Funções internas do Azure para contêineres
Este artigo lista as funções internas do Azure na categoria Contêineres.
AcrDelete
Exclua repositórios, tags ou manifestos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Excluir o artefato em um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Envie por push ou extraia imagens confiáveis de um registro de contêiner habilitado para a confiança de conteúdo.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/sign/write | Efetuar push/pull de metadados de conteúdo confiável para um registro de contêiner. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Permite o push ou a publicação de coleções confiáveis de conteúdo do registro de contêiner. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/sign/write, exceto pelo fato de ser uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Extraia artefatos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Efetuar pull ou Obter imagens de um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Envie por push ou extraia artefatos de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Efetuar pull ou Obter imagens de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/push/write | Efetuar push ou Gravar imagens para um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Extraia imagens em quarentena de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Efetuar pull ou Obter imagens em quarentena do registro de contêiner |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Envie por push ou extraia imagens em quarentena de um registro de contêiner.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Efetuar pull ou Obter imagens em quarentena do registro de contêiner |
Microsoft.ContainerRegistry/registries/quarantine/write | Gravar/Modificar o estado de quarentena das imagens em quarentena |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Permite gravar ou atualizar o estado de quarentena de artefatos em quarentena. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/quarantine/write, exceto pelo fato de ser uma ação de dados |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de usuário do cluster Kubernetes habilitada para o Azure Arc
Listar a ação das credenciais do usuário do cluster.
Ações | Descrição |
---|---|
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Listar credencial do clusterUser (versão prévia) |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar credencial clusterUser |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Kubernetes do Azure Arc
Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Grava localsubjectaccessreviews |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Cluster do Kubernetes do Azure Arc
Permite gerenciar todos os recursos no cluster.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Visualizador do Kubernetes do Azure Arc
Permite que você veja todos os recursos no cluster ou namespace, exceto os segredos.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Lê daemonsets |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Lê implantações |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Lê replicasets |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Lê statefulsets |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Lê cronjobs |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Lê trabalhos |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Lê configmaps |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Lê pontos de extremidade |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Lê daemonsets |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Lê implantações |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Lê entradas |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Lê replicasets |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.Kubernetes/connectedClusters/pods/read | Lê pods |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Lê serviceaccounts |
Microsoft.Kubernetes/connectedClusters/services/read | Lê serviços |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador do Kubernetes do Azure Arc
Permite que você atualize tudo no cluster ou namespace, exceto as funções (cluster) e ligações de função (cluster).
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lê limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador do Armazenamento de Contêiner do Azure
Instale o Armazenamento de Contêiner do Azure e gerencie seus recursos de armazenamento. Inclui uma condição ABAC para restringir atribuições de função.
Ações | Descrição |
---|---|
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Ações | |
Microsoft.Authorization/roleAssignments/write | Criar uma atribuição de função no escopo especificado. |
Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condição | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador de Armazenamento de Contêiner do Azure
Habilite uma identidade gerenciada para executar operações do Armazenamento de Contêiner do Azure, como gerenciar máquinas virtuais e gerenciar redes virtuais.
