Kapsayıcılar için Azure yerleşik rolleri
Bu makalede Kapsayıcılar kategorisindeki Azure yerleşik rolleri listelenmiştir.
AcrDelete
Kapsayıcı kayıt defterinden depoları, etiketleri veya bildirimleri silin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Kapsayıcı kayıt defterindeki yapıtı silme. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
güvenilir görüntüleri içerik güveni için etkinleştirilmiş bir kapsayıcı kayıt defterine gönderin veya güvenilir görüntüleri çekin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/kayıt defterleri/sign/write | Kapsayıcı kayıt defteri için gönderme/çekme içerik güveni meta verileri. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Kapsayıcı kayıt defteri içeriğinin güvenilen koleksiyonlarının gönderilip yayımlanmasına izin verir. Bu, bir veri eylemi olması dışında Microsoft.ContainerRegistry/registries/sign/write eylemine benzer |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Kapsayıcı kayıt defterinden yapıtları çekme.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/kayıt defterleri/çekme/okuma | Kapsayıcı kayıt defterinden görüntü çekme veya alma. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Yapıtları bir kapsayıcı kayıt defterine gönderin veya bu kayıt defterinden yapıtları çekin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/kayıt defterleri/çekme/okuma | Kapsayıcı kayıt defterinden görüntü çekme veya alma. |
Microsoft.ContainerRegistry/kayıt defterleri/gönderme/yazma | Kapsayıcı kayıt defterine görüntü gönderme veya yazma. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Kapsayıcı kayıt defterinden karantinaya alınmış görüntüleri çekin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/kayıt defterleri/karantina/okuma | Kapsayıcı kayıt defterinden karantinaya alınan görüntüleri çekme veya alma |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Kapsayıcı kayıt defterinden karantinaya alınan yapıtların çekilmesine veya alınmasına izin verir. Bu, bir veri eylemi olması dışında Microsoft.ContainerRegistry/registries/quarantine/read ile benzerdir |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Karantinaya alınan görüntüleri bir kapsayıcı kayıt defterine gönderin veya karantinaya alınan görüntüleri çekin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerRegistry/kayıt defterleri/karantina/okuma | Kapsayıcı kayıt defterinden karantinaya alınan görüntüleri çekme veya alma |
Microsoft.ContainerRegistry/kayıt defterleri/karantina/yazma | Karantinaya alınan görüntülerin karantina durumunu yazma/değiştirme |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Kapsayıcı kayıt defterinden karantinaya alınan yapıtların çekilmesine veya alınmasına izin verir. Bu, bir veri eylemi olması dışında Microsoft.ContainerRegistry/registries/quarantine/read ile benzerdir |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Karantinaya alınan yapıtların karantina durumunun yazılmasına veya güncelleştirilmesini sağlar. Bu, bir veri eylemi olması dışında Microsoft.ContainerRegistry/registries/quarantine/write eylemine benzer |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Özellikli Kubernetes Kümesi Kullanıcı Rolü
Küme kullanıcı kimlik bilgilerini listele eylemi.
Eylemler | Açıklama |
---|---|
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Liste kümesiKullanıcı kimlik bilgileri (önizleme) |
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Liste kümesiKullanıcı kimlik bilgileri |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Yönetici
Kaynak kotalarını ve ad alanlarını güncelleştirme veya silme dışında küme/ad alanı altındaki tüm kaynakları yönetmenize olanak tanır.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Localsubjectaccessreviews yazar |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Sınır aralıklarını okur |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Ad alanlarını okur |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Kümesi Yönetici
Kümedeki tüm kaynakları yönetmenize olanak tanır.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Gizli diziler dışında küme/ad alanı içindeki tüm kaynakları görüntülemenizi sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Daemonset'leri okur |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Dağıtımları okur |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Çoğaltma kümelerini okur |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Durum bilgisi kümelerini okur |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Yataypodautoscaler'ları okur |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Cronjobs okur |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | İşleri okur |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Yapılandırma haritalarını okur |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Uç noktaları okur |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Daemonset'leri okur |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Dağıtımları okur |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Girişler okunur |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Ağpolicileri okur |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Çoğaltma kümelerini okur |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Sınır aralıklarını okur |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Ad alanlarını okur |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Girişler okunur |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Ağpolicileri okur |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Persistentvolumeclaims okur |
Microsoft.Kubernetes/connectedClusters/pods/read | Podları okur |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Poddisruptionbudget'leri okur |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Çoğaltma denetleyicilerini okur |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Çoğaltma denetleyicilerini okur |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Hizmethesaplarını okur |
