Roles integrados de Azure para contenedores
En este artículo se enumeran los roles integrados de Azure en la categoría Contenedores.
AcrDelete
Permite eliminar repositorios, etiquetas o manifiestos de un registro de contenedor.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Eliminar artefacto de un registro de contenedor. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Permite insertar imágenes de confianza en un registro de contenedor habilitado para la confianza en el contenido, así como extraerlas de dicho registro.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/sign/write | Inserta o extrae metadatos de confianza en el contenido para un registro de contenedor. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Permite insertar o publicar colecciones de confianza de contenido del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/sign/write, salvo que se trata de una acción de datos. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Permite extraer artefactos de un registro de contenedor.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Extrae u obtiene imágenes de un registro de contenedor. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Permite insertar artefactos en un registro de contenedor, así como extraerlos.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Extrae u obtiene imágenes de un registro de contenedor. |
Microsoft.ContainerRegistry/registries/push/write | Inserta o escribe imágenes en un registro de contenedor. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Permite extraer imágenes en cuarentena de un registro de contenedor.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Extrae u obtiene imágenes en cuarentena de un registro de contenedor |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite extraer u obtener los artefactos en cuarentena del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/quarantine/read, salvo que se trata de una acción de datos. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Permite insertar imágenes en cuarentena en un registro de contenedor, así como extraerlas.
Acciones | Descripción |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Extrae u obtiene imágenes en cuarentena de un registro de contenedor |
Microsoft.ContainerRegistry/registries/quarantine/write | Escribe o modifica el estado de cuarentena de las imágenes que estén en cuarentena |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Permite extraer u obtener los artefactos en cuarentena del registro de contenedor. Se parece a Microsoft.ContainerRegistry/registries/quarantine/read, salvo que se trata de una acción de datos. |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Permite escribir o actualizar el estado de cuarentena de los artefactos en cuarentena. Se parece a Microsoft.ContainerRegistry/registries/quarantine/write, salvo que se trata de una acción de datos. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de usuario del clúster de Kubernetes habilitado para Azure Arc
Permite enumerar las acciones de credenciales de usuario de clúster.
Acciones | Descripción |
---|---|
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Enumeración de la credencial de clusterUser (versión preliminar) |
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Enumera la credencial de usuario de clúster. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de Azure Arc Kubernetes
Permite administrar todos los recursos en un clúster o espacio de nombres, excepto actualizar o eliminar cuotas de recursos y espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Escribe localsubjectaccessreviews. |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lee limitranges. |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lee espacios de nombres. |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lee resourcequotas. |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de clústeres de Azure Arc Kubernetes
Permite administrar todos los recursos del clúster.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Visor de Azure Arc Kubernetes
Permite ver todos los recursos del clúster o espacio de nombres, excepto los secretos.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Lee daemonsets. |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Lee implementaciones. |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Lee replicasets. |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Lee statefulsets. |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Lee horizontalpodautoscalers. |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Lee cronjobs. |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Lee trabajos. |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Lee configmaps. |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Lee puntos de conexión. |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Lee daemonsets. |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Lee implementaciones. |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Lee entradas. |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Lee networkpolicies. |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Lee replicasets. |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lee limitranges. |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lee espacios de nombres. |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Lee entradas. |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Lee networkpolicies. |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Lee persistentvolumeclaims. |
Microsoft.Kubernetes/connectedClusters/pods/read | Lee pods. |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Lee poddisruptionbudgets. |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lee resourcequotas. |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Lee serviceaccounts. |
Microsoft.Kubernetes/connectedClusters/services/read | Lee servicios. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Escritor de Azure Arc Kubernetes
Le permite actualizar todo el contenido del clúster o el espacio de nombres, excepto los roles (del clúster) y los enlaces de roles (del clúster).
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/events/read | Lee eventos. |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Lee limitranges. |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Lee espacios de nombres. |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Lee resourcequotas. |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador de Azure Container Storage
Instale Azure Container Storage y administre sus recursos de almacenamiento. Incluye una condición de ABAC para restringir las asignaciones de roles.