Ações | Descrição |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Monitorar o status de uma operação assíncrona. |
Microsoft.Network/routeTables/join/action | Une uma tabela de rotas. Não é possível alertá-lo. |
Microsoft.Network/networkSecurityGroups/join/action | Ingressar em um grupo de segurança de rede. Não é possível alertá-lo. |
Microsoft.Network/virtualNetworks/write | Criar uma rede virtual ou atualizar uma rede virtual existente |
Microsoft.Network/virtualNetworks/delete | Excluir uma rede virtual |
Microsoft.Network/virtualNetworks/join/action | Ingressar em uma rede virtual. Não é possível alertá-lo. |
Microsoft.Network/virtualNetworks/subnets/read | Obter uma definição de sub-rede da rede virtual |
Microsoft.Network/virtualNetworks/subnets/write | Criar uma sub-rede de rede virtual ou atualizar uma sub-rede de rede virtual existente |
Microsoft.Compute/virtualMachines/read | Obter as propriedades de uma máquina virtual |
Microsoft.Compute/virtualMachines/write | Cria uma nova máquina virtual ou atualiza uma máquina virtual existente |
Microsoft.Compute/virtualMachineScaleSets/read | Obter as propriedades de um Conjunto de Dimensionamento de Máquinas Virtuais |
Microsoft.Compute/virtualMachineScaleSets/write | Criar um novo Conjunto de Dimensionamento de Máquinas Virtuais ou atualizar um existente |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Atualizar as propriedades de uma Máquina Virtual em um Conjunto de Dimensionamento de Máquinas Virtuais |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Recuperar as propriedades de uma máquina virtual em um conjunto de dimensionamento de máquinas virtuais |
Microsoft.Resources/subscriptions/providers/read | Obter ou listar provedores de recursos. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Network/virtualNetworks/read | Obter a definição de rede virtual |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Proprietário do Armazenamento de Contêiner do Azure
Instale o Armazenamento de Contêiner do Azure, conceda acesso aos recursos de armazenamento e configure a SAN (rede de área de armazenamento) elástica do Azure. Inclui uma condição ABAC para restringir atribuições de função.
Ações | Descrição |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Monitorar o status de uma operação assíncrona. |
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Ações | |
Microsoft.Authorization/roleAssignments/write | Criar uma atribuição de função no escopo especificado. |
Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condição | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Gerenciador de Frotas do Kubernetes do Azure
Concede acesso de leitura/gravação aos recursos do Azure fornecidos pelo Azure Kubernetes Fleet Manager, incluindo frotas, membros da frota, estratégias de atualização de frota, execuções de atualização de frota etc.
Ações | Descrição |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação aos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota - fornece permissões de gravação na maioria dos objetos em um namespace, com exceção do objeto ResourceQuota e do próprio objeto do namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Grava localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Ler o recurso de cluster internalmemberda da frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Ler recurso de overridesnapshot de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Ler recurso de trabalho da frota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do cluster de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação a todos os recursos do Kubernetes no cluster de hub gerenciado pela frota.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso somente leitura à maioria dos recursos do Kubernetes em um namespace no cluster de hub gerenciado pela frota. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Lê implantações |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Lê statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Lê cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Lê trabalhos |
Microsoft.ContainerService/fleets/configmaps/read | Lê configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Lê pontos de extremidade |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Lê implantações |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Lê entradas |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Lê serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Lê serviços |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Ler o recurso de cluster internalmemberda da frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Ler recurso de substituição de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Ler recurso de overridesnapshot de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Ler recurso de trabalho da frota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador de RBAC do Gerenciador de Frota de Kubernetes do Azure
Concede acesso de leitura/gravação à maioria dos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar segredos como qualquer conta de serviço no namespace, portanto, pode ser usada para obter os níveis de acesso da API de uma conta de serviço no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obter frota |
Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais de frota |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/fleets/apps/daemonsets/write | Grava daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Lê implantações |
Microsoft.ContainerService/frotas/aplicativos/implantações/gravação | Grava implantações |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Lê statefulsets |
Microsoft.ContainerService/fleets/apps/statefulsets/write | Grava statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Grava horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Lê cronjobs |
Microsoft.ContainerService/fleets/batch/cronjobs/write | Grava cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Lê trabalhos |
Microsoft.ContainerService/fleets/batch/jobs/write | Grava trabalhos |
Microsoft.ContainerService/fleets/configmaps/read | Lê configmaps |
Microsoft.ContainerService/fleets/configmaps/write | Grava configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Lê pontos de extremidade |
Microsoft.ContainerService/fleets/endpoints/write | Grava pontos de extremidade |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/fleets/events/read | Lê eventos |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/frotas/extensões/daemonsets/write | Grava daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Lê implantações |
Microsoft.ContainerService/frotas/extensões/implantações/gravação | Grava implantações |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Lê entradas |
Microsoft.ContainerService/frotas/extensões/ingresses/write | Grava entradas |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/frotas/extensões/networkpolicies/write | Grava networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Lê limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Grava entradas |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Grava networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Grava persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Grava poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/write | Grava replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/fleets/secrets/read | Lê segredos |
Microsoft.ContainerService/fleets/secrets/write | Grava segredos |
Microsoft.ContainerService/fleets/serviceaccounts/read | Lê serviceaccounts |
Microsoft.ContainerService/fleets/serviceaccounts/write | Grava serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Lê serviços |
Microsoft.ContainerService/fleets/services/write | Grava serviços |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Ler o recurso de cluster internalmemberda da frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Ler recurso de substituição de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Gravar recurso de substituição de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Ler recurso de overridesnapshot de recursos de frota |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Ler recurso de trabalho da frota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de administrador de cluster do Arc do Serviço de Kubernetes do Azure
Liste a ação de credencial de administrador de cluster.
