Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | Push or pull content trust metadata for a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to Microsoft.ContainerRegistry/registries/sign/write, except that it is a data action. |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or get images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to or pull artifacts from a container registry.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or write images to a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or get quarantined images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action. |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or get quarantined images from a container registry. |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write or modify the quarantine state of quarantined images. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action. |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to Microsoft.ContainerRegistry/registries/quarantine/write, except that it is a data action. |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.
| Actions | Description |
|---|---|
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential (preview) |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets. |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments. |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets. |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets. |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs. |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs. |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps. |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints. |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets. |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments. |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses. |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies. |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets. |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
| Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods. |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts. |
| Microsoft.Kubernetes/connectedClusters/services/read | Reads services. |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events. |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges. |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces. |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas. |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.
| Actions | Description |
|---|---|
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | Lists the management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Actions | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Operator
Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a Virtual Machine Scale Set. |
Microsoft.Compute/virtualMachineScaleSets/write | Creates a new Virtual Machine Scale Set or updates an existing one. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a Virtual Machine in a Virtual Machine Scale Set. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a Virtual Machine in a Virtual Machine Scale Set |
Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the asynchronous operation status. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | Lists the management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Creates a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Deletes a role assignment at the specified scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster: provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets the fleet |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Reads the fleet internalmembercluster resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Reads the fleet resourceoverridesnapshot resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets the fleet |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets the fleet |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs. |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs. |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps. |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints. |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts. |
Microsoft.ContainerService/fleets/services/read | Reads services. |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Reads the fleet internalmembercluster resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Reads the fleet resourceoverride resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Reads the fleet resourceoverridesnapshot resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Gets the fleet |
Microsoft.ContainerService/fleets/listCredentials/action | Lists the fleet credentials. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/apps/daemonsets/write | Writes daemonsets. |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/apps/deployments/write | Writes deployments. |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets. |
Microsoft.ContainerService/fleets/apps/statefulsets/write | Writes statefulsets. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers. |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs. |
Microsoft.ContainerService/fleets/batch/cronjobs/write | Writes cronjobs. |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs. |
Microsoft.ContainerService/fleets/batch/jobs/write | Writes jobs. |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps. |
Microsoft.ContainerService/fleets/configmaps/write | Writes configmaps. |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints. |
Microsoft.ContainerService/fleets/endpoints/write | Writes endpoints. |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/fleets/events/read | Reads events. |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/fleets/extensions/daemonsets/write | Writes daemonsets. |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments. |
Microsoft.ContainerService/fleets/extensions/deployments/write | Writes deployments. |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/extensions/ingresses/write | Writes ingresses. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Writes networkpolicies. |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Writes ingresses. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Writes networkpolicies. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Writes persistentvolumeclaims. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets. |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/fleets/replicationcontrollers/write | Writes replicationcontrollers. |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/fleets/secrets/read | Reads secrets. |
Microsoft.ContainerService/fleets/secrets/write | Writes secrets. |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts. |
Microsoft.ContainerService/fleets/serviceaccounts/write | Writes serviceaccounts. |
Microsoft.ContainerService/fleets/services/read | Reads services. |
Microsoft.ContainerService/fleets/services/write | Writes services. |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Reads the fleet internalmembercluster resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Reads the fleet resourceoverride resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Writes a fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Reads the fleet resourceoverridesnapshot resource. |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Service hybrid clusters.
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Reads operationStatuses. |
Microsoft.HybridContainerService/Operations/read | Reads operations. |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported Kubernetes versions from the underlying custom location. |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the Kubernetes version resource type. |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the Kubernetes versions resource type. |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the Hybrid AKS provisioned cluster instances associated with the connected cluster. |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates the Hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the Hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pools in the Hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool in the Hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool in the Hybrid AKS provisioned cluster instance. |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Reads upgradeProfiles. |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location. |
Microsoft.HybridContainerService/skus/write | Puts the VM SKU resource type. |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKU resource type. |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the Hybrid AKS virtual networks by subscription. |
Microsoft.HybridContainerService/virtualNetworks/write | Patches the Hybrid AKS virtual network. |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the Hybrid AKS virtual network. |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions on a custom location resource. |
Microsoft.ExtendedLocation/customLocations/read | Gets a custom location resource. |
Microsoft.Kubernetes/connectedClusters/Read | Reads connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters. |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Lists the cluster user credential. |
Microsoft.AzureStackHCI/clusters/read | Gets clusters. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | Lists the clusterAdmin credential of a managed cluster. |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Gets a managed cluster access profile by role name using list credential. |
Microsoft.ContainerService/managedClusters/read | Gets a managed cluster. |
Microsoft.ContainerService/managedClusters/runcommand/action | Runs a user-issued command against a managed Kubernetes server. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | Lists the clusterMonitoringUser credential of a managed cluster. |
Microsoft.ContainerService/managedClusters/read | Gets a managed cluster. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Lists the clusterUser credential of a managed cluster. |
Microsoft.ContainerService/managedClusters/read | Gets a managed cluster. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments. |
Microsoft.ContainerService/locations/* | Read available locations for ContainerService resources. |
Microsoft.ContainerService/managedClusters/* | Create and manage a managed cluster. |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage a managed cluster snapshot. |
Microsoft.ContainerService/snapshots/* | Create and manage a snapshot. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert. |
Microsoft.Resources/deployments/* | Create and manage a deployment. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under a cluster or namespace, except updating or deleting resource quotas and namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Lists the clusterUser credential of a managed cluster. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas. |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas. |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces. |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces. |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Lists the clusterUser credential of a managed cluster. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments. |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets. |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets. |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers. |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs. |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs. |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices. |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints. |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets. |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments. |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets. |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes. |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies. |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims. |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets. |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers. |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts. |
Microsoft.ContainerService/managedClusters/services/read | Reads services. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions. |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases. |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases. |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices. |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events. |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods. |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes. |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces. |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas. |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Configuration Reader and Data Access Configuration Reader
Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write, or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents, including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets the asynchronous operation status of a registry. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the private endpoint connection properties or lists all the private endpoint connections for the specified container registry. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets the asynchronous operation status of a private endpoint connection. |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets the asynchronous operation status of a token. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets the asynchronous operation status of a scope map. |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets the asynchronous operation status of a webhook. |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets the asynchronous operation status of a replication. |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft ContainerRegistry. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft Container Registry |
Microsoft.Insights/AlertRules/Write | Creates or updates a classic metric alert. |
Microsoft.Insights/AlertRules/Delete | Deletes a classic metric alert. |
Microsoft.Insights/AlertRules/Read | Reads a classic metric alert. |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated. |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved. |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled. |
Microsoft.Insights/AlertRules/Incidents/Read | Reads a classic metric alert incident. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Contributor and Data Access Configuration Administrator
Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write, or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents, including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets the asynchronous operation status of a registry. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/write | Creates or updates a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/delete | Deletes a container registry. |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/regenerateCredential/action | Regenerates one of the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/generateCredentials/action | Generates keys for a token of the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/write | Creates or updates a replication for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/replications/delete | Deletes a replication from a container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets the asynchronous operation status of a replication. |