Acciones | Descripción |
---|---|
Microsoft.KubernetesConfiguration/extensions/write | Crea o actualiza un recurso de extensión. |
Microsoft.KubernetesConfiguration/extensions/read | Obtiene el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/delete | Elimina el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtiene el estado de la operación asincrónica. |
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Management/managementGroups/read | Enumera los grupos de administración del usuario autenticado. |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Acciones | |
Microsoft.Authorization/roleAssignments/write | Crea una asignación de roles en el ámbito especificado. |
Microsoft.Authorization/roleAssignments/delete | Elimine una asignación de roles en el ámbito especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condición | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Agregue o quite asignaciones de roles para los roles siguientes: Operador de Azure Container Storage |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador de Azure Container Storage
Habilite una identidad administrada para realizar operaciones de Azure Container Storage, como administrar máquinas virtuales y administrar redes virtuales.
Acciones | Descripción |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Sondea el estado de una operación asincrónica. |
Microsoft.Network/routeTables/join/action | Unirse a una tabla de rutas. No genera alertas. |
Microsoft.Network/networkSecurityGroups/join/action | Se une a un grupo de seguridad de red. No genera alertas. |
Microsoft.Network/virtualNetworks/write | Crea una red virtual o actualiza una que ya existe |
Microsoft.Network/virtualNetworks/delete | Elimina una red virtual |
Microsoft.Network/virtualNetworks/join/action | Se une a una red virtual. No genera alertas. |
Microsoft.Network/virtualNetworks/subnets/read | Obtiene una definición de subred de red virtual |
Microsoft.Network/virtualNetworks/subnets/write | Crea una subred de red virtual o actualiza una que ya existe |
Microsoft.Compute/virtualMachines/read | Obtención de las propiedades de una máquina virtual |
Microsoft.Compute/virtualMachines/write | Crea una nueva máquina virtual o actualiza una existente |
Microsoft.Compute/virtualMachineScaleSets/read | Obtiene las propiedades de un conjunto de escalado de máquinas virtuales. |
Microsoft.Compute/virtualMachineScaleSets/write | Crea un nuevo conjunto de escalado de máquinas virtuales o actualiza uno ya existente. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Actualiza las propiedades de una máquina virtual en un conjunto de escalado de máquinas virtuales. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Recupera las propiedades de una máquina virtual de un conjunto de escalado de máquinas virtuales |
Microsoft.Resources/subscriptions/providers/read | Obtiene o enumera los proveedores de recursos. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Network/virtualNetworks/read | Obtiene la definición de red virtual |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Propietario de Azure Container Storage
Instale Azure Container Storage, conceda acceso a sus recursos de almacenamiento y configure la red de área de almacenamiento elástica (SAN) de Azure. Incluye una condición de ABAC para restringir las asignaciones de roles.
Acciones | Descripción |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Sondea el estado de una operación asincrónica. |
Microsoft.KubernetesConfiguration/extensions/write | Crea o actualiza un recurso de extensión. |
Microsoft.KubernetesConfiguration/extensions/read | Obtiene el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/delete | Elimina el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtiene el estado de la operación asincrónica. |
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Management/managementGroups/read | Enumera los grupos de administración del usuario autenticado. |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Acciones | |
Microsoft.Authorization/roleAssignments/write | Crea una asignación de roles en el ámbito especificado. |
Microsoft.Authorization/roleAssignments/delete | Elimine una asignación de roles en el ámbito especificado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condición | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Agregue o quite asignaciones de roles para los roles siguientes: Operador de Azure Container Storage |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol colaborador de Fleet Manager de Azure Kubernetes
Concede acceso de lectura y escritura a los recursos de Azure proporcionados por Azure Kubernetes Fleet Manager, incluidas las flotas, los miembros de la flota, las estrategias de actualización de flota, las ejecuciones de actualizaciones de flota, etc.
