컨테이너에 대한 Azure 기본 제공 역할
이 문서에서는 컨테이너 범주의 Azure 기본 제공 역할을 나열합니다.
AcrDelete
컨테이너 레지스트리에서 리포지토리, 태그 또는 매니페스트를 삭제합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | 컨테이너 레지스트리에서 아티팩트를 삭제합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
콘텐츠 신뢰가 사용하도록 설정된 컨테이너 레지스트리에 신뢰할 수 있는 이미지를 푸시하거나 가져옵니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | 컨테이너 레지스트리에 대한 콘텐츠 신뢰 메타데이터를 푸시/풀합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | 컨테이너 레지스트리 콘텐츠의 신뢰할 수 있는 컬렉션을 푸시하거나 게시할 수 있습니다. 이는 데이터 작업이라는 점을 제외하고 Microsoft.ContainerRegistry/registries/sign/write 작업과 유사합니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
컨테이너 레지스트리에서 아티팩트를 가져옵니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 컨테이너 레지스트리에서 이미지를 끌어오거나 가져옵니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
컨테이너 레지스트리에 아티팩트를 푸시하거나 가져옵니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 컨테이너 레지스트리에서 이미지를 끌어오거나 가져옵니다. |
| Microsoft.ContainerRegistry/registries/push/write | 컨테이너 레지스트리에 이미지를 푸시하거나 씁니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
컨테이너 레지스트리에서 격리된 이미지를 끌어옵니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 컨테이너 레지스트리에서 격리된 이미지 끌어오기 또는 가져오기 |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 컨테이너 레지스트리에서 격리된 아티팩트를 끌어오거나 가져올 수 있습니다. 이는 데이터 작업이라는 점을 제외하고 Microsoft.ContainerRegistry/registries/quarantine/read와 유사합니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
격리된 이미지를 컨테이너 레지스트리로 푸시하거나 컨테이너 레지스트리에서 가져옵니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 컨테이너 레지스트리에서 격리된 이미지 끌어오기 또는 가져오기 |
| Microsoft.ContainerRegistry/registries/quarantine/write | 격리된 이미지의 격리 상태 작성/수정 |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 컨테이너 레지스트리에서 격리된 아티팩트를 끌어오거나 가져올 수 있습니다. 이는 데이터 작업이라는 점을 제외하고 Microsoft.ContainerRegistry/registries/quarantine/read와 유사합니다. |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | 격리된 아티팩트의 격리 상태를 작성하거나 업데이트할 수 있습니다. 이는 데이터 작업이라는 점을 제외하고 Microsoft.ContainerRegistry/registries/격리/쓰기 작업과 유사합니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc 지원 Kubernetes 클러스터 사용자 역할
클러스터 사용자 자격 증명 작업을 나열합니다.
| actions | 설명 |
|---|---|
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | clusterUser 자격 증명(미리 보기)을 나열합니다. |
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | clusterUser 자격 증명 나열 |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 관리자
리소스 할당량 및 네임스페이스 업데이트 또는 삭제를 제외하고 클러스터/네임스페이스의 모든 리소스를 관리할 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/복제본(replica)sets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | localsubjectaccessreviews를 씁니다. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | limitranges를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 클러스터 관리자
클러스터의 모든 리소스를 관리할 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 뷰어
비밀을 제외하고 클러스터/네임스페이스의 모든 리소스를 볼 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | deployments를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/복제본(replica)sets/read | replicasets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | statefulsets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | horizontalpodautoscalers를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | cronjobs를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | 작업을 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | configmaps를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | 엔드포인트를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | deployments를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | ingresses를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/복제본(replica)sets/read | replicasets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | limitranges를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | ingresses를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | persistentvolumeclaims를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/pods/read | pods를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | poddisruptionbudgets를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/복제본(replica)tioncontrollers/read | replicationcontrollers를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/복제본(replica)tioncontrollers/read | replicationcontrollers를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | serviceaccounts를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/services/read | services를 읽습니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 작성자
(클러스터)역할 및 (클러스터)역할 바인딩을 제외하고 클러스터/네임스페이스의 모든 항목을 업데이트할 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/복제본(replica)sets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/events/read | events를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | limitranges를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager 기여자 역할
플릿, 플릿 멤버, 함대 업데이트 전략, 플릿 업데이트 실행 등을 포함하여 Azure Kubernetes Fleet Manager에서 제공하는 Azure 리소스에 대한 읽기/쓰기 권한을 부여합니다.