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | Auto-approves a private endpoint connection. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the private endpoint connection properties or lists all the private endpoint connections for the specified container registry. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | Approves or rejects the private endpoint connection. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | Deletes the private endpoint connection. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets the asynchronous operation status of a private endpoint connection. |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/write | Creates or updates a token for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/tokens/delete | Deletes a token from a container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets the asynchronous operation status of a token. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/write | Creates or updates a scope map for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/scopeMaps/delete | Deletes a scope map from a container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets the asynchronous operation status of a scope map. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft ContainerRegistry. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft Container Registry |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/write | Creates or updates a connected registry for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/connectedRegistries/delete | Deletes a connected registry from a container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | Deactivates a connected registry for a container registry. |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/write | Creates or updates a webhook for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/webhooks/delete | Deletes a webhook from a container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/ping/action | Triggers a ping event to be sent to the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets the asynchronous operation status of a webhook. |
Microsoft.Insights/AlertRules/Write | Creates or updates a classic metric alert. |
Microsoft.Insights/AlertRules/Delete | Deletes a classic metric alert. |
Microsoft.Insights/AlertRules/Read | Reads a classic metric alert. |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated. |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved. |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled. |
Microsoft.Insights/AlertRules/Incidents/Read | Reads a classic metric alert incident. |
Microsoft.ContainerRegistry/locations/operationResults/read | Gets the result of an asynchronous operation. |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing one |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | Creates a new private link service proxy or updates an existing one. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Data Importer and Data Reader
Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/importImage/action | Imports an image into a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/pull/read | Pulls or gets images from a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Catalog Lister
Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/catalog/read | Lists the repositories in a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Contributor
Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/write | Pushes or writes images to a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/delete | Deletes the metadata of a repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/delete | Deletes an artifact from a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Reader
Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Writer
Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry. |
Microsoft.ContainerRegistry/registries/repositories/content/write | Pushes or writes images to a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Tasks Contributor
Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions, including reading, writing, or deleting container images in registries. Permissions granted for Tasks management can also be used to run customer-authored build directives and run scripts to build software artifacts.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/agentpools/read | Gets an agent pool for a container registry or lists all agent pools. |
Microsoft.ContainerRegistry/registries/agentpools/write | Creates or updates an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/delete | Deletes an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | Lists all queue statuses of an agent pool in a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | Gets an agent pool async operation result status. |
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | Gets an agent pool async operation status. |
Microsoft.ContainerRegistry/registries/tasks/read | Gets a task for a container registry or lists all tasks. |
Microsoft.ContainerRegistry/registries/tasks/write | Creates or updates a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/delete | Deletes a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/listDetails/action | Lists all details of a task for a container registry. |
Microsoft.ContainerRegistry/registries/scheduleRun/action | Schedules a run in a container registry. |
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | Gets the source upload URL location for a container registry. |
Microsoft.ContainerRegistry/registries/runs/read | Gets the properties of a run in a container registry or lists runs. |
Microsoft.ContainerRegistry/registries/runs/write | Updates a run. |
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | Gets the log SAS URL for a run. |
Microsoft.ContainerRegistry/registries/runs/cancel/action | Cancels an existing run. |
Microsoft.ContainerRegistry/registries/taskruns/read | Gets a task run for a container registry or lists all task runs. |
Microsoft.ContainerRegistry/registries/taskruns/write | Creates or updates a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/delete | Deletes a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | Lists all details of a run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | Gets a task run async operation status. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified subscription or resource group. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Transfer Pipeline Contributor
Provides the ability to transfer, import, and export artifacts by configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/exportPipelines/read | Gets the properties of the specified export pipeline or lists all the export pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/exportPipelines/write | Creates or updates an export pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/exportPipelines/delete | Deletes an export pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/read | Gets the properties of the specified import pipeline or lists all the import pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/write | Creates or updates an import pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/importPipelines/delete | Deletes an import pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/read | Gets the properties of the specified pipeline run or lists all the pipeline runs for the specified container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/write | Creates or updates a pipeline run for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/pipelineRuns/delete | Deletes a pipeline run from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | Gets the status of an async operation for a pipeline run. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/read | Gets a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user or service to create the connectedClusters resource.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters. |
Microsoft.Kubernetes/connectedClusters/read | Reads connectedClusters. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the asynchronous operation status. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list, and delete Kubernetes Extensions, and get extension async operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the asynchronous operation status. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Cluster Contributor
Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources, such as virtual machine scale sets, storage accounts, networks, etc.
Actions | Description |
---|---|
Microsoft.ServiceFabric/clusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Managed Cluster Contributor
Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.
Actions | Description |
---|---|
Microsoft.ServiceFabric/managedclusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}