Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | Push/pull content trust metadata for a container registry. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action. |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or get images from a container registry. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to or pull artifacts from a container registry.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or write images to a container registry. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or get quarantined images from a container registry. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action. |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.

| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or get quarantined images from a container registry. |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write or modify the quarantine state of quarantined images. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action. |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action. |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.

| Actions | Description |
|---|---|
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Lists clusterUser credentials (preview). |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Lists clusterUser credentials. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.

| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.

| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets. |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments. |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets. |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs. |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs. |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps. |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints. |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets. |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments. |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses. |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies. |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets. |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
| Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods. |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts. |
| Microsoft.Kubernetes/connectedClusters/services/read | Reads services. |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.

| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Lets you install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.

| Actions | Description |
|---|---|
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Gets async operation status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
| **Actions** | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
| **Condition** | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Operator
Enables a managed identity to perform Azure Container Storage operations, such as managing virtual machines and virtual networks.

| Actions | Description |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network. |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network. |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition. |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet. |
| Microsoft.Compute/virtualMachines/read | Gets the properties of a virtual machine. |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine. |
| Microsoft.Compute/virtualMachineScaleSets/read | Gets the properties of a Virtual Machine Scale Set. |
| Microsoft.Compute/virtualMachineScaleSets/write | Creates a new Virtual Machine Scale Set or updates an existing one. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a virtual machine in a VM Scale Set. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a virtual machine in a VM Scale Set. |
| Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Lets you install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments.

| Actions | Description |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Gets async operation status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
| **Actions** | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| *none* | |
| **NotDataActions** | |
| *none* | |
| **Condition** | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
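The condition in the second permission block above is what keeps this role from being a privilege-escalation path: `roleAssignments/write` is granted, but only when the role definition being assigned is the Azure Container Storage Operator role (its GUID appears in the condition without hyphens, which is how Azure's condition language spells GUIDs; `GuidEquals` compares GUID values, so the hyphenated ID from the role JSON is the same value). The following is an added example, not code from this page or from Azure, that models the two clauses of that condition in Python so you can see which assignment requests pass. It assumes the RoleDefinitionId attribute is supplied as a string (a bare GUID or a full `.../roleDefinitions/<guid>` resource ID); Azure's real evaluator additionally enforces assignment scope and deny assignments, which are not modelled here.

```python
import uuid

# Role definition IDs taken from the page. Azure's condition language writes
# GUIDs without hyphens; GuidEquals compares GUID values, not strings.
OPERATOR_ROLE_GUID = "08d4c71acc634ce4a9c85dd251b4d619"   # Azure Container Storage Operator
OWNER_ROLE_GUID = "95de85bd-744d-4664-9dde-11430bc34793"   # Azure Container Storage Owner

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
ROLE_ASSIGNMENT_DELETE = "Microsoft.Authorization/roleAssignments/delete"
# The only operations the conditioned permission block grants.
BLOCK_ACTIONS = {ROLE_ASSIGNMENT_WRITE.lower(), ROLE_ASSIGNMENT_DELETE.lower()}


def _guid_of(role_definition_id: str) -> uuid.UUID:
    """Accept a bare GUID or a full .../roleDefinitions/<guid> resource ID.
    (Assumption of this model: the attribute arrives as a string.)"""
    return uuid.UUID(role_definition_id.rstrip("/").rsplit("/", 1)[-1])


def guid_equals(a: str, b: str) -> bool:
    """GuidEquals: equal GUID values, regardless of hyphens or letter case."""
    return _guid_of(a) == _guid_of(b)


def for_any_of_any_values_guid_equals(values, allowed) -> bool:
    """ForAnyOfAnyValues:GuidEquals{...}: any attribute value equals any listed GUID."""
    return any(guid_equals(v, g) for v in values for g in allowed)


def action_matches(action: str, pattern: str) -> bool:
    """ActionMatches{...}: Azure operation names compare case-insensitively.
    The page's condition uses literal names, so wildcards are not modelled."""
    return action.lower() == pattern.lower()


def condition_allows(action, request_role_def_ids=(), resource_role_def_ids=()):
    """Clause-for-clause model of the page's condition:
      (!ActionMatches{write} OR @Request[RoleDefinitionId] GuidEquals {Operator})
      AND (!ActionMatches{delete} OR @Resource[RoleDefinitionId] GuidEquals {Operator})
    @Request[...] is the assignment being created; @Resource[...] is the
    existing assignment being deleted."""
    write_clause = (not action_matches(action, ROLE_ASSIGNMENT_WRITE)) or \
        for_any_of_any_values_guid_equals(request_role_def_ids, [OPERATOR_ROLE_GUID])
    delete_clause = (not action_matches(action, ROLE_ASSIGNMENT_DELETE)) or \
        for_any_of_any_values_guid_equals(resource_role_def_ids, [OPERATOR_ROLE_GUID])
    return write_clause and delete_clause


def owner_role_permits(action, request_role_def_ids=(), resource_role_def_ids=()):
    """Effective decision for the Owner role's second permission block: the
    operation must be one the block grants AND the condition must hold."""
    if action.lower() not in BLOCK_ACTIONS:
        return False
    return condition_allows(action, request_role_def_ids, resource_role_def_ids)


if __name__ == "__main__":
    # Constructed requests, not real Azure traffic.
    print(owner_role_permits(ROLE_ASSIGNMENT_WRITE, ["08d4c71a-cc63-4ce4-a9c8-5dd251b4d619"]))  # True
    print(owner_role_permits(ROLE_ASSIGNMENT_WRITE, [OWNER_ROLE_GUID]))                          # False
    print(owner_role_permits(ROLE_ASSIGNMENT_DELETE, resource_role_def_ids=[OWNER_ROLE_GUID]))   # False
```

The two things worth noticing when reviewing a conditioned role like this one: the write clause is evaluated against the request (what is about to be created) while the delete clause is evaluated against the existing resource, and a request for any operation the block does not grant at all never reaches the condition. The condition is only as strong as the `actions` list it is attached to.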
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to the Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, and so on.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage deployments. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster. Provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets a fleet. |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets a fleet. |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets a fleet. |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs. |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs. |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps. |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints. |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts. |
Microsoft.ContainerService/fleets/services/read | Reads services. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, it does allow reading Secrets, and therefore the token of any ServiceAccount in the namespace, so it can be used to gain the API access level of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets a fleet. |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instance associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of the provisioned cluster instance (used only in direct mode). |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instance associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of the provisioned cluster instance (used only in direct mode). |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Services hybrid clusters.
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Reads operationStatuses |
Microsoft.HybridContainerService/Operations/read | Reads operations |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported Kubernetes versions for the underlying custom location. |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the Kubernetes versions resource type |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the Kubernetes versions resource type |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instance associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates a hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pool of the hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool of the hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool of the hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Reads upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs for the underlying custom location. |
Microsoft.HybridContainerService/skus/write | Puts the VM SKU resource type |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKU resource type |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the hybrid AKS virtual networks by subscription |
Microsoft.HybridContainerService/virtualNetworks/write | Patches the hybrid AKS virtual network |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the hybrid AKS virtual network |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a custom location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a custom location resource |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
Microsoft.AzureStackHCI/clusters/read | Gets clusters |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action. Besides returning the clusterAdmin kubeconfig, this role can also execute commands inside the cluster through runcommand/action, so treat it as full control of the cluster rather than a credential-read role.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/runcommand/action | Run a user-issued command against the managed Kubernetes server. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
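The three credential-listing roles above (Cluster Admin Role, Cluster Monitoring User, Cluster User Role) differ only in which `listCluster*Credential/action` they carry, and a role assignment at a parent scope (resource group, subscription) reaches every cluster below it. The script below audits who can fetch a kubeconfig for one cluster. It is an added example, not code from this page or from Microsoft: the role entries are copied from the built-in role definitions on this page (the AKS Contributor Role is included because its `managedClusters/*` wildcard also matches `listClusterAdminCredential/action`), while the subscription, resource group, cluster IDs, principal names and assignments are constructed sample data in the shape of `az role assignment list --all -o json`, reduced to the fields used here.

```python
"""Audit which principals can fetch kubeconfig credentials for one AKS cluster.

Added example; not code from this page or from Microsoft. The role entries are
copied from the built-in role definitions listed above. The subscription,
resource group, cluster IDs, principal names and assignments are constructed
sample data (shape of `az role assignment list --all -o json`, fields used here).
"""
from fnmatch import fnmatchcase

MC = "Microsoft.ContainerService/managedClusters/"
ADMIN_CRED = MC + "listClusterAdminCredential/action"
USER_CRED = MC + "listClusterUserCredential/action"

# Control-plane actions of three roles from this page, keyed by role definition GUID.
ROLE_DEFINITIONS = {
    "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8": {
        "roleName": "Azure Kubernetes Service Cluster Admin Role",
        "actions": [ADMIN_CRED, MC + "accessProfiles/listCredential/action",
                    MC + "read", MC + "runcommand/action"],
        "notActions": [],
    },
    "4abbcc35-e782-43d8-92c5-2d3f1bd2253f": {
        "roleName": "Azure Kubernetes Service Cluster User Role",
        "actions": [USER_CRED, MC + "read"],
        "notActions": [],
    },
    "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8": {
        "roleName": "Azure Kubernetes Service Contributor Role",
        # Other entries of this role omitted; the wildcard is the one that matters here.
        "actions": [MC + "*"],
        "notActions": [],
    },
}

# Constructed sample scope hierarchy (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
CLUSTER_ID = RG + "/providers/" + MC + "aks-prod"


def _role_def_id(guid):
    return SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + guid


# Constructed sample assignments. "erin" is assigned on a cluster whose name is a
# string prefix of the target's name; a naive startswith() check would include her.
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "scope": CLUSTER_ID,
     "roleDefinitionId": _role_def_id("4abbcc35-e782-43d8-92c5-2d3f1bd2253f")},
    {"principalName": "bob@example.com", "scope": RG,
     "roleDefinitionId": _role_def_id("0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8")},
    {"principalName": "carol@example.com", "scope": SUB,
     "roleDefinitionId": _role_def_id("ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8")},
    {"principalName": "dave@example.com", "scope": RG + "/providers/" + MC + "aks-dev",
     "roleDefinitionId": _role_def_id("0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8")},
    {"principalName": "erin@example.com", "scope": RG + "/providers/" + MC + "aks-pro",
     "roleDefinitionId": _role_def_id("0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8")},
]


def role_grants(role, action):
    """Azure RBAC allow rule for one role definition: the operation must match an
    Actions pattern and must not match a NotActions pattern. '*' spans '/'
    segments, which is why managedClusters/* covers listClusterAdminCredential."""
    op = action.lower()
    hit = lambda patterns: any(fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["actions"]) and not hit(role["notActions"])


def scope_covers(scope, resource_id):
    """An assignment applies to the resource at its scope and everything below it.
    Resource IDs are case-insensitive, and the match must end on a '/' boundary."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def principals_with_action(assignments, resource_id, action, role_defs=ROLE_DEFINITIONS):
    """Sorted principals whose assignments grant `action` on `resource_id`.
    An unknown role definition aborts the audit instead of being silently skipped."""
    found = set()
    for a in assignments:
        guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if guid not in role_defs:
            raise LookupError(f"unresolved role definition {guid}; fetch it before trusting this report")
        if scope_covers(a["scope"], resource_id) and role_grants(role_defs[guid], action):
            found.add(a["principalName"])
    return sorted(found)


if __name__ == "__main__":
    for label, action in (("cluster-admin kubeconfig", ADMIN_CRED), ("clusterUser kubeconfig", USER_CRED)):
        print(f"{label}: {', '.join(principals_with_action(ASSIGNMENTS, CLUSTER_ID, action))}")
```

On the sample data the cluster-admin credential is reachable by bob (Cluster Admin Role inherited from the resource group) and carol (the Contributor wildcard at subscription scope), not only by holders of the role named for it. The check ignores deny assignments and role-assignment conditions, so treat its output as a candidate list. The admin kubeconfig this action returns is a local (non-Microsoft Entra) credential; on clusters where local accounts are disabled, `listClusterAdminCredential` is refused, which is the usual way to close this path.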
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters. Because `Microsoft.ContainerService/managedClusters/*` is a wildcard, this role also covers `listClusterAdminCredential/action` and `runcommand/action`, so it can obtain cluster-admin credentials.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerService/locations/* | Read available locations for ContainerService resources |
Microsoft.ContainerService/managedClusters/* | Create and manage managed clusters |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage managed cluster snapshots |
Microsoft.ContainerService/snapshots/* | Create and manage snapshots |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under the cluster/namespace, except updating or deleting resource quotas and namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas. |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas. |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces. |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces. |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments. |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets. |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets. |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs. |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs. |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices. |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints. |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments. |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets. |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes. |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts. |
Microsoft.ContainerService/managedClusters/services/read | Reads services. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, it allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access level of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices. |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes. |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
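The four RBAC roles above (RBAC Admin, RBAC Cluster Admin, RBAC Reader, RBAC Writer) show the two mechanics that decide what a Kubernetes data-plane request is allowed: a `*` wildcard in DataActions, and NotDataActions carving entries back out of it. The evaluator below makes those rules explicit and encodes the privilege-escalation caveat in the Reader and Writer descriptions (Secrets hold ServiceAccount tokens; creating Pods lets you run as any ServiceAccount). It is an added example, not code from this page or from Microsoft; the role entries are copied from the definitions on this page, trimmed to the lines used here (the full lists are in the JSON above), and the role and operation names are the page's own.

```python
"""Evaluate Kubernetes data-plane operations against the AKS RBAC roles above.

Added example; not code from this page or from Microsoft. Role entries are
copied from the RBAC Admin, RBAC Cluster Admin, RBAC Reader and RBAC Writer
definitions on this page, trimmed to the entries used here.
"""
from fnmatch import fnmatchcase

MC = "Microsoft.ContainerService/managedClusters/"

ROLES = {
    "Azure Kubernetes Service RBAC Admin": {
        "actions": [MC + "listClusterUserCredential/action"],
        "notActions": [],
        "dataActions": [MC + "*"],
        "notDataActions": [MC + "resourcequotas/write", MC + "resourcequotas/delete",
                           MC + "namespaces/write", MC + "namespaces/delete"],
    },
    "Azure Kubernetes Service RBAC Cluster Admin": {
        "actions": [MC + "listClusterUserCredential/action"],
        "notActions": [],
        "dataActions": [MC + "*"],
        "notDataActions": [],
    },
    "Azure Kubernetes Service RBAC Reader": {  # trimmed to the entries used here
        "actions": [], "notActions": [],
        "dataActions": [MC + "configmaps/read", MC + "namespaces/read",
                        MC + "pods/read", MC + "serviceaccounts/read"],
        "notDataActions": [],
    },
    "Azure Kubernetes Service RBAC Writer": {  # trimmed to the entries used here
        "actions": [], "notActions": [],
        "dataActions": [MC + "configmaps/*", MC + "namespaces/read", MC + "pods/*",
                        MC + "secrets/*", MC + "serviceaccounts/*"],
        "notDataActions": [],
    },
}


def _hit(op, patterns):
    # Azure operation names are case-insensitive; '*' matches across '/' segments.
    return any(fnmatchcase(op.lower(), p.lower()) for p in patterns)


def allows(role, op, data=True):
    """One role definition allows `op` when it matches the allow list and no Not*
    entry of that same definition. Control-plane (ARM) actions and data actions
    are evaluated against separate lists, so the caller picks which pair applies."""
    allow, deny = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    return _hit(op, role[allow]) and not _hit(op, role[deny])


def effective(assigned, op, data=True):
    """Union over all of a principal's assignments. NotDataActions only carve a hole
    in their own role's wildcard; they are not deny rules, so a second assigned
    role can grant the same operation back."""
    return any(allows(ROLES[name], op, data) for name in assigned)


def serviceaccount_escalation_paths(role):
    """The two routes the Reader and Writer descriptions warn about: reading Secrets
    (ServiceAccount tokens) or creating Pods that run as any ServiceAccount."""
    paths = []
    if allows(role, MC + "secrets/read"):
        paths.append("read Secrets")
    if allows(role, MC + "pods/write"):
        paths.append("create Pods")
    return paths


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(f"{name}: namespaces/delete={allows(role, MC + 'namespaces/delete')}, "
              f"escalation={serviceaccount_escalation_paths(role) or 'none'}")
```

Two results are worth noting. RBAC Admin is denied `namespaces/delete` by its own NotDataActions, but a principal that also holds RBAC Cluster Admin gets it back, because Azure RBAC unions assignments and NotDataActions are not deny assignments. And while the Reader has no path to ServiceAccount tokens, the Writer has both (`secrets/*` and `pods/*`), which is exactly why its description says it can reach the API access level of any ServiceAccount in the namespace; granting it at cluster scope extends that to every namespace.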
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete a trusted access role binding for a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user/service to create connectedClusters resources.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Reads connectedClusters |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets async operation status. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}