

Azure built-in roles for Containers

This article lists the Azure built-in roles in the Containers category.

AcrDelete

Delete repositories, tags, or manifests from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/artifacts/delete Delete artifacts in a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Push trusted images to or pull trusted images from a container registry enabled for content trust.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/sign/write Push/pull content trust metadata for a container registry.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action, except that it is a data action.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Pull artifacts from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or get images from a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Push artifacts to or pull artifacts from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or get images from a container registry.
Microsoft.ContainerRegistry/registries/push/write Push or write images to a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Pull quarantined images from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or get quarantined images from a container registry.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Push quarantined images to or pull quarantined images from a container registry.

Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or get quarantined images from a container registry.
Microsoft.ContainerRegistry/registries/quarantine/write Write or modify the quarantine state of quarantined images.
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that it is a data action.
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action, except that it is a data action.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Enabled Kubernetes Cluster User Role

List cluster user credentials action.

Actions Description
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action List clusterUser credential (preview)
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action List clusterUser credential
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Cluster Admin

Lets you manage all resources in the cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Viewer

Lets you view all resources in cluster/namespace, except secrets.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Reads jobs
Microsoft.Kubernetes/connectedClusters/configmaps/read Reads configmaps
Microsoft.Kubernetes/connectedClusters/endpoints/read Reads endpoints
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.Kubernetes/connectedClusters/pods/read Reads pods
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.Kubernetes/connectedClusters/services/read Reads services
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Writer

Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Contributor

Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments.

Actions Description
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
Actions Description
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Add or remove role assignments for the following roles:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
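The condition on the Azure Container Storage Contributor role (and the identical one on the Azure Container Storage Owner role below) is what keeps a holder of Microsoft.Authorization/roleAssignments/write from granting anything other than the Azure Container Storage Operator role: the write clause checks the RoleDefinitionId of the incoming request, the delete clause checks the RoleDefinitionId of the existing assignment being removed, and every clause is prefixed with a NOT ActionMatches so that actions the condition does not name are unaffected. The following Python is an added example, not Microsoft's code or any Azure SDK API: it parses a trimmed copy of the role definition from this page and evaluates the condition for sample role-assignment requests. It understands only the AND-of-(NOT action OR GuidEquals) shape used on this page and fails closed on anything else; GUID comparison ignoring hyphens and case is an assumption about GuidEquals, consistent with the hyphen-less GUID in the condition referring to the hyphenated Operator role id 08d4c71a-cc63-4ce4-a9c8-5dd251b4d619 on this page. Wildcard matching of action patterns with fnmatch is likewise an approximation of Azure's matching, adequate for the patterns here.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample: a trimmed copy of the Azure Container Storage Contributor
# role definition on this page. The first permission entry keeps three of its
# actions; the conditioned second entry is reproduced verbatim.
ROLE_DEFINITION_JSON = """
{
  "roleName": "Azure Container Storage Contributor",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ]
}
"""
ROLE = json.loads(ROLE_DEFINITION_JSON)

# Role ids taken from this page, hyphenated as Azure returns them.
OPERATOR_ROLE_ID = "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619"       # Azure Container Storage Operator
CLUSTER_ADMIN_ROLE_ID = "8393591c-06b9-48a2-a542-1bd6b377f6a2"  # Azure Arc Kubernetes Cluster Admin
ROLE_DEF_ATTR = "Microsoft.Authorization/roleAssignments:RoleDefinitionId"
WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# One "(!(ActionMatches{...})) OR (@Source[attr] ForAnyOfAnyValues:GuidEquals{...})"
# clause. Assumption: this is the only condition shape the example handles.
GUID_CLAUSE_RE = re.compile(
    r"\(\(!\(ActionMatches\{'(?P<action>[^']+)'\}\)\)\s*OR\s*"
    r"\(@(?P<source>Request|Resource)\[(?P<attr>[^\]]+)\]\s*"
    r"ForAnyOfAnyValues:GuidEquals\{(?P<guids>[^}]+)\}\)\)"
)


def normalize_guid(guid):
    """Comparison form: hyphens dropped, lower case (assumed GuidEquals semantics)."""
    return guid.strip().replace("-", "").lower()


def parse_guid_condition(condition):
    """Map each constrained action to (attribute source, attribute name, allowed GUIDs).

    Text outside the recognised clauses (other than the joining AND) is rejected,
    so an unfamiliar condition fails closed instead of being treated as permissive.
    """
    clauses = {}
    for m in GUID_CLAUSE_RE.finditer(condition):
        guids = {normalize_guid(g) for g in m.group("guids").split(",")}
        clauses[m.group("action")] = (m.group("source"), m.group("attr"), guids)
    leftover = GUID_CLAUSE_RE.sub("", condition).replace("AND", "").strip()
    if leftover or not clauses:
        raise ValueError("unsupported condition syntax: " + condition)
    return clauses


def condition_allows(condition, action, request, resource):
    """Evaluate the condition for one action against request/resource attributes."""
    clauses = parse_guid_condition(condition)
    if action not in clauses:
        return True  # every clause begins with NOT ActionMatches, so unnamed actions pass
    source, attr, allowed = clauses[action]
    value = {"Request": request, "Resource": resource}[source].get(attr)
    return value is not None and normalize_guid(value) in allowed


def role_allows(role_def, action, request=None, resource=None):
    """True if some permission entry grants `action` and its condition, if any, holds."""
    request, resource = request or {}, resource or {}
    for perm in role_def["permissions"]:
        granted = any(fnmatchcase(action, p) for p in perm.get("actions", []))
        denied = any(fnmatchcase(action, p) for p in perm.get("notActions", []))
        if not granted or denied:
            continue
        cond = perm.get("condition")
        if cond is None or condition_allows(cond, action, request, resource):
            return True
    return False


if __name__ == "__main__":
    checks = {
        "assign Operator role": role_allows(ROLE, WRITE, request={ROLE_DEF_ATTR: OPERATOR_ROLE_ID}),
        "assign Cluster Admin role": role_allows(ROLE, WRITE, request={ROLE_DEF_ATTR: CLUSTER_ADMIN_ROLE_ID}),
        "remove an Operator assignment": role_allows(ROLE, DELETE, resource={ROLE_DEF_ATTR: OPERATOR_ROLE_ID}),
        "read role assignments": role_allows(ROLE, "Microsoft.Authorization/roleAssignments/read"),
    }
    for label, ok in checks.items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The delete check deliberately reads the role id from the Resource attributes, not the Request: the request to remove an assignment carries no role id of its own, so the condition binds to the existing assignment. Running the same evaluator over the Owner role's conditioned entry gives the same answers, since its condition string is identical.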

Azure Container Storage Operator

Enable a managed identity to perform Azure Container Storage operations, such as managing virtual machines and managing virtual networks.

Actions Description
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/asyncoperations/read Polls the status of an asynchronous operation.
Microsoft.Network/routeTables/join/action Joins a route table. Not alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not alertable.
Microsoft.Network/virtualNetworks/write Creates a virtual network or updates an existing virtual network
Microsoft.Network/virtualNetworks/delete Deletes a virtual network
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not alertable.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Compute/virtualMachines/read Gets the properties of a virtual machine
Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine
Microsoft.Compute/virtualMachineScaleSets/read Gets the properties of a virtual machine scale set
Microsoft.Compute/virtualMachineScaleSets/write Creates a new virtual machine scale set or updates an existing one
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write Updates the properties of a virtual machine in a VM scale set
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Retrieves the properties of a virtual machine in a VM scale set
Microsoft.Resources/subscriptions/providers/read Gets or lists resource providers.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Network/virtualNetworks/read Gets the virtual network definition
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Owner

Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments.

Actions Description
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
Microsoft.ElasticSan/locations/asyncoperations/read Polls the status of an asynchronous operation.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
Actions Description
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) Add or remove role assignments for the following roles:
Azure Container Storage Operator
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
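The condition on the Azure Container Storage Owner role is easiest to understand by evaluating it. The following Python is an added example, not part of the Azure documentation or of any Microsoft tool: it tokenizes the condition string copied from the definition above, evaluates the subset of the Azure ABAC condition language that the condition uses (ActionMatches, @Request/@Resource attribute checks with ForAnyOfAnyValues:GuidEquals, !, AND, OR), and shows that the holder can only create or delete assignments whose role definition is Azure Container Storage Operator. The request and resource contexts are constructed for the example; Azure's real evaluator also supports wildcards in ActionMatches and many other operators, which are not needed here.

```python
import re

# The ABAC condition from the second permission block of the "Azure Container
# Storage Owner" definition above, copied verbatim.
OWNER_CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
)

RDID = "Microsoft.Authorization/roleAssignments:RoleDefinitionId"
OPERATOR = "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619"  # Azure Container Storage Operator (this page)
OWNER = "95de85bd-744d-4664-9dde-11430bc34793"     # Azure Container Storage Owner (this page)
WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# Tokenizer for the subset of the condition language this condition uses.
_TOKEN = re.compile(r"""\s*(?:
    (?P<lparen>\() | (?P<rparen>\)) | (?P<neg>!) | (?P<conj>AND\b) | (?P<disj>OR\b)
  | ActionMatches\{'(?P<action>[^']+)'\}
  | @(?P<source>Request|Resource)\[(?P<attr>[^\]]+)\]\s+ForAnyOfAnyValues:GuidEquals\{(?P<guids>[^}]+)\}
)""", re.VERBOSE)


def _guid(value):
    """Canonical GUID form: no hyphens, lower case (GuidEquals is not a plain string compare)."""
    return value.replace("-", "").strip().lower()


def tokenize(cond):
    tokens, pos, cond = [], 0, cond.strip()
    while pos < len(cond):
        m = _TOKEN.match(cond, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {cond[pos:pos + 25]!r}")
        pos = m.end()
        if m.group("action"):
            tokens.append(("action", m.group("action").lower()))
        elif m.group("source"):
            guids = {_guid(g) for g in m.group("guids").split(",")}
            tokens.append(("attr", m.group("source").lower(), m.group("attr"), guids))
        else:
            tokens.append((m.lastgroup,))
    return tokens


class _Parser:
    """Recursive descent: expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := '!' factor | '(' expr ')' | ActionMatches | attribute check."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def _next(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of condition")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self._expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in condition")
        return node

    def _expr(self):
        left = self._term()
        while self._peek() == "disj":
            self._next()
            left = (lambda l, r: lambda ctx: l(ctx) or r(ctx))(left, self._term())
        return left

    def _term(self):
        left = self._factor()
        while self._peek() == "conj":
            self._next()
            left = (lambda l, r: lambda ctx: l(ctx) and r(ctx))(left, self._factor())
        return left

    def _factor(self):
        tok = self._next()
        if tok[0] == "neg":
            inner = self._factor()
            return lambda ctx: not inner(ctx)
        if tok[0] == "lparen":
            inner = self._expr()
            if self._next()[0] != "rparen":
                raise ValueError("expected ')'")
            return inner
        if tok[0] == "action":
            name = tok[1]
            return lambda ctx: ctx["action"].lower() == name  # exact match; no wildcards needed here
        if tok[0] == "attr":
            _, source, attr, guids = tok

            def check(ctx):
                values = ctx.get(source, {}).get(attr, [])
                values = [values] if isinstance(values, str) else values
                return any(_guid(v) in guids for v in values)  # missing attribute -> False (fail closed)
            return check
        raise ValueError(f"unexpected token {tok!r}")


def is_allowed(cond, action, request=None, resource=None):
    """True when the condition permits `action` for the given request/resource attributes."""
    evaluate = _Parser(tokenize(cond)).parse()
    return evaluate({"action": action, "request": request or {}, "resource": resource or {}})


if __name__ == "__main__":
    print(is_allowed(OWNER_CONDITION, WRITE, request={RDID: OPERATOR}))    # True
    print(is_allowed(OWNER_CONDITION, WRITE, request={RDID: OWNER}))       # False: cannot grant Owner
    print(is_allowed(OWNER_CONDITION, DELETE, resource={RDID: OPERATOR}))  # True
    print(is_allowed(OWNER_CONDITION, WRITE))                              # False: no RoleDefinitionId
```

The write clause inspects the @Request attribute (the assignment being created) while the delete clause inspects the @Resource attribute (the assignment already in place), so the holder can neither grant nor remove any assignment other than Azure Container Storage Operator. A request that carries no RoleDefinitionId fails closed, which is what the missing-attribute branch in the evaluator models.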

Azure Kubernetes Fleet Manager Contributor Role

Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.

Actions Description
Microsoft.ContainerService/fleets/*
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Admin

Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of ResourceQuota objects and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. Unlike the RBAC Writer, this role can also create and modify Roles and RoleBindings in the namespace (the rbac.authorization.k8s.io data actions below), so a holder can widen its own Kubernetes permissions within that namespace.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Reads fleet internalmembercluster resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Reads fleet resourceoverridesnapshot resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Reads fleet work resources
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Cluster Admin

Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. The single Microsoft.ContainerService/fleets/* data action covers every Kubernetes resource in every namespace, Secrets and RBAC objects included, so this is the hub-cluster equivalent of cluster-admin.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Reader

Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Reads deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Reads jobs
Microsoft.ContainerService/fleets/configmaps/read Reads configmaps
Microsoft.ContainerService/fleets/endpoints/read Reads endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Reads deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/fleets/services/read Reads services
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Reads fleet internalmembercluster resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read Reads fleet resourceoverride resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Reads fleet resourceoverridesnapshot resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Reads fleet work resources
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Writer

Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows reading Secrets, and therefore the tokens of any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
none
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/apps/daemonsets/write Writes daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Reads deployments
Microsoft.ContainerService/fleets/apps/deployments/write Writes deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/fleets/apps/statefulsets/write Writes statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write Writes horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/fleets/batch/cronjobs/write Writes cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Reads jobs
Microsoft.ContainerService/fleets/batch/jobs/write Writes jobs
Microsoft.ContainerService/fleets/configmaps/read Reads configmaps
Microsoft.ContainerService/fleets/configmaps/write Writes configmaps
Microsoft.ContainerService/fleets/endpoints/read Reads endpoints
Microsoft.ContainerService/fleets/endpoints/write Writes endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/extensions/daemonsets/write Writes daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Reads deployments
Microsoft.ContainerService/fleets/extensions/deployments/write Writes deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/extensions/ingresses/write Writes ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/extensions/networkpolicies/write Writes networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write Writes ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write Writes networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/persistentvolumeclaims/write Writes persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write Writes poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/write Writes replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/read Reads secrets
Microsoft.ContainerService/fleets/secrets/write Writes secrets
Microsoft.ContainerService/fleets/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/fleets/serviceaccounts/write Writes serviceaccounts
Microsoft.ContainerService/fleets/services/read Reads services
Microsoft.ContainerService/fleets/services/write Writes services
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read Reads fleet internalmembercluster resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read Reads fleet resourceoverride resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write Writes fleet resourceoverride resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read Reads fleet resourceoverridesnapshot resources
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read Reads fleet work resources
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/write",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/deployments/write",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/write",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/write",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/configmaps/write",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/endpoints/write",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/write",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/write",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/write",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/write",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/read",
        "Microsoft.ContainerService/fleets/secrets/write",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/write",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/services/write",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
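The RBAC Reader and RBAC Writer descriptions above spell out why Secrets matter in these roles: reading a Secret can yield a ServiceAccount token, and with it that ServiceAccount's API access. The following Python is an added example, not Microsoft code, of the check a reviewer can run over role definition JSON (for instance the output of `az role definition list`) to flag roles whose data actions reach Secrets or RoleBindings, or whose control-plane actions include the credential-issuing listCredentials action, taking Azure's `*` wildcards and Not* exclusions into account. The embedded definitions are trimmed copies of the four Fleet Manager RBAC roles on this page, and the flag names are the example's own.

```python
import re

# Trimmed copies of four role definitions shown on this page. Only the entries the
# checks below need are kept; the complete action lists are in the JSON above.
ROLES = [
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
     "permissions": [{
         "actions": ["Microsoft.ContainerService/fleets/read",
                     "Microsoft.ContainerService/fleets/listCredentials/action"],
         "notActions": [],
         "dataActions": ["Microsoft.ContainerService/fleets/configmaps/read",
                         "Microsoft.ContainerService/fleets/serviceaccounts/read"],
         "notDataActions": []}]},
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
     "permissions": [{
         "actions": ["Microsoft.ContainerService/fleets/read",
                     "Microsoft.ContainerService/fleets/listCredentials/action"],
         "notActions": [],
         "dataActions": ["Microsoft.ContainerService/fleets/secrets/read",
                         "Microsoft.ContainerService/fleets/secrets/write",
                         "Microsoft.ContainerService/fleets/serviceaccounts/write"],
         "notDataActions": []}]},
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
     "permissions": [{
         "actions": ["Microsoft.ContainerService/fleets/read",
                     "Microsoft.ContainerService/fleets/listCredentials/action"],
         "notActions": [],
         "dataActions": ["Microsoft.ContainerService/fleets/secrets/*",
                         "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
                         "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*"],
         "notDataActions": []}]},
    {"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
     "permissions": [{
         "actions": ["Microsoft.ContainerService/fleets/read",
                     "Microsoft.ContainerService/fleets/listCredentials/action"],
         "notActions": [],
         "dataActions": ["Microsoft.ContainerService/fleets/*"],
         "notDataActions": []}]},
]

# Operations whose presence changes what a role holder can escalate to.
# Flag names are this example's own. data=True means "match against dataActions".
CHECKS = [
    ("secrets-read", True, "Microsoft.ContainerService/fleets/secrets/read"),
    ("rolebindings-write", True,
     "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/write"),
    ("list-credentials", False, "Microsoft.ContainerService/fleets/listCredentials/action"),
]


def _matches(pattern, operation):
    """Azure operation strings are case-insensitive; '*' matches any substring, '/' included."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def grants(role, operation, data):
    """True if some permission block allows `operation` and its Not* list does not take it back."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def classify(role):
    """Flags, in CHECKS order, that apply to one role definition."""
    return [flag for flag, data, op in CHECKS if grants(role, op, data)]


def audit(roles):
    return {r["roleName"]: classify(r) for r in roles}


if __name__ == "__main__":
    for name, flags in audit(ROLES).items():
        print(f"{name}: {', '.join(flags) or 'no escalation-relevant operations'}")
```

Run on the trimmed definitions this reproduces how the four roles differ: Reader yields only list-credentials, Writer adds secrets-read, RBAC Admin adds rolebindings-write, and Cluster Admin gets all three through the fleets/* wildcard. The check deliberately ignores deny assignments and ABAC conditions, which Azure's real authorization decision also evaluates, so treat it as a triage aid rather than an effective-permissions calculator.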

Azure Kubernetes Service Arc Cluster Admin Role

List cluster admin credential action. The admin kubeconfig this action returns is a full-control, non-user-specific credential for the provisioned cluster, so assignments of this role should be reviewed like cluster-admin access.

Learn more

Actions Description
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action Lists the admin credentials of a provisioned cluster instance used only in direct mode.
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster User Role

List cluster user credential action.

Learn more

Actions Description
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action Lists the AAD user credentials of a provisioned cluster instance used only in direct mode.
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Contributor Role

Grants access to read and write Azure Kubernetes Services hybrid clusters

Learn more

Actions Description
Microsoft.HybridContainerService/Locations/operationStatuses/read read operationStatuses
Microsoft.HybridContainerService/Operations/read read operations
Microsoft.HybridContainerService/kubernetesVersions/read Lists the supported kubernetes versions from the underlying custom location
Microsoft.HybridContainerService/kubernetesVersions/write Puts the kubernetes version resource type
Microsoft.HybridContainerService/kubernetesVersions/delete Deletes the kubernetes versions resource type
Microsoft.HybridContainerService/provisionedClusterInstances/read Gets the Hybrid AKS provisioned cluster instance associated with the connected cluster
Microsoft.HybridContainerService/provisionedClusterInstances/write Creates the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/delete Deletes the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read Gets the agent pool in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write Updates the agent pool in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete Deletes the agent pool in the Hybrid AKS provisioned cluster instance
Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read read upgradeProfiles
Microsoft.HybridContainerService/skus/read Lists the supported VM SKUs from the underlying custom location
Microsoft.HybridContainerService/skus/write Puts the VM SKUs resource type
Microsoft.HybridContainerService/skus/delete Deletes the VM SKU resource type
Microsoft.HybridContainerService/virtualNetworks/read Lists the Hybrid AKS virtual networks by subscription
Microsoft.HybridContainerService/virtualNetworks/write Patches the Hybrid AKS virtual network
Microsoft.HybridContainerService/virtualNetworks/delete Deletes the Hybrid AKS virtual network
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters
Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/Delete Deletes connectedClusters
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action List clusterUser credential
Microsoft.AzureStackHCI/clusters/read Gets clusters
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action.

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action List the clusterAdmin credential of a managed cluster
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Get a managed cluster access profile by role name using list credential
Microsoft.ContainerService/managedClusters/read Get a managed cluster
Microsoft.ContainerService/managedClusters/runcommand/action Run user issued command against managed kubernetes server.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Monitoring User

List cluster monitoring user credential action.

Actions Description
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action List the clusterMonitoringUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action.

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ContainerService/locations/* Read the locations available for ContainerService resources
Microsoft.ContainerService/managedClusters/* Create and manage managed clusters
Microsoft.ContainerService/managedclustersnapshots/* Create and manage managed cluster snapshots
Microsoft.ContainerService/snapshots/* Create and manage snapshots
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Writes resourcequotas
Microsoft.ContainerService/managedClusters/resourcequotas/delete Deletes resourcequotas
Microsoft.ContainerService/managedClusters/namespaces/write Writes namespaces
Microsoft.ContainerService/managedClusters/namespaces/delete Deletes namespaces
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read Reads configmaps
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/endpoints/read Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/read Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read Reads services
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Reads leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Writes leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Deletes leases
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
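As an added example (not code from this page or from Microsoft), the evaluator below applies the Actions/NotActions wildcard semantics that the RBAC Admin, RBAC Reader and RBAC Writer definitions above rely on: RBAC Reader cannot read Secrets, RBAC Writer can, and RBAC Admin's wildcard grant still carves out namespaces/delete, which only RBAC Cluster Admin keeps. The role excerpts are trimmed copies of the definitions on this page; the evaluation logic itself is a simplified model of Azure's behaviour and is an assumption of this example.

```python
"""Check which data-plane operations an AKS built-in role permits.

Added example, not Microsoft's code. The role excerpts below are copied
from the definitions listed on this page (trimmed to the entries these
checks need). The evaluator is a simplified model of Azure RBAC's
Actions/NotActions semantics: an operation is permitted when it matches
at least one granted pattern and no excluded pattern. Assignment scope,
deny assignments and Kubernetes-native RBAC are out of scope here.
"""
import re
from typing import Iterable, Optional


def _compile(pattern: str) -> re.Pattern:
    # A '*' in an Azure operation string matches any run of characters,
    # including '/' separators, so 'managedClusters/*' covers every
    # sub-resource. Azure operation names are compared case-insensitively.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def matches_any(operation: str, patterns: Iterable[str]) -> bool:
    return any(_compile(p).fullmatch(operation) for p in patterns)


def is_permitted(operation: str, granted: Iterable[str], excluded: Iterable[str]) -> bool:
    """NotDataActions only carve exclusions out of this role's own grant;
    they are not deny rules that override other role assignments."""
    return matches_any(operation, granted) and not matches_any(operation, excluded)


def permitted_data_action(role: dict, operation: str) -> bool:
    perm = role["permissions"][0]
    return is_permitted(operation, perm["dataActions"], perm["notDataActions"])


MC = "Microsoft.ContainerService/managedClusters/"

# Excerpts of the built-in role definitions on this page.
RBAC_READER = {"roleName": "Azure Kubernetes Service RBAC Reader", "permissions": [{
    "dataActions": [MC + "configmaps/read", MC + "pods/read", MC + "serviceaccounts/read",
                    MC + "namespaces/read"],
    "notDataActions": []}]}
RBAC_WRITER = {"roleName": "Azure Kubernetes Service RBAC Writer", "permissions": [{
    "dataActions": [MC + "pods/*", MC + "secrets/*", MC + "serviceaccounts/*",
                    MC + "namespaces/read", MC + "resourcequotas/read"],
    "notDataActions": []}]}
RBAC_ADMIN = {"roleName": "Azure Kubernetes Service RBAC Admin", "permissions": [{
    "dataActions": [MC + "*"],
    "notDataActions": [MC + "resourcequotas/write", MC + "resourcequotas/delete",
                       MC + "namespaces/write", MC + "namespaces/delete"]}]}
RBAC_CLUSTER_ADMIN = {"roleName": "Azure Kubernetes Service RBAC Cluster Admin", "permissions": [{
    "dataActions": [MC + "*"],
    "notDataActions": []}]}

# Ordered from least to most privileged; least_privilege_role relies on this order.
CANDIDATES = [RBAC_READER, RBAC_WRITER, RBAC_ADMIN, RBAC_CLUSTER_ADMIN]

SECRETS_READ = MC + "secrets/read"
POD_WRITE = MC + "pods/write"
NAMESPACE_DELETE = MC + "namespaces/delete"


def least_privilege_role(operations: Iterable[str], roles=CANDIDATES) -> Optional[str]:
    """Return the name of the first (least privileged) role that permits
    every requested operation, or None if none of them does."""
    ops = list(operations)
    for role in roles:
        if all(permitted_data_action(role, op) for op in ops):
            return role["roleName"]
    return None


if __name__ == "__main__":
    for role in CANDIDATES:
        verdicts = {op[len(MC):]: permitted_data_action(role, op)
                    for op in (SECRETS_READ, POD_WRITE, NAMESPACE_DELETE)}
        print(f"{role['roleName']}: {verdicts}")
    # A workload that only needs to create pods should get RBAC Writer, not RBAC Admin.
    print("pods/write ->", least_privilege_role([POD_WRITE]))
    # Only RBAC Cluster Admin keeps namespaces/delete; RBAC Admin carves it out.
    print("namespaces/delete ->", least_privilege_role([NAMESPACE_DELETE]))
```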

Connected Cluster Managed Identity CheckAccess Reader

Built-in role that allows a Connected Cluster managed identity to call the checkAccess API

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Configuration Reader and Data Access Configuration Reader

Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.

Actions Description
Microsoft.ContainerRegistry/registries/operationStatuses/read Gets a registry async operation status
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read Gets the properties of private endpoint connection or lists all the private endpoint connections for the specified container registry
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read Gets a private endpoint connection async operation status
Microsoft.ContainerRegistry/registries/listCredentials/action Lists the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/read Gets the properties of the specified token or lists all the tokens for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read Gets a token async operation status.
Microsoft.ContainerRegistry/registries/scopeMaps/read Gets the properties of the specified scope map or lists all the scope maps for the specified container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read Gets a scope map async operation status.
Microsoft.ContainerRegistry/registries/webhooks/read Gets the properties of the specified webhook or lists all the webhooks for the specified container registry.
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Gets the configuration of service URI and custom headers for the webhook.
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action Lists recent events for the specified webhook.
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read Gets a webhook async operation status
Microsoft.ContainerRegistry/registries/replications/read Gets the properties of the specified replication or lists all the replications for the specified container registry.
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read Gets a replication async operation status
Microsoft.ContainerRegistry/registries/connectedRegistries/read Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry.
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read Gets the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write Creates or updates the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read Gets the available logs for Microsoft ContainerRegistry
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read Gets the available metrics for Microsoft ContainerRegistry
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read classic metric alert incidents
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
  "name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Contributor and Data Access Configuration Administrator

Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write, or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents, including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.

Actions Description
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerRegistry/registries/operationStatuses/read Gets a registry async operation status
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/write Creates or updates a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/delete Deletes a container registry.
Microsoft.ContainerRegistry/registries/listCredentials/action Lists the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/regenerateCredential/action Regenerates one of the login credentials for the specified container registry.
Microsoft.ContainerRegistry/registries/generateCredentials/action Generates keys for a token of the specified container registry.
Microsoft.ContainerRegistry/registries/replications/read Gets the properties of the specified replication or lists all the replications for the specified container registry.
Microsoft.ContainerRegistry/registries/replications/write Creates or updates a replication for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/replications/delete Deletes a replication from a container registry.
Microsoft.ContainerRegistry/registries/replications/operationStatuses/read Gets a replication async operation status
Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action Auto-approves a private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/read Gets the properties of a private endpoint connection or lists all the private endpoint connections for the specified container registry
Microsoft.ContainerRegistry/registries/privateEndpointConnections/write Approves/rejects a private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete Deletes a private endpoint connection
Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read Gets a private endpoint connection async operation status
Microsoft.ContainerRegistry/registries/tokens/read Gets the properties of the specified token or lists all the tokens for the specified container registry.
Microsoft.ContainerRegistry/registries/tokens/write Creates or updates a token for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/tokens/delete Deletes a token from a container registry.
Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read Gets a token async operation status.
Microsoft.ContainerRegistry/registries/scopeMaps/read Gets the properties of the specified scope map or lists all the scope maps for the specified container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/write Creates or updates a scope map for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/scopeMaps/delete Deletes a scope map from a container registry.
Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read Gets a scope map async operation status.
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read Gets the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write Creates or updates the diagnostic setting for the resource
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read Gets the available logs for Microsoft ContainerRegistry
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read Gets the available metrics for Microsoft ContainerRegistry
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ContainerRegistry/registries/connectedRegistries/read Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry.
Microsoft.ContainerRegistry/registries/connectedRegistries/write Creates or updates a connected registry for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/connectedRegistries/delete Deletes a connected registry from a container registry.
Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action Deactivates a connected registry for a container registry
Microsoft.ContainerRegistry/registries/webhooks/read Gets the properties of the specified webhook or lists all the webhooks for the specified container registry.
Microsoft.ContainerRegistry/registries/webhooks/write Creates or updates a webhook for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/webhooks/delete Deletes a webhook from a container registry.
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Gets the service URI and custom headers configuration for the webhook.
Microsoft.ContainerRegistry/registries/webhooks/ping/action Triggers a ping event to be sent to the webhook.
Microsoft.ContainerRegistry/registries/webhooks/listEvents/action Lists recent events for the specified webhook.
Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read Gets a webhook async operation status
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read classic metric alert incidents
Microsoft.ContainerRegistry/locations/operationResults/read Gets an async operation result
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource (for example, a storage account or SQL database) to a subnet. Not alertable.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/read Gets the virtual network definition
Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write Creates a new private link service proxy, or updates an existing private link service proxy.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
  "name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/write",
        "Microsoft.ContainerRegistry/registries/delete",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
        "Microsoft.ContainerRegistry/registries/generateCredentials/action",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/write",
        "Microsoft.ContainerRegistry/registries/replications/delete",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/write",
        "Microsoft.ContainerRegistry/registries/tokens/delete",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/write",
        "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/write",
        "Microsoft.ContainerRegistry/registries/webhooks/delete",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.ContainerRegistry/locations/operationResults/read",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Data Importer and Data Reader

Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.

Actions Description
Microsoft.ContainerRegistry/registries/importImage/action Imports an image into a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
Microsoft.ContainerRegistry/registries/pull/read Pulls or gets images from a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/importImage/action",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Data Importer and Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Catalog Lister

Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/catalog/read Lists the repositories in a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Catalog Lister",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Contributor

Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pulls or gets images from a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/write Updates the metadata of a repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/write Pushes or writes images to a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/delete Deletes the metadata of a repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/delete Deletes artifacts in a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
        "Microsoft.ContainerRegistry/registries/repositories/content/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Reader

Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pulls or gets images from a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Repository Writer

Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.ContainerRegistry/registries/repositories/metadata/read Gets the metadata of a specific repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/read Pulls or gets images from a container registry.
Microsoft.ContainerRegistry/registries/repositories/metadata/write Updates the metadata of a repository in a container registry
Microsoft.ContainerRegistry/registries/repositories/content/write Pushes or writes images to a container registry.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
  "name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Tasks Contributor

Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions, including reading, writing, and deleting container images in registries. Permissions granted for Tasks management can also be used to run customer-authored build directives and run scripts to build software artifacts.

Actions Description
Microsoft.ContainerRegistry/registries/agentpools/read Gets an agent pool for a container registry or lists all agent pools.
Microsoft.ContainerRegistry/registries/agentpools/write Creates or updates an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/delete Deletes an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action Lists all queue statuses of an agent pool for a container registry.
Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read Gets an agent pool async operation result status
Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read Gets an agent pool async operation status
Microsoft.ContainerRegistry/registries/tasks/read Gets a task for a container registry or lists all tasks.
Microsoft.ContainerRegistry/registries/tasks/write Creates or updates a task for a container registry.
Microsoft.ContainerRegistry/registries/tasks/delete Deletes a task for a container registry.
Microsoft.ContainerRegistry/registries/tasks/listDetails/action Lists all details of a task for a container registry.
Microsoft.ContainerRegistry/registries/scheduleRun/action Schedules a run against a container registry.
Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action Gets the source upload URL location for a container registry.
Microsoft.ContainerRegistry/registries/runs/read Gets the properties of a run against a container registry or lists runs.
Microsoft.ContainerRegistry/registries/runs/write Updates a run.
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action Gets the log SAS URL for a run.
Microsoft.ContainerRegistry/registries/runs/cancel/action Cancels an existing run.
Microsoft.ContainerRegistry/registries/taskruns/read Gets a task run for a container registry or lists all task runs.
Microsoft.ContainerRegistry/registries/taskruns/write Creates or updates a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/delete Deletes a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/listDetails/action Lists all details of a task run for a container registry.
Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read Gets a task run async operation status
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerRegistry/registries/read Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
  "name": "fb382eab-e894-4461-af04-94435c366c3f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/agentpools/read",
        "Microsoft.ContainerRegistry/registries/agentpools/write",
        "Microsoft.ContainerRegistry/registries/agentpools/delete",
        "Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
        "Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
        "Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tasks/read",
        "Microsoft.ContainerRegistry/registries/tasks/write",
        "Microsoft.ContainerRegistry/registries/tasks/delete",
        "Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
        "Microsoft.ContainerRegistry/registries/scheduleRun/action",
        "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/read",
        "Microsoft.ContainerRegistry/registries/runs/write",
        "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/cancel/action",
        "Microsoft.ContainerRegistry/registries/taskruns/read",
        "Microsoft.ContainerRegistry/registries/taskruns/write",
        "Microsoft.ContainerRegistry/registries/taskruns/delete",
        "Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
        "Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Tasks Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Container Registry Transfer Pipeline Contributor

Provides the ability to transfer, import, and export artifacts by configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.

Actions Description
Microsoft.ContainerRegistry/registries/exportPipelines/read Gets the properties of the specified export pipeline or lists all the export pipelines for the specified container registry.
Microsoft.ContainerRegistry/registries/exportPipelines/write Creates or updates an export pipeline for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/exportPipelines/delete Deletes an export pipeline from a container registry.
Microsoft.ContainerRegistry/registries/importPipelines/read Gets the properties of the specified import pipeline or lists all the import pipelines for the specified container registry.
Microsoft.ContainerRegistry/registries/importPipelines/write Creates or updates an import pipeline for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/importPipelines/delete Deletes an import pipeline from a container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/read Gets the properties of the specified pipeline run or lists all the pipeline runs for the specified container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/write Creates or updates a pipeline run for a container registry with the specified parameters.
Microsoft.ContainerRegistry/registries/pipelineRuns/delete Deletes a pipeline run from a container registry.
Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read Gets a pipeline run async operation status.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/exportPipelines/read",
        "Microsoft.ContainerRegistry/registries/exportPipelines/write",
        "Microsoft.ContainerRegistry/registries/exportPipelines/delete",
        "Microsoft.ContainerRegistry/registries/importPipelines/read",
        "Microsoft.ContainerRegistry/registries/importPipelines/write",
        "Microsoft.ContainerRegistry/registries/importPipelines/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/read",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/write",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Transfer Pipeline Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Agentless Operator

Grants Microsoft Defender for Cloud access to Azure Kubernetes Services

Learn more

Actions Description
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write Creates or updates a trusted access role binding for a managed cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read Gets a trusted access role binding for a managed cluster
Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete Deletes a trusted access role binding for a managed cluster
Microsoft.ContainerService/managedClusters/read Gets a managed cluster
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the features of a subscription in a given resource provider.
Microsoft.Features/providers/features/register/action Registers a feature for a subscription in a given resource provider.
Microsoft.Security/pricings/securityoperators/read Gets the security operators for the scope
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Cluster - Azure Arc Onboarding

Role definition to authorize any user/service to create connectedClusters resources

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/read Reads connectedClusters
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets an async operation status.
Microsoft.Support/* Create and update support tickets
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Extension Contributor

Can create, update, get, list, and delete Kubernetes Extensions, and get extension async operations

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets an async operation status.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Cluster Contributor

Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, and so on.

Actions Description
Microsoft.ServiceFabric/clusters/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
  "name": "b6efc156-f0da-4e90-a50a-8c000140b017",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/clusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Managed Cluster Contributor

Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.

Actions Description
Microsoft.ServiceFabric/managedclusters/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
  "name": "83f80186-3729-438c-ad2d-39e94d718838",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/managedclusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Managed Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps