Funções internas do Azure para contêineres
Este artigo lista as funções internas do Azure na categoria Contêineres.
AcrDelete
Exclua repositórios, tags ou manifestos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Excluir o artefato em um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Envie por push ou extraia imagens confiáveis de um registro de contêiner habilitado para a confiança de conteúdo.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/sign/write | Efetuar push/pull de metadados de conteúdo confiável para um registro de contêiner. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Permite o push ou a publicação de coleções confiáveis de conteúdo do registro de contêiner. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/sign/write, exceto pelo fato de ser uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Extraia artefatos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Efetuar pull ou Obter imagens de um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Envie por push ou extraia artefatos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Efetuar pull ou Obter imagens de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/push/write | Efetuar push ou Gravar imagens para um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Extraia imagens em quarentena de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Efetuar pull ou Obter imagens em quarentena do registro de contêiner |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Envie por push ou extraia imagens em quarentena de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Efetuar pull ou Obter imagens em quarentena do registro de contêiner |
Microsoft.ContainerRegistry/registries/quarantine/write | Gravar/Modificar o estado de quarentena das imagens em quarentena |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Permite gravar ou atualizar o estado de quarentena de artefatos em quarentena. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/quarantine/write, exceto pelo fato de ser uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de usuário do cluster Kubernetes habilitada para o Azure Arc
Listar a ação das credenciais do usuário do cluster.
Ações | Descrição |
---|---|
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Listar credencial do clusterUser (versão prévia) |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar credencial clusterUser |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Kubernetes do Azure Arc
Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Grava localsubjectaccessreviews |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Cluster do Kubernetes do Azure Arc
Permite gerenciar todos os recursos no cluster.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Visualizador do Kubernetes do Azure Arc
Permite que você veja todos os recursos no cluster ou namespace, exceto os segredos.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Lê daemonsets |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Lê implantações |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Lê replicasets |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Lê statefulsets |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Lê cronjobs |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Lê trabalhos |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Lê configmaps |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Lê pontos de extremidade |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Lê daemonsets |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Lê implantações |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Lê entradas |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Lê replicasets |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.Kubernetes/connectedClusters/pods/read | Lê pods |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Lê serviceaccounts |
Microsoft.Kubernetes/connectedClusters/services/read | Lê serviços |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador do Kubernetes do Azure Arc
Permite que você atualize tudo no cluster ou namespace, exceto as funções (cluster) e ligações de função (cluster).
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador do Armazenamento de Contêiner do Azure
Instale o Armazenamento de Contêiner do Azure e gerencie seus recursos de armazenamento. Inclui uma condição ABAC para restringir atribuições de função.
Ações | Descrição |
---|---|
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Ações | |
Microsoft.Authorization/roleAssignments/write | Criar uma atribuição de função no escopo especificado. |
Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condição | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador de Armazenamento de Contêiner do Azure
Habilite uma identidade gerenciada para executar operações do Armazenamento de Contêiner do Azure, como gerenciar máquinas virtuais e gerenciar redes virtuais.
