtual networks.
| Actions | Description |
| --- | --- |
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a Virtual Machine Scale Set |
| Microsoft.Compute/virtualMachineScaleSets/write | Creates a new Virtual Machine Scale Set or updates an existing one |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a Virtual Machine in a VM Scale Set |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a Virtual Machine in a VM Scale Set |
| Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| **NotActions** | |
| none | |
| **DataActions** | |
| none | |
| **NotDataActions** | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Install Azure Container Storage, grant access to its storage resources, and configure an Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments: the roleAssignments/write and roleAssignments/delete actions in the second permission set are only honoured when the role being assigned (for write, taken from the request) or the role of the existing assignment (for delete, taken from the resource) is Azure Container Storage Operator, so a holder of this role cannot use those actions to grant any other role to themselves or to others.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Reads the status of an async operation. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | Lists management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Support/* | Create and update support tickets |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Creates a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Deletes a role assignment at the specified scope. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following role: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
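The ABAC condition carried by both the Azure Container Storage Contributor and the Azure Container Storage Owner role above is easy to misread, so here is an added example (not Microsoft code and not part of the original page) that parses that condition text and re-evaluates its logic offline. It assumes the condition is a conjunction of clauses of the exact shape shown on this page (`(!(ActionMatches{...})) OR (@Request|@Resource[...RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{...})`) and that `GuidEquals` compares GUID values, so the bare-hex spelling inside the condition and the hyphenated `name` in the role JSON denote the same role. The placeholder GUID `11111111-...` used for "some other role" is constructed for the example.

```python
"""Offline model of the ABAC condition on roleAssignments/write and /delete
in the Azure Container Storage Contributor and Owner roles.  Added example,
not Microsoft code; it calls no Azure API.

Assumptions: the condition is an AND of clauses of the form
  (!(ActionMatches{'<action>'})) OR
  (@Request|@Resource[...RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{<guid>[, <guid>]})
and GuidEquals compares GUID values, not their textual spelling."""

import re
import uuid
from typing import Optional

WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# Condition copied verbatim from the Azure Container Storage Owner definition
# on this page (the Contributor definition carries identical text).
OWNER_CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
)

CLAUSE = re.compile(
    r"\(!\(ActionMatches\{'(?P<action>[^']+)'\}\)\)\s+OR\s+"
    r"\(@(?P<source>Request|Resource)"
    r"\[Microsoft\.Authorization/roleAssignments:RoleDefinitionId\]\s+"
    r"ForAnyOfAnyValues:GuidEquals\{(?P<guids>[^}]+)\}\)"
)


def normalize_guid(value: str) -> str:
    """Canonical hyphenated lowercase GUID.  Accepts the bare 32-hex form used
    inside the condition, the hyphenated 'name' from the role JSON, and a full
    '/providers/Microsoft.Authorization/roleDefinitions/<guid>' resource ID."""
    return str(uuid.UUID(value.rsplit("/", 1)[-1]))


def parse_condition(condition: str) -> list:
    """Return one (action, attribute source, allowed role GUIDs) tuple per clause."""
    clauses = []
    for m in CLAUSE.finditer(condition):
        allowed = frozenset(normalize_guid(g.strip()) for g in m["guids"].split(","))
        clauses.append((m["action"], m["source"], allowed))
    if not clauses:
        raise ValueError("condition is not in the ActionMatches/GuidEquals shape this model supports")
    return clauses


def condition_allows(condition: str, action: str,
                     request_role_definition_id: Optional[str] = None,
                     resource_role_definition_id: Optional[str] = None) -> bool:
    """Evaluate the condition for one request.

    A write is judged on the role in the request body (the assignment being
    created); a delete is judged on the role of the existing assignment (the
    resource).  Any other action is named by no clause, so every clause's
    '!(ActionMatches{...})' half is true and the condition passes."""
    attributes = {"Request": request_role_definition_id,
                  "Resource": resource_role_definition_id}
    for clause_action, source, allowed in parse_condition(condition):
        if action.lower() != clause_action.lower():
            continue
        value = attributes[source]
        if value is None or normalize_guid(value) not in allowed:
            return False
    return True


if __name__ == "__main__":
    other_role = "11111111-1111-1111-1111-111111111111"  # constructed placeholder, not a real role
    print(condition_allows(OWNER_CONDITION, WRITE, request_role_definition_id="08d4c71a-cc63-4ce4-a9c8-5dd251b4d619"))
    print(condition_allows(OWNER_CONDITION, WRITE, request_role_definition_id=other_role))
```

Two details worth checking in a review: a delete is evaluated against the existing assignment's role (`@Resource`), so the role named in the request body plays no part in it, and a write with no RoleDefinitionId at all fails the `GuidEquals` half of the clause rather than passing by default.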
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. This is control-plane access only; it has no DataActions, so it does not by itself grant access to Kubernetes objects in the hub cluster.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage deployments |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster: it provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Unlike the RBAC Writer role, it also covers Roles and RoleBindings in the namespace, and like it, it covers Secrets. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. The single wildcard data action Microsoft.ContainerService/fleets/* covers every object kind, Secrets and RBAC objects included, regardless of namespace.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
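The RBAC Reader and RBAC Writer descriptions above turn on one question a reviewer has to answer from the action lists: which of the Fleet Manager RBAC roles can read Secrets on the hub cluster. Answering it means applying Azure RBAC wildcard matching to the DataActions. The following is an added example (not Microsoft code and not part of the original page) that implements that matching and runs it over excerpts of the Reader, Writer and Cluster Admin definitions from this page. It assumes that `*` in an action pattern matches any run of characters including `/`, that comparison is case-insensitive, and that a data action is effective when some `dataActions` entry matches it and no `notDataActions` entry in the same role does. The "Constructed Fleet Writer Without Secrets" role is made up for the example to show the `notDataActions` carve-out; it is not a built-in role.

```python
"""Wildcard matching of Azure RBAC action strings, applied to the Fleet
Manager RBAC roles on this page to find which of them can read Kubernetes
Secrets on the hub cluster.  Added example, not Microsoft code.

Assumptions: '*' in a role's action pattern matches any run of characters,
'/' included; comparison is case-insensitive; a data action is effective
when some dataActions entry matches it and no notDataActions entry does."""

import re

SECRETS_READ = "Microsoft.ContainerService/fleets/secrets/read"

# Excerpts of the dataActions of three role definitions on this page; only
# the entries needed for the Secrets question are reproduced.
FLEET_ROLES = [
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
     "dataActions": ["Microsoft.ContainerService/fleets/configmaps/read",
                     "Microsoft.ContainerService/fleets/serviceaccounts/read"],
     "notDataActions": []},
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
     "dataActions": ["Microsoft.ContainerService/fleets/configmaps/*",
                     "Microsoft.ContainerService/fleets/secrets/*",
                     "Microsoft.ContainerService/fleets/serviceaccounts/*"],
     "notDataActions": []},
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
     "dataActions": ["Microsoft.ContainerService/fleets/*"],
     "notDataActions": []},
]

# Constructed custom-role shape (not a built-in role): a fleet-wide wildcard
# with Secrets carved out through notDataActions.
CONSTRUCTED_NO_SECRETS_ROLE = {
    "roleName": "Constructed Fleet Writer Without Secrets",
    "dataActions": ["Microsoft.ContainerService/fleets/*"],
    "notDataActions": ["Microsoft.ContainerService/fleets/secrets/*"],
}


def action_matches(pattern: str, action: str) -> bool:
    """True when the RBAC pattern (which may contain '*') covers the action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants_data_action(role: dict, action: str) -> bool:
    """Effective permission = matched by dataActions and not by notDataActions."""
    allowed = any(action_matches(p, action) for p in role.get("dataActions", []))
    denied = any(action_matches(p, action) for p in role.get("notDataActions", []))
    return allowed and not denied


def roles_granting(roles: list, action: str) -> list:
    """Sorted names of the roles whose effective data actions include `action`."""
    return sorted(r["roleName"] for r in roles if grants_data_action(r, action))


if __name__ == "__main__":
    for name in roles_granting(FLEET_ROLES + [CONSTRUCTED_NO_SECRETS_ROLE], SECRETS_READ):
        print(name)
```

The carve-out in the constructed role only subtracts within that one role definition: Azure RBAC unions the permissions of every role a principal holds, so a `notDataActions` entry in one role does not block the same action granted by another role on the same principal (that would need a deny assignment, which this page does not cover).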
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action. Although the role contains only control-plane actions and no DataActions, the kubeconfig returned by listAdminKubeconfig carries the cluster's admin credential, so an assignment of this role should be treated as cluster-admin access to the provisioned cluster.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action. The kubeconfig returned by listUserKubeconfig authenticates the caller as a Microsoft Entra (AAD) user, so what it can do inside the cluster is decided by the cluster's own Kubernetes RBAC rather than by this role.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Services hybrid clusters.
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Reads operationStatuses |
Microsoft.HybridContainerService/Operations/read | Reads Operations |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported Kubernetes versions from the underlying custom location |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the Kubernetes version resource type |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the Kubernetes version resource type |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pool in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Reads upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location |
Microsoft.HybridContainerService/skus/write | Puts the VM SKU resource type |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKU resource type |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the Hybrid AKS virtual networks by subscription |
Microsoft.HybridContainerService/virtualNetworks/write | Patches the Hybrid AKS virtual network |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the Hybrid AKS virtual network |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List cluster user credentials |
Microsoft.AzureStackHCI/clusters/read | Gets clusters |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action.
Action | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/runcommand/action | Run user issued command against managed kubernetes server. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Action | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Action | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerService/locations/* | Read the available locations for ContainerService resources |
Microsoft.ContainerService/managedClusters/* | Create and manage managed clusters |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage managed cluster snapshots |
Microsoft.ContainerService/snapshots/* | Create and manage snapshots |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Reads services |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
Action | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user/service to create connectedClusters resource
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Read Async Operation Status. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}