Azure built-in roles for Containers
This article lists the Azure built-in roles in the Containers category.
AcrDelete
Delete repositories, tags, or manifests from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action. |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to or pull artifacts from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action. |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.
| Actions | Description |
| --- | --- |
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry. |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify the quarantine state of quarantined images. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action. |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action. |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.
| Actions | Description |
| --- | --- |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential (preview) |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | Reads services |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.
| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Contributor
Install Azure Container Storage and manage its storage resources. Includes an ABAC condition that limits the role's role-assignment actions to adding or removing assignments of the Azure Container Storage Operator role.
| Actions | Description |
| --- | --- |
| Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
| Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
| Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Actions | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |

{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Operator
Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks.
| Actions | Description |
| --- | --- |
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a Virtual Machine Scale Set |
| Microsoft.Compute/virtualMachineScaleSets/write | Creates a new Virtual Machine Scale Set or updates an existing one |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a Virtual Machine in a Virtual Machine Scale Set |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a Virtual Machine in a Virtual Machine Scale Set |
| Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Container Storage Owner
Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic Storage Area Network (SAN). Includes an ABAC condition to constrain role assignments.
Actions | Description |
---|---|
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the status of an asynchronous operation. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Actions | |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | Add or remove role assignments for the following roles: Azure Container Storage Operator |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager Contributor Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.
Actions | Description |
---|---|
Microsoft.ContainerService/fleets/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster. It provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/* | |
Microsoft.ContainerService/fleets/apps/deployments/* | |
Microsoft.ContainerService/fleets/apps/statefulsets/* | |
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/fleets/batch/cronjobs/* | |
Microsoft.ContainerService/fleets/batch/jobs/* | |
Microsoft.ContainerService/fleets/configmaps/* | |
Microsoft.ContainerService/fleets/endpoints/* | |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
Microsoft.ContainerService/fleets/extensions/deployments/* | |
Microsoft.ContainerService/fleets/extensions/ingresses/* | |
Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/replicationcontrollers/* | |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/* | |
Microsoft.ContainerService/fleets/serviceaccounts/* | |
Microsoft.ContainerService/fleets/services/* | |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/fleets/read | Get fleet |
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/apps/daemonsets/write | Writes daemonsets |
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/apps/deployments/write | Writes deployments |
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/fleets/apps/statefulsets/write | Writes statefulsets |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers |
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/fleets/batch/cronjobs/write | Writes cronjobs |
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/fleets/batch/jobs/write | Writes jobs |
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
Microsoft.ContainerService/fleets/configmaps/write | Writes configmaps |
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
Microsoft.ContainerService/fleets/endpoints/write | Writes endpoints |
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/fleets/events/read | Reads events |
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/fleets/extensions/daemonsets/write | Writes daemonsets |
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/fleets/extensions/deployments/write | Writes deployments |
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/extensions/ingresses/write | Writes ingresses |
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Writes networkpolicies |
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Writes ingresses |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Writes networkpolicies |
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Writes persistentvolumeclaims |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets |
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/fleets/replicationcontrollers/write | Writes replicationcontrollers |
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/fleets/secrets/read | Reads secrets |
Microsoft.ContainerService/fleets/secrets/write | Writes secrets |
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/fleets/serviceaccounts/write | Writes serviceaccounts |
Microsoft.ContainerService/fleets/services/read | Reads services |
Microsoft.ContainerService/fleets/services/write | Writes services |
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read fleet internalmembercluster resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Write fleet resourceoverride resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read fleet resourceoverridesnapshot resource |
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read fleet work resource |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster Admin Role
List cluster admin credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | Lists the admin credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | Lists the AAD user credentials of a provisioned cluster instance; used only in direct mode. |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc Contributor Role
Grants access to read and write Azure Kubernetes Services hybrid clusters
Actions | Description |
---|---|
Microsoft.HybridContainerService/Locations/operationStatuses/read | Read operationStatuses |
Microsoft.HybridContainerService/Operations/read | Read operations |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported Kubernetes versions from the underlying custom location |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the Kubernetes version resource type |
Microsoft.HybridContainerService/kubernetesVersions/delete | Deletes the Kubernetes versions resource type |
Microsoft.HybridContainerService/provisionedClusterInstances/read | Gets the hybrid AKS provisioned cluster instances associated with the connected cluster |
Microsoft.HybridContainerService/provisionedClusterInstances/write | Creates the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/delete | Deletes the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | Gets the agent pools in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | Updates the agent pool in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | Deletes the agent pool in the hybrid AKS provisioned cluster instance |
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | Read upgradeProfiles |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location |
Microsoft.HybridContainerService/skus/write | Puts the VM SKUs resource type |
Microsoft.HybridContainerService/skus/delete | Deletes the VM SKU resource type |
Microsoft.HybridContainerService/virtualNetworks/read | Lists the Hybrid AKS virtual networks by subscription |
Microsoft.HybridContainerService/virtualNetworks/write | Patches the Hybrid AKS virtual network |
Microsoft.HybridContainerService/virtualNetworks/delete | Deletes the Hybrid AKS virtual network |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
Microsoft.AzureStackHCI/clusters/read | Gets clusters |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/runcommand/action | Run a user-issued command against the managed Kubernetes server. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerService/locations/* | Read locations available for ContainerService resources |
Microsoft.ContainerService/managedClusters/* | Create and manage a managed cluster |
Microsoft.ContainerService/managedclustersnapshots/* | Create and manage a managed cluster snapshot |
Microsoft.ContainerService/snapshots/* | Create and manage a snapshot |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under the cluster/namespace, except updating or deleting resource quotas and namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Reads services |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/operationresults/read | Get the results of the subscription operation. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases |
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases |
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/* | |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Connected Cluster Managed Identity CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess API
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Configuration Reader and Data Access Configuration Reader
Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write, or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents, including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets the status of an asynchronous registry operation |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the properties of a private endpoint connection or lists all the private endpoint connections for the specified container registry |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets the status of a private endpoint connection asynchronous operation |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets the status of a token asynchronous operation. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets the status of a scope map asynchronous operation. |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets the status of a webhook asynchronous operation |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets the status of a replication asynchronous operation |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft ContainerRegistry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft ContainerRegistry |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Contributor and Data Access Configuration Administrator
Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write, or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents, including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
Actions | Description |
---|---|
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets the status of an asynchronous registry operation |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/write | Creates or updates a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/delete | Deletes a container registry. |
Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/regenerateCredential/action | Regenerates one of the login credentials for the specified container registry. |
Microsoft.ContainerRegistry/registries/generateCredentials/action | Generates keys for a token of a specified container registry. |
Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. |
Microsoft.ContainerRegistry/registries/replications/write | Creates or updates a replication for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/replications/delete | Deletes a replication from a container registry. |
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets the status of a replication asynchronous operation |
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | Auto-approves a private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the properties of a private endpoint connection or lists all the private endpoint connections for the specified container registry |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | Approves or rejects the private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | Deletes the private endpoint connection |
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Gets the status of a private endpoint connection asynchronous operation |
Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. |
Microsoft.ContainerRegistry/registries/tokens/write | Creates or updates a token for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/tokens/delete | Deletes a token from a container registry. |
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets the status of a token asynchronous operation. |
Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/write | Creates or updates a scope map for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/scopeMaps/delete | Deletes a scope map from a container registry. |
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets the status of a scope map asynchronous operation. |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft ContainerRegistry |
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft ContainerRegistry |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/write | Creates or updates a connected registry for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/connectedRegistries/delete | Deletes a connected registry from a container registry. |
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | Deactivates a connected registry for a container registry |
Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. |
Microsoft.ContainerRegistry/registries/webhooks/write | Creates or updates a webhook for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/webhooks/delete | Deletes a webhook from a container registry. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of service URI and custom headers for the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/ping/action | Triggers a ping event to be sent to the webhook. |
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. |
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets the status of a webhook asynchronous operation |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.ContainerRegistry/locations/operationResults/read | Gets an asynchronous operation result |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resources such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | Creates a new private link service proxy or updates an existing private link service proxy. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Data Importer and Data Reader
Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/importImage/action | Imports an image into the container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
Microsoft.ContainerRegistry/registries/pull/read | Pull or get images from a container registry. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Catalog Lister
Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/catalog/read | List repositories in a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Contributor
Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pull or get images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/write | Push or write images to a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/delete | Deletes the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/delete | Delete an artifact in a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Reader
Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pull or get images from a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Repository Writer
Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/read | Pull or get images from a container registry. |
Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry |
Microsoft.ContainerRegistry/registries/repositories/content/write | Push or write images to a container registry. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Tasks Contributor
Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions, including reading, writing, and deleting container images in registries. Permissions granted for Tasks management can also be used to run customer-authored build directives and run scripts to build software artifacts.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/agentpools/read | Gets an agent pool for a container registry or lists all agent pools. |
Microsoft.ContainerRegistry/registries/agentpools/write | Creates or updates an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/delete | Deletes an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | Lists all queue statuses of an agent pool for a container registry. |
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | Gets the result status of an agent pool asynchronous operation |
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | Gets the status of an agent pool asynchronous operation |
Microsoft.ContainerRegistry/registries/tasks/read | Gets a task for a container registry or lists all tasks. |
Microsoft.ContainerRegistry/registries/tasks/write | Creates or updates a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/delete | Deletes a task for a container registry. |
Microsoft.ContainerRegistry/registries/tasks/listDetails/action | Lists all details of a task for a container registry. |
Microsoft.ContainerRegistry/registries/scheduleRun/action | Schedules a run against a container registry. |
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | Gets the source upload URL location for a container registry. |
Microsoft.ContainerRegistry/registries/runs/read | Gets the properties of a run against a container registry or lists runs. |
Microsoft.ContainerRegistry/registries/runs/write | Updates a run. |
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | Gets the log SAS URL for a run. |
Microsoft.ContainerRegistry/registries/runs/cancel/action | Cancels an existing run. |
Microsoft.ContainerRegistry/registries/taskruns/read | Gets a task run for a container registry or lists all task runs. |
Microsoft.ContainerRegistry/registries/taskruns/write | Creates or updates a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/delete | Deletes a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | Lists all details of a task run for a container registry. |
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | Gets the status of a task run asynchronous operation |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry Transfer Pipeline Contributor
Provides the ability to transfer, import, and export artifacts by configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/exportPipelines/read | Gets the properties of the specified export pipeline or lists all export pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/exportPipelines/write | Creates or updates an export pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/exportPipelines/delete | Deletes an export pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/read | Gets the properties of the specified import pipeline or lists all import pipelines for the specified container registry. |
Microsoft.ContainerRegistry/registries/importPipelines/write | Creates or updates an import pipeline for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/importPipelines/delete | Deletes an import pipeline from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/read | Gets the properties of the specified pipeline run or lists all pipeline runs for the specified container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/write | Creates or updates a pipeline run for a container registry with the specified parameters. |
Microsoft.ContainerRegistry/registries/pipelineRuns/delete | Deletes a pipeline run from a container registry. |
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | Gets the status of a pipeline run async operation. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
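The Container Registry Tasks Contributor definition above states that task management permissions can be used for full registry data-plane access, while the Container Registry Transfer Pipeline Contributor definition states that it grants no image push or pull. The script below is an added example, not code from the Azure documentation: it applies Azure's documented evaluation rule for a role definition (an operation is granted when it matches an entry in `actions` and none in `notActions`; `*` is a wildcard; comparison is case-insensitive) to three role definitions copied from this page, and flags assignments of a role that reaches registry content without being a push/pull role. The set of task actions treated as data-plane equivalents and the assignment records are constructed for the demo, and the wildcard and case-folding semantics are assumptions stated in the code.

```python
"""Wildcard-aware check of Azure role definitions taken from this page.

Added example, not code from the Azure documentation. Rule modelled (as
documented for Azure RBAC): a role grants an operation when it matches an
entry in actions and none in notActions (dataActions/notDataActions likewise).
Assumed: '*' matches any characters including '/', and matching is
case-insensitive. Three roles are copied from the page; ASSIGNMENTS and
REGISTRY_TASK_ESCALATION are constructed for the demo.
"""
import re

ACR = "Microsoft.ContainerRegistry/registries/"


def _role(actions):
    """Role definition with the page's empty notActions/dataActions lists."""
    return {"actions": list(actions), "notActions": [],
            "dataActions": [], "notDataActions": []}


ROLES = {
    "Container Registry Tasks Contributor": _role([ACR + a for a in (
        "agentpools/read", "agentpools/write", "agentpools/delete",
        "agentpools/listQueueStatus/action",
        "agentpools/operationResults/status/read",
        "agentpools/operationStatuses/read", "tasks/read", "tasks/write",
        "tasks/delete", "tasks/listDetails/action", "scheduleRun/action",
        "listBuildSourceUploadUrl/action", "runs/read", "runs/write",
        "runs/listLogSasUrl/action", "runs/cancel/action", "taskruns/read",
        "taskruns/write", "taskruns/delete", "taskruns/listDetails/action",
        "taskruns/operationStatuses/read", "read")] + [
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"]),
    "Container Registry Transfer Pipeline Contributor": _role(
        [ACR + f"{kind}/{verb}" for kind in ("exportPipelines", "importPipelines",
         "pipelineRuns") for verb in ("read", "write", "delete")]
        + [ACR + "pipelineRuns/operationStatuses/read"]),
    "Service Fabric Cluster Contributor": _role([
        "Microsoft.ServiceFabric/clusters/*", "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*", "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"]),
}


def action_matches(pattern: str, operation: str) -> bool:
    """True when an action string (literal text plus '*') covers operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_grants(role: dict, operation: str, data_plane: bool = False) -> bool:
    """One definition: some allow entry matches and no deny entry does."""
    allow, deny = (("dataActions", "notDataActions") if data_plane
                   else ("actions", "notActions"))
    return (any(action_matches(p, operation) for p in role[allow])
            and not any(action_matches(p, operation) for p in role[deny]))


def roles_granting(roles: dict, operation: str, data_plane: bool = False) -> list:
    """Sorted names of the roles that grant operation."""
    return sorted(n for n, r in roles.items() if role_grants(r, operation, data_plane))


# Control-plane actions that, per this page's description of Container Registry
# Tasks Contributor, amount to registry data-plane access: a task or quick run
# executes caller-supplied build steps in the registry's context and can read,
# write or delete images. Which actions to flag is an assumption made here.
REGISTRY_TASK_ESCALATION = (ACR + "scheduleRun/action", ACR + "tasks/write",
                            ACR + "taskruns/write")


def registry_data_plane_escalation(role: dict) -> list:
    """Actions in role that indirectly give image read/write/delete."""
    return [op for op in REGISTRY_TASK_ESCALATION if role_grants(role, op)]


# Constructed (principal, role name, scope) assignment records for the demo.
ASSIGNMENTS = [
    ("ci-pipeline-sp", "Container Registry Tasks Contributor", "/subscriptions/0000/resourceGroups/rg-acr"),
    ("release-mgr", "Container Registry Transfer Pipeline Contributor", "/subscriptions/0000/resourceGroups/rg-acr"),
    ("sf-ops", "Service Fabric Cluster Contributor", "/subscriptions/0000/resourceGroups/rg-sf"),
]


def audit(assignments, roles=ROLES) -> list:
    """(principal, scope, actions) where a non push/pull role still reaches images."""
    return [(principal, scope, via) for principal, role_name, scope in assignments
            if (via := registry_data_plane_escalation(roles[role_name]))]


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print("effective registry data-plane access:", finding)
    print(roles_granting(ROLES, "Microsoft.Resources/deployments/read"))
```

To run this against a real tenant, feed `audit` the principal, role definition name and scope columns from `az role assignment list` output; the finding is a principal that can build, push or delete images through tasks even though no push/pull role appears in its assignments. Note that `Microsoft.Resources/deployments/write` alone (as in the Azure Arc onboarding role further down) does not match `deployments/read`, whereas `Microsoft.Resources/deployments/*` covers every deployment operation.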
Kubernetes Agentless Operator
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update managed cluster trusted access role bindings |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get managed cluster trusted access role bindings |
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete managed cluster trusted access role bindings |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition to authorize any user/service to create a connectedClusters resource
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates the extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes the extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets the async operation status. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Cluster Contributor
Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.
Actions | Description |
---|---|
Microsoft.ServiceFabric/clusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric Managed Cluster Contributor
Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.
Actions | Description |
---|---|
Microsoft.ServiceFabric/managedclusters/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}