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lista as credenciais de administrador de uma instância de cluster provisionada usada somente no modo direto. |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de usuário do Arc Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de usuário de cluster.
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lista as credenciais de usuário do AAD de uma instância de cluster provisionada usada somente no modo direto. |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Arc do Serviço de Kubernetes do Azure
Concede acesso para ler e gravar clusters híbridos dos Serviços de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | ler operationStatuses |
Microsoft.HybridContainerService/Operations/read | leia Operações |
Microsoft.HybridContainerService/kubernetesVersions/read | Lista as versões do Kubernetes com suporte do local personalizado subjacente |
Microsoft.HybridContainerService/kubernetesVersions/write | Coloca o tipo de recurso de versão do kubernetes |
Microsoft.HybridContainerService/kubernetesVersions/delete | Excluir o tipo de recurso de versões do kubernetes |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Cria a instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Exclui a instância do cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Obtém os pools de agentes na instância de cluster provisionado do AKS Híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Atualiza o pool de agentes na instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Exclui o pool de agentes na instância de cluster provisionado do AKS híbrido |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | leia upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lista os SKUs de VM com suporte do local personalizado subjacente |
Microsoft.HybridContainerService/skus/write | Coloca o tipo de recurso SKUs de VM |
Microsoft.HybridContainerService/skus/delete | Exclui o tipo de recurso Vm Sku |
Microsoft.HybridContainerService/virtualNetworks/read | Lista as redes virtuais do AKS híbrido por assinatura |
Microsoft.HybridContainerService/virtualNetworks/write | Corrige a rede virtual do AKS híbrido |
Microsoft.HybridContainerService/virtualNetworks/delete | Exclui a rede virtual do AKS híbrido |
Microsoft.ExtendedLocation/customLocations/deploy/action | Implantar permissões em um recurso de Localização Personalizada |
Microsoft.ExtendedLocation/customLocations/read | Obtém um recurso de Local Personalizado |
Microsoft.Kubernetes/connectedClusters/Read | Ler connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Grava connectedClusters |
Microsoft.Kubernetes/connectedClusters/Excluir | Exclui connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar credencial clusterUser |
Microsoft.AzureStackHCI/clusters/read | Obtém clusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Administrador do Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de administrador de cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | Listar a credencial clusterAdmin de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Obtém um perfil de acesso do cluster gerenciado por nome de função usando a credencial de lista |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
Microsoft.ContainerService/managedClusters/runcommand/action | Executar o comando emitido pelo usuário no servidor de Kubernetes gerenciado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Usuário de Monitoramento de Cluster do Serviço de Kubernetes do Azure
Lista a ação de credencial de usuário de monitoramento do cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Listar a credencial clusterMonitoringUser de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Usuário do Cluster do Serviço de Kubernetes do Azure
Liste a ação de credencial de usuário de cluster.
