你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Azure 容器内置角色
本文列出了“容器”类别的 Azure 内置角色。
AcrDelete
从容器注册表中删除存储库、标记或清单。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | 删除容器注册表中的项目。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
将受信任的映像推送到为内容信任启用的容器注册表中或从中拉取受信任的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | 推送/拉取容器注册表的内容信任元数据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | 允许推送或发布受信任的容器注册表内容集合。 这类似于 Microsoft.ContainerRegistry/registries/sign/write 操作,只是这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
从容器注册表中拉取项目。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
将项目推送到容器注册表或从中拉取项目。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。 |
| Microsoft.ContainerRegistry/registries/push/write | 将映像推送或写入容器注册表。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
从容器注册表中拉取已隔离的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允许从容器注册表拉取或获取已隔离的项目。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/read,只不过这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
将已隔离的映像推送到容器注册表或从中拉取已隔离的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像 |
| Microsoft.ContainerRegistry/registries/quarantine/write | 写入/修改已隔离映像的隔离状态 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允许从容器注册表拉取或获取已隔离的项目。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/read,只不过这是一个数据操作 |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | 允许写入或更新隔离项目的隔离状态。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/write 操作,只不过这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
已启用 Azure Arc 的 Kubernetes 群集用户角色
列出群集用户凭据操作。
| 操作 | 说明 |
|---|---|
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | 列出 clusterUser 凭据(预览版) |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Support/* | 创建和更新支持票证 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | 列出 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 管理员
允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | 写入 localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 群集管理员
允许管理群集中的所有资源。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 查看者
允许查看群集/命名空间中除密码之外的所有资源。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | 读取 deployments |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | 读取 replicasets |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | 读取作业 |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | 读取 configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | 读取 endpoints |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | 读取 deployments |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | 读取 ingresses |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | 读取 replicasets |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | 读取 Pod |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | 读取 services |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 写入者
允许更新群集/命名空间中的所有内容,但 (cluster)role 和 (cluster)role 绑定除外。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器存储参与者
安装 Azure 容器存储并管理其存储资源。 包括用于约束角色分配的 ABAC 条件。
| 操作 | 描述 |
|---|---|
| Microsoft.KubernetesConfiguration/extensions/write | 创建或更新扩展资源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 获取扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 删除扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 获取异步操作状态。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Management/managementGroups/read | 列出已通过身份验证的用户的管理组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 | |
| 操作 | |
| Microsoft.Authorization/roleAssignments/write | 创建指定范围的角色分配。 |
| Microsoft.Authorization/roleAssignments/delete | 删除指定范围的角色分配。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 | |
| 条件 | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | 添加或移除以下角色的角色分配: Azure 容器存储操作员 |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器存储操作员
启用托管标识以执行 Azure 容器存储操作,例如管理虚拟机和管理虚拟网络。
| 操作 | 描述 |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | 轮询异步操作的状态。 |
| Microsoft.Network/routeTables/join/action | 加入路由表。 不可发出警报。 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入网络安全组。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/write | 创建虚拟网络,或更新现有的虚拟网络 |
| Microsoft.Network/virtualNetworks/delete | 删除虚拟网络 |