| actions | 설명 |
|---|---|
| Microsoft.ContainerService/fleets/* | |
| Microsoft.Resources/deployments/* | 배포를 만들고 관리합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC 관리자
Fleet 관리형 허브 클러스터의 네임스페이스 내에서 Kubernetes 리소스에 대한 읽기/쓰기 권한을 부여합니다. ResourceQuota 개체와 네임스페이스 개체 자체를 제외하고 네임스페이스 내의 대부분의 개체에 대한 쓰기 권한을 제공합니다. 클러스터 범위에서 이 역할을 적용하면 모든 네임스페이스에 대한 액세스 권한이 부여됩니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/fleets/read | 플릿을 가져옵니다. |
| Microsoft.ContainerService/fleets/listCredentials/action | 플릿 자격 증명을 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | localsubjectaccessreviews를 씁니다. |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | limitranges를 읽습니다. |
| Microsoft.ContainerService/fleets/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC 클러스터 관리자
플릿 관리형 허브 클러스터의 모든 Kubernetes 리소스에 대한 읽기/쓰기 권한을 부여합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/fleets/read | 플릿을 가져옵니다. |
| Microsoft.ContainerService/fleets/listCredentials/action | 플릿 자격 증명을 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/fleets/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC 읽기 권한자
Fleet 관리형 허브 클러스터의 네임스페이스 내에서 대부분의 Kubernetes 리소스에 대한 읽기 전용 액세스 권한을 부여합니다. 역할이나 역할 바인딩 보기는 허용되지 않습니다. 비밀의 콘텐츠를 읽으면 네임스페이스의 ServiceAccount 자격 증명에 액세스할 수 있으므로 이 역할은 비밀 보기를 허용하지 않습니다. 그러면 네임스페이스의 모든 ServiceAccount로 API 액세스가 허용됩니다(권한 상승의 한 형태). 클러스터 범위에서 이 역할을 적용하면 모든 네임스페이스에 대한 액세스 권한이 부여됩니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/fleets/read | 플릿을 가져옵니다. |
| Microsoft.ContainerService/fleets/listCredentials/action | 플릿 자격 증명을 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.ContainerService/fleets/apps/deployments/read | deployments를 읽습니다. |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | statefulsets를 읽습니다. |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | horizontalpodautoscalers를 읽습니다. |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | cronjobs를 읽습니다. |
| Microsoft.ContainerService/fleets/batch/jobs/read | 작업을 읽습니다. |
| Microsoft.ContainerService/fleets/configmaps/read | configmaps를 읽습니다. |
| Microsoft.ContainerService/fleets/endpoints/read | 엔드포인트를 읽습니다. |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/deployments/read | deployments를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | ingresses를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.ContainerService/fleets/limitranges/read | limitranges를 읽습니다. |
| Microsoft.ContainerService/fleets/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | ingresses를 읽습니다. |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | persistentvolumeclaims를 읽습니다. |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | poddisruptionbudgets를 읽습니다. |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | replicationcontrollers를 읽습니다. |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | replicationcontrollers를 읽습니다. |
| Microsoft.ContainerService/fleets/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.ContainerService/fleets/serviceaccounts/read | serviceaccounts를 읽습니다. |
| Microsoft.ContainerService/fleets/services/read | services를 읽습니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC 작성자
Fleet 관리형 허브 클러스터의 네임스페이스 내에서 대부분의 Kubernetes 리소스에 대한 읽기/쓰기 권한을 부여합니다. 이 역할은 보기 또는 수정 역할 또는 역할 바인딩을 허용하지 않습니다. 그러나 이 역할을 사용하여 네임스페이스의 ServiceAccount로 비밀에 액세스할 수 있으므로 네임스페이스에 있는 모든 ServiceAccount의 API 액세스 수준을 얻을 수 있습니다. 클러스터 범위에서 이 역할을 적용하면 모든 네임스페이스에 대한 액세스 권한이 부여됩니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/fleets/read | 플릿을 가져옵니다. |
| Microsoft.ContainerService/fleets/listCredentials/action | 플릿 자격 증명을 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/events/read | events를 읽습니다. |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | limitranges를 읽습니다. |
| Microsoft.ContainerService/fleets/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 클러스터 관리자 역할
클러스터 관리자 자격 증명 작업을 나열합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerService/managedClusters/listCluster관리Credential/action | 관리형 클러스터의 클러스터관리 자격 증명 나열 |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | 목록 자격 증명을 사용하여 역할 이름으로 관리형 클러스터 액세스 프로필 가져오기 |
| Microsoft.ContainerService/managedClusters/read | 관리형 클러스터 가져오기 |
| Microsoft.ContainerService/managedClusters/runcommand/action | 관리되는 kubernetes 서버에 대해 사용자가 실행한 명령을 실행합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 클러스터 모니터링 사용자
클러스터 모니터링 사용자 자격 증명 작업을 나열합니다.