Ações | Descrição |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Monitorar o status de uma operação assíncrona. |
Microsoft.Network/routeTables/join/action | Une uma tabela de rotas. Não é possível alertá-lo. |
Microsoft.Network/networkSecurityGroups/join/action | Ingressar em um grupo de segurança de rede. Não é possível alertá-lo. |
Microsoft.Network/virtualNetworks/write | Criar uma rede virtual ou atualizar uma rede virtual existente |
Microsoft.Network/virtualNetworks/delete | Excluir uma rede virtual |
Microsoft.Network/virtualNetworks/join/action | Ingressar em uma rede virtual. Não é possível alertá-lo. |
Microsoft.Network/virtualNetworks/subnets/read | Obter uma definição de sub-rede da rede virtual |
Microsoft.Network/virtualNetworks/subnets/write | Criar uma sub-rede de rede virtual ou atualizar uma sub-rede de rede virtual existente |
Microsoft.Compute/virtualMachines/read | Obter as propriedades de uma máquina virtual |
Microsoft.Compute/virtualMachines/write | Cria uma nova máquina virtual ou atualiza uma máquina virtual existente |
Microsoft.Compute/virtualMachineScaleSets/read | Obter as propriedades de um Conjunto de Dimensionamento de Máquinas Virtuais |
Microsoft.Compute/virtualMachineScaleSets/write | Criar um novo Conjunto de Dimensionamento de Máquinas Virtuais ou atualizar um existente |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Atualizar as propriedades de uma Máquina Virtual em um Conjunto de Dimensionamento de Máquinas Virtuais |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Recuperar as propriedades de uma máquina virtual em um conjunto de dimensionamento de máquinas virtuais |
Microsoft.Resources/subscriptions/providers/read | Obter ou listar provedores de recursos. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Network/virtualNetworks/read | Obter a definição de rede virtual |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Proprietário do Armazenamento de Contêiner do Azure
Instale o Armazenamento de Contêiner do Azure, conceda acesso aos recursos de armazenamento e configure a SAN (rede de área de armazenamento) elástica do Azure. Inclui uma condição ABAC para restringir atribuições de função.
Ações | Descrição |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Monitorar o status de uma operação assíncrona. |
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Ações | |
Microsoft.Authorization/roleAssignments/write | Criar uma atribuição de função no escopo especificado. |
Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condição | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Gerenciador de Frotas do Kubernetes do Azure
Concede acesso de leitura/gravação aos recursos do Azure fornecidos pelo Azure Kubernetes Fleet Manager, incluindo frotas, membros da frota, estratégias de atualização de frota, execuções de atualização de frota etc.
Ações | Descrição |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação aos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota - fornece permissões de gravação na maioria dos objetos em um namespace, com exceção do objeto ResourceQuota e do próprio objeto do namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Grava localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do cluster de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação a todos os recursos do Kubernetes no cluster de hub gerenciado pela frota.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso somente leitura à maioria dos recursos do Kubernetes em um namespace no cluster de hub gerenciado pela frota. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Lê implantações |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Lê statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Lê cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Lê trabalhos |
Microsoft.ContainerService/fleets/configmaps/read | Lê configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Lê pontos de extremidade |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Lê implantações |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Lê entradas |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Lê serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Lê serviços |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação à maioria dos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar segredos como qualquer conta de serviço no namespace, portanto, pode ser usada para obter os níveis de acesso da API de uma conta de serviço no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de administrador de cluster do Arc do Serviço de Kubernetes do Azure
Liste a ação de credencial de administrador de cluster.
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lista as credenciais de administrador de uma instância de cluster provisionada usada somente no modo direto. |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de usuário do Arc Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de usuário de cluster.
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lista as credenciais de usuário do AAD de uma instância de cluster provisionada usada somente no modo direto. |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Arc do Serviço de Kubernetes do Azure
Concede acesso para ler e gravar clusters híbridos dos Serviços de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | ler operationStatuses |
Microsoft.HybridContainerService/Operations/read | leia Operações |
Microsoft.HybridContainerService/kubernetesVersions/read | Lista as versões do Kubernetes com suporte do local personalizado subjacente |
Microsoft.HybridContainerService/kubernetesVersions/write | Coloca o tipo de recurso de versão do kubernetes |
Microsoft.HybridContainerService/kubernetesVersions/delete | Excluir o tipo de recurso de versões do kubernetes |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Cria a instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Exclui a instância do cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Obtém os pools de agentes na instância de cluster provisionado do AKS Híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Atualiza o pool de agentes na instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Exclui o pool de agentes na instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | leia upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lista os SKUs de VM com suporte do local personalizado subjacente |
