Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Delete an artifact in a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to, or pull trusted images from, a container registry enabled for content trust.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/sign/write | Pushes or pulls content trust metadata for a container registry. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. Similar to the Microsoft.ContainerRegistry/registries/sign/write action, except that this is a data action. |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Pulls or gets images from a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to, or pull artifacts from, a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Pulls or gets images from a container registry. |
Microsoft.ContainerRegistry/registries/push/write | Pushes or writes images to a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Pulls or gets quarantined images from a container registry. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. Similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that this is a data action. |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to, or pull quarantined images from, a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Pulls or gets quarantined images from a container registry. |
Microsoft.ContainerRegistry/registries/quarantine/write | Writes or modifies the quarantine state of quarantined images. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. Similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that this is a data action. |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. Similar to the Microsoft.ContainerRegistry/registries/quarantine/write action, except that this is a data action. |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.
Actions | Description |
---|---|
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | Lists clusterUser credentials (preview) |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | Lists clusterUser credentials |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except updating or deleting resource quotas and namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.Kubernetes/connectedClusters/services/read | Reads services |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.
Actions | Description |
---|---|
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the status of an asynchronous operation. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | Lists the management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Operator
Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network. |
Microsoft.Network/virtualNetworks/delete | Deletes a virtual network. |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition. |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet. |
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
Microsoft.Compute/virtualMachineScaleSets/read | Gets the properties of a virtual machine scale set |
Microsoft.Compute/virtualMachineScaleSets/write | Creates or updates a virtual machine scale set |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a virtual machine in a virtual machine scale set |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a virtual machine in a virtual machine scale set |
Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic Storage Area Network (SAN). Includes an ABAC condition to constrain role assignments.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the asynchronous operation status. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | Lists the management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster: provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get a fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read the fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read the fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get a fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing roles or role bindings. It does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get a fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read the fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read the fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read the fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get a fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/daemonsets/write | Writes daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/deployments/write | Writes deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/apps/statefulsets/write | Writes statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/cronjobs/write | Writes cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/batch/jobs/write | Writes jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/configmaps/write | Writes configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/endpoints/write | Writes endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/daemonsets/write | Writes daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/deployments/write | Writes deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/ingresses/write | Writes ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Writes networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Writes ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Writes networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Writes persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/write | Writes replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/read | Reads secrets |
Microsoft.ContainerService/fleets/secrets/write | Writes secrets |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/serviceaccounts/write | Writes serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
Microsoft.ContainerService/fleets/services/write | Writes services |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read the fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read the fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Write a fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read the fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read the fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action. Holders can retrieve the admin kubeconfig of a provisioned cluster instance, which is full administrative access to that cluster.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Services hybrid clusters. Note that the role includes deploy rights on the custom location and create/delete rights on provisioned cluster instances and their agent pools, so it is a control-plane role, not an operator role.
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Read operationStatuses |
Microsoft.HybridContainerService/Operations/read | Read operations |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported kubernetes versions from the underlying custom location |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the kubernetes version resource type |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the kubernetes versions resource type |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pools in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Read upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location |
Microsoft.HybridContainerService/skus/write | Puts the VM SKU resource type |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKU resource type |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the hybrid AKS virtual networks by subscription |
Microsoft.HybridContainerService/virtualNetworks/write | Updates the hybrid AKS virtual network |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the hybrid AKS virtual network |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a custom location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a custom location resource |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
Microsoft.AzureStackHCI/clusters/read | Gets clusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action. The clusterAdmin credential is a local, certificate-based kubeconfig, so the Kubernetes-level DataActions and NotDataActions of the RBAC roles later on this page do not constrain it; together with `runcommand`, this role amounts to full control of the cluster's workloads and should be assigned sparingly.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/runcommand/action | Run a user-issued command against the managed kubernetes server. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters. Because `Microsoft.ContainerService/managedClusters/*` is a wildcard, this role also covers `listClusterAdminCredential/action` and `runcommand/action` from the Cluster Admin Role above, so a Contributor is in practice a cluster admin as well.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerService/locations/* | Read the available locations for ContainerService resources |
Microsoft.ContainerService/managedClusters/* | Create and manage a managed cluster |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage a managed cluster snapshot |
Microsoft.ContainerService/snapshots/* | Create and manage a snapshot |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. The `managedClusters/*` DataActions wildcard still includes Secrets and Pods, so this role carries the ServiceAccount impersonation path that the RBAC Reader description below explains.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Reads services |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
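The tables above leave the Azure RBAC evaluation rule implicit: an operation is permitted when an Actions (or DataActions) entry matches it and no NotActions (or NotDataActions) entry matches it, with `*` matching any run of characters (including `/`) and names compared case-insensitively. The following is an added example, not part of the Azure documentation or of any Microsoft tool, that applies that rule to abridged copies of the role definitions on this page. It shows that the Contributor Role's `managedClusters/*` wildcard covers the `listClusterAdminCredential` and `runcommand` actions of the Cluster Admin Role, that the RBAC Admin's NotDataActions subtract only namespaces and resource quotas from its `managedClusters/*` DataActions (Secrets and Pods stay in), and that the RBAC Reader never reaches `secrets/read`. The labels, function names and the `MC` prefix constant are the example's own; the RBAC Reader list is shortened to four entries.

```python
"""Evaluate what an Azure built-in role for AKS actually permits.

Added example, not part of the Azure documentation or of any Microsoft tool.
Rule applied (documented Azure RBAC semantics): granted = some Actions /
DataActions entry matches AND no NotActions / NotDataActions entry matches;
'*' matches any characters, '/' included; comparison is case-insensitive.
Role definitions below are abridged copies of the ones listed on this page.
"""
import re

MC = "Microsoft.ContainerService/managedClusters"  # example's own shorthand

# Abridged from the definitions above. Same JSON shape as the page and as
# `az role definition list --name <role>` output, which these functions also accept.
AKS_CONTRIBUTOR = {
    "roleName": "Azure Kubernetes Service Contributor Role",
    "permissions": [{"actions": [f"{MC}/*", "Microsoft.Authorization/*/read"],
                     "notActions": [], "dataActions": [], "notDataActions": []}],
}
AKS_CLUSTER_USER = {
    "roleName": "Azure Kubernetes Service Cluster User Role",
    "permissions": [{"actions": [f"{MC}/listClusterUserCredential/action", f"{MC}/read"],
                     "notActions": [], "dataActions": [], "notDataActions": []}],
}
AKS_RBAC_ADMIN = {
    "roleName": "Azure Kubernetes Service RBAC Admin",
    "permissions": [{"actions": [f"{MC}/listClusterUserCredential/action"], "notActions": [],
                     "dataActions": [f"{MC}/*"],
                     "notDataActions": [f"{MC}/resourcequotas/write", f"{MC}/resourcequotas/delete",
                                        f"{MC}/namespaces/write", f"{MC}/namespaces/delete"]}],
}
AKS_RBAC_READER = {  # abridged: four of the read-only data actions listed above
    "roleName": "Azure Kubernetes Service RBAC Reader",
    "permissions": [{"actions": [], "notActions": [],
                     "dataActions": [f"{MC}/configmaps/read", f"{MC}/namespaces/read",
                                     f"{MC}/pods/read", f"{MC}/serviceaccounts/read"],
                     "notDataActions": []}],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure action-name matching: '*' is a wildcard for any characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def allows(role: dict, operation: str, data_action: bool = False) -> bool:
    """True if the role grants `operation` as a control-plane action, or as a data action when data_action=True."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    for perm in role["permissions"]:
        granted = any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if granted and not denied:
            return True
    return False


# Control-plane actions of the Cluster Admin Role that hand out admin-level access.
ADMIN_CONTROL_PLANE_ACTIONS = {
    "clusterAdmin credential": f"{MC}/listClusterAdminCredential/action",
    "run command": f"{MC}/runcommand/action",
}
# Data actions the RBAC Reader / Writer descriptions single out as a way to act
# as any ServiceAccount in the namespace.
SERVICE_ACCOUNT_ESCALATION_ACTIONS = {
    "read Secrets": f"{MC}/secrets/read",
    "create Pods": f"{MC}/pods/write",
}


def admin_paths(role: dict) -> list[str]:
    """Labels of the admin control-plane actions the role permits, wildcards resolved."""
    return [k for k, op in ADMIN_CONTROL_PLANE_ACTIONS.items() if allows(role, op)]


def service_account_escalation_paths(role: dict) -> list[str]:
    """Labels of the ServiceAccount-escalation data actions the role permits."""
    return [k for k, op in SERVICE_ACCOUNT_ESCALATION_ACTIONS.items()
            if allows(role, op, data_action=True)]


if __name__ == "__main__":
    for role in (AKS_CONTRIBUTOR, AKS_CLUSTER_USER, AKS_RBAC_ADMIN, AKS_RBAC_READER):
        print(f'{role["roleName"]}: admin via {admin_paths(role) or "nothing"}; '
              f'ServiceAccount escalation via {service_account_escalation_paths(role) or "nothing"}')
```

Feeding the same functions the output of `az role definition list --name "<role>"` (each element carries the same `permissions` shape) runs the check on custom roles, which is where an unintended wildcard is most likely to hide.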
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Configuration Reader and Data Access Configuration Reader
Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets a registry async operation status |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the properties of the private endpoint connection or lists all the private endpoint connections for the specified container registry |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets a private endpoint connection async operation status |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets a token async operation status. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets a scope map async operation status. |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of the service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets a webhook async operation status |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets a replication async operation status |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft Container Registry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft Container Registry |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Activate classic metric alerts |
Microsoft.Insights/AlertRules/Resolved/Action | Resolve a classic metric alert |
Microsoft.Insights/AlertRules/Throttled/Action | Throttle a classic metric alert rule |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Contributor and Data Access Configuration Administrator
Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets a registry async operation status |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/write | Creates or updates a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/delete | Deletes a container registry. |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/regenerateCredential/action | Regenerates one of the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/generateCredentials/action | Generates keys for a token of the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/write | Creates or updates a replication for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/replications/delete | Deletes a replication from a container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets a replication async operation status |
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | Auto-approves a private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the properties of the private endpoint connection or lists all the private endpoint connections for the specified container registry |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | Approves or rejects the private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | Deletes the private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets a private endpoint connection async operation status |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/write | Creates or updates a token for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/tokens/delete | Deletes a token from a container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets a token async operation status. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/write | Creates or updates a scope map for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/scopeMaps/delete | Deletes a scope map from a container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets a scope map async operation status. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft Container Registry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft Container Registry |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/write | Creates or updates a connected registry for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/connectedRegistries/delete | Deletes a connected registry from a container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | Deactivates a connected registry for a container registry |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/write | Creates or updates a webhook for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/webhooks/delete | Deletes a webhook from a container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of the service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/ping/action | Triggers a ping test event to be sent to the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets a webhook async operation status |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Activate classic metric alerts |
Microsoft.Insights/AlertRules/Resolved/Action | Resolve a classic metric alert |
Microsoft.Insights/AlertRules/Throttled/Action | Throttle a classic metric alert rule |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.ContainerRegistry/locations/operationResults/read | Gets an async operation result |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resources such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition. |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet. |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition. |
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | Creates or updates a private link service proxy. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
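Both the Configuration Reader and the Contributor definitions above state that control-plane actions such as listCredentials, regenerateCredential and token or scope-map writes can reach repository content indirectly even though the role grants no data actions. The following Python audit, an added example and not Microsoft's code, makes that reach explicit for role definitions in the JSON shape listed on this page; the inputs are trimmed copies of two of the definitions above plus one constructed custom role (CUSTOM_OPERATOR, hypothetical) that exercises wildcard and notDataActions handling.

```python
"""Least-privilege audit of ACR role definitions for direct vs. indirect
repository reach. Added example, not Microsoft's code.

Direct reach  : data actions on repositories/content or catalog.
Indirect reach: control-plane actions that hand out or mint data-plane
                secrets (admin credentials, tokens, scope maps).
"""
import fnmatch

# Concrete operations to probe. Azure resolves '*' in a role's action
# patterns across path segments; fnmatch's '*' does the same.
CONTENT_OPERATIONS = (
    "Microsoft.ContainerRegistry/registries/repositories/content/read",
    "Microsoft.ContainerRegistry/registries/repositories/content/write",
    "Microsoft.ContainerRegistry/registries/repositories/content/delete",
    "Microsoft.ContainerRegistry/registries/catalog/read",
)
CREDENTIAL_OPERATIONS = (
    "Microsoft.ContainerRegistry/registries/listCredentials/action",
    "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
    "Microsoft.ContainerRegistry/registries/generateCredentials/action",
    "Microsoft.ContainerRegistry/registries/tokens/write",
    "Microsoft.ContainerRegistry/registries/scopeMaps/write",
)


def _allowed(operation, allow_patterns, deny_patterns):
    """True when `operation` matches an allow pattern and no deny pattern."""
    allowed = any(fnmatch.fnmatchcase(operation, p) for p in allow_patterns)
    denied = any(fnmatch.fnmatchcase(operation, p) for p in deny_patterns)
    return allowed and not denied


def audit_role(role):
    """Report which probed operations a role definition effectively grants."""
    direct, credential = set(), set()
    for perm in role["permissions"]:
        for op in CONTENT_OPERATIONS:
            if _allowed(op, perm["dataActions"], perm["notDataActions"]):
                direct.add(op)
        for op in CREDENTIAL_OPERATIONS:
            if _allowed(op, perm["actions"], perm["notActions"]):
                credential.add(op)
    return {
        "roleName": role["roleName"],
        "direct_content": sorted(direct),
        "credential_exposing": sorted(credential),
        # A secret obtained this way carries its own data-plane rights,
        # so any credential-exposing action counts as indirect reach.
        "indirect_reach": bool(credential),
    }


# Constructed inputs: trimmed copies of two definitions on this page.
CONFIG_READER = {
    "roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
    "permissions": [{
        "actions": [
            "Microsoft.ContainerRegistry/registries/read",
            "Microsoft.ContainerRegistry/registries/listCredentials/action",
            "Microsoft.ContainerRegistry/registries/tokens/read",
            "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}
REPO_WRITER = {
    "roleName": "Container Registry Repository Writer",
    "permissions": [{
        "actions": [], "notActions": [],
        "dataActions": [
            "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
            "Microsoft.ContainerRegistry/registries/repositories/content/read",
            "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
            "Microsoft.ContainerRegistry/registries/repositories/content/write",
        ],
        "notDataActions": [],
    }],
}
# Hypothetical custom role (constructed): wildcard grant with a deny.
CUSTOM_OPERATOR = {
    "roleName": "Registry Operator (constructed)",
    "permissions": [{
        "actions": [], "notActions": [],
        "dataActions": ["Microsoft.ContainerRegistry/registries/repositories/*"],
        "notDataActions": [
            "Microsoft.ContainerRegistry/registries/repositories/content/delete",
        ],
    }],
}


def main():
    for role in (CONFIG_READER, REPO_WRITER, CUSTOM_OPERATOR):
        r = audit_role(role)
        print(f"{r['roleName']}: direct={r['direct_content']} "
              f"indirect={r['indirect_reach']} via {r['credential_exposing']}")


if __name__ == "__main__":
    main()
```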
Container Registry Data Importer and Data Reader
Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/importImage/action | Imports an image into a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/pull/read | Pulls or gets images from a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Catalog Lister
Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/catalog/read | Lists repositories in a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Contributor
Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/write | Pushes or writes images to a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/delete | Deletes the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/delete | Deletes an artifact in a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Reader
Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Writer
Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pulls or gets images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/write | Pushes or writes images to a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Tasks Contributor
Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions, including reading, writing, and deleting container images in registries. Permissions granted for Tasks management can also be used to run customer-authored build directives and run scripts to build software artifacts.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/agentpools/read | Gets an agent pool for a container registry or lists all agent pools. |
Microsoft.ContainerRegistry/registries/agentpools/write | Creates or updates an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/delete | Deletes an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | Lists all queue statuses of an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | Gets an agent pool async operation result status |
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | Gets an agent pool async operation status |
Microsoft.ContainerRegistry/registries/tasks/read | Gets a task for a container registry or lists all tasks. |
Microsoft.ContainerRegistry/registries/tasks/write | Creates or updates a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/delete | Deletes a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/listDetails/action | Lists all details of a task for a container registry. |
Microsoft.ContainerRegistry/registries/scheduleRun/action | Schedules a run against a container registry. |
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | Gets the source upload URL location for a container registry. |
Microsoft.ContainerRegistry/registries/runs/read | Gets the properties of a run against a container registry or lists runs. |
Microsoft.ContainerRegistry/registries/runs/write | Updates a run. |
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | Gets the log SAS URL for a run. |
Microsoft.ContainerRegistry/registries/runs/cancel/action | Cancels an existing run. |
Microsoft.ContainerRegistry/registries/taskruns/read | Gets a task run for a container registry or lists all task runs. |
Microsoft.ContainerRegistry/registries/taskruns/write | Creates or updates a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/delete | Deletes a task run from a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | Lists all details of a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | Gets a task run async operation status |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Transfer Pipeline Contributor
Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/exportPipelines/read | Gets the properties of the specified export pipeline or lists all the export pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/exportPipelines/write | Creates or updates an export pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/exportPipelines/delete | Deletes an export pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/read | Gets the properties of the specified import pipeline or lists all the import pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/write | Creates or updates an import pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/importPipelines/delete | Deletes an import pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/read | Gets the properties of the specified pipeline run or lists all the pipeline runs for the specified container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/write | Creates or updates a pipeline run for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/pipelineRuns/delete | Deletes a pipeline run from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | Gets a pipeline run async operation status. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user/service to create a connectedClusters resource
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Gets the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Reads connectedClusters |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
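Which of the roles listed above permits a given operation is not always obvious from the tables, because Azure RBAC matches operations against wildcard entries (such as `Microsoft.Authorization/*/read`), subtracts `notActions`, and keeps the control plane (`actions`) and the data plane (`dataActions`) strictly separate. The following is an added example, not code from this page, from Azure, or from any Azure SDK: a small evaluator that applies those rules to the permission blocks of the Container Registry Repository Reader, Container Registry Tasks Contributor, and Kubernetes Cluster - Azure Arc Onboarding definitions copied from above. Treating the match as case-insensitive is an assumption made here (the mixed-case `connectedClusters/Write` entry on this page is the reason); the role contents are exactly those in the definitions.

```python
"""Evaluate Azure RBAC role definitions against concrete operations.

Added example, not code from the Azure documentation or an Azure SDK API.
It applies the Azure RBAC evaluation rules: an operation is permitted when
it matches an entry in actions (control plane) or dataActions (data plane)
and no entry in notActions / notDataActions; '*' matches any run of path
segments. Case-insensitive comparison is an assumption made here.
Permission blocks are copied from the role definitions on this page.
"""
from fnmatch import fnmatchcase

ROLES = {
    "Container Registry Repository Reader": {
        "actions": [], "notActions": [],
        "dataActions": [
            "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
            "Microsoft.ContainerRegistry/registries/repositories/content/read",
        ],
        "notDataActions": [],
    },
    "Container Registry Tasks Contributor": {
        "actions": [
            "Microsoft.ContainerRegistry/registries/agentpools/read",
            "Microsoft.ContainerRegistry/registries/agentpools/write",
            "Microsoft.ContainerRegistry/registries/agentpools/delete",
            "Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
            "Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
            "Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
            "Microsoft.ContainerRegistry/registries/tasks/read",
            "Microsoft.ContainerRegistry/registries/tasks/write",
            "Microsoft.ContainerRegistry/registries/tasks/delete",
            "Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
            "Microsoft.ContainerRegistry/registries/scheduleRun/action",
            "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
            "Microsoft.ContainerRegistry/registries/runs/read",
            "Microsoft.ContainerRegistry/registries/runs/write",
            "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
            "Microsoft.ContainerRegistry/registries/runs/cancel/action",
            "Microsoft.ContainerRegistry/registries/taskruns/read",
            "Microsoft.ContainerRegistry/registries/taskruns/write",
            "Microsoft.ContainerRegistry/registries/taskruns/delete",
            "Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
            "Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.ContainerRegistry/registries/read",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    },
    "Kubernetes Cluster - Azure Arc Onboarding": {
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/subscriptions/operationresults/read",
            "Microsoft.Resources/subscriptions/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Kubernetes/connectedClusters/Write",
            "Microsoft.Kubernetes/connectedClusters/read",
            "Microsoft.KubernetesConfiguration/extensions/write",
            "Microsoft.KubernetesConfiguration/extensions/read",
            "Microsoft.KubernetesConfiguration/extensions/delete",
            "Microsoft.KubernetesConfiguration/extensions/operations/read",
            "Microsoft.Support/*",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    },
}


def _matches(patterns, operation):
    """Azure wildcard match: '*' also spans '/' and case is ignored."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def permits(role, operation, data_plane=False):
    """True if `role` allows `operation`. Control-plane operations are checked
    only against actions/notActions, data-plane ones only against
    dataActions/notDataActions; the two lists never cross over."""
    allow, deny = (("dataActions", "notDataActions") if data_plane
                   else ("actions", "notActions"))
    return _matches(role[allow], operation) and not _matches(role[deny], operation)


def roles_permitting(operation, data_plane=False):
    """Names of the roles above that allow `operation`."""
    return sorted(n for n, r in ROLES.items() if permits(r, operation, data_plane))


if __name__ == "__main__":
    for op, dp in [
        ("Microsoft.ContainerRegistry/registries/repositories/content/read", True),
        ("Microsoft.ContainerRegistry/registries/scheduleRun/action", False),
        ("Microsoft.ContainerRegistry/registries/repositories/content/write", True),
    ]:
        print(op, "->", roles_permitting(op, dp) or "no role on this page")
```

The third query is the point the Tasks Contributor description makes: evaluated purely by RBAC, the role has an empty `dataActions` list and so appears to have no push or pull rights, yet `scheduleRun/action` lets its holder run a task that reads, writes, or deletes images. A least-privilege review should therefore treat the task-management actions as equivalent to data-plane access rather than trust the empty `dataActions` list. The Arc Onboarding role shows the other direction: `Microsoft.Authorization/*/read` matches `roleAssignments/read` but not `roleAssignments/write`, so the role cannot grant itself further rights.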
Kubernetes Extension Contributor
Can create, update, get, list, and delete Kubernetes Extensions, and get extension async operations
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates an extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes an extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Cluster Contributor
Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.
Actions | Description |
---|---|
Microsoft.ServiceFabric/clusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Managed Cluster Contributor
Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.
Actions | Description |
---|---|
Microsoft.ServiceFabric/managedclusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}