| actions | 설명 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | 관리형 클러스터의 clusterMonitoringUser 자격 증명을 나열합니다. |
| Microsoft.ContainerService/managedClusters/read | 관리형 클러스터 가져오기 |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 클러스터 사용자 역할
클러스터 사용자 자격 증명 작업을 나열합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 관리형 클러스터의 clusterUser 자격 증명 나열 |
| Microsoft.ContainerService/managedClusters/read | 관리형 클러스터 가져오기 |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 기여자 역할
Azure Kubernetes Service 클러스터를 읽고 쓰기 위한 액세스 권한을 부여합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerService/managedClusters/read | 관리형 클러스터 가져오기 |
| Microsoft.ContainerService/managedClusters/write | 새 관리형 클러스터를 만들거나 기존 클러스터를 업데이트합니다. |
| Microsoft.Resources/deployments/* | 배포를 만들고 관리합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 관리자
리소스 할당량 및 네임스페이스 업데이트 또는 삭제를 제외하고 클러스터/네임스페이스의 모든 리소스를 관리할 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 관리형 클러스터의 clusterUser 자격 증명 나열 |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | resourcequotas를 씁니다. |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | resourcequotas를 삭제합니다. |
| Microsoft.ContainerService/managedClusters/namespaces/write | 네임스페이스를 씁니다. |
| Microsoft.ContainerService/managedClusters/namespaces/delete | 네임스페이스를 삭제합니다. |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 클러스터 관리자
클러스터의 모든 리소스를 관리할 수 있습니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 관리형 클러스터의 clusterUser 자격 증명 나열 |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 읽기 권한자
네임스페이스에 있는 대부분의 개체를 볼 수 있는 읽기 전용 권한을 허용합니다. 역할이나 역할 바인딩 보기는 허용되지 않습니다. 비밀의 콘텐츠를 읽으면 네임스페이스의 ServiceAccount 자격 증명에 액세스할 수 있으므로 이 역할은 비밀 보기를 허용하지 않습니다. 그러면 네임스페이스의 모든 ServiceAccount로 API 액세스가 허용됩니다(권한 상승의 한 형태). 클러스터 범위에서 이 역할을 적용하면 모든 네임스페이스에 대한 액세스 권한이 부여됩니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | deployments를 읽습니다. |
| Microsoft.ContainerService/managedClusters/apps/복제본(replica)sets/read | replicasets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | statefulsets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | horizontalpodautoscalers를 읽습니다. |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | cronjobs를 읽습니다. |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | 작업을 읽습니다. |
| Microsoft.ContainerService/managedClusters/configmaps/read | configmaps를 읽습니다. |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 엔드포인트를 읽습니다. |
| Microsoft.ContainerService/managedClusters/endpoints/read | 엔드포인트를 읽습니다. |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.ContainerService/managedClusters/events/read | events를 읽습니다. |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | daemonsets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | deployments를 읽습니다. |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | ingresses를 읽습니다. |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.ContainerService/managedClusters/extensions/복제본(replica)sets/read | replicasets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/limitranges/read | limitranges를 읽습니다. |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | pods를 읽습니다. |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | nodes를 읽습니다. |
| Microsoft.ContainerService/managedClusters/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | ingresses를 읽습니다. |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | networkpolicies를 읽습니다. |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | persistentvolumeclaims를 읽습니다. |
| Microsoft.ContainerService/managedClusters/pods/read | pods를 읽습니다. |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | poddisruptionbudgets를 읽습니다. |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | replicationcontrollers를 읽습니다. |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | serviceaccounts를 읽습니다. |
| Microsoft.ContainerService/managedClusters/services/read | services를 읽습니다. |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 쓰기 권한자
네임스페이스에 있는 대부분의 개체에 대해 읽기/쓰기 액세스 권한을 허용합니다. 이 역할은 보기 또는 수정 역할 또는 역할 바인딩을 허용하지 않습니다. 하지만 이 역할을 사용하면 네임스페이스의 모든 ServiceAccount로 보안 비밀에 액세스하고 Pod를 실행할 수 있으므로 네임스페이스에 있는 모든 ServiceAccount의 API 액세스 수준을 얻는 데 사용할 수 있습니다. 클러스터 범위에서 이 역할을 적용하면 모든 네임스페이스에 대한 액세스 권한이 부여됩니다.