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Concede o acesso de leitura e gravação a clusters do Serviço de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.ContainerService/locations/* | Locais de leitura disponíveis para recursos do ContainerService |
Microsoft.ContainerService/managedClusters/* | Criar e gerenciar um cluster gerenciado |
Microsoft.ContainerService/managedclustersnapshots/* | Criar e gerenciar um snapshot de cluster gerenciado |
Microsoft.ContainerService/snapshots/* | Criar e gerenciar um snapshot |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do RBAC do Serviço de Kubernetes do Azure
Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Grava resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Exclui resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Grava namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Exclui namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador do Cluster do RBAC do Serviço de Kubernetes do Azure
Permite gerenciar todos os recursos no cluster.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de RBAC do Serviço de Kubernetes do Azure
Permite acesso somente leitura para ver a maioria dos objetos em um namespace. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Lê implantações |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Lê replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Lê statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Lê cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Lê trabalhos |
Microsoft.ContainerService/managedClusters/configmaps/read | Lê configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê fatias de ponto de extremidade |
Microsoft.ContainerService/managedClusters/endpoints/read | Lê pontos de extremidade |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Lê daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Lê implantações |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Lê entradas |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Lê replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Lê limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Lê entradas |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Lê networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Lê persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Lê replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Lê serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Lê serviços |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador de RBAC do Serviço de Kubernetes do Azure
Permite acesso de leitura/gravação à maioria dos objetos em um namespace. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar os Segredos e executar Pods como qualquer ServiceAccount no namespace, de modo que ela possa ser usada para obter os níveis de acesso de API de uma ServiceAccount no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Lê concessões |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Grava concessões |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Exclui concessões |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê fatias de ponto de extremidade |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Lê limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Verificação de Identidade Gerenciada de Cluster ConectadoLeitor de Acesso
Função interna que permite que uma identidade gerenciada do Cluster Conectado chame a API checkAccess
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de Configuração do Registro de Contêiner e Leitor de Configuração de Acesso a Dados
Fornece permissões para listar registros de contêiner e propriedades de configuração do Registro. Fornece permissões para listar a configuração de acesso a dados, como credenciais de usuário administrador, mapas de escopo e tokens, que podem ser usados para ler, gravar ou excluir repositórios e imagens. Não fornece permissões diretas para ler, listar ou gravar conteúdo do Registro, incluindo repositórios e imagens. Não fornece permissões para modificar o conteúdo do plano de dados, como importações, Cache ou Sincronização de Artefatos e Pipelines de Transferência. Não fornece permissões para gerenciar tarefas.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/operationStatuses/read | Obter um status de operação assíncrona do registro |
Microsoft.ContainerRegistry/registries/read | Obter as propriedades do registro de contêiner especificado ou listar todos os registros de contêiner sob o grupo de recursos ou assinatura especificada. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Obtém as propriedades da conexão de ponto de extremidade privado ou lista todas as conexões de ponto de extremidade privado para o registro de contêiner especificado |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Obter Status de Operação Assíncrona da Conexão de Ponto de Extremidade Privado |
Microsoft.ContainerRegistry/registries/listCredentials/action | Listar as credenciais de logon para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/tokens/read | Obtém as propriedades de token especificado ou lista todos os tokens para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Obtém um status de operação assíncrona do token. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Obtém as propriedades do mapa de escopo especificado ou lista todos os mapas de escopo para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Obtém um status de operação assíncrona do mapa de escopo. |
