Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows pushing or publishing trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
AcrPull
Pull artifacts from a container registry.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
AcrPush
Push artifacts to or pull artifacts from a container registry.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
AcrQuarantineReader
Pull quarantined images from a container registry.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.

| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify quarantine state of quarantined images |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.

| Actions | Description |
| --- | --- |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential (preview) |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | Reads services |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Container Storage Contributor
Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.

| Actions | Description |
| --- | --- |
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Actions | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Azure Container Storage Operator
Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks. The compute and network actions below (for example virtualMachines/write and virtualNetworks/delete) are not limited to Azure Container Storage resources, so assign this role at the narrowest scope that contains the resources the identity must manage.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a virtual machine scale set |
Microsoft.Compute/virtualMachineScaleSets/write | Creates a new virtual machine scale set or updates an existing one |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a virtual machine in a virtual machine scale set |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a virtual machine in a virtual machine scale set |
Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic Storage Area Network (SAN). Includes an ABAC condition to constrain role assignments: the holder can create or delete role assignments only when the assigned role is Azure Container Storage Operator (08d4c71a-cc63-4ce4-a9c8-5dd251b4d619), so the roleAssignments/write permission cannot be used to grant this role or any other role to anyone.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the status of an asynchronous operation. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
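The condition on the Owner role's second permission block is easy to misread, so the following added example (not Microsoft's code and not part of the original page) models its evaluation in Python. It assumes the semantics the condition text expresses: for roleAssignments/write the RoleDefinitionId is taken from the request (the assignment being created), for roleAssignments/delete from the existing assignment resource, and GuidEquals compares GUID values so the unhyphenated GUID in the condition equals the hyphenated role id. Treating an absent attribute as "does not match" and accepting either a bare GUID or a full roleDefinitions path as the attribute value are modelling choices made here.

```python
"""Model of the ABAC condition on the Azure Container Storage Owner role.

Added example, not Microsoft's code. It re-implements the condition shown on
this page so the delegation boundary can be checked offline: the holder may
create or delete role assignments only for the Azure Container Storage Operator
role, never for the Owner role itself or any other role.
"""
from __future__ import annotations

import uuid

# Role definition GUIDs copied from the role JSON on this page.
OPERATOR_ROLE = "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619"   # Azure Container Storage Operator
OWNER_ROLE = "95de85bd-744d-4664-9dde-11430bc34793"      # Azure Container Storage Owner

WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# Only these two control-plane actions appear in the conditioned permission block.
CONDITIONED_ACTIONS = {WRITE, DELETE}

# GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}: the condition writes the GUID
# without hyphens; comparing uuid.UUID values makes both spellings equal.
ALLOWED_ROLE_IDS = {uuid.UUID("08d4c71acc634ce4a9c85dd251b4d619")}


def guid_equals(value: str, allowed: set[uuid.UUID]) -> bool:
    """ForAnyOfAnyValues:GuidEquals for a single attribute value.

    Modelling choice: accept a bare GUID or a full
    /providers/Microsoft.Authorization/roleDefinitions/<guid> path; anything
    that is not a GUID never satisfies the condition.
    """
    try:
        return uuid.UUID(value.rsplit("/", 1)[-1]) in allowed
    except ValueError:
        return False


def condition_allows(action: str, request_role_id: str | None,
                     resource_role_id: str | None) -> bool:
    """Evaluate the Owner role's condition for one authorization decision.

    ((!(ActionMatches{write})) OR @Request[RoleDefinitionId]  GuidEquals{operator})
    AND
    ((!(ActionMatches{delete})) OR @Resource[RoleDefinitionId] GuidEquals{operator})

    Each clause is vacuously true for the action it does not name, so a write
    is judged on the request attribute and a delete on the resource attribute.
    An absent attribute is treated as not matching (modelling choice).
    """
    write_clause = (action != WRITE) or (
        request_role_id is not None and guid_equals(request_role_id, ALLOWED_ROLE_IDS))
    delete_clause = (action != DELETE) or (
        resource_role_id is not None and guid_equals(resource_role_id, ALLOWED_ROLE_IDS))
    return write_clause and delete_clause


def owner_may(action: str, request_role_id: str | None = None,
              resource_role_id: str | None = None) -> bool:
    """Decision for the conditioned permission block of the Owner role only.

    The role's first block (ElasticSan, KubernetesConfiguration, ...) carries
    no condition and is out of scope here; actions it does not list, such as
    roleAssignments/read, are simply not granted by this block.
    """
    if action not in CONDITIONED_ACTIONS:
        return False
    return condition_allows(action, request_role_id, resource_role_id)


if __name__ == "__main__":
    operator_path = f"/providers/Microsoft.Authorization/roleDefinitions/{OPERATOR_ROLE}"
    # Delegating the Operator role to a managed identity: permitted.
    print("assign Operator:", owner_may(WRITE, request_role_id=operator_path))
    # Assigning the Owner role itself (self-propagation): denied.
    print("assign Owner:   ", owner_may(WRITE, request_role_id=OWNER_ROLE))
    # Removing an assignment of some other role: denied.
    print("delete Owner:   ", owner_may(DELETE, resource_role_id=OWNER_ROLE))
```

The point to take from the model is the asymmetry: a write is checked against what the caller asks for, a delete against what already exists, so a holder of this role can neither hand out a broader role nor clean up assignments of roles other than Azure Container Storage Operator.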
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. Note that the Microsoft.ContainerService/fleets/* wildcard also covers Microsoft.ContainerService/fleets/listCredentials/action, so this role can retrieve credentials for the fleet hub cluster.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster. Provides write permissions on most objects within a namespace, including Secrets, Roles and RoleBindings, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope gives access across all namespaces. Like the other fleet RBAC roles, it includes Microsoft.ContainerService/fleets/listCredentials/action so the holder can obtain a kubeconfig for the hub cluster; what that kubeconfig may do is governed by the DataActions.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. The single DataAction wildcard Microsoft.ContainerService/fleets/* covers every current and future Kubernetes resource type, including Secrets and cluster-scoped RBAC objects.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing Roles or RoleBindings. This role does not allow viewing Secrets, because reading the contents of Secrets gives access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives read access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying Roles or RoleBindings. However, it grants full access to Secrets and ServiceAccounts in the namespace, so it can be used to obtain the API access level of any ServiceAccount in the namespace (the escalation path the Reader role above deliberately excludes). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
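The Reader and Writer descriptions above hinge on whether a role's DataActions reach Secrets, and the Cluster Admin role grants everything through a single wildcard. The following added example (not Microsoft's code and not part of the original page) implements Azure RBAC's wildcard matching for action strings and runs it over DataActions excerpted from the four fleet RBAC role definitions on this page, so those differences can be checked mechanically. It assumes the matching rules Azure documents for action strings: '*' matches any run of characters including '/', and comparison is case-insensitive. The abbreviated role excerpts and the "no Secrets" custom role at the end are constructed for the example.

```python
"""Azure RBAC action matching over the Azure Kubernetes Fleet Manager RBAC roles.

Added example, not Microsoft's code. It answers "which of these roles grants
this Kubernetes data action?" using the wildcard semantics Azure applies to
action strings, with dataActions excerpted from the role JSON on this page.
"""
from __future__ import annotations

import re

PREFIX = "Microsoft.ContainerService/fleets/"

# dataActions excerpted from the four role definitions above (full lists are on
# this page); notDataActions are empty for all four built-in roles.
FLEET_ROLES: dict[str, dict[str, list[str]]] = {
    "Azure Kubernetes Fleet Manager RBAC Reader": {
        "dataActions": [PREFIX + "configmaps/read", PREFIX + "serviceaccounts/read",
                        PREFIX + "apps/deployments/read", PREFIX + "resourcequotas/read"],
        "notDataActions": [],
    },
    "Azure Kubernetes Fleet Manager RBAC Writer": {
        "dataActions": [PREFIX + "configmaps/*", PREFIX + "secrets/*",
                        PREFIX + "serviceaccounts/*", PREFIX + "apps/deployments/*",
                        PREFIX + "resourcequotas/read"],
        "notDataActions": [],
    },
    "Azure Kubernetes Fleet Manager RBAC Admin": {
        "dataActions": [PREFIX + "configmaps/*", PREFIX + "secrets/*",
                        PREFIX + "rbac.authorization.k8s.io/roles/*",
                        PREFIX + "rbac.authorization.k8s.io/rolebindings/*",
                        PREFIX + "resourcequotas/read"],
        "notDataActions": [],
    },
    "Azure Kubernetes Fleet Manager RBAC Cluster Admin": {
        "dataActions": [PREFIX + "*"],
        "notDataActions": [],
    },
}

# Constructed custom role for comparison (not a built-in role): the Cluster Admin
# wildcard with Secrets carved out via notDataActions.
NO_SECRETS_CLUSTER_ROLE = {
    "dataActions": [PREFIX + "*"],
    "notDataActions": [PREFIX + "secrets/*"],
}


def action_matches(pattern: str, action: str) -> bool:
    """True when an Azure action pattern covers a concrete action string.

    '*' matches any run of characters, including '/', so 'fleets/*' covers
    'fleets/secrets/read'; everything else matches literally and
    case-insensitively (Azure action names are not case-sensitive).
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants(permission: dict[str, list[str]], action: str, data: bool = True) -> bool:
    """Effective decision for one permission block.

    An action is granted when some allow pattern matches it and no
    notActions/notDataActions pattern matches it. The 'not' lists subtract
    from the allow list of the same role; they are not deny assignments.
    """
    allow_key, deny_key = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    allowed = any(action_matches(p, action) for p in permission.get(allow_key, []))
    denied = any(action_matches(p, action) for p in permission.get(deny_key, []))
    return allowed and not denied


def roles_granting(action: str) -> list[str]:
    """Names of the fleet RBAC roles whose dataActions grant `action`, sorted."""
    return sorted(name for name, perm in FLEET_ROLES.items() if grants(perm, action))


if __name__ == "__main__":
    for action in (PREFIX + "secrets/read",
                   PREFIX + "rbac.authorization.k8s.io/rolebindings/write",
                   PREFIX + "resourcequotas/write"):
        print(f"{action}\n  -> {roles_granting(action)}")
    print("custom role reads secrets:", grants(NO_SECRETS_CLUSTER_ROLE, PREFIX + "secrets/read"))
```

Running it shows that secrets/read is granted by Writer, Admin and Cluster Admin but not Reader, that RoleBinding writes are limited to Admin and Cluster Admin, and that resourcequotas/write comes only from the Cluster Admin wildcard. The constructed custom role shows the mechanism you would use to keep a broad wildcard while excluding Secrets: a notDataActions entry, which Azure evaluates as a subtraction from that role's own allow list.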
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action. Unlike the user role below, which returns Microsoft Entra (AAD) user credentials, this role returns the cluster admin kubeconfig; treat an assignment as equivalent to cluster-admin on the provisioned cluster.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of a provisioned cluster instance, used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of a provisioned cluster instance, used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Service hybrid clusters. Note that it also includes Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action, so the holder can obtain user credentials for the connected cluster.
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Read operationStatuses |
Microsoft.HybridContainerService/Operations/read | Read operations |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported Kubernetes versions from the underlying custom location |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the Kubernetes version resource type |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the Kubernetes versions resource type |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pools in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool in the Hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Read upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location |
Microsoft.HybridContainerService/skus/write | Puts the VM SKUs resource type |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKUs resource type |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the Hybrid AKS virtual networks by subscription |
Microsoft.HybridContainerService/virtualNetworks/write | Patches the Hybrid AKS virtual network |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the Hybrid AKS virtual network |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
Microsoft.AzureStackHCI/clusters/read | Gets clusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action. The credential returned is the cluster's local admin kubeconfig (cluster-admin), which is independent of Microsoft Entra ID sign-in and of Azure RBAC for Kubernetes; note that the managedClusters/* wildcard in the Azure Kubernetes Service Contributor Role below covers the same action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/runcommand/action | Run a user-issued command against the managed Kubernetes server. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerService/locations/* | Read locations available to ContainerService resources |
Microsoft.ContainerService/managedClusters/* | Create and manage a managed cluster |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage a managed cluster snapshot |
Microsoft.ContainerService/snapshots/* | Create and manage a snapshot |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
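The way to read any definition on this page is the same: a control-plane operation is allowed if some entry in `actions` matches it and no entry in `notActions` does, and a data-plane operation (a Kubernetes API call under Azure RBAC for Kubernetes) is evaluated against `dataActions` minus `notDataActions`. The following is an added example, not Microsoft's code, that applies those rules offline to role JSON copied from the Cluster Admin Role, Contributor Role, RBAC Admin and RBAC Reader sections of this page (the Reader entry is trimmed to two of its data actions). Two matching rules are assumptions of the example, stated in its docstring: operation names compare case-insensitively, and `*` matches across `/`. Running it shows two things the tables alone do not make obvious: the Contributor Role's `managedClusters/*` wildcard also covers `listClusterAdminCredential/action`, and the RBAC Admin's wildcard data-plane grant loses only the four listed NotDataActions.

```python
"""Offline evaluator for Azure built-in role definitions (added example, not Microsoft code).

Assumed matching rules: operation names are case-insensitive, and '*' in an
allow list matches any run of characters, including '/'. NotActions and
NotDataActions subtract from the matching allow list of the same role; they
are not deny rules that affect other role assignments.
"""
import fnmatch

# Role definitions copied from this page, trimmed to the fields the evaluator
# reads. The RBAC Reader entry keeps only two of its dataActions for brevity.
ROLE_DEFINITIONS = {
    "Azure Kubernetes Service Cluster Admin Role": {
        "permissions": [{
            "actions": [
                "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
                "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                "Microsoft.ContainerService/managedClusters/read",
                "Microsoft.ContainerService/managedClusters/runcommand/action",
            ],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    },
    "Azure Kubernetes Service Contributor Role": {
        "permissions": [{
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.ContainerService/locations/*",
                "Microsoft.ContainerService/managedClusters/*",
                "Microsoft.ContainerService/managedclustersnapshots/*",
                "Microsoft.ContainerService/snapshots/*",
                "Microsoft.Insights/alertRules/*",
                "Microsoft.Resources/deployments/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
            ],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    },
    "Azure Kubernetes Service RBAC Admin": {
        "permissions": [{
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Resources/subscriptions/operationresults/read",
                "Microsoft.Resources/subscriptions/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
            ],
            "notActions": [],
            "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
            "notDataActions": [
                "Microsoft.ContainerService/managedClusters/resourcequotas/write",
                "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
                "Microsoft.ContainerService/managedClusters/namespaces/write",
                "Microsoft.ContainerService/managedClusters/namespaces/delete",
            ],
        }],
    },
    "Azure Kubernetes Service RBAC Reader": {
        "permissions": [{
            "actions": ["Microsoft.Authorization/*/read"],
            "notActions": [],
            "dataActions": [
                "Microsoft.ContainerService/managedClusters/pods/read",
                "Microsoft.ContainerService/managedClusters/configmaps/read",
            ],
            "notDataActions": [],
        }],
    },
}

MC = "Microsoft.ContainerService/managedClusters/"


def _matches(pattern: str, operation: str) -> bool:
    """True if an RBAC pattern covers an operation (case-insensitive, '*' spans '/')."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: dict, operation: str, data_action: bool = False) -> bool:
    """Does the role grant the operation? Control-plane operations are checked
    against actions/notActions, data-plane ones against dataActions/notDataActions."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    for perm in role["permissions"]:
        granted = any(_matches(p, operation) for p in perm[allow_key])
        denied = any(_matches(p, operation) for p in perm[deny_key])
        if granted and not denied:
            return True
    return False


def roles_granting(operation: str, data_action: bool = False) -> list:
    """Sorted names of the embedded roles that grant the operation."""
    return sorted(name for name, role in ROLE_DEFINITIONS.items()
                  if role_allows(role, operation, data_action))


if __name__ == "__main__":
    # The Contributor Role's managedClusters/* wildcard also covers the
    # admin-credential action that the Cluster Admin Role grants explicitly.
    print(roles_granting(MC + "listClusterAdminCredential/action"))
    admin = ROLE_DEFINITIONS["Azure Kubernetes Service RBAC Admin"]
    print(role_allows(admin, MC + "secrets/read", data_action=True))      # True
    print(role_allows(admin, MC + "namespaces/write", data_action=True))  # False
```

To audit a real subscription, replace `ROLE_DEFINITIONS` with the output of `az role definition list` (the same JSON shape) and query the credential-listing actions from this page; any custom role that contains a `managedClusters/*` wildcard will show up alongside the Cluster Admin Role.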
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Reads services |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update a managed cluster trusted access role binding |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get a managed cluster trusted access role binding |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete a managed cluster trusted access role binding |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user/service to create a connectedClusters resource
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Reads connectedClusters |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}