適用於容器的 Azure 內建角色
本文列出容器類別中的 Azure 內建角色。
AcrDelete
從容器登錄中刪除存放庫、標籤或資訊清單。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | 刪除容器登錄中的成品。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
將受信任的映像推送至或從已啟用內容信任的容器登錄提取信任的映像。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | 容器登錄的推送/提取內容信任元數據。 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | 允許推送或發佈容器登錄內容的信任集合。 這類似於 Microsoft.ContainerRegistry/registries/sign/write 動作,不同之處在於這是數據動作 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
從容器登錄中提取成品。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 從容器登錄提取或取得映像。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
將成品推送至容器登錄,或從容器登錄中提取成品。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 從容器登錄提取或取得映像。 |
| Microsoft.ContainerRegistry/registries/push/write | 將映像推送或寫入容器登錄。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
從容器登錄提取隔離的映像。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 從容器登錄提取或取得隔離的映像 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允許從容器登錄提取或取得隔離的成品。 這類似於 Microsoft.ContainerRegistry/registries/quarantine/read,不同之處在於它是數據動作 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
將隔離的映像推送至容器登錄,或從容器登錄提取隔離的映像。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 從容器登錄提取或取得隔離的映像 |
| Microsoft.ContainerRegistry/registries/quarantine/write | 寫入/修改隔離影像的隔離狀態 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允許從容器登錄提取或取得隔離的成品。 這類似於 Microsoft.ContainerRegistry/registries/quarantine/read,不同之處在於它是數據動作 |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | 允許寫入或更新隔離成品的隔離狀態。 這類似於 Microsoft.ContainerRegistry/registries/quarantine/write 動作,但數據動作除外 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
已啟用 Azure Arc 的 Kubernetes 叢集使用者角色
列出叢集使用者認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | 列出 clusterUser 認證(預覽) |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | 列出 clusterUser 認證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 系統管理員
可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | 寫入 localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 讀取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 讀取命名空間 |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 叢集系統管理員
可讓您管理叢集中的所有資源。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 檢視者
可讓您檢視叢集/命名空間中的所有資源,但秘密除外。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | 讀取精靈集 |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | 讀取部署 |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | 讀取複本集 |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | 讀取具狀態集 |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | 讀取 horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | 讀取 cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | 讀取作業 |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | 讀取 configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | 讀取端點 |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | 讀取精靈集 |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | 讀取部署 |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | 讀取輸入 |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | 讀取網路原則 |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | 讀取複本集 |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 讀取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 讀取命名空間 |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | 讀取輸入 |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | 讀取網路原則 |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | 讀取persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | 讀取 Pod |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | 讀取 poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | 讀取服務 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 寫入者
可讓您更新叢集/命名空間中的所有項目,但 (叢集) 角色和 (叢集) 角色繫結除外。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/events/read | 讀取事件 |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 讀取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 讀取命名空間 |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器記憶體參與者
安裝 Azure Container Storage 並管理其記憶體資源。 包含用來限制角色指派的 ABAC 條件。
| 動作 | 描述 |
|---|---|
| Microsoft.KubernetesConfiguration/extensions/write | 建立或更新延伸模組資源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 取得擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 刪除擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 取得異步作狀態。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| 動作 | |
| Microsoft.Authorization/roleAssignments/write | 建立指定範圍的角色指派。 |
| Microsoft.Authorization/roleAssignments/delete | 刪除指定範圍內的角色指派。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND (!!ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}) | 新增或移除下列角色的角色指派: Azure 容器記憶體作員 |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器記憶體作員
