Compartilhar via


Funções internas do Azure para contêineres

Este artigo lista as funções internas do Azure na categoria Contêineres.

AcrDelete

Exclua repositórios, tags ou manifestos de um registro de contêiner.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/artifacts/delete Excluir o artefato em um registro de contêiner.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Envie por push ou extraia imagens confiáveis ​​de um registro de contêiner habilitado para a confiança de conteúdo.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/sign/write Efetuar push/pull de metadados de conteúdo confiável para um registro de contêiner.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Permite o push ou a publicação de coleções confiáveis de conteúdo do registro de contêiner. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/sign/write, exceto pelo fato de ser uma ação de dados
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Extraia artefatos de um registro de contêiner.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/pull/read Efetuar pull ou Obter imagens de um registro de contêiner.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Envie por push ou extraia artefatos de um registro de contêiner.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/pull/read Efetuar pull ou Obter imagens de um registro de contêiner.
Microsoft.ContainerRegistry/registries/push/write Efetuar push ou Gravar imagens para um registro de contêiner.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Extraia imagens em quarentena de um registro de contêiner.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/quarantine/read Efetuar pull ou Obter imagens em quarentena do registro de contêiner
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Envie por push ou extraia imagens em quarentena de um registro de contêiner.

Saiba mais

Ações Descrição
Microsoft.ContainerRegistry/registries/quarantine/read Efetuar pull ou Obter imagens em quarentena do registro de contêiner
Microsoft.ContainerRegistry/registries/quarantine/write Gravar/Modificar o estado de quarentena das imagens em quarentena
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Permite pull ou obtenção dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto pelo fato de que é uma ação de dados
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Permite gravar ou atualizar o estado de quarentena de artefatos em quarentena. Essa ação é semelhante a Microsoft.ContainerRegistry/registries/quarantine/write, exceto pelo fato de ser uma ação de dados
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de usuário do cluster Kubernetes habilitada para o Azure Arc

Listar a ação das credenciais do usuário do cluster.

Ações Descrição
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action Listar credencial do clusterUser (versão prévia)
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Support/* Criar e atualizar um tíquete de suporte
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Listar credencial clusterUser
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Kubernetes do Azure Arc

Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Grava localsubjectaccessreviews
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Lê limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Lê namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lê resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Cluster do Kubernetes do Azure Arc

Permite gerenciar todos os recursos no cluster.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Visualizador do Kubernetes do Azure Arc

Permite que você veja todos os recursos no cluster ou namespace, exceto os segredos.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Lê daemonsets
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Lê implantações
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Lê replicasets
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Lê statefulsets
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Lê horizontalpodautoscalers
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Lê cronjobs
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Lê trabalhos
Microsoft.Kubernetes/connectedClusters/configmaps/read Lê configmaps
Microsoft.Kubernetes/connectedClusters/endpoints/read Lê pontos de extremidade
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Lê daemonsets
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Lê implantações
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Lê entradas
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Lê networkpolicies
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Lê replicasets
Microsoft.Kubernetes/connectedClusters/limitranges/read Lê limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Lê namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Lê entradas
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Lê networkpolicies
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Lê persistentvolumeclaims
Microsoft.Kubernetes/connectedClusters/pods/read Lê pods
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Lê poddisruptionbudgets
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Lê replicationcontrollers
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Lê replicationcontrollers
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lê resourcequotas
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Lê serviceaccounts
Microsoft.Kubernetes/connectedClusters/services/read Lê serviços
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador do Kubernetes do Azure Arc

Permite que você atualize tudo no cluster ou namespace, exceto as funções (cluster) e ligações de função (cluster).

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/events/read Lê eventos
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Lê limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Lê namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Lê resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do Armazenamento de Contêiner do Azure

Instale o Armazenamento de Contêiner do Azure e gerencie seus recursos de armazenamento. Inclui uma condição ABAC para restringir atribuições de função.

Ações Descrição
Microsoft.KubernetesConfiguration/extensions/write Cria ou atualiza recursos de extensão.
Microsoft.KubernetesConfiguration/extensions/read Obtém o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/delete Exclui o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtém o status da operação assíncrona.
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Management/managementGroups/read Listar grupos de gerenciamento para o usuário autenticado.
Microsoft.Resources/deployments/* Criar e gerenciar uma implantação
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
none
NotDataActions
none
Ações
Microsoft.Authorization/roleAssignments/write Criar uma atribuição de função no escopo especificado.
Microsoft.Authorization/roleAssignments/delete Exclua uma atribuição de função no escopo especificado.
NotActions
none
DataActions
none
NotDataActions
none
Condição
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Adicione ou remova atribuições de função para as seguintes funções:
Operador de Armazenamento de Contêiner do Azure
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de Armazenamento de Contêiner do Azure

Habilite uma identidade gerenciada para executar operações do Armazenamento de Contêiner do Azure, como gerenciar máquinas virtuais e gerenciar redes virtuais.

Ações Descrição
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/asyncoperations/read Monitorar o status de uma operação assíncrona.
Microsoft.Network/routeTables/join/action Une uma tabela de rotas. Não é possível alertá-lo.
Microsoft.Network/networkSecurityGroups/join/action Ingressar em um grupo de segurança de rede. Não é possível alertá-lo.
Microsoft.Network/virtualNetworks/write Criar uma rede virtual ou atualizar uma rede virtual existente
Microsoft.Network/virtualNetworks/delete Excluir uma rede virtual
Microsoft.Network/virtualNetworks/join/action Ingressar em uma rede virtual. Não é possível alertá-lo.
Microsoft.Network/virtualNetworks/subnets/read Obter uma definição de sub-rede da rede virtual
Microsoft.Network/virtualNetworks/subnets/write Criar uma sub-rede de rede virtual ou atualizar uma sub-rede de rede virtual existente
Microsoft.Compute/virtualMachines/read Obter as propriedades de uma máquina virtual
Microsoft.Compute/virtualMachines/write Cria uma nova máquina virtual ou atualiza uma máquina virtual existente
Microsoft.Compute/virtualMachineScaleSets/read Obter as propriedades de um Conjunto de Dimensionamento de Máquinas Virtuais
Microsoft.Compute/virtualMachineScaleSets/write Criar um novo Conjunto de Dimensionamento de Máquinas Virtuais ou atualizar um existente
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write Atualizar as propriedades de uma Máquina Virtual em um Conjunto de Dimensionamento de Máquinas Virtuais
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Recuperar as propriedades de uma máquina virtual em um conjunto de dimensionamento de máquinas virtuais
Microsoft.Resources/subscriptions/providers/read Obter ou listar provedores de recursos.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Network/virtualNetworks/read Obter a definição de rede virtual
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Proprietário do Armazenamento de Contêiner do Azure

Instale o Armazenamento de Contêiner do Azure, conceda acesso aos recursos de armazenamento e configure a SAN (rede de área de armazenamento) elástica do Azure. Inclui uma condição ABAC para restringir atribuições de função.

Ações Descrição
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
Microsoft.ElasticSan/locations/asyncoperations/read Monitorar o status de uma operação assíncrona.
Microsoft.KubernetesConfiguration/extensions/write Cria ou atualiza recursos de extensão.
Microsoft.KubernetesConfiguration/extensions/read Obtém o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/delete Exclui o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtém o status da operação assíncrona.
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Management/managementGroups/read Listar grupos de gerenciamento para o usuário autenticado.
Microsoft.Resources/deployments/* Criar e gerenciar uma implantação
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
none
NotDataActions
none
Ações
Microsoft.Authorization/roleAssignments/write Criar uma atribuição de função no escopo especificado.
Microsoft.Authorization/roleAssignments/delete Exclua uma atribuição de função no escopo especificado.
NotActions
none
DataActions
none
NotDataActions
none
Condição
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Adicione ou remova atribuições de função para as seguintes funções:
Operador de Armazenamento de Contêiner do Azure
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de Colaborador do Gerenciador de Frotas do Kubernetes do Azure

Concede acesso de leitura/gravação aos recursos do Azure fornecidos pelo Azure Kubernetes Fleet Manager, incluindo frotas, membros da frota, estratégias de atualização de frota, execuções de atualização de frota etc.

Ações Descrição
Microsoft.ContainerService/fleets/*
Microsoft.Resources/deployments/* Criar e gerenciar uma implantação
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de RBAC do Gerenciador de Frota de Kubernetes do Azure

Concede acesso de leitura/gravação aos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota - fornece permissões de gravação na maioria dos objetos em um namespace, com exceção do objeto ResourceQuota e do próprio objeto do namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/fleets/read Obter frota
Microsoft.ContainerService/fleets/listCredentials/action Listar credenciais de frota
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Grava localsubjectaccessreviews
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lê eventos
Microsoft.ContainerService/fleets/events/read Lê eventos
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Lê limitranges
Microsoft.ContainerService/fleets/namespaces/read Lê namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Lê resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do cluster de RBAC do Gerenciador de Frota de Kubernetes do Azure

Concede acesso de leitura/gravação a todos os recursos do Kubernetes no cluster de hub gerenciado pela frota.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/fleets/read Obter frota
Microsoft.ContainerService/fleets/listCredentials/action Listar credenciais de frota
NotActions
none
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de RBAC do Gerenciador de Frota de Kubernetes do Azure

Concede acesso somente leitura à maioria dos recursos do Kubernetes em um namespace no cluster de hub gerenciado pela frota. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/fleets/read Obter frota
Microsoft.ContainerService/fleets/listCredentials/action Listar credenciais de frota
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Lê daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Lê implantações
Microsoft.ContainerService/fleets/apps/statefulsets/read Lê statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Lê horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Lê cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Lê trabalhos
Microsoft.ContainerService/fleets/configmaps/read Lê configmaps
Microsoft.ContainerService/fleets/endpoints/read Lê pontos de extremidade
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lê eventos
Microsoft.ContainerService/fleets/events/read Lê eventos
Microsoft.ContainerService/fleets/extensions/daemonsets/read Lê daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Lê implantações
Microsoft.ContainerService/fleets/extensions/ingresses/read Lê entradas
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Lê networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Lê limitranges
Microsoft.ContainerService/fleets/namespaces/read Lê namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Lê entradas
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Lê networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Lê persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Lê poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Lê replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read Lê replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Lê resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read Lê serviceaccounts
Microsoft.ContainerService/fleets/services/read Lê serviços
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador de RBAC do Gerenciador de Frota de Kubernetes do Azure

Concede acesso de leitura/gravação à maioria dos recursos do Kubernetes em um namespace no cluster do hub gerenciado pela frota. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar segredos como qualquer conta de serviço no namespace, portanto, pode ser usada para obter os níveis de acesso da API de uma conta de serviço no namespace.  A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/fleets/read Obter frota
Microsoft.ContainerService/fleets/listCredentials/action Listar credenciais de frota
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Lê eventos
Microsoft.ContainerService/fleets/events/read Lê eventos
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Lê limitranges
Microsoft.ContainerService/fleets/namespaces/read Lê namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Lê resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de administrador de cluster do Arc do Serviço de Kubernetes do Azure

Liste a ação de credencial de administrador de cluster.

Saiba mais

Ações Descrição
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action Lista as credenciais de administrador de uma instância de cluster provisionada usada somente no modo direto.
Microsoft.Kubernetes/connectedClusters/Read Ler connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de usuário do Arc Cluster do Serviço de Kubernetes do Azure

Liste a ação de credencial de usuário de cluster.

Saiba mais

Ações Descrição
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action Lista as credenciais de usuário do AAD de uma instância de cluster provisionada usada somente no modo direto.
Microsoft.Kubernetes/connectedClusters/Read Ler connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de Colaborador do Arc do Serviço de Kubernetes do Azure

Concede acesso para ler e gravar clusters híbridos dos Serviços de Kubernetes do Azure

Saiba mais

Ações Descrição
Microsoft.HybridContainerService/Locations/operationStatuses/read ler operationStatuses
Microsoft.HybridContainerService/Operations/read leia Operações
Microsoft.HybridContainerService/kubernetesVersions/read Lista as versões do Kubernetes com suporte do local personalizado subjacente
Microsoft.HybridContainerService/kubernetesVersions/write Coloca o tipo de recurso de versão do kubernetes
Microsoft.HybridContainerService/kubernetesVersions/delete Excluir o tipo de recurso de versões do kubernetes
Microsoft.HybridContainerService/provisionedClusterInstances/read Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado
Microsoft.HybridContainerService/provisionedClusterInstances/write Cria a instância de cluster provisionado do AKS híbrido
Microsoft.HybridContainerService/provisionedClusterInstances/delete Exclui a instância do cluster provisionado do AKS híbrido
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read Obtém os pools de agentes na instância de cluster provisionado do AKS Híbrido
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write Atualiza o pool de agentes na instância de cluster provisionado do AKS híbrido
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete Exclui o pool de agentes na instância de cluster provisionado do AKS híbrido
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read leia upgradeProfiles
Microsoft.HybridContainerService/skus/read Lista os SKUs de VM com suporte do local personalizado subjacente
Microsoft.HybridContainerService/skus/write Coloca o tipo de recurso SKUs de VM
Microsoft.HybridContainerService/skus/delete Exclui o tipo de recurso Vm Sku
Microsoft.HybridContainerService/virtualNetworks/read Lista as redes virtuais do AKS híbrido por assinatura
Microsoft.HybridContainerService/virtualNetworks/write Corrige a rede virtual do AKS híbrido
Microsoft.HybridContainerService/virtualNetworks/delete Exclui a rede virtual do AKS híbrido
Microsoft.ExtendedLocation/customLocations/deploy/action Implantar permissões em um recurso de Localização Personalizada
Microsoft.ExtendedLocation/customLocations/read Obtém um recurso de Local Personalizado
Microsoft.Kubernetes/connectedClusters/Read Ler connectedClusters
Microsoft.Kubernetes/connectedClusters/Write Grava connectedClusters
Microsoft.Kubernetes/connectedClusters/Excluir Exclui connectedClusters
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action Listar credencial clusterUser
Microsoft.AzureStackHCI/clusters/read Obtém clusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de Administrador do Cluster do Serviço de Kubernetes do Azure

Liste a ação de credencial de administrador de cluster.

Saiba mais

Ações Descrição
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Listar a credencial clusterAdmin de um cluster gerenciado
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Obtém um perfil de acesso do cluster gerenciado por nome de função usando a credencial de lista
Microsoft.ContainerService/managedClusters/read Obtém um cluster gerenciado
Microsoft.ContainerService/managedClusters/runcommand/action Executar o comando emitido pelo usuário no servidor de Kubernetes gerenciado.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Usuário de Monitoramento de Cluster do Serviço de Kubernetes do Azure

Lista a ação de credencial de usuário de monitoramento do cluster.

Ações Descrição
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action Listar a credencial clusterMonitoringUser de um cluster gerenciado
Microsoft.ContainerService/managedClusters/read Obtém um cluster gerenciado
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de Usuário do Cluster do Serviço de Kubernetes do Azure

Liste a ação de credencial de usuário de cluster.

Saiba mais

Ações Descrição
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listar a credencial clusterUser de um cluster gerenciado
Microsoft.ContainerService/managedClusters/read Obtém um cluster gerenciado
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Concede o acesso de leitura e gravação a clusters do Serviço de Kubernetes do Azure

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.ContainerService/locations/* Locais de leitura disponíveis para recursos do ContainerService
Microsoft.ContainerService/managedClusters/* Criar e gerenciar um cluster gerenciado
Microsoft.ContainerService/managedclustersnapshots/* Criar e gerenciar um snapshot de cluster gerenciado
Microsoft.ContainerService/snapshots/* Criar e gerenciar um snapshot
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/* Criar e gerenciar uma implantação
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do RBAC do Serviço de Kubernetes do Azure

Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listar a credencial clusterUser de um cluster gerenciado
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Grava resourcequotas
Microsoft.ContainerService/managedClusters/resourcequotas/delete Exclui resourcequotas
Microsoft.ContainerService/managedClusters/namespaces/write Grava namespaces
Microsoft.ContainerService/managedClusters/namespaces/delete Exclui namespaces
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Cluster do RBAC do Serviço de Kubernetes do Azure

Permite gerenciar todos os recursos no cluster.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Listar a credencial clusterUser de um cluster gerenciado
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de RBAC do Serviço de Kubernetes do Azure

Permite acesso somente leitura para ver a maioria dos objetos em um namespace. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Lê daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read Lê implantações
Microsoft.ContainerService/managedClusters/apps/replicasets/read Lê replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Lê statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Lê horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Lê cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read Lê trabalhos
Microsoft.ContainerService/managedClusters/configmaps/read Lê configmaps
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Lê fatias de ponto de extremidade
Microsoft.ContainerService/managedClusters/endpoints/read Lê pontos de extremidade
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Lê eventos
Microsoft.ContainerService/managedClusters/events/read Lê eventos
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Lê daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read Lê implantações
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Lê entradas
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Lê networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Lê replicasets
Microsoft.ContainerService/managedClusters/limitranges/read Lê limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Lê pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Lê nodes
Microsoft.ContainerService/managedClusters/namespaces/read Lê namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Lê entradas
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Lê networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Lê persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read Lê pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Lê poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Lê replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read Lê resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read Lê serviceaccounts
Microsoft.ContainerService/managedClusters/services/read Lê serviços
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador de RBAC do Serviço de Kubernetes do Azure

Permite acesso de leitura/gravação à maioria dos objetos em um namespace. Esta função não permite visualizar ou modificar funções ou vinculações de função. No entanto, essa função permite acessar os Segredos e executar Pods como qualquer ServiceAccount no namespace, de modo que ela possa ser usada para obter os níveis de acesso de API de uma ServiceAccount no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Lê controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Lê concessões
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Grava concessões
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Exclui concessões
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Lê fatias de ponto de extremidade
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Lê eventos
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Lê limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Lê pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Lê nodes
Microsoft.ContainerService/managedClusters/namespaces/read Lê namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Lê resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Verificação de Identidade Gerenciada de Cluster ConectadoLeitor de Acesso

Função interna que permite que uma identidade gerenciada do Cluster Conectado chame a API checkAccess

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador sem Agente do Kubernetes

Concede acesso ao Microsoft Defender para Nuvem para usar os Serviços de Kubernetes do Azure

Saiba mais

Ações Descrição
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write Criar ou atualizar associações de função de acesso confiável para cluster gerenciado
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read Obter associações de função de acesso confiável para cluster gerenciado
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Excluir associações de função de acesso confiável para cluster gerenciado
Microsoft.ContainerService/managedClusters/read Obtém um cluster gerenciado
Microsoft.Features/features/read Obter os recursos de uma assinatura.
Microsoft.Features/providers/features/read Obter o recurso de uma assinatura em determinado provedor de recursos.
Microsoft.Features/providers/features/register/action Registrar o recurso de uma assinatura em determinado provedor de recursos.
Microsoft.Security/preços/securityoperators/read Obtém os operadores de segurança para o escopo
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cluster do Kubernetes – Integração ao Azure Arc

Definição de função para autorizar qualquer usuário ou serviço a criar um recurso de connectedClusters.

Saiba mais

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/write Criar ou atualizar uma implantação.
Microsoft.Resources/subscriptions/operationresults/read Obter os resultados da operação da assinatura.
Microsoft.Resources/subscriptions/read Obter a lista de assinaturas.
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.Kubernetes/connectedClusters/Write Grava connectedClusters
Microsoft.Kubernetes/connectedClusters/read Ler connectedClusters
Microsoft.Support/* Criar e atualizar um tíquete de suporte
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador da Extensão Kubernetes

Pode criar, atualizar, obter, listar e excluir Extensões Kubernetes e obter operações assíncronas de extensão

Ações Descrição
Microsoft.Authorization/*/read Ler funções e atribuições de função
Microsoft.Insights/alertRules/* Criar e gerenciar um alerta de métrica clássico
Microsoft.Resources/deployments/* Criar e gerenciar uma implantação
Microsoft.Resources/subscriptions/resourceGroups/read Obter ou listar de grupos de recursos.
Microsoft.KubernetesConfiguration/extensions/write Cria ou atualiza recursos de extensão.
Microsoft.KubernetesConfiguration/extensions/read Obtém o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/delete Exclui o recurso de instância de extensão.
Microsoft.KubernetesConfiguration/extensions/operations/read Obtém o status da operação assíncrona.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Próximas etapas