Acciones | Descripción |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de RBAC de Azure Kubernetes Fleet Manager
Concede acceso de lectura y escritura a los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas: proporciona permisos de escritura en la mayoría de los objetos de un espacio de nombres, con la excepción del objeto ResourceQuota y el propio objeto de espacio de nombres. Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obtiene la flota |
Microsoft.ContainerService/fleets/listCredentials/action | Enumera las credenciales de flota. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Escribe localsubjectaccessreviews. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Lee limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Lee espacios de nombres. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Lee resourcequotas. |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Lee el recurso internalmembercluster de la flota. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Lee el recurso de fleet resourceoverridesnapshot. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Leer el recurso de trabajo de flota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de clústeres de RBAC de Azure Kubernetes Fleet Manager
Concede acceso de lectura y escritura a todos los recursos de Kubernetes del clúster del centro administrado por flotas.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obtiene la flota |
Microsoft.ContainerService/fleets/listCredentials/action | Enumera las credenciales de flota. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lector de RBAC de Azure Kubernetes Fleet Manager
Concede acceso de solo lectura a la mayoría de los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas. No permite la visualización de roles o enlaces de roles. Este rol no permite visualización de secretos, ya que leer el contenido de estos permite el acceso a las credenciales de ServiceAccount en el espacio de nombres, que permitiría el acceso a la API como cualquier ServiceAccount en el espacio de nombres (una forma de elevación de privilegios). Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obtiene la flota |
Microsoft.ContainerService/fleets/listCredentials/action | Enumera las credenciales de flota. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/fleets/apps/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Lee statefulsets. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lee horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Lee cronjobs. |
Microsoft.ContainerService/fleets/batch/jobs/read | Lee trabajos. |
Microsoft.ContainerService/fleets/configmaps/read | Lee configmaps. |
Microsoft.ContainerService/fleets/endpoints/read | Lee puntos de conexión. |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/fleets/extensions/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Lee entradas. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/fleets/limitranges/read | Lee limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Lee espacios de nombres. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lee entradas. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lee persistentvolumeclaims. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lee poddisruptionbudgets. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.ContainerService/fleets/resourcequotas/read | Lee resourcequotas. |
Microsoft.ContainerService/fleets/serviceaccounts/read | Lee serviceaccounts. |
Microsoft.ContainerService/fleets/services/read | Lee servicios. |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Lee el recurso internalmembercluster de la flota. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Lee el recurso de fleet resourceoverride. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Lee el recurso de fleet resourceoverridesnapshot. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Leer el recurso de trabajo de flota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Escritor de RBAC de Azure Kubernetes Fleet Manager
Concede acceso de lectura y escritura a la mayoría de los recursos de Kubernetes dentro de un espacio de nombres en el clúster del centro administrado por flotas. Este rol no permite la visualización o modificación de roles o enlaces de roles. Pero este rol permite acceder a secretos como cualquier ServiceAccount en el espacio de nombres, por lo que se puede usar para obtener los niveles de acceso de la API de cualquier ServiceAccount en el espacio de nombres. Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/fleets/read | Obtiene la flota |
Microsoft.ContainerService/fleets/listCredentials/action | Enumera las credenciales de flota. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/fleets/apps/daemonsets/write | Escribe daemonsets. |
Microsoft.ContainerService/fleets/apps/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/fleets/apps/deployments/write | Escribe implementaciones. |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Lee statefulsets. |
Microsoft.ContainerService/fleets/apps/statefulsets/write | Escribe statefulsets. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Lee horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Escribe horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Lee cronjobs. |
Microsoft.ContainerService/fleets/batch/cronjobs/write | Escribe cronjobs. |
Microsoft.ContainerService/fleets/batch/jobs/read | Lee trabajos. |
Microsoft.ContainerService/fleets/batch/jobs/write | Escribe trabajos. |
Microsoft.ContainerService/fleets/configmaps/read | Lee configmaps. |
Microsoft.ContainerService/fleets/configmaps/write | Escribe configmaps. |
Microsoft.ContainerService/fleets/endpoints/read | Lee puntos de conexión. |
Microsoft.ContainerService/fleets/endpoints/write | Escribe puntos de conexión. |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/events/read | Lee eventos. |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/fleets/extensions/daemonsets/write | Escribe daemonsets. |
Microsoft.ContainerService/fleets/extensions/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/fleets/extensions/deployments/write | Escribe implementaciones. |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Lee entradas. |
Microsoft.ContainerService/fleets/extensions/ingresses/write | Escribe entradas. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Escribe networkpolicies. |
Microsoft.ContainerService/fleets/limitranges/read | Lee limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Lee espacios de nombres. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Lee entradas. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Escribe entradas. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Escribe networkpolicies. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Lee persistentvolumeclaims. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Escribe persistentvolumeclaims. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Lee poddisruptionbudgets. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Escribe poddisruptionbudgets. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.ContainerService/fleets/replicationcontrollers/write | Escribe replicationcontrollers. |
Microsoft.ContainerService/fleets/resourcequotas/read | Lee resourcequotas. |
Microsoft.ContainerService/fleets/secrets/read | Lee secretos. |
Microsoft.ContainerService/fleets/secrets/write | Escribe secretos. |
Microsoft.ContainerService/fleets/serviceaccounts/read | Lee serviceaccounts. |
Microsoft.ContainerService/fleets/serviceaccounts/write | Escribe serviceaccounts. |
Microsoft.ContainerService/fleets/services/read | Lee servicios. |
Microsoft.ContainerService/fleets/services/write | Escribe servicios. |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Lee el recurso internalmembercluster de la flota. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Lee el recurso de fleet resourceoverride. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Escritura de un recurso de fleet resourceoverride |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Lee el recurso de fleet resourceoverridesnapshot. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Leer el recurso de trabajo de flota |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de administrador de clústeres de Azure Kubernetes Service Arc
Enumerar la acción de credenciales administrativas del clúster.