Microsoft.Kubernetes/connectedClusters/services/read | Hizmetleri okur |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Yazıcı
(küme)rolleri ve (küme)rol bağlamaları dışında küme/ad alanı içindeki her şeyi güncelleştirmenizi sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/events/read | Olayları okur |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Sınır aralıklarını okur |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Ad alanlarını okur |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager Katkıda Bulunan Rolü
Azure Kubernetes Fleet Manager tarafından sağlanan, filolar, filo üyeleri, filo güncelleştirme stratejileri, filo güncelleştirme çalıştırmaları gibi Azure kaynaklarına okuma/yazma erişimi verir.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Dağıtım oluşturma ve yönetme |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Yönetici
Filo tarafından yönetilen hub kümesindeki bir ad alanı içindeki Kubernetes kaynaklarına okuma/yazma erişimi verir. ResourceQuota nesnesi ve ad alanı nesnesinin kendisi dışında, ad alanı içindeki çoğu nesne üzerinde yazma izinleri sağlar. Bu rolün küme kapsamında uygulanması tüm ad alanları arasında erişim sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/fleets/read | Filoyu edinin |
Microsoft.ContainerService/fleets/listCredentials/action | Filo kimlik bilgilerini listeleme |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Localsubjectaccessreviews yazar |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Olayları okur |
Microsoft.ContainerService/fleets/events/read | Olayları okur |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Sınır aralıklarını okur |
Microsoft.ContainerService/fleets/namespaces/read | Ad alanlarını okur |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Kümesi Yönetici
Filo tarafından yönetilen hub kümesindeki tüm Kubernetes kaynaklarına okuma/yazma erişimi verir.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/fleets/read | Filoyu edinin |
Microsoft.ContainerService/fleets/listCredentials/action | Filo kimlik bilgilerini listeleme |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Okuyucusu
Filo tarafından yönetilen hub kümesindeki bir ad alanı içindeki kubernetes kaynaklarının çoğuna salt okunur erişim verir. Rollerin veya rol bağlamalarının görüntülenmesine izin vermez. Gizli Dizilerin okunması ad alanında ServiceAccount kimlik bilgilerine erişim sağladığından bu rol Gizli Dizileri görüntülemeye izin vermez. Bu, ad alanında herhangi bir ServiceAccount olarak API erişimine izin verir (ayrıcalık yükseltme biçimi). Bu rolün küme kapsamında uygulanması tüm ad alanları arasında erişim sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/fleets/read | Filoyu edinin |
Microsoft.ContainerService/fleets/listCredentials/action | Filo kimlik bilgilerini listeleme |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Daemonset'leri okur |
Microsoft.ContainerService/fleets/apps/deployments/read | Dağıtımları okur |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Durum bilgisi kümelerini okur |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Yataypodautoscaler'ları okur |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Cronjobs okur |
Microsoft.ContainerService/fleets/batch/jobs/read | İşleri okur |
Microsoft.ContainerService/fleets/configmaps/read | Yapılandırma haritalarını okur |
Microsoft.ContainerService/fleets/endpoints/read | Uç noktaları okur |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Olayları okur |
Microsoft.ContainerService/fleets/events/read | Olayları okur |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Daemonset'leri okur |
Microsoft.ContainerService/fleets/extensions/deployments/read | Dağıtımları okur |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Girişler okunur |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Ağpolicileri okur |
Microsoft.ContainerService/fleets/limitranges/read | Sınır aralıklarını okur |
Microsoft.ContainerService/fleets/namespaces/read | Ad alanlarını okur |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Girişler okunur |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Ağpolicileri okur |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Persistentvolumeclaims okur |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Poddisruptionbudget'leri okur |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Çoğaltma denetleyicilerini okur |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Çoğaltma denetleyicilerini okur |
Microsoft.ContainerService/fleets/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.ContainerService/fleets/serviceaccounts/read | Hizmethesaplarını okur |
Microsoft.ContainerService/fleets/services/read | Hizmetleri okur |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Yazıcısı
Filo tarafından yönetilen hub kümesindeki bir ad alanı içindeki kubernetes kaynaklarının çoğuna okuma/yazma erişimi verir. Bu rol, rollerin veya rol bağlamalarının görüntülenmesine veya değiştirilmesine izin vermez. Ancak bu rol, ad alanında herhangi bir ServiceAccount olarak Gizli Dizilere erişmeye izin verir, bu nedenle ad alanında herhangi bir ServiceAccount'ın API erişim düzeylerini kazanmak için kullanılabilir. Bu rolün küme kapsamında uygulanması tüm ad alanları arasında erişim sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/fleets/read | Filoyu edinin |
Microsoft.ContainerService/fleets/listCredentials/action | Filo kimlik bilgilerini listeleme |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Olayları okur |
Microsoft.ContainerService/fleets/events/read | Olayları okur |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Sınır aralıklarını okur |
Microsoft.ContainerService/fleets/namespaces/read | Ad alanlarını okur |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Kümesi Yönetici Rolü
Küme yöneticisi kimlik bilgisi eylemini listeleyin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/managedClusters/listCluster Yönetici Credential/action | Yönetilen kümenin Yönetici kimlik bilgilerini listeleme |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Liste kimlik bilgilerini kullanarak rol adına göre yönetilen küme erişim profili alma |
Microsoft.ContainerService/managedClusters/read | Yönetilen küme alma |
Microsoft.ContainerService/managedClusters/runcommand/action | Yönetilen kubernetes sunucusunda kullanıcı tarafından verilen komutu çalıştırın. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Küme İzleme Kullanıcısı
Küme izleme kullanıcı kimlik bilgisi eylemini listeleyin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Yönetilen kümenin clusterMonitoringUser kimlik bilgilerini listeleme |
Microsoft.ContainerService/managedClusters/read | Yönetilen küme alma |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Kümesi Kullanıcı Rolü
Küme kullanıcı kimlik bilgisi eylemini listeleyin.
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Kümeyi listelemeKullanıcı yönetilen kümenin kimlik bilgileri |
Microsoft.ContainerService/managedClusters/read | Yönetilen küme alma |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Katkıda Bulunan Rolü
Azure Kubernetes Service kümelerini okuma ve yazma erişimi verir
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/managedClusters/read | Yönetilen küme alma |
Microsoft.ContainerService/managedClusters/write | Yeni bir yönetilen küme oluşturur veya mevcut kümeyi güncelleştirir |
Microsoft.Resources/deployments/* | Dağıtım oluşturma ve yönetme |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Yönetici
Kaynak kotalarını ve ad alanlarını güncelleştirme veya silme dışında küme/ad alanı altındaki tüm kaynakları yönetmenize olanak tanır.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Kümeyi listelemeKullanıcı yönetilen kümenin kimlik bilgileri |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Resourcequotas yazar |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Resourcequotas'ı siler |
Microsoft.ContainerService/managedClusters/namespaces/write | Ad alanlarını yazar |
Microsoft.ContainerService/managedClusters/namespaces/delete | Ad alanlarını siler |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Kümesi Yönetici
Kümedeki tüm kaynakları yönetmenize olanak tanır.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Kümeyi listelemeKullanıcı yönetilen kümenin kimlik bilgileri |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Okuyucusu
Ad alanında çoğu nesneyi görmek için salt okunur erişime izin verir. Rollerin veya rol bağlamalarının görüntülenmesine izin vermez. Gizli Dizilerin okunması ad alanında ServiceAccount kimlik bilgilerine erişim sağladığından bu rol Gizli Dizileri görüntülemeye izin vermez. Bu, ad alanında herhangi bir ServiceAccount olarak API erişimine izin verir (ayrıcalık yükseltme biçimi). Bu rolün küme kapsamında uygulanması tüm ad alanları arasında erişim sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Daemonset'leri okur |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Dağıtımları okur |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Çoğaltma kümelerini okur |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Durum bilgisi kümelerini okur |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Yataypodautoscaler'ları okur |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Cronjobs okur |
Microsoft.ContainerService/managedClusters/batch/jobs/read | İşleri okur |
Microsoft.ContainerService/managedClusters/configmaps/read | Yapılandırma haritalarını okur |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Uç noktaları okur |
Microsoft.ContainerService/managedClusters/endpoints/read | Uç noktaları okur |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Olayları okur |
Microsoft.ContainerService/managedClusters/events/read | Olayları okur |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Daemonset'leri okur |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Dağıtımları okur |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Girişler okunur |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Ağpolicileri okur |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Çoğaltma kümelerini okur |
Microsoft.ContainerService/managedClusters/limitranges/read | Sınır aralıklarını okur |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Podları okur |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Düğümleri okur |
Microsoft.ContainerService/managedClusters/namespaces/read | Ad alanlarını okur |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Girişler okunur |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Ağpolicileri okur |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Persistentvolumeclaims okur |
Microsoft.ContainerService/managedClusters/pods/read | Podları okur |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Poddisruptionbudget'leri okur |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Çoğaltma denetleyicilerini okur |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Hizmethesaplarını okur |
Microsoft.ContainerService/managedClusters/services/read | Hizmetleri okur |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Yazıcısı
Ad alanı içindeki çoğu nesneye okuma/yazma erişimine izin verir. Bu rol, rollerin veya rol bağlamalarının görüntülenmesine veya değiştirilmesine izin vermez. Ancak, bu rol Gizli Dizilere erişmeye ve podları ad alanında herhangi bir ServiceAccount olarak çalıştırmaya olanak tanır, bu nedenle ad alanında herhangi bir ServiceAccount'ın API erişim düzeylerini kazanmak için kullanılabilir. Bu rolün küme kapsamında uygulanması tüm ad alanları arasında erişim sağlar.