Microsoft.ContainerRegistry/registries/webhooks/read | Obter as propriedades do webhook especificado ou listar todos os webhooks para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Obter a configuração de URI de serviço e cabeçalhos personalizados para o webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Listar eventos recentes para o webhook especificado. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Obter um status de operação assíncrona do webhook |
Microsoft.ContainerRegistry/registries/replications/read | Obter as propriedades da replicação especificada ou listar todas as replicações do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Obter um status de operação assíncrona de replicação |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Obtém as propriedades do registro conectado especificado ou lista todos os registros conectados do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Obter a configuração de diagnóstico para o recurso |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Criar ou atualizar a configuração de diagnóstico para o recurso |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Obtém os logs disponíveis para o Microsoft ContainerRegistry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Obtém as métricas disponíveis para o Microsoft ContainerRegistry |
Microsoft.Insights/AlertRules/Write | Criar ou atualizar o alerta de métrica clássico |
Microsoft.Insights/AlertRules/Delete | Excluir alerta de métrica clássico |
Microsoft.Insights/AlertRules/Read | Ler alerta de métrica clássico |
Microsoft.Insights/AlertRules/Activated/Action | Alerta de métrica clássico ativado |
Microsoft.Insights/AlertRules/Resolved/Action | Alerta de métrica clássico resolvido |
Microsoft.Insights/AlertRules/Throttled/Action | Regra de alerta de métrica clássico acelerada |
Microsoft.Insights/AlertRules/Incidents/Read | Ler incidente de alerta de métrica clássico |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador do Container Registry e Administrador de Configuração de Acesso a Dados
Fornece permissões para criar, listar e atualizar registros de contêiner e propriedades de configuração do Registro. Fornece permissões para configurar o acesso a dados, como credenciais de usuário administrador, mapas de escopo e tokens, que podem ser usados para ler, gravar ou excluir repositórios e imagens. Não fornece permissões diretas para ler, listar ou gravar conteúdo do Registro, incluindo repositórios e imagens. Não fornece permissões para modificar o conteúdo do plano de dados, como importações, Cache ou Sincronização de Artefatos e Pipelines de Transferência. Não fornece permissões para gerenciar tarefas.
Ações | Descrição |
---|---|
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerRegistry/registries/operationStatuses/read | Obter um status de operação assíncrona do registro |
Microsoft.ContainerRegistry/registries/read | Obter as propriedades do registro de contêiner especificado ou listar todos os registros de contêiner sob o grupo de recursos ou assinatura especificada. |
Microsoft.ContainerRegistry/registries/write | Criar ou atualizar um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/delete | Excluir um registro de contêiner. |
Microsoft.ContainerRegistry/registries/listCredentials/action | Listar as credenciais de logon para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/regenerateCredential/action | Regenerar uma das credenciais de logon para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/generateCredentials/action | Gerar chaves para um token de um registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/replications/read | Obter as propriedades da replicação especificada ou listar todas as replicações do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/replications/write | Criar ou atualizar uma replicação para um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/replications/delete | Excluir uma replicação de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Obter um status de operação assíncrona de replicação |
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | Aprova automaticamente uma conexão de ponto de extremidade privado |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Obtém as propriedades da conexão de ponto de extremidade privado ou lista todas as conexões de ponto de extremidade privado para o registro de contêiner especificado |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | Aprovar/rejeitar a conexão de ponto de extremidade privado |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | Exclui a conexão de ponto de extremidade privado |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Obter Status de Operação Assíncrona da Conexão de Ponto de Extremidade Privado |
Microsoft.ContainerRegistry/registries/tokens/read | Obtém as propriedades de token especificado ou lista todos os tokens para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/tokens/write | Cria ou atualiza um token para um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/tokens/delete | Exclui um token de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Obtém um status de operação assíncrona do token. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Obtém as propriedades do mapa de escopo especificado ou lista todos os mapas de escopo para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/scopeMaps/write | Cria ou atualiza um mapa de escopo para um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/scopeMaps/delete | Exclui um mapa de escopo de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Obtém um status de operação assíncrona do mapa de escopo. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Obter a configuração de diagnóstico para o recurso |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Criar ou atualizar a configuração de diagnóstico para o recurso |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Obtém os logs disponíveis para o Microsoft ContainerRegistry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Obtém as métricas disponíveis para o Microsoft ContainerRegistry |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Obtém as propriedades do registro conectado especificado ou lista todos os registros conectados do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/connectedRegistries/write | Cria ou atualiza um registro conectado de um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/connectedRegistries/delete | Exclui um registro conectado de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | Desativa um registro conectado para um registro de contêiner |