Acciones | Descripción |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado. |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Enumera las credenciales de administrador de una instancia de clúster aprovisionada que solo se usa en modo directo. |
Microsoft.Kubernetes/connectedClusters/Read | Lee connectedClusters. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de usuario de clúster de Azure Kubernetes Service Arc
Enumerar la acción de credenciales de usuario del clúster.
Acciones | Descripción |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado. |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Enumera las credenciales de usuario de AAD de una instancia de clúster aprovisionada que solo se usa en modo directo. |
Microsoft.Kubernetes/connectedClusters/Read | Lee connectedClusters. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de colaborador de Azure Kubernetes Service Arc
Concede acceso para leer y escribir clústeres híbridos de Azure Kubernetes Services
Acciones | Descripción |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | read operationStatuses |
Microsoft.HybridContainerService/Operations/read | Operaciones de lectura |
Microsoft.HybridContainerService/kubernetesVersions/read | Enumera las versiones de Kubernetes admitidas desde la ubicación personalizada subyacente. |
Microsoft.HybridContainerService/kubernetesVersions/write | Coloca el tipo de recurso de versión de Kubernetes |
Microsoft.HybridContainerService/kubernetesVersions/delete | Eliminación del tipo de recurso de versiones de Kubernetes |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Obtiene las instancias de clúster aprovisionadas de AKS híbridas asociadas al clúster conectado. |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Crea la instancia de clúster aprovisionada de AKS híbrido. |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Elimina la instancia de clúster aprovisionada de AKS híbrido. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Obtiene los grupos de agentes en la instancia de clúster aprovisionada de AKS híbrido. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Actualiza el grupo de agentes en la instancia de clúster aprovisionada de AKS híbrido. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Elimina el grupo de agentes en la instancia de clúster aprovisionada de AKS híbrido. |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | leer upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Enumera las SKU de máquina virtual admitidas de la ubicación personalizada subyacente. |
Microsoft.HybridContainerService/skus/write | Coloca el tipo de recurso SKU de máquina virtual |
Microsoft.HybridContainerService/skus/delete | Elimina el tipo de recurso SKU de máquina virtual. |
Microsoft.HybridContainerService/virtualNetworks/read | Enumera las redes virtuales de AKS híbridas por suscripción |
Microsoft.HybridContainerService/virtualNetworks/write | Revisiones de la red virtual de AKS híbrida |
Microsoft.HybridContainerService/virtualNetworks/delete | Elimina la red virtual de AKS híbrida. |
Microsoft.ExtendedLocation/customLocations/deploy/action | Implementación de permisos en un recurso de ubicación personalizada |
Microsoft.ExtendedLocation/customLocations/read | Obtiene un recurso de ubicación personalizada. |
Microsoft.Kubernetes/connectedClusters/Read | Lee connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Write | Escribe connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Delete | Elimina connectedClusters. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Enumera la credencial de usuario de clúster. |
Microsoft.AzureStackHCI/clusters/read | Obtiene clústeres. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de administrador de clúster de Azure Kubernetes Service
Enumerar la acción de credenciales administrativas del clúster.