Microsoft.HybridContainerService/skus/write | Coloca o tipo de recurso SKUs de VM |
Microsoft.HybridContainerService/skus/delete | Exclui o tipo de recurso Vm Sku |
Microsoft.HybridContainerService/virtualNetworks/read | Lista as redes virtuais do AKS híbrido por assinatura |
Microsoft.HybridContainerService/virtualNetworks/write | Corrige a rede virtual do AKS híbrido |
Microsoft.HybridContainerService/virtualNetworks/delete | Exclui a rede virtual do AKS híbrido |
Microsoft.ExtendedLocation/customLocations/deploy/action | Implantar permissões em um recurso de Localização Personalizada |
Microsoft.ExtendedLocation/customLocations/read | Obtém um recurso de Local Personalizado |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Grava connectedClusters |
Microsoft.Kubernetes/connectedClusters/Excluir | Exclui connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar credencial clusterUser |
Microsoft.AzureStackHCI/clusters/read | Obtém clusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Administrador do Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de administrador de cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | Listar a credencial clusterAdmin de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Obtém um perfil de acesso do cluster gerenciado por nome de função usando a credencial de lista |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
Microsoft.ContainerService/managedClusters/runcommand/action | Executar o comando emitido pelo usuário no servidor de Kubernetes gerenciado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Usuário de Monitoramento de Cluster do Serviço de Kubernetes do Azure
Lista a ação de credencial de usuário de monitoramento do cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Listar a credencial clusterMonitoringUser de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Usuário do Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de usuário de cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Concede o acesso de leitura e gravação a clusters do Serviço de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.ContainerService/locations/* | Locais de leitura disponíveis para recursos do ContainerService |
Microsoft.ContainerService/managedClusters/* | Criar e gerenciar um cluster gerenciado |
Microsoft.ContainerService/managedclustersnapshots/* | Criar e gerenciar um snapshot de cluster gerenciado |
Microsoft.ContainerService/snapshots/* | Criar e gerenciar um snapshot |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do RBAC do Serviço de Kubernetes do Azure
Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Grava resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Exclui resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Grava namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Exclui namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Cluster do RBAC do Serviço de Kubernetes do Azure
Permite gerenciar todos os recursos no cluster.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de RBAC do Serviço de Kubernetes do Azure
Permite acesso somente leitura para ver a maioria dos objetos em um namespace. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Lê implantações |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Lê replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Lê statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Lê cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Lê trabalhos |
Microsoft.ContainerService/managedClusters/configmaps/read | Lê configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê fatias de ponto de extremidade |
Microsoft.ContainerService/managedClusters/endpoints/read | Lê pontos de extremidade |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Lê implantações |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Lê entradas |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Lê replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Lê limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Lê serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Lê serviços |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador de RBAC do Serviço de Kubernetes do Azure
Permite acesso de leitura/gravação à maioria dos objetos em um namespace. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar os Segredos e executar Pods como qualquer ServiceAccount no namespace, de modo que ela possa ser usada para obter os níveis de acesso de API de uma ServiceAccount no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Lê concessões |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Grava concessões |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Exclui concessões |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê fatias de ponto de extremidade |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Lê limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Verificação de Identidade Gerenciada de Cluster ConectadoLeitor de Acesso
Função interna que permite que uma identidade gerenciada do Cluster Conectado chame a API checkAccess
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador sem Agente do Kubernetes
Concede acesso ao Microsoft Defender para Nuvem para usar os Serviços de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Criar ou atualizar associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Obter associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Excluir associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
Microsoft.Features/features/read | Obter os recursos de uma assinatura. |
Microsoft.Features/providers/features/read | Obter o recurso de uma assinatura em determinado provedor de recursos. |
Microsoft.Features/providers/features/register/action | Registrar o recurso de uma assinatura em determinado provedor de recursos. |
Microsoft.Security/preços/securityoperators/read | Obtém os operadores de segurança para o escopo |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cluster do Kubernetes – Integração ao Azure Arc
Definição de função para autorizar qualquer usuário ou serviço a criar um recurso de connectedClusters.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/Write | Grava connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Ler connectedClusters |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador da Extensão Kubernetes
Pode criar, atualizar, obter, listar e excluir Extensões Kubernetes e obter operações assíncronas de extensão
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}