啟用受控識別來執行 Azure 容器記憶體作業,例如管理虛擬機和管理虛擬網路。
| 動作 | 描述 |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | 輪詢異步作的狀態。 |
| Microsoft.Network/routeTables/join/action | 加入路由表。 不可警示。 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入網路安全性群組。 不可警示。 |
| Microsoft.Network/virtualNetworks/write | 建立虛擬網路或更新現有的虛擬網路 |
| Microsoft.Network/virtualNetworks/delete | 刪除虛擬網路 |
| Microsoft.Network/virtualNetworks/join/action | 加入虛擬網路。 不可警示。 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網路定義 |
| Microsoft.Network/virtualNetworks/subnets/write | 建立虛擬網路子網路,或更新現有的虛擬網路子網路 |
| Microsoft.Compute/virtualMachines/read | 取得虛擬機器的屬性 |
| Microsoft.Compute/virtualMachines/write | 建立新的虛擬機或更新現有的虛擬機 |
| Microsoft.Compute/virtualMachineScaleSets/read | 取得虛擬機擴展集的屬性 |
| Microsoft.Compute/virtualMachineScaleSets/write | 建立新的虛擬機擴展集或更新現有的虛擬機擴展集 |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | 更新 VM 擴展集中虛擬機的屬性 |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | 擷取 VM 擴展集中虛擬機的屬性 |
| Microsoft.Resources/subscriptions/providers/read | 取得或列出資源提供者。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 容器記憶體擁有者
安裝 Azure Container Storage、授與其記憶體資源的存取權,以及設定 Azure 彈性記憶體局域網路 (SAN)。 包含用來限制角色指派的 ABAC 條件。
| 動作 | 描述 |
|---|---|
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | 輪詢異步作的狀態。 |
| Microsoft.KubernetesConfiguration/extensions/write | 建立或更新延伸模組資源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 取得擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 刪除擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 取得異步作狀態。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| 動作 | |
| Microsoft.Authorization/roleAssignments/write | 建立指定範圍的角色指派。 |
| Microsoft.Authorization/roleAssignments/delete | 刪除指定範圍內的角色指派。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND (!!ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}) | 新增或移除下列角色的角色指派: Azure 容器記憶體作員 |
{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager 參與者角色
授與 Azure Kubernetes Fleet Manager 所提供的 Azure 資源的讀取/寫入存取權,包括車隊、車隊成員、車隊更新策略、車隊更新執行等等。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerService/fleets/* | |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 機群管理員 RBAC 管理員
授與在佇列管理中樞叢集中命名空間內 Kubernetes 資源的讀取/寫入存取權 - 提供命名空間內大部分物件的寫入許可權,但 ResourceQuota 物件和命名空間物件本身除外。 將此角色套用至叢集範圍將會授與所有命名空間的存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/fleets/read | 取得車隊 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出車隊認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | 寫入 localsubjectaccessreviews |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | 讀取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 讀取命名空間 |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 讀取 fleet internalmembercluster 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* | |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 讀取 fleet resourceoverridesnapshot 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 讀取車隊工作資源 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 機群管理員 RBAC Cluster 管理員
授與機群受控中樞叢集中所有 Kubernetes 資源的讀取/寫入存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/fleets/read | 取得車隊 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出車隊認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 機群管理員 RBAC 讀取者
授與機群受控中樞叢集中命名空間內大部分 Kubernetes 資源的唯讀存取權。 它不允許檢視角色或角色繫結。 此角色不允許檢視秘密,因為讀取秘密的內容會允許對命名空間中的 ServiceAccount 認證的存取權,這會允許 API 存取作為命名空間中的任何 ServiceAccount (特殊權限提升形式)。 將此角色套用至叢集範圍將會授與所有命名空間的存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/fleets/read | 取得車隊 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出車隊認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/fleets/apps/deployments/read | 讀取部署 |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | 讀取具狀態集 |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | 讀取 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | 讀取 cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | 讀取作業 |
| Microsoft.ContainerService/fleets/configmaps/read | 讀取 configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | 讀取端點 |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/fleets/extensions/deployments/read | 讀取部署 |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/fleets/limitranges/read | 讀取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 讀取命名空間 |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | 讀取persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | 讀取 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | 讀取服務 |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 讀取 fleet internalmembercluster 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | 讀取機隊資源覆寫資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 讀取 fleet resourceoverridesnapshot 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 讀取車隊工作資源 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 機群管理員 RBAC 編寫器