| Microsoft.Network/virtualNetworks/join/action | 加入虚拟网络。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/subnets/write | 创建虚拟网络子网,或更新现有的虚拟网络子网 |
| Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
| Microsoft.Compute/virtualMachines/write | 创建新的虚拟机,或更新现有的虚拟机 |
| Microsoft.Compute/virtualMachineScaleSets/read | 获取虚拟机规模集的属性 |
| Microsoft.Compute/virtualMachineScaleSets/write | 创建新的或更新现有的虚拟机规模集 |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | 更新 VM 规模集中虚拟机的属性 |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | 检索 VM 规模集中虚拟机的属性 |
| Microsoft.Resources/subscriptions/providers/read | 获取或列出资源提供程序。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器存储所有者
安装 Azure 容器存储,授予对其存储资源的访问权限,并配置 Azure 弹性存储区域网络 (SAN)。 包括用于约束角色分配的 ABAC 条件。
| 操作 | 描述 |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | 轮询异步操作的状态。 |
| Microsoft.KubernetesConfiguration/extensions/write | 创建或更新扩展资源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 获取扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 删除扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 获取异步操作状态。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Management/managementGroups/read | 列出已通过身份验证的用户的管理组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 | |
| 操作 | |
| Microsoft.Authorization/roleAssignments/write | 创建指定范围的角色分配。 |
| Microsoft.Authorization/roleAssignments/delete | 删除指定范围的角色分配。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 | |
| 条件 | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) | 添加或移除以下角色的角色分配: Azure 容器存储操作员 |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器参与者角色
授予对 Azure Kubernetes 舰队管理器提供的 Azure 资源的读/写访问权限,包括舰队、舰队成员、舰队更新策略、舰队更新运行等。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/fleets/* | |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 管理员
授予对舰队托管的中心群集中命名空间内的 Kubernetes 资源的读/写访问权限 - 提供对命名空间中的大多数对象的写入权限,但 ResourceQuota 对象和命名空间对象本身除外。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | 写入 localsubjectaccessreviews |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 读取 fleet internalmembercluster 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 读取 fleet resourceoverridesnapshot 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 读取 fleet work 资源 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 群集管理员
授予对舰队托管的中心群集中所有 Kubernetes 资源的读/写访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 读者
授予对舰队托管的中心群集中命名空间内大多数 Kubernetes 资源的只读访问权限。 不允许查看角色或角色绑定。 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/apps/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | 读取作业 |
| Microsoft.ContainerService/fleets/configmaps/read | 读取 configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | 读取 endpoints |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/extensions/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | 读取 services |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 读取 fleet internalmembercluster 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | 读取 fleet resourceoverride 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 读取 fleet resourceoverridesnapshot 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 读取 fleet work 资源 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 编写者
授予对舰队托管的中心群集中命名空间内大多数 Kubernetes 资源的读/写访问权限。 此角色不允许查看或修改角色或角色绑定。 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/apps/daemonsets/write | 写入 daemonsets |
| Microsoft.ContainerService/fleets/apps/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/apps/deployments/write | 写入 deployments |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.ContainerService/fleets/apps/statefulsets/write | 写入 statefulsets |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | 写入 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.ContainerService/fleets/batch/cronjobs/write | 写入 cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | 读取作业 |
| Microsoft.ContainerService/fleets/batch/jobs/write | 写入 jobs |
| Microsoft.ContainerService/fleets/configmaps/read | 读取 configmaps |
| Microsoft.ContainerService/fleets/configmaps/write | 写入 configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | 读取 endpoints |