Microsoft.ContainerRegistry/registries/webhooks/read | Obter as propriedades do webhook especificado ou listar todos os webhooks para o registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/webhooks/write | Criar ou atualizar um webhook para um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/webhooks/delete | Excluir um webhook de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Obter a configuração de URI de serviço e cabeçalhos personalizados para o webhook. |
Microsoft.ContainerRegistry/registries/webhooks/ping/action | Disparar um evento de ping para ser enviado ao webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Listar eventos recentes para o webhook especificado. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Obter um status de operação assíncrona do webhook |
Microsoft.Insights/AlertRules/Write | Criar ou atualizar o alerta de métrica clássico |
Microsoft.Insights/AlertRules/Delete | Excluir alerta de métrica clássico |
Microsoft.Insights/AlertRules/Read | Ler alerta de métrica clássico |
Microsoft.Insights/AlertRules/Activated/Action | Alerta de métrica clássico ativado |
Microsoft.Insights/AlertRules/Resolved/Action | Alerta de métrica clássico resolvido |
Microsoft.Insights/AlertRules/Throttled/Action | Regra de alerta de métrica clássico acelerada |
Microsoft.Insights/AlertRules/Incidents/Read | Ler incidente de alerta de métrica clássico |
Microsoft.ContainerRegistry/locations/operationResults/read | Obter um resultado de operação assíncrona |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Adicionar recursos como conta de armazenamento ou banco de dados SQL a uma sub-rede. Não é possível alertá-lo. |
Microsoft.Network/virtualNetworks/subnets/read | Obter uma definição de sub-rede da rede virtual |
Microsoft.Network/virtualNetworks/subnets/write | Criar uma sub-rede de rede virtual ou atualizar uma sub-rede de rede virtual existente |
Microsoft.Network/virtualNetworks/read | Obter a definição de rede virtual |
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | Cria um novo proxy de serviço de link privado ou atualiza um existente. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Importador de Dados e Leitor de Dados do Container Registry
Fornece a capacidade de importar imagens para um registro por meio da operação de importação do registro. Fornece a capacidade de listar repositórios, exibir imagens e marcas, obter manifestos e extrair imagens. Não fornece permissões para importar imagens por meio da configuração de pipelines de transferência do Registro, como pipelines de importação e exportação. Não fornece permissões para importação por meio da configuração de regras de Cache de Artefato ou Sincronização.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/importImage/action | Importa a imagem para o registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/read | Obter as propriedades do registro de contêiner especificado ou listar todos os registros de contêiner sob o grupo de recursos ou assinatura especificada. |
Microsoft.ContainerRegistry/registries/pull/read | Efetuar pull ou Obter imagens de um registro de contêiner. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lista de Catálogos de Repositórios do Container Registry
Permite listar todos os repositórios em um Registro de Contêiner do Azure. Essa função está em pré-visualização e sujeita a alterações.
Ações | Descrição |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/catalog/read | Listar repositórios em um registro de contêiner. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador do Repositório do Container Registry
Permite acesso de leitura, gravação e exclusão aos repositórios do Registro de Contêiner do Azure, mas excluindo a listagem de catálogos. Essa função está em pré-visualização e sujeita a alterações.
Ações | Descrição |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Obtém os metadados de um repositório específico para um registro de contêiner |
Microsoft.ContainerRegistry/registros/repositórios/conteúdo/leitura | Efetuar pull ou Obter imagens de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Atualiza os metadados de um repositório para um registro de contêiner |
Microsoft.ContainerRegistry/registries/repositories/content/write | Efetuar push ou Gravar imagens para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/repositories/metadata/delete | Excluir os metadados de um repositório para um registro de contêiner |
Microsoft.ContainerRegistry/registries/repositories/content/delete | Excluir o artefato em um registro de contêiner. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Leitor de Repositório do Container Registry
Permite acesso de leitura aos repositórios do Registro de Contêiner do Azure, mas excluindo a listagem de catálogo. Essa função está em pré-visualização e sujeita a alterações.