授與佇列管理中樞叢集中命名空間內大部分 Kubernetes 資源的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色繫結。 不過,此角色允許以命名空間中的任何 ServiceAccount 身分存取秘密,因此它可用以取得命名空間中任何 ServiceAccount 的 API 存取層級。 將此角色套用至叢集範圍將會授與所有命名空間的存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/fleets/read | 取得車隊 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出車隊認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/fleets/apps/daemonsets/write | 寫入精靈集 |
| Microsoft.ContainerService/fleets/apps/deployments/read | 讀取部署 |
| Microsoft.ContainerService/fleets/apps/deployments/write | 寫入部署 |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | 讀取具狀態集 |
| Microsoft.ContainerService/fleets/apps/statefulsets/write | 寫入具狀態集 |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | 讀取 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | 寫入 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | 讀取 cronjobs |
| Microsoft.ContainerService/fleets/batch/cronjobs/write | 寫入cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | 讀取作業 |
| Microsoft.ContainerService/fleets/batch/jobs/write | 寫入作業 |
| Microsoft.ContainerService/fleets/configmaps/read | 讀取 configmaps |
| Microsoft.ContainerService/fleets/configmaps/write | 寫入 configmap |
| Microsoft.ContainerService/fleets/endpoints/read | 讀取端點 |
| Microsoft.ContainerService/fleets/endpoints/write | 寫入端點 |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/events/read | 讀取事件 |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/fleets/extensions/daemonsets/write | 寫入精靈集 |
| Microsoft.ContainerService/fleets/extensions/deployments/read | 讀取部署 |
| Microsoft.ContainerService/fleets/extensions/deployments/write | 寫入部署 |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/fleets/extensions/ingresses/write | 寫入輸入 |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/write | 寫入網路原則 |
| Microsoft.ContainerService/fleets/limitranges/read | 讀取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 讀取命名空間 |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | 寫入輸入 |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | 寫入網路原則 |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | 讀取persistentvolumeclaims |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/write | 寫入persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | 讀取 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | 寫入 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/write | 寫入 replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/read | 讀取秘密 |
| Microsoft.ContainerService/fleets/secrets/write | 寫入秘密 |
| Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.ContainerService/fleets/serviceaccounts/write | 寫入 serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | 讀取服務 |
| Microsoft.ContainerService/fleets/services/write | 寫入服務 |
| Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | 讀取 fleet internalmembercluster 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | 讀取機隊資源覆寫資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | 寫入機隊資源覆寫資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | 讀取 fleet resourceoverridesnapshot 資源 |
| Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | 讀取車隊工作資源 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc 叢集管理員角色
列出叢集管理員認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 取得與聯機叢集相關聯的混合式 AKS 布建叢集實例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action | 列出只用於直接模式之已布建叢集實例的管理員認證。 |
| Microsoft.Kubernetes/connectedClusters/Read | 讀取 connectedClusters |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc 叢集使用者角色
列出叢集使用者認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 取得與聯機叢集相關聯的混合式 AKS 布建叢集實例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action | 列出只用於直接模式之已布建叢集實例的 AAD 用戶認證。 |
| Microsoft.Kubernetes/connectedClusters/Read | 讀取 connectedClusters |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Arc 參與者角色
授與讀取和寫入 Azure Kubernetes Services 混合式叢集的存取權
| 動作 | 描述 |
|---|---|
| Microsoft.HybridContainerService/Locations/operationStatuses/read | read operationStatuses |
| Microsoft.HybridContainerService/Operations/read | 讀取作業 |
| Microsoft.HybridContainerService/kubernetesVersions/read | 列出基礎自定義位置支援的 kubernetes 版本 |
| Microsoft.HybridContainerService/kubernetesVersions/write | 放置 kubernetes 版本資源類型 |
| Microsoft.HybridContainerService/kubernetesVersions/delete | 刪除 kubernetes 版本資源類型 |