| Microsoft.ContainerService/fleets/endpoints/write | 写入 endpoints |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/extensions/daemonsets/write | 写入 daemonsets |
| Microsoft.ContainerService/fleets/extensions/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/extensions/deployments/write | 写入 deployments |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/extensions/ingresses/write | 写入 ingresses |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/write | 写入 networkpolicies |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | 写入 ingresses |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | 写入 networkpolicies |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/write | 写入 persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | 写入 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/write | 写入 replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/read | 读取 secrets |
| Microsoft.ContainerService/fleets/secrets/write | 写入 secrets |
| Microsoft.ContainerService/fleets/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.ContainerService/fleets/serviceaccounts/write | 写入 serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | 读取 services |
| Microsoft.ContainerService/fleets/services/write | 写入 services |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 读取 fleet internalmembercluster 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | 读取 fleet resourceoverride 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | 编写 fleet resourceoverride 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 读取 fleet resourceoverridesnapshot 资源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 读取 fleet work 资源 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 Arc 群集管理员角色
列出群集管理员凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 获取与连接的群集关联的混合 AKS 预配群集实例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | 列出仅在直接模式下使用的预配群集实例的管理员凭据。 |
| Microsoft.Kubernetes/connectedClusters/Read | 读取 connectedClusters |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 Arc 群集用户角色
列出群集用户凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 获取与连接的群集关联的混合 AKS 预配群集实例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | 列出仅在直接模式下使用的预配群集实例的 AAD 用户凭据。 |
| Microsoft.Kubernetes/connectedClusters/Read | 读取 connectedClusters |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 Arc 参与者角色
授予讀取和寫入 Azure Kubernetes 服務混合叢集的存取權限
| 操作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/Locations/operationStatuses/read | 读取 OperationStatuses |
| Microsoft.HybridContainerService/Operations/read | 读取操作 |
| Microsoft.HybridContainerService/kubernetesVersions/read | 列出基础自定义位置中受支持的 kubernetes 版本 |
| Microsoft.HybridContainerService/kubernetesVersions/write | 放置 Kubernetes 版本资源类型 |
| Microsoft.HybridContainerService/kubernetesVersions/delete | 删除 kubernetes 版本资源类型 |
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 获取与连接的群集关联的混合 AKS 预配群集实例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/write | 创建混合 AKS 预配的群集实例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/delete | 删除混合 AKS 预配的群集实例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | 在混合 AKS 预配的群集实例中获取代理池 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | 在混合 AKS 预配的群集实例中更新代理池 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | 在混合 AKS 预配的群集实例中删除代理池 |
| Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | 读取 upgradeProfiles |
| Microsoft.HybridContainerService/skus/read | 列出基础自定义位置中受支持的 VM SKU |
| Microsoft.HybridContainerService/skus/write | 放置 VM SKU 资源类型 |
| Microsoft.HybridContainerService/skus/delete | 删除 Vm Sku 资源类型 |
| Microsoft.HybridContainerService/virtualNetworks/read | 按订阅列出混合 AKS 虚拟网络 |
| Microsoft.HybridContainerService/virtualNetworks/write | 修补混合 AKS 虚拟网络 |
| Microsoft.HybridContainerService/virtualNetworks/delete | 删除混合 AKS 虚拟网络 |
| Microsoft.ExtendedLocation/customLocations/deploy/action | 部署自定义位置资源的权限 |
| Microsoft.ExtendedLocation/customLocations/read | 获取自定义位置资源 |
| Microsoft.Kubernetes/connectedClusters/Read | 读取 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Write | 写入 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Delete | 删除 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | 列出 clusterUser 凭据 |