Ações | Descrição |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Obtém os metadados de um repositório específico para um registro de contêiner |
Microsoft.ContainerRegistry/registros/repositórios/conteúdo/leitura | Efetuar pull ou Obter imagens de um registro de contêiner. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador de Repositório do Container Registry
Permite acesso de leitura e gravação aos repositórios do Registro de Contêiner do Azure, mas excluindo a listagem de catálogo. Essa função está em pré-visualização e sujeita a alterações.
Ações | Descrição |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Obtém os metadados de um repositório específico para um registro de contêiner |
Microsoft.ContainerRegistry/registros/repositórios/conteúdo/leitura | Efetuar pull ou Obter imagens de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Atualiza os metadados de um repositório para um registro de contêiner |
Microsoft.ContainerRegistry/registries/repositories/content/write | Efetuar push ou Gravar imagens para um registro de contêiner. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador de Tarefas do Container Registry
Fornece permissões para configurar, ler, listar, disparar ou cancelar Tarefas do Registro de Contêiner, Execuções de Tarefas, Logs de Tarefas, Execuções Rápidas, Compilações Rápidas e Pools de Agentes de Tarefas. As permissões concedidas para o gerenciamento de tarefas podem ser usadas para permissões completas do plano de dados do registro, incluindo leitura/gravação/exclusão de imagens de contêiner em registros. As permissões concedidas para o gerenciamento de tarefas também podem ser usadas para executar diretivas de compilação criadas pelo cliente e executar scripts para criar artefatos de software.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/agentpools/read | Obter um pool de agentes de um registro de contêiner ou listar todos os pools de agentes. |
Microsoft.ContainerRegistry/registries/agentpools/write | Criar ou atualizar um pool de agentes de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/agentpools/delete | Excluir um pool de agentes de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | Listar todo o status da fila de um agentpool para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | Obtém um status de resultado de operação assíncrona do pool de agentes |
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | Obtém um status de operação assíncrona do pool de agentes |
Microsoft.ContainerRegistry/registries/tasks/read | Obtém uma tarefa para um registro de contêiner ou lista todas as tarefas. |
Microsoft.ContainerRegistry/registries/tasks/write | Cria ou atualiza uma tarefa para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/tasks/delete | Exclui uma tarefa para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/tasks/listDetails/action | Liste todos os detalhes de uma tarefa para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/scheduleRun/action | Agende uma execução em um registro de contêiner. |
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | Obtenha o local de URL de upload de origem para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/runs/read | Obtém as propriedades de uma execução em um registro de contêiner ou lista é executado. |
Microsoft.ContainerRegistry/registries/runs/write | Atualiza uma execução. |
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | Obtém o log da URL do SAS para uma execução. |
Microsoft.ContainerRegistry/registries/runs/cancel/action | Cancele um tempo de execução existente. |
Microsoft.ContainerRegistry/registries/taskruns/read | Obter uma execução de tarefa de um registro de contêiner ou listar todas as execuções de tarefa. |
Microsoft.ContainerRegistry/registries/taskruns/write | Criar ou atualizar uma execução de tarefa de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/taskruns/delete | Excluir uma execução de tarefa de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | Listar todos os detalhes de uma execução de tarefa para um registro de contêiner. |
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | Obtém um status de operação assíncrona de execução de tarefa |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.ContainerRegistry/registries/read | Obter as propriedades do registro de contêiner especificado ou listar todos os registros de contêiner sob o grupo de recursos ou assinatura especificada. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador do Pipeline de Transferência do Container Registry
Fornece a capacidade de transferir, importar e exportar artefatos por meio da configuração de pipelines de transferência do Registro que envolvem contas de armazenamento intermediárias e cofres de chaves. Não fornece permissões para enviar ou extrair imagens. Não fornece permissões para criar, gerenciar ou listar contas de armazenamento ou cofres de chaves. Não fornece permissões para executar atribuições de função.