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Denetleyiciyi okur |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Kiralamaları okur |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Kiralamaları yazar |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Kiralamaları siler |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Uç noktaları okur |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Olayları okur |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Sınır aralıklarını okur |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Podları okur |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Düğümleri okur |
Microsoft.ContainerService/managedClusters/namespaces/read | Ad alanlarını okur |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Resourcequotas'ı okur |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Aracısız İşleci
Azure Kubernetes Services'a Bulut için Microsoft Defender erişim verir
Eylemler | Açıklama |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Yönetilen küme için güvenilen erişim rolü bağlamaları oluşturma veya güncelleştirme |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Yönetilen küme için güvenilen erişim rolü bağlamaları alma |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Yönetilen küme için güvenilen erişim rolü bağlamalarını silme |
Microsoft.ContainerService/managedClusters/read | Yönetilen küme alma |
Microsoft.Features/features/read | Aboneliğin özelliklerini alır. |
Microsoft.Features/providers/features/read | Belirli bir kaynak sağlayıcısındaki bir aboneliğin özelliğini alır. |
Microsoft.Features/providers/features/register/action | Belirli bir kaynak sağlayıcısındaki bir abonelik için özelliği kaydeder. |
Microsoft.Security/pricings/securityoperators/read | Kapsamın güvenlik işleçlerini alır |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Kümesi - Azure Arc Ekleme
Herhangi bir kullanıcıyı/hizmeti connectedClusters kaynağı oluşturma yetkisi vermek için rol tanımı
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/write | Dağıtım oluşturur veya güncelleştirir. |
Microsoft.Resources/subscriptions/operationresults/read | Abonelik işlemi sonuçlarını alın. |
Microsoft.Resources/subscriptions/read | Abonelik listesini alır. |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.Kubernetes/connectedClusters/Write | BağlıCluster'ları yazar |
Microsoft.Kubernetes/connectedClusters/read | BağlıCluster'ları okuma |
Microsoft.Support/* | Destek bileti oluşturma ve güncelleştirme |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Uzantısı Katkıda Bulunanı
Kubernetes Uzantılarını oluşturabilir, güncelleştirebilir, alabilir, listeleyebilir ve silebilir ve zaman uyumsuz uzantı işlemleri alabilir
Eylemler | Açıklama |
---|---|
Microsoft.Authorization/*/read | Rolleri ve rol atamalarını okuma |
Microsoft. Analizler/alertRules/* | Klasik ölçüm uyarısı oluşturma ve yönetme |
Microsoft.Resources/deployments/* | Dağıtım oluşturma ve yönetme |
Microsoft.Resources/subscriptions/resourceGroups/read | Kaynak gruplarını alır veya listeler. |
Microsoft.KubernetesConfiguration/extensions/write | Uzantı kaynağını oluşturur veya güncelleştirir. |
Microsoft.KubernetesConfiguration/extensions/read | Uzantı örneği kaynağını alır. |
Microsoft.KubernetesConfiguration/extensions/delete | Uzantı örneği kaynağını siler. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Zaman Uyumsuz İşlem durumunu alır. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}