| Microsoft.AzureStackHCI/clusters/read | 获取群集 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集管理员角色
列出群集管理员凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | 列出托管群集的 clusterAdmin 凭据 |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | 使用列表凭据按角色名称获取托管的群集访问配置文件 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| Microsoft.ContainerService/managedClusters/runcommand/action | 针对托管 kubernetes 服务器运行用户发出的命令。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集监视用户
列出群集监视用户凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | 列出托管群集的 clusterMonitoringUser 凭据 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集用户角色
列出群集用户凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务参与者角色
授予对 Azure Kubernetes 服务群集的读写访问权限
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.ContainerService/locations/* | 读取 ContainerService 资源可用的位置 |
| Microsoft.ContainerService/managedClusters/* | 创建和管理托管集群 |
| Microsoft.ContainerService/managedclustersnapshots/* | 创建和管理托管集群快照 |
| Microsoft.ContainerService/snapshots/* | 创建和管理快照 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 管理员
允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | 写入 resourcequotas |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | 删除 resourcequotas |
| Microsoft.ContainerService/managedClusters/namespaces/write | 写入 namespaces |
| Microsoft.ContainerService/managedClusters/namespaces/delete | 删除 namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 群集管理员
允许管理群集中的所有资源。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 读取者
允许进行只读访问并查看命名空间中的大多数对象。 不允许查看角色或角色绑定。 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | 读取 deployments |
| Microsoft.ContainerService/managedClusters/apps/replicasets/read | 读取 replicasets |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | 读取作业 |
| Microsoft.ContainerService/managedClusters/configmaps/read | 读取 configmaps |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 读取 endpointslices |
| Microsoft.ContainerService/managedClusters/endpoints/read | 读取 endpoints |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | 读取 deployments |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/read | 读取 replicasets |
| Microsoft.ContainerService/managedClusters/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 读取 nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.ContainerService/managedClusters/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.ContainerService/managedClusters/services/read | 读取 services |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 写入者
允许对命名空间中的大多数对象进行读/写访问。 此角色不允许查看或修改角色或角色绑定。 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密和运行 Pod,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | 读取 leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | 写入 leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | 删除 leases |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 读取 endpointslices |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 读取 nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
联网集群托管身份 CheckAccess 读取器
允许连接丛集托管身分呼叫 checkAccess API 的内建角色
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表配置读取器和数据访问配置读取器
提供列出容器注册表和注册表配置属性的权限。 提供列出数据访问配置的权限,例如管理员用户凭据、范围映射和令牌,可用于读取、写入或删除存储库和映像。 不提供读取、列出或写入注册表内容的直接权限,包括存储库和映像。 不提供修改数据平面内容(如导入、项目缓存或同步和传输管道)的权限。 不提供管理任务的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerRegistry/registries/operationStatuses/read | 获取注册表异步操作状态 |
| Microsoft.ContainerRegistry/registries/read | 获取指定容器注册表的属性,或列出指定资源组或订阅下的所有容器注册表。 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | 获取专用终结点连接的属性,或列出指定容器注册表的所有专用终结点连接 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | 获取专用终结点连接异步操作状态 |
| Microsoft.ContainerRegistry/registries/listCredentials/action | 列出指定容器注册表的登录凭据。 |
| Microsoft.ContainerRegistry/registries/tokens/read | 获取指定令牌的属性,或列出指定容器注册表的所有令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | 获取令牌异步操作状态。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/read | 获取指定范围映射的属性,或列出指定容器注册表的所有范围映射。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | 获取范围映射异步操作状态。 |