Acciones | Descripción |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | Muestra la credencial clusterAdmin de un clúster administrado. |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Obtiene el perfil de acceso de un clúster administrados por nombre de rol mediante las credenciales de la lista |
Microsoft.ContainerService/managedClusters/read | Obtiene un clúster administrado |
Microsoft.ContainerService/managedClusters/runcommand/action | Ejecuta un comando emitido por el usuario en un servidor de Kubernetes administrado. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Usuario de supervisión de clústeres de Azure Kubernetes Service
Enumerar la acción de credenciales de usuario de supervisión del clúster.
Acciones | Descripción |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Enumera la credencial clusterMonitoringUser de un clúster administrado. |
Microsoft.ContainerService/managedClusters/read | Obtiene un clúster administrado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de usuario de clúster de Azure Kubernetes Service
Enumerar la acción de credenciales de usuario del clúster.
Acciones | Descripción |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Muestra la credencial clusterUser de un clúster administrado. |
Microsoft.ContainerService/managedClusters/read | Obtiene un clúster administrado |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Rol de colaborador de Azure Kubernetes Service
Concede acceso de lectura y escritura a los clústeres de Azure Kubernetes Service
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.ContainerService/locations/* | Leer ubicaciones disponibles para los recursos de ContainerService |
Microsoft.ContainerService/managedClusters/* | Creación y administración de un clúster administrado |
Microsoft.ContainerService/managedclustersnapshots/* | Creación y administración de una instantánea de clúster administrado |
Microsoft.ContainerService/snapshots/* | Creación y administración de una instantánea |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de Azure Kubernetes Service RBAC
Permite administrar todos los recursos en un clúster o espacio de nombres, excepto actualizar o eliminar cuotas de recursos y espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Muestra la credencial clusterUser de un clúster administrado. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Escribe resourcequotas. |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Elimina resourcequotas. |
Microsoft.ContainerService/managedClusters/namespaces/write | Escribe espacios de nombres. |
Microsoft.ContainerService/managedClusters/namespaces/delete | Elimina espacios de nombres. |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrador de clúster de Azure Kubernetes Service RBAC
Permite administrar todos los recursos del clúster.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Muestra la credencial clusterUser de un clúster administrado. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lector de Azure Kubernetes Service RBAC
Permite el acceso de solo lectura para ver la mayoría de los objetos en un espacio de nombres. No permite la visualización de roles o enlaces de roles. Este rol no permite visualización de secretos, ya que leer el contenido de estos permite el acceso a las credenciales de ServiceAccount en el espacio de nombres, que permitiría el acceso a la API como cualquier ServiceAccount en el espacio de nombres (una forma de elevación de privilegios). Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Lee replicasets. |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Lee statefulsets. |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Lee horizontalpodautoscalers. |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Lee cronjobs. |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Lee trabajos. |
Microsoft.ContainerService/managedClusters/configmaps/read | Lee configmaps. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lee los puntos de conexiónlices. |
Microsoft.ContainerService/managedClusters/endpoints/read | Lee puntos de conexión. |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lee eventos. |
Microsoft.ContainerService/managedClusters/events/read | Lee eventos. |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Lee daemonsets. |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Lee implementaciones. |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Lee entradas. |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Lee replicasets. |
Microsoft.ContainerService/managedClusters/limitranges/read | Lee limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lee pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lee nodos. |
Microsoft.ContainerService/managedClusters/namespaces/read | Lee espacios de nombres. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Lee entradas. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Lee networkpolicies. |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Lee persistentvolumeclaims. |
Microsoft.ContainerService/managedClusters/pods/read | Lee pods. |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Lee poddisruptionbudgets. |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Lee replicationcontrollers. |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lee resourcequotas. |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Lee serviceaccounts. |
Microsoft.ContainerService/managedClusters/services/read | Lee servicios. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Escritor de Azure Kubernetes Service RBAC