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | controllerrevisions를 읽습니다. |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/복제본(replica)sets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | 임대를 읽습니다. |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | 임대를 씁니다. |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | 임대를 삭제합니다. |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 엔드포인트를 읽습니다. |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | events를 읽습니다. |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/복제본(replica)sets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | limitranges를 읽습니다. |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | pods를 읽습니다. |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | nodes를 읽습니다. |
| Microsoft.ContainerService/managedClusters/namespaces/read | 네임스페이스를 읽습니다. |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | resourcequotas를 읽습니다. |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 에이전트 없는 운영자
Azure Kubernetes Services에 대한 클라우드용 Microsoft Defender 액세스 권한을 부여합니다.
| 작업 | 설명 |
|---|---|
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | 관리형 클러스터에 대한 신뢰할 수 있는 액세스 역할 바인딩 만들기 또는 업데이트 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | 관리형 클러스터에 대한 신뢰할 수 있는 액세스 역할 바인딩 가져오기 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | 관리형 클러스터에 대한 신뢰할 수 있는 액세스 역할 바인딩 삭제 |
| Microsoft.ContainerService/managedClusters/read | 관리형 클러스터 가져오기 |
| Microsoft.Features/features/read | 구독의 기능을 가져옵니다. |
| Microsoft.Features/providers/features/read | 지정된 리소스 공급자에서 구독의 기능을 가져옵니다. |
| Microsoft.Features/providers/features/register/action | 지정된 리소스 공급자에 구독에 대한 기능을 등록합니다. |
| Microsoft.Security/pricings/securityoperators/read | 범위에 대한 보안 연산자를 가져옵니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 클러스터 - Azure Arc 온보딩
ConnectedClusters 리소스를 만들기 위해 모든 사용자/서비스에 권한을 부여하는 역할 정의
| 작업 | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/write | 배포를 만들거나 업데이트합니다. |
| Microsoft.Resources/subscriptions/operationresults/read | 구독 작업 결과를 가져옵니다. |
| Microsoft.Resources/subscriptions/read | 구독 목록을 가져옵니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.Kubernetes/connectedClusters/Write | connectedClusters를 씁니다. |
| Microsoft.Kubernetes/connectedClusters/read | connectedClusters 읽기 |
| Microsoft.Support/* | 지원 티켓을 만들거나 업데이트합니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 확장 기여자
Kubernetes 확장을 만들고, 업데이트하고, 가져오고, 나열 및 삭제하고, 확장 비동기 작업을 가져올 수 있습니다.
| actions | 설명 |
|---|---|
| Microsoft.Authorization/*/read | 역할 및 역할 할당 읽기 |
| Microsoft.Insights/alertRules/* | 클래식 메트릭 경고를 만들고 관리합니다. |
| Microsoft.Resources/deployments/* | 배포를 만들고 관리합니다. |
| Microsoft.Resources/subscriptions/resourceGroups/read | 리소스 그룹을 가져오거나 나열합니다. |
| Microsoft.KubernetesConfiguration/extensions/write | 확장 리소스를 만들거나 업데이트합니다. |
| Microsoft.KubernetesConfiguration/extensions/read | 확장 인스턴스 리소스를 가져옵니다. |
| Microsoft.KubernetesConfiguration/extensions/delete | 확장 인스턴스 리소스를 삭제합니다. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 비동기 작업 상태 가져옵니다. |
| NotActions | |
| 없음 | |
| DataActions | |
| 없음 | |
| NotDataActions | |
| 없음 |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}