| Microsoft.ContainerRegistry/registries/webhooks/read | 获取指定 Webhook 的属性,或列出指定容器注册表的所有 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | 获取服务 URI 的配置和 Webhook 的自定义标头。 |
| Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | 列出指定 Webhook 的最新事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | 获取 Webhook 异步操作状态 |
| Microsoft.ContainerRegistry/registries/replications/read | 获取指定复制的属性,或列出指定容器注册表的所有复制。 |
| Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | 获取复制步操作状态 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/read | 获取指定的已连接注册表的属性,或列出指定容器注册表的所有已连接注册表。 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | 获取资源的诊断设置 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | 创建或更新资源的诊断设置 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | 获取 Microsoft ContainerRegistry 的可用日志 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | 获取 Microsoft ContainerRegistry 的可用指标。 |
| Microsoft.Insights/AlertRules/Write | 创建或更新经典指标警报 |
| Microsoft.Insights/AlertRules/Delete | 删除经典指标警报 |
| Microsoft.Insights/AlertRules/Read | 读取经典指标警报 |
| Microsoft.Insights/AlertRules/Activated/Action | 经典指标警报已激活 |
| Microsoft.Insights/AlertRules/Resolved/Action | 经典指标警报已解决 |
| Microsoft.Insights/AlertRules/Throttled/Action | 经典指标预警规则已中止 |
| Microsoft.Insights/AlertRules/Incidents/Read | 读取经典指标警报事件 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表参与者和数据访问配置管理员
提供创建、列出和更新容器注册表和注册表配置属性的权限。 提供配置数据访问的权限,例如管理员用户凭据、范围映射和令牌,可用于读取、写入或删除存储库和映像。 不提供读取、列出或写入注册表内容的直接权限,包括存储库和映像。 不提供修改数据平面内容(如导入、项目缓存或同步和传输管道)的权限。 不提供管理任务的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerRegistry/registries/operationStatuses/read | 获取注册表异步操作状态 |
| Microsoft.ContainerRegistry/registries/read | 获取指定容器注册表的属性,或列出指定资源组或订阅下的所有容器注册表。 |
| Microsoft.ContainerRegistry/registries/write | 使用指定参数创建或更新容器注册表。 |
| Microsoft.ContainerRegistry/registries/delete | 删除容器注册表。 |
| Microsoft.ContainerRegistry/registries/listCredentials/action | 列出指定容器注册表的登录凭据。 |
| Microsoft.ContainerRegistry/registries/regenerateCredential/action | 为指定容器注册表重新生成一个登录凭据。 |
| Microsoft.ContainerRegistry/registries/generateCredentials/action | 生成指定容器注册表的令牌的密钥。 |
| Microsoft.ContainerRegistry/registries/replications/read | 获取指定复制的属性,或列出指定容器注册表的所有复制。 |
| Microsoft.ContainerRegistry/registries/replications/write | 使用指定参数创建或更新容器注册表的复制。 |
| Microsoft.ContainerRegistry/registries/replications/delete | 从容器注册表中删除复制。 |
| Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | 获取复制步操作状态 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | 自动批准专用终结点连接 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | 获取专用终结点连接的属性,或列出指定容器注册表的所有专用终结点连接 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | 批准/拒绝专用终结点连接 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | 删除专用终结点连接 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | 获取专用终结点连接异步操作状态 |
| Microsoft.ContainerRegistry/registries/tokens/read | 获取指定令牌的属性,或列出指定容器注册表的所有令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/write | 使用指定参数创建或更新容器注册表的令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/delete | 从容器注册表中删除令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | 获取令牌异步操作状态。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/read | 获取指定范围映射的属性,或列出指定容器注册表的所有范围映射。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/write | 使用指定参数创建或更新容器注册表的范围映射。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/delete | 从容器注册表中删除范围映射。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | 获取范围映射异步操作状态。 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | 获取资源的诊断设置 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | 创建或更新资源的诊断设置 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | 获取 Microsoft ContainerRegistry 的可用日志 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | 获取 Microsoft ContainerRegistry 的可用指标。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/read | 获取指定的已连接注册表的属性,或列出指定容器注册表的所有已连接注册表。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/write | 使用指定参数创建或更新容器注册表的已连接注册表。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/delete | 从容器注册表中删除已连接注册表。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | 停用容器注册表的已连接注册表 |
| Microsoft.ContainerRegistry/registries/webhooks/read | 获取指定 Webhook 的属性,或列出指定容器注册表的所有 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/write | 使用指定参数创建或更新容器注册表的 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/delete | 从容器注册表中删除 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | 获取服务 URI 的配置和 Webhook 的自定义标头。 |
| Microsoft.ContainerRegistry/registries/webhooks/ping/action | 触发一个将发送到 Webhook 的 ping 事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | 列出指定 Webhook 的最新事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | 获取 Webhook 异步操作状态 |
| Microsoft.Insights/AlertRules/Write | 创建或更新经典指标警报 |
| Microsoft.Insights/AlertRules/Delete | 删除经典指标警报 |
| Microsoft.Insights/AlertRules/Read | 读取经典指标警报 |
| Microsoft.Insights/AlertRules/Activated/Action | 经典指标警报已激活 |
| Microsoft.Insights/AlertRules/Resolved/Action | 经典指标警报已解决 |
| Microsoft.Insights/AlertRules/Throttled/Action | 经典指标预警规则已中止 |
| Microsoft.Insights/AlertRules/Incidents/Read | 读取经典指标警报事件 |
| Microsoft.ContainerRegistry/locations/operationResults/read | 获取异步操作结果 |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/subnets/write | 创建虚拟网络子网,或更新现有的虚拟网络子网 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | 创建新的专用链接服务代理,或更新现有的专用链接服务代理。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表数据导入程序和数据读取器
提供通过注册表导入作将映像导入注册表的功能。 提供列出存储库、查看映像和标记、获取清单和拉取映像的功能。 不提供通过配置注册表传输管道(如导入和导出管道)导入映像的权限。 不提供通过配置项目缓存或同步规则进行导入的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerRegistry/registries/importImage/action | 使用指定的参数将映像导入到容器注册表中。 |
| Microsoft.ContainerRegistry/registries/read | 获取指定容器注册表的属性,或列出指定资源组或订阅下的所有容器注册表。 |
| Microsoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表存储库目录列表程序
允许列出Azure 容器注册表中的所有存储库。 此角色处于预览版阶段,可能会有所更改。
| 操作 | 说明 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/catalog/read | 列出容器注册表中的存储库。 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表存储库参与者
允许读取、写入和删除对Azure 容器注册表存储库的访问权限,但不包括目录列表。 此角色处于预览版阶段,可能会有所更改。
| 操作 | 说明 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 获取容器注册表的特定存储库的元数据 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 从容器注册表中拉取或获取映像。 |
| Microsoft.ContainerRegistry/registries/存储库/元数据/写入 | 更新容器注册表的存储库的元数据 |
| Microsoft.ContainerRegistry/registries/存储库/内容/写入 | 将映像推送或写入容器注册表。 |
| Microsoft.ContainerRegistry/registries/repositories/metadata/delete | 删除容器注册表的存储库的元数据 |
| Microsoft.ContainerRegistry/registries/存储库/content/delete | 删除容器注册表中的项目。 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表存储库读取者
允许对Azure 容器注册表存储库进行读取访问,但不包括目录列表。 此角色处于预览版阶段,可能会有所更改。
| 操作 | 说明 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 获取容器注册表的特定存储库的元数据 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 从容器注册表中拉取或获取映像。 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表存储库编写器
允许对Azure 容器注册表存储库进行读取和写入访问,但不包括目录列表。 此角色处于预览版阶段,可能会有所更改。
| 操作 | 说明 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 获取容器注册表的特定存储库的元数据 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 从容器注册表中拉取或获取映像。 |
| Microsoft.ContainerRegistry/registries/存储库/元数据/写入 | 更新容器注册表的存储库的元数据 |
| Microsoft.ContainerRegistry/registries/存储库/内容/写入 | 将映像推送或写入容器注册表。 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表任务参与者
提供配置、读取、列出、触发或取消容器注册表任务、任务运行、任务日志、快速运行、快速生成和任务代理池的权限。 为任务管理授予的权限可用于完整的注册表数据平面权限,包括读取/写入/删除注册表中的容器映像。 为任务管理授予的权限还可用于运行客户创作的生成指令,并运行脚本来生成软件项目。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerRegistry/registries/agentpools/read | 获取容器注册表的代理池,或列出所有代理池。 |
| Microsoft.ContainerRegistry/registries/agentpools/write | 创建或更新容器注册表的代理池。 |
| Microsoft.ContainerRegistry/registries/agentpools/delete | 删除容器注册表的代理池。 |
| Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | 列出容器注册表的代理池的所有队列状态。 |
| Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | 获取 agentpool 异步操作结果状态 |
| Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | 获取 agentpool 异步操作状态 |
| Microsoft.ContainerRegistry/registries/tasks/read | 获取容器注册表的任务,或列出所有任务。 |
| Microsoft.ContainerRegistry/registries/tasks/write | 创建或更新容器注册表的任务。 |
| Microsoft.ContainerRegistry/registries/tasks/delete | 删除容器注册表的任务。 |
| Microsoft.ContainerRegistry/registries/tasks/listDetails/action | 列出容器注册表的任务的所有详细信息。 |
| Microsoft.ContainerRegistry/registries/scheduleRun/action | 计划针对容器注册表的运行。 |
| Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | 获取容器注册表的源上传 URL 位置。 |
| Microsoft.ContainerRegistry/registries/runs/read | 获取针对容器注册表的运行的属性,或列出运行。 |
| Microsoft.ContainerRegistry/registries/runs/write | 更新运行。 |
| Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | 获取运行的日志 SAS URL。 |
| Microsoft.ContainerRegistry/registries/runs/cancel/action | 取消现有的运行。 |
| Microsoft.ContainerRegistry/registries/taskruns/read | 获取容器注册表的任务运行,或列出所有任务运行。 |
| Microsoft.ContainerRegistry/registries/taskruns/write | 创建或更新容器注册表的任务运行。 |
| Microsoft.ContainerRegistry/registries/taskruns/delete | 删除容器注册表的任务运行。 |
| Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | 列出容器注册表的任务运行的所有详细信息。 |
| Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | 获取 taskrun 异步操作状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerRegistry/registries/read | 获取指定容器注册表的属性,或列出指定资源组或订阅下的所有容器注册表。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器注册表传输管道参与者
通过配置涉及中间存储帐户和密钥保管库的注册表传输管道,提供传输、导入和导出项目的功能。 不提供推送或拉取映像的权限。 不提供创建、管理或列出存储帐户或密钥保管库的权限。 不提供执行角色分配的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerRegistry/registries/exportPipelines/read | 获取指定导出管道的属性,或列出指定容器注册表的所有导出管道。 |
| Microsoft.ContainerRegistry/registries/exportPipelines/write | 使用指定参数创建或更新容器注册表的导出管道。 |
| Microsoft.ContainerRegistry/registries/exportPipelines/delete | 从容器注册表中删除导出管道。 |
| Microsoft.ContainerRegistry/registries/importPipelines/read | 获取指定导入管道的属性,或列出指定容器注册表的所有导入管道。 |
| Microsoft.ContainerRegistry/registries/importPipelines/write | 使用指定参数创建或更新容器注册表的导入管道。 |
| Microsoft.ContainerRegistry/registries/importPipelines/delete | 从容器注册表中删除导入管道。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/read | 获取指定管道运行的属性,或列出指定容器注册表的所有管道运行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/write | 使用指定参数创建或更新容器注册表的管道运行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/delete | 从容器注册表中删除管道运行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | 获取管道运行异步操作状态。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 无代理操作员
授予 Microsoft Defender for Cloud 对 Azure Kubernetes 服务的访问权限
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | 为托管群集创建或更新受信任的访问角色绑定 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | 获取托管群集的受信任访问角色绑定 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | 删除托管群集的受信任访问角色绑定 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| Microsoft.Features/features/read | 获取订阅的功能。 |
| Microsoft.Features/providers/features/read | 获取给定资源提供程序中某个订阅的功能。 |
| Microsoft.Features/providers/features/register/action | 在给定的资源提供程序中注册某个订阅的功能。 |
| Microsoft.Security/pricings/securityoperators/read | 获取范围的安全操作员 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 群集 - Azure Arc 载入
授权任何用户/服务创建 connectedClusters 资源的角色定义
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Kubernetes/connectedClusters/Write | 写入 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/read | 读取 connectedClusters |
| Microsoft.KubernetesConfiguration/extensions/write | 创建或更新扩展资源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 获取扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 删除扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 获取异步操作状态。 |
| Microsoft.Support/* | 创建和更新支持票证 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 扩展参与者
可以创建、更新、获取、列出和删除 Kubernetes 扩展,以及获取扩展异步操作
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.KubernetesConfiguration/extensions/write | 创建或更新扩展资源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 获取扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 删除扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 获取异步操作状态。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric 群集参与者
管理 Service Fabric 群集资源。 包括群集、应用程序类型、应用程序类型版本、应用程序和服务。 将需要额外权限才能部署和管理群集的基础资源,例如虚拟机规模集、存储帐户、网络等。
| 操作 | 说明 |
|---|---|
| Microsoft.ServiceFabric/clusters/* | |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric 托管群集参与者
部署和管理 Service Fabric 托管群集资源。 包括托管群集、节点类型、应用程序类型、应用程序类型版本、应用程序和服务。
| 操作 | 说明 |
|---|---|
| Microsoft.ServiceFabric/managedclusters/* | |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}