Permite el acceso de lectura y escritura para ver la mayoría de los objetos en un espacio de nombres. Este rol no permite la visualización o modificación de roles o enlaces de roles. Sin embargo, este rol permite acceder a secretos y ejecutar pods como cualquier ServiceAccount en el espacio de nombres, por lo que se puede usar para obtener los niveles de acceso de la API de cualquier ServiceAccount en el espacio de nombres. Al aplicar este rol en el ámbito del clúster, se proporcionará acceso a todos los espacios de nombres.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Lee controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Lee concesiones. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Escribe concesiones. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Elimina concesiones. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Lee los puntos de conexiónlices. |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Lee eventos. |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Lee limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Lee pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Lee nodos. |
Microsoft.ContainerService/managedClusters/namespaces/read | Lee espacios de nombres. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Lee resourcequotas. |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lector checkAccess de identidad administrada del clúster conectado
Rol integrado que permite que una identidad administrada del clúster conectado llame a la API checkAccess
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operador sin agente de Kubernetes
Concede a Microsoft Defender for Cloud acceso a Azure Kubernetes Services
Acciones | Descripción |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Creación o actualización de enlaces de rol de acceso de confianza para un clúster administrado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Obtención de enlaces de rol de acceso de confianza para un clúster administrado |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Eliminación de enlaces de rol de acceso de confianza para un clúster administrado |
Microsoft.ContainerService/managedClusters/read | Obtiene un clúster administrado |
Microsoft.Features/features/read | Obtiene las características de una suscripción. |
Microsoft.Features/providers/features/read | Obtiene la característica de una suscripción de un proveedor de recursos determinado. |
Microsoft.Features/providers/features/register/action | Registra la característica de una suscripción de un proveedor de recursos determinado. |
Microsoft.Security/pricings/securityoperators/read | Obtiene los operadores de seguridad para el ámbito. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Clúster de Kubernetes: incorporación de Azure Arc
Definición de roles para permitir crear el recurso connectedClusters a cualquier usuario o servicio
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/write | Crea o actualiza una implementación. |
Microsoft.Resources/subscriptions/operationresults/read | Obtiene los resultados de la operación de suscripción. |
Microsoft.Resources/subscriptions/read | Obtiene la lista de suscripciones. |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.Kubernetes/connectedClusters/Write | Escribe connectedClusters. |
Microsoft.Kubernetes/connectedClusters/read | Lee connectedClusters. |
Microsoft.KubernetesConfiguration/extensions/write | Crea o actualiza un recurso de extensión. |
Microsoft.KubernetesConfiguration/extensions/read | Obtiene el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/delete | Elimina el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtiene el estado de la operación asincrónica. |
Microsoft.Support/* | Creación y actualización de una incidencia de soporte técnico |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Puede crear, actualizar, obtener, enumerar y eliminar extensiones de Kubernetes y obtener operaciones asincrónicas de extensión.
Acciones | Descripción |
---|---|
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
Microsoft.KubernetesConfiguration/extensions/write | Crea o actualiza un recurso de extensión. |
Microsoft.KubernetesConfiguration/extensions/read | Obtiene el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/delete | Elimina el recurso de instancia de extensión. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Obtiene el estado de la operación asincrónica. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador del clúster de Service Fabric
Administre los recursos del clúster de Service Fabric. Incluye clústeres, tipos de aplicación, versiones de tipo de aplicación, aplicaciones y servicios. Necesitará permisos adicionales para implementar y administrar los recursos subyacentes del clúster, como conjuntos de escalado de máquinas virtuales, cuentas de almacenamiento, redes, etc.
Acciones | Descripción |
---|---|
Microsoft.ServiceFabric/clusters/* | |
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Colaborador del clúster administrado de Service Fabric
Implemente y administre los recursos del clúster administrado de Service Fabric. Incluye clústeres administrados, tipos de nodo, tipos de aplicación, versiones de tipo de aplicación, aplicaciones y servicios.
Acciones | Descripción |
---|---|
Microsoft.ServiceFabric/managedclusters/* | |
Microsoft.Authorization/*/read | Leer roles y asignaciones de roles |
Microsoft.Insights/alertRules/* | Creación y administración de una alerta de métricas clásica |
Microsoft.Resources/deployments/* | Creación y administración de una implementación |
Microsoft.Resources/subscriptions/resourceGroups/read | Obtiene o enumera los grupos de recursos. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}