| Microsoft.HybridContainerService/provisionedClusterInstances/read | 取得與聯機叢集相關聯的混合式 AKS 布建叢集實例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/write | 建立混合式 AKS 佈建叢集實例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/delete | 刪除混合式 AKS 佈建叢集實例 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read | 取得混合式 AKS 佈建叢集實例中的代理程式集區 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write | 更新混合式 AKS 佈建叢集實例中的代理程式集區 |
| Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete | 刪除混合式 AKS 佈建叢集實例中的代理程式集區 |
| Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read | read upgradeProfiles |
| Microsoft.HybridContainerService/skus/read | 列出基礎自定義位置中支援的 VM SKU |
| Microsoft.HybridContainerService/skus/write | 放置 VM SKU 資源類型 |
| Microsoft.HybridContainerService/skus/delete | 刪除 Vm Sku 資源類型 |
| Microsoft.HybridContainerService/virtualNetworks/read | 依訂用帳戶列出混合式 AKS 虛擬網路 |
| Microsoft.HybridContainerService/virtualNetworks/write | 修補混合式 AKS 虛擬網路 |
| Microsoft.HybridContainerService/virtualNetworks/delete | 刪除混合式 AKS 虛擬網路 |
| Microsoft.ExtendedLocation/customLocations/deploy/action | 將權限部署至自訂位置資源 |
| Microsoft.ExtendedLocation/customLocations/read | 取得自定義位置資源 |
| Microsoft.Kubernetes/connectedClusters/Read | 讀取 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Write | 寫入 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/Delete | 刪除 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | 列出 clusterUser 認證 |
| Microsoft.AzureStackHCI/clusters/read | 取得叢集 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 叢集管理員角色
列出叢集管理員認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | 列出受控叢集的 clusterAdmin 認證 |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | 使用清單認證依角色名稱取得受控叢集存取配置檔 |
| Microsoft.ContainerService/managedClusters/read | 取得受控叢集 |
| Microsoft.ContainerService/managedClusters/runcommand/action | 對受控 Kubernetes 伺服器執行用戶發出的命令。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 叢集監視使用者
列出叢集監視使用者認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | 列出受控叢集的 clusterMonitoringUser 認證 |
| Microsoft.ContainerService/managedClusters/read | 取得受控叢集 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 叢集使用者角色
列出叢集使用者認證動作。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出受控叢集的 clusterUser 認證 |
| Microsoft.ContainerService/managedClusters/read | 取得受控叢集 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service 參與者角色
授與讀取和寫入 Azure Kubernetes Service 叢集的存取權
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.ContainerService/locations/* | 讀取 ContainerService 資源可用的位置 |
| Microsoft.ContainerService/managedClusters/* | 建立和管理受控叢集 |
| Microsoft.ContainerService/managedclustersnapshots/* | 建立和管理受控叢集快照集 |
| Microsoft.ContainerService/snapshots/* | 建立和管理快照集 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 管理員
可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出受控叢集的 clusterUser 認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | 寫入 resourcequotas |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | 刪除 resourcequotas |
| Microsoft.ContainerService/managedClusters/namespaces/write | 寫入命名空間 |
| Microsoft.ContainerService/managedClusters/namespaces/delete | 刪除命名空間 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 叢集管理員
可讓您管理叢集中的所有資源。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出受控叢集的 clusterUser 認證 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 讀取者
允許唯讀存取來查看命名空間中的大部分物件。 它不允許檢視角色或角色繫結。 此角色不允許檢視秘密,因為讀取秘密的內容會允許對命名空間中的 ServiceAccount 認證的存取權,這會允許 API 存取作為命名空間中的任何 ServiceAccount (特殊權限提升形式)。 將此角色套用至叢集範圍將會授與所有命名空間的存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | 讀取部署 |
| Microsoft.ContainerService/managedClusters/apps/replicasets/read | 讀取複本集 |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | 讀取具狀態集 |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | 讀取 horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | 讀取 cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | 讀取作業 |
| Microsoft.ContainerService/managedClusters/configmaps/read | 讀取 configmaps |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 讀取 endpointslices |
| Microsoft.ContainerService/managedClusters/endpoints/read | 讀取端點 |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 讀取事件 |
| Microsoft.ContainerService/managedClusters/events/read | 讀取事件 |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | 讀取精靈集 |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | 讀取部署 |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/read | 讀取複本集 |
| Microsoft.ContainerService/managedClusters/limitranges/read | 讀取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 讀取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 讀取節點 |
| Microsoft.ContainerService/managedClusters/namespaces/read | 讀取命名空間 |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | 讀取輸入 |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | 讀取網路原則 |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | 讀取persistentvolumeclaims |