Ações | Descrição |
---|---|
Microsoft.ContainerRegistry/registries/exportPipelines/read | Obtém as propriedades do pipeline de exportação especificado ou lista todos os pipelines de exportação do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/exportPipelines/write | Cria ou atualiza um pipeline de exportação de um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/exportPipelines/delete | Exclui um pipeline de exportação de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/importPipelines/read | Obtém as propriedades do pipeline de importação especificado ou lista todos os pipelines de importação do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/importPipelines/write | Cria ou atualiza um pipeline de importação de um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/importPipelines/delete | Exclui um pipeline de importação de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/pipelineRuns/read | Obtém as propriedades do pipeline especificado ou lista todas as execuções de pipeline do registro de contêiner especificado. |
Microsoft.ContainerRegistry/registries/pipelineRuns/write | Cria ou atualiza uma execução de pipeline de um registro de contêiner com os parâmetros especificados. |
Microsoft.ContainerRegistry/registries/pipelineRuns/delete | Exclui uma execução de pipeline de um registro de contêiner. |
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | Obtém o status da operação assíncrona de uma execução de pipeline. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador sem Agente do Kubernetes
Concede acesso ao Microsoft Defender para Nuvem para usar os Serviços de Kubernetes do Azure
Ações | Descrição |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Criar ou atualizar associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Obter associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Excluir associações de função de acesso confiável para cluster gerenciado |
Microsoft.ContainerService/managedClusters/read | Obtém um cluster gerenciado |
Microsoft.Features/features/read | Obter os recursos de uma assinatura. |
Microsoft.Features/providers/features/read | Obter o recurso de uma assinatura em determinado provedor de recursos. |
Microsoft.Features/providers/features/register/action | Registrar o recurso de uma assinatura em determinado provedor de recursos. |
Microsoft.Security/preços/securityoperators/read | Obtém os operadores de segurança para o escopo |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cluster do Kubernetes – Integração ao Azure Arc
Definição de função para autorizar qualquer usuário ou serviço a criar um recurso de connectedClusters.
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/write | Criar ou atualizar uma implantação. |
Microsoft.Resources/subscriptions/operationresults/read | Obter os resultados da operação da assinatura. |
Microsoft.Resources/subscriptions/read | Obter a lista de assinaturas. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/Write | Grava connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Ler connectedClusters |
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
Microsoft.Support/* | Criar e atualizar um tíquete de suporte |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador da Extensão Kubernetes
Pode criar, atualizar, obter, listar e excluir Extensões Kubernetes e obter operações assíncronas de extensão
Ações | Descrição |
---|---|
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
Microsoft.KubernetesConfiguration/extensions/write | Cria ou atualiza recursos de extensão. |
Microsoft.KubernetesConfiguration/extensions/read | Obtém o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador de cluster do Service Fabric
Gerencie seus recursos de cluster do Service Fabric. Inclui clusters, tipos de aplicativos, versões de tipos de aplicativos, aplicativos e serviços. Você precisará de permissões adicionais para implantar e gerenciar os recursos subjacentes do cluster, como conjuntos de dimensionamento de máquinas virtuais, contas de armazenamento, redes etc.
Ações | Descrição |
---|---|
Microsoft.ServiceFabric/clusters/* | |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador de cluster gerenciado do Service Fabric
Implante e gerencie seus recursos de Cluster Gerenciado do Service Fabric. Inclui clusters gerenciados, tipos de nó, tipos de aplicativos, versões de tipos de aplicativos, aplicativos e serviços.
Ações | Descrição |
---|---|
Microsoft.ServiceFabric/managedclusters/* | |
Microsoft.Authorization/*/read | Ler funções e atribuições de função |
Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássico |
Microsoft.Resources/deployments/* | Criar e gerenciar uma implantação |
Microsoft.Resources/subscriptions/resourceGroups/read | Obter ou listar de grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}