Azure built-in roles for Containers

This article lists the Azure built-in roles in the Containers category.

AcrDelete

Delete repositories, tags, or manifests from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/artifacts/delete Delete an artifact in a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Push trusted images to or pull trusted images from a container registry enabled for content trust.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/sign/write Push/pull content trust metadata for a container registry.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Allows push or publish of trusted collections of container registry content. This action is similar to Microsoft.ContainerRegistry/registries/sign/write, except that it is a data action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Pull artifacts from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or get images from a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Push artifacts to or pull artifacts from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or get images from a container registry.
Microsoft.ContainerRegistry/registries/push/write Push or write images to a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Pull quarantined images from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or get quarantined images from the container registry
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of the quarantined artifacts from the container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Push quarantined images to or pull quarantined images from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or get quarantined images from the container registry
Microsoft.ContainerRegistry/registries/quarantine/write Write/modify the quarantine state of quarantined images
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of the quarantined artifacts from the container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Allows write or update of the quarantine state of quarantined artifacts. This action is similar to Microsoft.ContainerRegistry/registries/quarantine/write, except that it is a data action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Enabled Kubernetes Cluster User Role

List cluster user credentials action.

Actions Description
Microsoft.Resources/deployments/write Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action List clusterUser credential (preview)
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action List clusterUser credential
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Admin

Lets you manage all resources under the cluster or namespace, except update or delete resource quotas and namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Cluster Admin

Lets you manage all resources in the cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Viewer

Lets you view all resources in the cluster or namespace, except secrets.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Reads jobs
Microsoft.Kubernetes/connectedClusters/configmaps/read Reads configmaps
Microsoft.Kubernetes/connectedClusters/endpoints/read Reads endpoints
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.Kubernetes/connectedClusters/pods/read Reads pods
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.Kubernetes/connectedClusters/services/read Reads services
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Writer

Lets you update everything in the cluster or namespace, except (cluster) roles and (cluster) role bindings.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
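
The four Azure Arc Kubernetes roles above differ mainly in which wildcard data actions they carry, so a least-privilege review comes down to asking which roles resolve to a given operation. The following is an added example, not part of the original article or of any Azure tooling: the role data are abridged excerpts of the dataActions lists on this page, the operation names are sample inputs that follow the page's naming pattern, and the matching rule (a `*` matches any run of characters, case-insensitively, with notDataActions subtracted) is an assumption of the sketch.

```python
import re

P = "Microsoft.Kubernetes/connectedClusters/"

# Abridged excerpts of the role definitions on this page; only the entries
# needed for the checks below are kept.
ROLES = {
    "Azure Arc Kubernetes Viewer": {
        "dataActions": [P + "pods/read", P + "configmaps/read",
                        P + "namespaces/read", P + "serviceaccounts/read"],
        "notDataActions": [],
    },
    "Azure Arc Kubernetes Writer": {
        "dataActions": [P + "pods/*", P + "configmaps/*", P + "namespaces/read",
                        P + "secrets/*", P + "serviceaccounts/*"],
        "notDataActions": [],
    },
    "Azure Arc Kubernetes Admin": {
        "dataActions": [P + "pods/*", P + "configmaps/*", P + "namespaces/read",
                        P + "secrets/*", P + "serviceaccounts/*",
                        P + "rbac.authorization.k8s.io/rolebindings/*",
                        P + "rbac.authorization.k8s.io/roles/*"],
        "notDataActions": [],
    },
    "Azure Arc Kubernetes Cluster Admin": {
        "dataActions": [P + "*"],
        "notDataActions": [],
    },
}


def pattern_to_regex(pattern):
    """Turn an action pattern into a regex; only '*' is treated as a wildcard."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def matches_any(operation, patterns):
    """True if the operation matches at least one pattern in the list."""
    return any(pattern_to_regex(p).fullmatch(operation) for p in patterns)


def is_granted(role, operation):
    """Granted when dataActions match and no notDataActions entry excludes it."""
    return (matches_any(operation, role["dataActions"])
            and not matches_any(operation, role["notDataActions"]))


def roles_granting(operation):
    """Names of the roles in ROLES whose data actions cover the operation."""
    return sorted(name for name, role in ROLES.items()
                  if is_granted(role, operation))


# Sample operations worth reviewing before assigning one of these roles.
SENSITIVE_OPERATIONS = [
    P + "secrets/read",
    P + "rbac.authorization.k8s.io/rolebindings/write",
    P + "namespaces/delete",
]


def audit():
    """Map each sensitive operation to the roles that would allow it."""
    return {op: roles_granting(op) for op in SENSITIVE_OPERATIONS}


if __name__ == "__main__":
    for operation, roles in audit().items():
        print(operation.replace(P, ""), "->", ", ".join(roles))
```

The result makes the descriptions concrete: Viewer never resolves to a secrets operation, Writer and Admin do through `secrets/*`, and only Admin and Cluster Admin can change role bindings.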

Azure Container Storage Contributor

Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.

Actions Description
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resources.
Microsoft.KubernetesConfiguration/extensions/read Gets the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the status of the asynchronous operation.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
Actions
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
NotActions
none
DataActions
none
NotDataActions
none
Condition
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))
Add or remove role assignments for the following roles:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Operator

Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks.

Actions Description
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/asyncoperations/read Monitor the status of an asynchronous operation.
Microsoft.Network/routeTables/join/action Joins a route table. Not alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not alertable.
Microsoft.Network/virtualNetworks/write Create a virtual network or update an existing virtual network
Microsoft.Network/virtualNetworks/delete Delete a virtual network
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not alertable.
Microsoft.Network/virtualNetworks/subnets/read Get a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Create a virtual network subnet or update an existing virtual network subnet
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine
Microsoft.Compute/virtualMachineScaleSets/read Get the properties of a Virtual Machine Scale Set
Microsoft.Compute/virtualMachineScaleSets/write Create a new Virtual Machine Scale Set or update an existing one
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write Update the properties of a Virtual Machine in a Virtual Machine Scale Set
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Retrieve the properties of a Virtual Machine in a Virtual Machine Scale Set
Microsoft.Resources/subscriptions/providers/read Get or list resource providers.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Owner

Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments.

Actions Description
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
Microsoft.ElasticSan/locations/asyncoperations/read Monitor the status of an asynchronous operation.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resources.
Microsoft.KubernetesConfiguration/extensions/read Gets the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the status of the asynchronous operation.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
Actions
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Add or remove role assignments for the following roles:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager Contributor Role

Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.

Actions Description
Microsoft.ContainerService/fleets/*
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Admin

Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Read the fleet internalmembercluster resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Read the fleet resourceoverridesnapshot resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Read the fleet work resource
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Cluster Admin

Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Reader

Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Reads deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Reads jobs
Microsoft.ContainerService/fleets/configmaps/read Reads configmaps
Microsoft.ContainerService/fleets/endpoints/read Reads endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Reads deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/fleets/services/read Reads services
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Read the fleet internalmembercluster resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read Read the fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Read the fleet resourceoverridesnapshot resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Read the fleet work resource
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Writer

Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Get the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Get or list resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/apps/daemonsets/write Writes daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Reads deployments
Microsoft.ContainerService/fleets/apps/deployments/write Writes deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/fleets/apps/statefulsets/write Writes statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write Writes horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/fleets/batch/cronjobs/write Writes cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Reads jobs
Microsoft.ContainerService/fleets/batch/jobs/write Writes jobs
Microsoft.ContainerService/fleets/configmaps/read Reads configmaps
Microsoft.ContainerService/fleets/configmaps/write Writes configmaps
Microsoft.ContainerService/fleets/endpoints/read Reads endpoints
Microsoft.ContainerService/fleets/endpoints/write Writes endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/extensions/daemonsets/write Writes daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Reads deployments
Microsoft.ContainerService/fleets/extensions/deployments/write Writes deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/extensions/ingresses/write Writes ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/extensions/networkpolicies/write Writes networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write Writes ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write Writes networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/persistentvolumeclaims/write Writes persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write Writes poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/write Writes replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/read Reads secrets
Microsoft.ContainerService/fleets/secrets/write Writes secrets
Microsoft.ContainerService/fleets/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/fleets/serviceaccounts/write Writes serviceaccounts
Microsoft.ContainerService/fleets/services/read Reads services
Microsoft.ContainerService/fleets/services/write Writes services
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Read the fleet internalmembercluster resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read Read the fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write Write the fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Read the fleet resourceoverridesnapshot resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Read the fleet work resource
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/write",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/deployments/write",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/write",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/write",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/configmaps/write",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/endpoints/write",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/write",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/write",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/write",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/write",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/read",
        "Microsoft.ContainerService/fleets/secrets/write",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/write",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/services/write",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster Admin Role

List cluster admin credential action.

Learn more

Actions Description
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action Lists the admin credentials of a provisioned cluster instance used only in direct mode.
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster User Role

List cluster user credential action.

Learn more

Actions Description
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action Lists the AAD user credentials of a provisioned cluster instance used only in direct mode.
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Contributor Role

Grants access to read and write Azure Kubernetes Services hybrid clusters

Learn more

Actions Description
Microsoft.HybridContainerService/Locations/operationStatuses/read Read operationStatuses
Microsoft.HybridContainerService/Operations/read Read Operations
Microsoft.HybridContainerService/kubernetesVersions/read Lists the supported Kubernetes versions from the underlying custom location
Microsoft.HybridContainerService/kubernetesVersions/write Puts the Kubernetes version resource type
Microsoft.HybridContainerService/kubernetesVersions/delete Deletes the Kubernetes versions resource type
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/write Creates the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/delete Deletes the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read Gets the agent pools in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write Updates the agent pool in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete Deletes the agent pool in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read Read upgradeProfiles
Microsoft.HybridContainerService/skus/read Lists the supported VM SKUs from the underlying custom location
Microsoft.HybridContainerService/skus/write Puts the VM SKUs resource type
Microsoft.HybridContainerService/skus/delete Deletes the VM SKU resource type
Microsoft.HybridContainerService/virtualNetworks/read Lists the Hybrid AKS virtual networks by subscription
Microsoft.HybridContainerService/virtualNetworks/write Patches the Hybrid AKS virtual network
Microsoft.HybridContainerService/virtualNetworks/delete Deletes the Hybrid AKS virtual network
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/Delete Deletes connectedClusters
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action List clusterUser credential
Microsoft.AzureStackHCI/clusters/read Gets clusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action.

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action List the clusterAdmin credential of a managed cluster
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Get a managed cluster access profile by role name using list credential
Microsoft.ContainerService/managedClusters/read Get a managed cluster
Microsoft.ContainerService/managedClusters/runcommand/action Run a user-issued command against the managed Kubernetes server.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Monitoring User

List cluster monitoring user credential action.

Actions Description
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action List the clusterMonitoringUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action.

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ContainerService/locations/* Read locations available to ContainerService resources
Microsoft.ContainerService/managedClusters/* Create and manage a managed cluster
Microsoft.ContainerService/managedclustersnapshots/* Create and manage a managed cluster snapshot
Microsoft.ContainerService/snapshots/* Create and manage a snapshot
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Writes resourcequotas
Microsoft.ContainerService/managedClusters/resourcequotas/delete Deletes resourcequotas
Microsoft.ContainerService/managedClusters/namespaces/write Writes namespaces
Microsoft.ContainerService/managedClusters/namespaces/delete Deletes namespaces
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read Reads configmaps
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/endpoints/read Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/read Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read Reads services
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
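
An added example (not part of the Microsoft documentation): a small Python evaluator that applies the wildcard and NotActions/NotDataActions subtraction to three role definitions copied from this page, to audit which of them can read Secrets or fetch cluster credentials. The function names, the probe lists and the shortened Reader dataActions list are assumptions of this example, and matching is treated as case-insensitive.

```python
import re

MC = "Microsoft.ContainerService/managedClusters"

# Permission blocks copied from the JSON on this page. The Reader dataActions
# list is shortened to four entries for space (constructed subset; the full
# list on the page contains no secrets action either).
ROLES = {
    "Azure Kubernetes Service RBAC Reader": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/operationresults/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
        "dataActions": [MC + "/configmaps/read", MC + "/namespaces/read",
                        MC + "/pods/read", MC + "/serviceaccounts/read"],
        "notDataActions": [],
    },
    "Azure Kubernetes Service RBAC Admin": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/operationresults/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    MC + "/listClusterUserCredential/action"],
        "notActions": [],
        "dataActions": [MC + "/*"],
        "notDataActions": [MC + "/resourcequotas/write", MC + "/resourcequotas/delete",
                           MC + "/namespaces/write", MC + "/namespaces/delete"],
    },
    "Azure Kubernetes Service Contributor Role": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.ContainerService/locations/*",
                    MC + "/*",
                    "Microsoft.ContainerService/managedclustersnapshots/*",
                    "Microsoft.ContainerService/snapshots/*",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    },
}

# Operations a reviewer typically wants answered first (hypothetical probe lists).
DATA_PROBES = [MC + "/secrets/read", MC + "/namespaces/write",
               MC + "/namespaces/read", MC + "/pods/read"]
CONTROL_PROBES = [MC + "/listClusterAdminCredential/action",
                  MC + "/listClusterUserCredential/action"]


def matches(pattern, operation):
    """True if `operation` matches `pattern`, where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(perm, operation, data_plane):
    """Effective permission of one role: the allow list minus the Not* list.

    The Not* lists only subtract from this role's own grants; they are not a
    deny rule, so another role assignment can still grant the operation.
    """
    allow, exclude = (("dataActions", "notDataActions") if data_plane
                      else ("actions", "notActions"))
    granted = any(matches(p, operation) for p in perm[allow])
    excluded = any(matches(p, operation) for p in perm[exclude])
    return granted and not excluded


def audit(roles=ROLES):
    """Map each role name to the probe operations it effectively grants."""
    report = {}
    for name, perm in roles.items():
        report[name] = {
            "data": [p for p in DATA_PROBES if is_allowed(perm, p, True)],
            "control": [p for p in CONTROL_PROBES if is_allowed(perm, p, False)],
        }
    return report


if __name__ == "__main__":
    for role, result in audit().items():
        print(role)
        for plane, ops in result.items():
            print("  %-7s %s" % (plane, ", ".join(ops) or "(none of the probes)"))
```

The audit shows two things the tables do not make obvious: the `managedClusters/*` data action of RBAC Admin covers Secrets even though the word never appears in the role, and the `managedClusters/*` control-plane action of the Contributor Role covers the admin credential listing.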

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Reads leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Writes leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Deletes leases
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Connected Cluster Managed Identity CheckAccess Reader

Built-in role that allows a Connected Cluster managed identity to call the checkAccess API

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Configuration Reader and Data Access Configuration Reader

Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.

Actions Description
Microsoft.ContainerRegistry/registries/operationStatuses/read Gets a registry async operation status
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read Gets the properties of the private endpoint connection or lists all the private endpoint connections for the specified container registry
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read Gets the Private Endpoint Connection async operation status
Microsoft.ContainerRegistry/registries/listCredentials/action Lists the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/read Gets the properties of the specified token or lists all the tokens for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read Gets a token async operation status.
Microsoft.ContainerRegistry/registries/scopeMaps/read Gets the properties of the specified scope map or lists all the scope maps for the specified container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read Gets a scope map async operation status.
Microsoft.ContainerRegistry/registries/webhooks/read Gets the properties of the specified webhook or lists all the webhooks for the specified container registry.
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Gets the configuration of the service URI and custom headers for the webhook.
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action Lists recent events for the specified webhook.
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read Gets a webhook async operation status
Microsoft.ContainerRegistry/registries/replications/read Gets the properties of the specified replication or lists all the replications for the specified container registry.
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read Gets a replication async operation status
Microsoft.ContainerRegistry/registries/connectedRegistries/read Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry.
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read Gets the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write Creates or updates the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read Gets the available logs for Microsoft ContainerRegistry
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read Gets the available metrics for Microsoft ContainerRegistry
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
  "name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Contributor and Data Access Configuration Administrator

Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.

Actions Description
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerRegistry/registries/operationStatuses/read Gets a registry async operation status
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/write Creates or updates a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/delete Deletes a container registry.
Microsoft.ContainerRegistry/registries/listCredentials/action Lists the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/regenerateCredential/action Regenerates one of the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/generateCredentials/action Generates keys for a token of a specified container registry.
Microsoft.ContainerRegistry/registries/replications/read Gets the properties of the specified replication or lists all the replications for the specified container registry.
Microsoft.ContainerRegistry/registries/replications/write Creates or updates a replication for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/replications/delete Deletes a replication from a container registry.
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read Gets a replication async operation status
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action Automatically approves a private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read Gets the properties of the private endpoint connection or lists all the private endpoint connections for the specified container registry
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write Approves or rejects the private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete Deletes the private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read Gets the Private Endpoint Connection async operation status
Microsoft.ContainerRegistry/registries/tokens/read Gets the properties of the specified token or lists all the tokens for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/write Creates or updates a token for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/tokens/delete Deletes a token from a container registry.
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read Gets a token async operation status.
Microsoft.ContainerRegistry/registries/scopeMaps/read Gets the properties of the specified scope map or lists all the scope maps for the specified container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/write Creates or updates a scope map for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/scopeMaps/delete Deletes a scope map from a container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read Gets a scope map async operation status.
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read Gets the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write Creates or updates the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read Gets the available logs for Microsoft ContainerRegistry
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read Gets the available metrics for Microsoft ContainerRegistry
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ContainerRegistry/registries/connectedRegistries/read Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry.
Microsoft.ContainerRegistry/registries/connectedRegistries/write Creates or updates a connected registry for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/connectedRegistries/delete Deletes a connected registry from a container registry.
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action Deactivates a connected registry for a container registry
Microsoft.ContainerRegistry/registries/webhooks/read Gets the properties of the specified webhook or lists all the webhooks for the specified container registry.
Microsoft.ContainerRegistry/registries/webhooks/write Creates or updates a webhook for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/webhooks/delete Deletes a webhook from a container registry.
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Gets the configuration of the service URI and custom headers for the webhook.
Microsoft.ContainerRegistry/registries/webhooks/ping/action Triggers a ping event to be sent to the webhook.
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action Lists recent events for the specified webhook.
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read Gets a webhook async operation status
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.ContainerRegistry/locations/operationResults/read Gets an async operation result
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/read Gets the virtual network definition
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write Creates a new private link service proxy or updates an existing one.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
  "name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/write",
        "Microsoft.ContainerRegistry/registries/delete",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
        "Microsoft.ContainerRegistry/registries/generateCredentials/action",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/write",
        "Microsoft.ContainerRegistry/registries/replications/delete",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/write",
        "Microsoft.ContainerRegistry/registries/tokens/delete",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/write",
        "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/write",
        "Microsoft.ContainerRegistry/registries/webhooks/delete",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.ContainerRegistry/locations/operationResults/read",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Data Importer and Data Reader

Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.

Actions Description
Microsoft.ContainerRegistry/registries/importImage/action Imports the image into the container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/pull/read Pull or get images from a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/importImage/action",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Data Importer and Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Catalog Lister

Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/catalog/read List repositories in a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Catalog Lister",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Contributor

Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pull or get images from a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/write Updates the metadata of a repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/write Push or write images to a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/delete Deletes the metadata of a repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/delete Deletes an artifact in a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
        "Microsoft.ContainerRegistry/registries/repositories/content/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Reader

Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pull or get images from a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Writer

Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pull or get images from a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/write Updates the metadata of a repository for a container registry
Microsoft.ContainerRegistry/registries/repositories/content/write Push or write images to a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
  "name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Tasks Contributor

Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions, including reading, writing, and deleting container images in registries. Permissions granted for Tasks management can also be used to run customer-authored build directives and run scripts to build software artifacts.

Actions Description
Microsoft.ContainerRegistry/registries/agentpools/read Get an agent pool for a container registry or list all agent pools.
Microsoft.ContainerRegistry/registries/agentpools/write Create or update an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/delete Delete an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action List all queue status of an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read Gets an agent pool async operation result status
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read Gets an agent pool async operation status
Microsoft.ContainerRegistry/registries/tasks/read Gets a task for a container registry or lists all tasks.
Microsoft.ContainerRegistry/registries/tasks/write Creates or updates a task for a container registry.
Microsoft.ContainerRegistry/registries/tasks/delete Deletes a task for a container registry.
Microsoft.ContainerRegistry/registries/tasks/listDetails/action List all details of a task for a container registry.
Microsoft.ContainerRegistry/registries/scheduleRun/action Schedule a run against a container registry.
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action Get the source upload URL location for a container registry.
Microsoft.ContainerRegistry/registries/runs/read Gets the properties of a run against a container registry or lists runs.
Microsoft.ContainerRegistry/registries/runs/write Updates a run.
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action Gets the log SAS URL for a run.
Microsoft.ContainerRegistry/registries/runs/cancel/action Cancel an existing run.
Microsoft.ContainerRegistry/registries/taskruns/read Get a task run for a container registry or list all task runs.
Microsoft.ContainerRegistry/registries/taskruns/write Create or update a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/delete Delete a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action List all details of a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read Gets a task run async operation status
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
  "name": "fb382eab-e894-4461-af04-94435c366c3f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/agentpools/read",
        "Microsoft.ContainerRegistry/registries/agentpools/write",
        "Microsoft.ContainerRegistry/registries/agentpools/delete",
        "Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
        "Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
        "Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tasks/read",
        "Microsoft.ContainerRegistry/registries/tasks/write",
        "Microsoft.ContainerRegistry/registries/tasks/delete",
        "Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
        "Microsoft.ContainerRegistry/registries/scheduleRun/action",
        "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/read",
        "Microsoft.ContainerRegistry/registries/runs/write",
        "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/cancel/action",
        "Microsoft.ContainerRegistry/registries/taskruns/read",
        "Microsoft.ContainerRegistry/registries/taskruns/write",
        "Microsoft.ContainerRegistry/registries/taskruns/delete",
        "Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
        "Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Tasks Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Transfer Pipeline Contributor

Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.

Actions Description
Microsoft.ContainerRegistry/registries/exportPipelines/read Gets the properties of the specified export pipeline or lists all the export pipelines for the specified container registry.
Microsoft.ContainerRegistry/registries/exportPipelines/write Creates or updates an export pipeline for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/exportPipelines/delete Deletes an export pipeline from a container registry.
Microsoft.ContainerRegistry/registries/importPipelines/read Gets the properties of the specified import pipeline or lists all the import pipelines for the specified container registry.
Microsoft.ContainerRegistry/registries/importPipelines/write Creates or updates an import pipeline for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/importPipelines/delete Deletes an import pipeline from a container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/read Gets the properties of the specified pipeline run or lists all the pipeline runs for the specified container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/write Creates or updates a pipeline run for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/pipelineRuns/delete Deletes a pipeline run from a container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read Gets the async operation status of a pipeline run.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/exportPipelines/read",
        "Microsoft.ContainerRegistry/registries/exportPipelines/write",
        "Microsoft.ContainerRegistry/registries/exportPipelines/delete",
        "Microsoft.ContainerRegistry/registries/importPipelines/read",
        "Microsoft.ContainerRegistry/registries/importPipelines/write",
        "Microsoft.ContainerRegistry/registries/importPipelines/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/read",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/write",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Transfer Pipeline Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Agentless Operator

Grants Microsoft Defender for Cloud access to Azure Kubernetes Services

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write Create or update trusted access role bindings for a managed cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read Get trusted access role bindings for a managed cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Delete trusted access role bindings for a managed cluster
Microsoft.ContainerService/managedClusters/read Gets a managed cluster
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider.
Microsoft.Features/providers/features/register/action Registers the feature for a subscription in a given resource provider.
Microsoft.Security/pricings/securityoperators/read Gets the security operators for the scope
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Cluster - Azure Arc Onboarding

Role definition to authorize any user or service to create a connectedClusters resource.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/read Reads connectedClusters
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resources.
Microsoft.KubernetesConfiguration/extensions/read Gets the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Extension Contributor

Can create, update, get, list, and delete Kubernetes Extensions, and get extension async operations

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resources.
Microsoft.KubernetesConfiguration/extensions/read Gets the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes the extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Cluster Contributor

Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources, such as virtual machine scale sets, storage accounts, networks, etc.

Actions Description
Microsoft.ServiceFabric/clusters/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
  "name": "b6efc156-f0da-4e90-a50a-8c000140b017",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/clusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Managed Cluster Contributor

Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.

Actions Description
Microsoft.ServiceFabric/managedclusters/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
  "name": "83f80186-3729-438c-ad2d-39e94d718838",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/managedclusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Managed Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps