Funções internas do Azure para contêineres
Este artigo lista as funções internas do Azure na categoria Contêineres.
AcrDelete
Exclua repositórios, tags ou manifestos de um registro de contêiner.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | Exclua o artefato em um registro de contêiner. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Envie imagens confiáveis ou extraia imagens confiáveis de um registro de contêiner habilitado para confiança de conteúdo.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadados para um registro de contêiner. |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Permite enviar por push ou publicar coleções confiáveis de conteúdo do registro de contêiner. Isso é semelhante à ação Microsoft.ContainerRegistry/registries/sign/write, exceto que esta é uma ação de dados |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Extraia artefatos de um registro de contêiner.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Puxe ou obtenha imagens de um registro de contêiner. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Envie ou extraia artefatos de um registro de contêiner.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Puxe ou obtenha imagens de um registro de contêiner. |
| Microsoft.ContainerRegistry/registries/push/write | Envie ou grave imagens em um registro de contêiner. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Extraia imagens em quarentena de um registro de contêiner.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarentena/read | Extrair ou obter imagens em quarentena do registro de contêiner |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite extrair ou obter dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto que é uma ação de dados |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Envie imagens em quarentena ou extraia imagens em quarentena de um registro de contêiner.
| Ações | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarentena/read | Extrair ou obter imagens em quarentena do registro de contêiner |
| Microsoft.ContainerRegistry/registros/quarentena/gravação | Gravar/modificar o estado de quarentena de imagens em quarentena |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite extrair ou obter dos artefatos em quarentena do registro de contêiner. Isso é semelhante a Microsoft.ContainerRegistry/registries/quarantine/read, exceto que é uma ação de dados |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Permite gravar ou atualizar o estado de quarentena de artefatos em quarentena. Isso é semelhante à ação Microsoft.ContainerRegistry/registries/quarantine/write, exceto que é uma ação de dados |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Usuário do Cluster Kubernetes Habilitado para Azure Arc
Ação Listar credenciais de usuário do cluster.
| Ações | Description |
|---|---|
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Listar clusterCredencial de usuário(visualização) |
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar clusterCredencial de usuário |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Permite gerenciar todos os recursos em cluster/namespace, exceto atualizar ou excluir cotas de recursos e namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Escreve localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Intervalos de limites de leitura |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê cotas de recursos |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Permite gerenciar todos os recursos no cluster.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Permite visualizar todos os recursos em cluster/namespace, exceto segredos.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Lê daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Lê implantações |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Lê conjuntos de réplicas |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Lê statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Lê cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Lê trabalhos |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Lê configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Lê pontos de extremidade |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Lê daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Lê implantações |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Lê ingressos |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Lê políticas de rede |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Lê conjuntos de réplicas |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Intervalos de limites de leitura |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Lê ingressos |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Lê políticas de rede |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Lê declarações de volume persistentes |
| Microsoft.Kubernetes/connectedClusters/pods/read | Lê pods |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê controladores de replicação |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lê controladores de replicação |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê cotas de recursos |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Lê contas de serviço |
| Microsoft.Kubernetes/connectedClusters/services/read | Serviços de leitura |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Permite atualizar tudo no cluster/namespace, exceto funções (cluster) e ligações de função (cluster).
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/events/read | Lê eventos |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Intervalos de limites de leitura |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Lê namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lê cotas de recursos |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Instale o Armazenamento de Contêiner do Azure e gerencie seus recursos de armazenamento. Inclui uma condição ABAC para restringir atribuições de função.
| Ações | Description |
|---|---|
| Microsoft.KubernetesConfiguração/extensões/gravação | Cria ou atualiza o recurso de extensão. |
| Microsoft.KubernetesConfiguração/extensões/leitura | Obtém recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
| Microsoft.Recursos/implantações/* | Criar e gerenciar uma implantação |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum | |
| Ações | |
| Microsoft.Authorization/roleAssignments/write | Crie uma atribuição de função no escopo especificado. |
| Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum | |
| Condition | |
| ((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OU (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador de Armazenamento de Contêiner do Azure
Habilite uma identidade gerenciada para executar operações de Armazenamento de Contêiner do Azure, como gerenciar máquinas virtuais e gerenciar redes virtuais.
| Ações | Description |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Sonda o status de uma operação assíncrona. |
| Microsoft.Network/routeTables/join/action | Junta-se a uma tabela de rotas. Não alertável. |
| Microsoft.Network/networkSecurityGroups/join/action | Ingressa em um grupo de segurança de rede. Não alertável. |
| Microsoft.Network/virtualNetworks/gravação | Cria uma rede virtual ou atualiza uma rede virtual existente |
| Microsoft.Network/virtualNetworks/excluir | Exclui uma rede virtual |
| Microsoft.Network/virtualNetworks/join/action | Junta-se a uma rede virtual. Não alertável. |
| Microsoft.Network/virtualNetworks/sub-redes/leitura | Obtém uma definição de sub-rede de rede virtual |
| Microsoft.Network/virtualNetworks/sub-redes/gravação | Cria uma sub-rede de rede virtual ou atualiza uma sub-rede de rede virtual existente |
| Microsoft.Compute/virtualMachines/leitura | Obter as propriedades de uma máquina virtual |
| Microsoft.Compute/virtualMachines/write | Cria uma nova máquina virtual ou atualiza uma máquina virtual existente |
| Microsoft.Compute/virtualMachineScaleSets/read | Obter as propriedades de um Conjunto de Dimensionamento de Máquina Virtual |
| Microsoft.Compute/virtualMachineScaleSets/gravação | Cria um novo Conjunto de Dimensionamento de Máquina Virtual ou atualiza um existente |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Atualiza as propriedades de uma máquina virtual em um conjunto de escala de VM |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Recupera as propriedades de uma máquina virtual em um conjunto de escala de VM |
| Microsoft.Resources/subscriptions/providers/read | Obtém ou lista provedores de recursos. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Network/virtualNetworks/ler | Obter a definição de rede virtual |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Proprietário do Armazenamento de Contêiner do Azure
Instale o Armazenamento de Contêineres do Azure, conceda acesso aos seus recursos de armazenamento e configure a SAN (rede de área de armazenamento) elástica do Azure. Inclui uma condição ABAC para restringir atribuições de função.
| Ações | Description |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Sonda o status de uma operação assíncrona. |
| Microsoft.KubernetesConfiguração/extensões/gravação | Cria ou atualiza o recurso de extensão. |
| Microsoft.KubernetesConfiguração/extensões/leitura | Obtém recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Management/managementGroups/read | Listar grupos de gerenciamento para o usuário autenticado. |
| Microsoft.Recursos/implantações/* | Criar e gerenciar uma implantação |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum | |
| Ações | |
| Microsoft.Authorization/roleAssignments/write | Crie uma atribuição de função no escopo especificado. |
| Microsoft.Authorization/roleAssignments/delete | Exclua uma atribuição de função no escopo especificado. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum | |
| Condition | |
| ((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OU (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) E ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OU (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Adicione ou remova atribuições de função para as seguintes funções: Operador de Armazenamento de Contêiner do Azure |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Azure Kubernetes Fleet Manager
Concede acesso de leitura/gravação aos recursos do Azure fornecidos pelo Azure Kubernetes Fleet Manager, incluindo frotas, membros da frota, estratégias de atualização de frota, execuções de atualização de frota, etc.
| Ações | Description |
|---|---|
| Microsoft.ContainerService/frotas/* | |
| Microsoft.Recursos/implantações/* | Criar e gerenciar uma implantação |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Concede acesso de leitura/gravação aos recursos do Kubernetes dentro de um namespace no cluster de hub gerenciado por frota - fornece permissões de gravação na maioria dos objetos dentro de um namespace, com exceção do objeto ResourceQuota e do próprio objeto de namespace. A aplicação dessa função no escopo do cluster dará acesso a todos os namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/fleets/read | Obter frota |
| Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais da frota |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Escreve localsubjectaccessreviews |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/frotas/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | Intervalos de limites de leitura |
| Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | Lê cotas de recursos |
| Microsoft.ContainerService/frotas/segredos/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/frotas/serviços/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Concede acesso de leitura/gravação a todos os recursos do Kubernetes no cluster de hub gerenciado pela frota.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/fleets/read | Obter frota |
| Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais da frota |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/frotas/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Concede acesso somente leitura à maioria dos recursos do Kubernetes dentro de um namespace no cluster de hub gerenciado por frota. Ele não permite a visualização de funções ou associações de funções. Essa função não permite a visualização de Segredos, uma vez que a leitura do conteúdo de Segredos permite o acesso às credenciais ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de escalonamento de privilégios). A aplicação dessa função no escopo do cluster dará acesso a todos os namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/fleets/read | Obter frota |
| Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais da frota |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | Lê daemonsets |
| Microsoft.ContainerService/fleets/apps/deployments/read | Lê implantações |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | Lê statefulsets |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | Lê cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | Lê trabalhos |
| Microsoft.ContainerService/fleets/configmaps/read | Lê configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | Lê pontos de extremidade |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lê daemonsets |
| Microsoft.ContainerService/fleets/extensions/deployments/read | Lê implantações |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | Lê ingressos |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lê políticas de rede |
| Microsoft.ContainerService/fleets/limitranges/read | Intervalos de limites de leitura |
| Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lê ingressos |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lê políticas de rede |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lê declarações de volume persistentes |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê controladores de replicação |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | Lê controladores de replicação |
| Microsoft.ContainerService/fleets/resourcequotas/read | Lê cotas de recursos |
| Microsoft.ContainerService/fleets/serviceaccounts/read | Lê contas de serviço |
| Microsoft.ContainerService/fleets/services/read | Serviços de leitura |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Concede acesso de leitura/gravação à maioria dos recursos do Kubernetes dentro de um namespace no cluster de hub gerenciado pela frota. Essa função não permite exibir ou modificar funções ou associações de função. No entanto, essa função permite acessar Secrets como qualquer ServiceAccount no namespace, para que possa ser usada para obter os níveis de acesso à API de qualquer ServiceAccount no namespace. A aplicação dessa função no escopo do cluster dará acesso a todos os namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/fleets/read | Obter frota |
| Microsoft.ContainerService/fleets/listCredentials/action | Listar credenciais da frota |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/frotas/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/events/read | Lê eventos |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | Intervalos de limites de leitura |
| Microsoft.ContainerService/fleets/namespaces/read | Lê namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | Lê cotas de recursos |
| Microsoft.ContainerService/frotas/segredos/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/frotas/serviços/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de administrador do Azure Kubernetes Service Arc Cluster
Listar ação de credencial de administrador de cluster.
| Ações | Description |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
| Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lista as credenciais de administrador de uma instância de cluster provisionada usada somente no modo direto. |
| Microsoft.Kubernetes/connectedClusters/Leitura | Ler connectedClusters |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Usuário do Azure Kubernetes Service Arc Cluster
Listar ação de credencial de usuário do cluster.
| Ações | Description |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
| Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lista as credenciais de usuário do AAD de uma instância de cluster provisionada usada somente no modo direto. |
| Microsoft.Kubernetes/connectedClusters/Leitura | Ler connectedClusters |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Colaborador do Azure Kubernetes Service Arc
Concede acesso para ler e gravar clusters híbridos dos Serviços Kubernetes do Azure
| Ações | Description |
|---|---|
| Microsoft.HybridContainerService/Locations/operationStatuses/read | ler operationStatuses |
| Microsoft.HybridContainerService/Operations/read | ler Operações |
| Microsoft.HybridContainerService/kubernetesVersions/read | Lista as versões kubernetes suportadas do local personalizado subjacente |
| Microsoft.HybridContainerService/kubernetesVersions/write | Coloca o tipo de recurso de versão do kubernetes |
| Microsoft.HybridContainerService/kubernetesVersions/delete | Excluir o tipo de recurso de versões do kubernetes |
| Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtém as instâncias de cluster provisionadas do AKS híbrido associadas ao cluster conectado |
| Microsoft.HybridContainerService/provisionedClusterInstances/write | Cria a instância de cluster provisionada do AKS híbrido |
| Microsoft.HybridContainerService/provisionedClusterInstances/delete | Exclui a instância de cluster provisionada do AKS híbrido |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Obtém os pools de agentes na instância de cluster provisionada do AKS híbrido |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Atualiza o pool de agentes na instância de cluster provisionada do AKS híbrido |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Exclui o pool de agentes na instância de cluster provisionada do AKS híbrido |
| Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | ler upgradeProfiles |
| Microsoft.HybridContainerService/skus/read | Lista as SKUs de VM suportadas do local personalizado subjacente |
| Microsoft.HybridContainerService/skus/write | Coloca o tipo de recurso SKUs da VM |
| Microsoft.HybridContainerService/skus/delete | Exclui o tipo de recurso Vm Sku |
| Microsoft.HybridContainerService/virtualNetworks/read | Lista as redes virtuais AKS híbridas por assinatura |
| Microsoft.HybridContainerService/virtualNetworks/write | Corrige a rede virtual AKS híbrida |
| Microsoft.HybridContainerService/virtualNetworks/delete | Exclui a rede virtual AKS híbrida |
| Microsoft.ExtendedLocation/customLocations/deploy/action | Implantar permissões em um recurso de Local Personalizado |
| Microsoft.ExtendedLocation/customLocations/read | Obtém um recurso de Localização Personalizada |
| Microsoft.Kubernetes/connectedClusters/Leitura | Ler connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Gravação | Grava connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Excluir | Exclui connectedClusters |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Listar clusterCredencial de usuário |
| Microsoft.AzureStackHCI/clusters/read | Obtém clusters |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Administrador do Cluster de Serviço do Kubernetes do Azure
Listar ação de credencial de administrador de cluster.
| Ações | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | Listar a credencial clusterAdmin de um cluster gerenciado |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Obter um perfil de acesso gerenciado ao cluster por nome de função usando a credencial de lista |
| Microsoft.ContainerService/managedClusters/read | Obter um cluster gerenciado |
| Microsoft.ContainerService/managedClusters/runcommand/action | Execute o comando user issued no servidor kubernetes gerenciado. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Usuário de Monitoramento de Cluster de Serviço do Kubernetes do Azure
Listar ação de credencial de usuário de monitoramento de cluster.
| Ações | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Listar a credencial clusterMonitoringUser de um cluster gerenciado |
| Microsoft.ContainerService/managedClusters/read | Obter um cluster gerenciado |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Usuário do Cluster de Serviço do Kubernetes do Azure
Listar ação de credencial de usuário do cluster.
| Ações | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
| Microsoft.ContainerService/managedClusters/read | Obter um cluster gerenciado |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Função de Contribuidor do Azure Kubernetes Service
Concede acesso para ler e gravar clusters do Serviço Kubernetes do Azure
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.ContainerService/locais/* | Ler locais disponíveis para recursos do ContainerService |
| Microsoft.ContainerService/managedClusters/* | Criar e gerenciar um cluster gerenciado |
| Microsoft.ContainerService/managedclustersnapshots/* | Criar e gerenciar um instantâneo de cluster gerenciado |
| Microsoft.ContainerService/snapshots/* | Criar e gerenciar um snapshot |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Recursos/implantações/* | Criar e gerenciar uma implantação |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Permite gerenciar todos os recursos em cluster/namespace, exceto atualizar ou excluir cotas de recursos e namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | Grava cotas de recursos |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | Exclui cotas de recursos |
| Microsoft.ContainerService/managedClusters/namespaces/write | Grava namespaces |
| Microsoft.ContainerService/managedClusters/namespaces/delete | Exclui namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Permite gerenciar todos os recursos no cluster.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Listar a credencial clusterUser de um cluster gerenciado |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Permite acesso somente leitura para ver a maioria dos objetos em um namespace. Ele não permite a visualização de funções ou associações de funções. Essa função não permite a visualização de Segredos, uma vez que a leitura do conteúdo de Segredos permite o acesso às credenciais ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de escalonamento de privilégios). A aplicação dessa função no escopo do cluster dará acesso a todos os namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Lê daemonsets |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | Lê implantações |
| Microsoft.ContainerService/managedClusters/apps/replicasets/read | Lê conjuntos de réplicas |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Lê statefulsets |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Lê horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Lê cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | Lê trabalhos |
| Microsoft.ContainerService/managedClusters/configmaps/read | Lê configmaps |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê endpointslices |
| Microsoft.ContainerService/managedClusters/endpoints/read | Lê pontos de extremidade |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
| Microsoft.ContainerService/managedClusters/events/read | Lê eventos |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Lê daemonsets |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | Lê implantações |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Lê ingressos |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Lê políticas de rede |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Lê conjuntos de réplicas |
| Microsoft.ContainerService/managedClusters/limitranges/read | Intervalos de limites de leitura |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nós |
| Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Lê ingressos |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Lê políticas de rede |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Lê declarações de volume persistentes |
| Microsoft.ContainerService/managedClusters/pods/read | Lê pods |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Lê poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Lê controladores de replicação |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê cotas de recursos |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | Lê contas de serviço |
| Microsoft.ContainerService/managedClusters/services/read | Serviços de leitura |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Gravador RBAC do Serviço Kubernetes do Azure
Permite acesso de leitura/gravação à maioria dos objetos em um namespace. Essa função não permite exibir ou modificar funções ou associações de função. No entanto, essa função permite acessar Secrets e executar Pods como qualquer ServiceAccount no namespace, para que possa ser usada para obter os níveis de acesso à API de qualquer ServiceAccount no namespace. A aplicação dessa função no escopo do cluster dará acesso a todos os namespaces.
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| NotActions | |
| nenhum | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lê revisões do controlador |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Lê arrendamentos |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Escreve arrendamentos |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Exclui concessões |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lê endpointslices |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lê eventos |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | Intervalos de limites de leitura |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lê pods |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lê nós |
| Microsoft.ContainerService/managedClusters/namespaces/read | Lê namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | Lê cotas de recursos |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cluster Conectado Gerenciado Identity CheckAccess Reader
Função interna que permite que uma identidade gerenciada do Cluster Conectado chame a API checkAccess
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador sem agente do Kubernetes
Concede ao Microsoft Defender for Cloud acesso aos Serviços Kubernetes do Azure
| Ações | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Criar ou atualizar associações de função de acesso confiável para cluster gerenciado |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Obter associações de função de acesso confiável para cluster gerenciado |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Excluir associações de função de acesso confiável para cluster gerenciado |
| Microsoft.ContainerService/managedClusters/read | Obter um cluster gerenciado |
| Microsoft.Features/features/read | Obtém os recursos de uma assinatura. |
| Microsoft.Features/providers/features/read | Obtém o recurso de uma assinatura em um determinado provedor de recursos. |
| Microsoft.Features/providers/features/register/action | Registra o recurso para uma assinatura em um determinado provedor de recursos. |
| Microsoft.Security/pricings/securityoperators/read | Obtém os operadores de segurança para o escopo |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Definição de função para autorizar qualquer usuário/serviço a criar o recurso connectedClusters
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Resources/deployments/write | Cria ou atualiza uma implantação. |
| Microsoft.Resources/subscriptions/operationresults/read | Obtenha os resultados da operação de subscrição. |
| Microsoft.Recursos/subscrições/leitura | Obtém a lista de assinaturas. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.Kubernetes/connectedClusters/Gravação | Grava connectedClusters |
| Microsoft.Kubernetes/connectedClusters/read | Ler connectedClusters |
| Microsoft.Suporte/* | Criar e atualizar um ticket de suporte |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador de extensão do Kubernetes
Pode criar, atualizar, obter, listar e excluir extensões do Kubernetes e obter operações assíncronas de extensão
| Ações | Descrição |
|---|---|
| Microsoft.Authorization/*/read | Ler funções e atribuições de funções |
| Microsoft.Insights/alertRules/* | Criar e gerenciar um alerta de métrica clássica |
| Microsoft.Recursos/implantações/* | Criar e gerenciar uma implantação |
| Microsoft.Resources/subscriptions/resourceGroups/read | Obtém ou lista grupos de recursos. |
| Microsoft.KubernetesConfiguração/extensões/gravação | Cria ou atualiza o recurso de extensão. |
| Microsoft.KubernetesConfiguração/extensões/leitura | Obtém recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/delete | Exclui o recurso de instância de extensão. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Obtém o status da operação assíncrona. |
| NotActions | |
| nenhum | |
| DataActions | |
| nenhum | |
| NotDataActions | |
| nenhum |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}