| Microsoft.ContainerService/managedClusters/pods/read | 讀取 Pod |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | 讀取 poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | 讀取 replicationcontrollers |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.ContainerService/managedClusters/services/read | 讀取服務 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC 寫入者
允許命名空間中大部分物件的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色繫結。 不過,此角色允許以命名空間中的任何 ServiceAccount 身分存取秘密並執行 Pod,因此它可用以取得命名空間中任何 ServiceAccount 的 API 存取層級。 將此角色套用至叢集範圍將會授與所有命名空間的存取權。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 讀取控制器重新佈建 |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | 讀取租用 |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | 寫入租用 |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | 刪除租用 |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 讀取 endpointslices |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 讀取事件 |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | 讀取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 讀取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 讀取節點 |
| Microsoft.ContainerService/managedClusters/namespaces/read | 讀取命名空間 |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 讀取 resourcequotas |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
線上的叢集受控識別檢查Access讀取器
可讓連線叢集受控識別呼叫 checkAccess API 的內建角色
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 設定讀取器和數據存取設定讀取器
提供列出容器登錄和登錄組態屬性的許可權。 提供列出數據存取設定的許可權,例如系統管理使用者認證、範圍對應和令牌,可用來讀取、寫入或刪除存放庫和映像。 不提供讀取、列出或寫入登錄內容的直接許可權,包括存放庫和映像。 不提供修改數據平面內容的許可權,例如匯入、成品快取或同步處理,以及傳輸管線。 不提供管理工作的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/operationStatuses/read | 取得登錄異步作狀態 |
| Microsoft.ContainerRegistry/registries/read | 取得指定容器登錄的屬性,或列出指定資源群組或訂用帳戶下的所有容器登錄。 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | 取得私人端點連線的屬性,或列出指定容器登錄的所有私人端點連線 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | 取得私人端點連線異步作狀態 |
| Microsoft.ContainerRegistry/registries/listCredentials/action | 列出指定容器登錄的登入認證。 |
| Microsoft.ContainerRegistry/registries/tokens/read | 取得指定之令牌的屬性,或列出指定容器登錄的所有令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | 取得令牌異步作狀態。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/read | 取得指定範圍對應的屬性,或列出指定容器登錄的所有範圍對應。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | 取得範圍對應異步作狀態。 |
| Microsoft.ContainerRegistry/registries/webhooks/read | 取得指定 Webhook 的屬性,或列出指定容器登錄的所有 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | 取得 Webhook 的服務 URI 和自定義標頭組態。 |
| Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | 列出指定 Webhook 的最新事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | 取得 Webhook 異步作狀態 |
| Microsoft.ContainerRegistry/registries/replications/read | 取得指定複寫的屬性,或列出指定容器登錄的所有複寫。 |
| Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | 取得複寫異步作狀態 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/read | 取得指定之連線登錄的屬性,或列出指定之容器登錄的所有已連線登錄。 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | 取得資源的診斷設定 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | 建立或更新資源的診斷設定 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | 取得 Microsoft ContainerRegistry 的可用記錄 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | 取得 Microsoft ContainerRegistry 的可用計量 |
| Microsoft.Insights/AlertRules/Write | 建立或更新傳統計量警示 |
| Microsoft.Insights/AlertRules/Delete | 刪除傳統計量警示 |
| Microsoft.Insights/AlertRules/Read | 讀取傳統計量警示 |
| Microsoft.Insights/AlertRules/Activated/Action | 已啟動傳統計量警示 |
| Microsoft.Insights/AlertRules/Resolved/Action | 已解決傳統計量警示 |
| Microsoft.Insights/AlertRules/Throttled/Action | 傳統計量警示規則已節流 |
| Microsoft.Insights/AlertRules/Incidents/Read | 讀取傳統計量警示事件 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
"name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 參與者和數據存取設定管理員
提供建立、列出及更新容器登錄和登錄組態屬性的許可權。 提供許可權來設定數據存取,例如系統管理員使用者認證、範圍對應和令牌,可用來讀取、寫入或刪除存放庫和映像。 不提供讀取、列出或寫入登錄內容的直接許可權,包括存放庫和映像。 不提供修改數據平面內容的許可權,例如匯入、成品快取或同步處理,以及傳輸管線。 不提供管理工作的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerRegistry/registries/operationStatuses/read | 取得登錄異步作狀態 |
| Microsoft.ContainerRegistry/registries/read | 取得指定容器登錄的屬性,或列出指定資源群組或訂用帳戶下的所有容器登錄。 |
| Microsoft.ContainerRegistry/registries/write | 使用指定的參數建立或更新容器登錄。 |
| Microsoft.ContainerRegistry/registries/delete | 刪除容器登錄。 |
| Microsoft.ContainerRegistry/registries/listCredentials/action | 列出指定容器登錄的登入認證。 |
| Microsoft.ContainerRegistry/registries/regenerateCredential/action | 重新產生指定容器登錄的其中一個登入認證。 |
| Microsoft.ContainerRegistry/registries/generateCredentials/action | 產生指定容器登錄之令牌的金鑰。 |
| Microsoft.ContainerRegistry/registries/replications/read | 取得指定複寫的屬性,或列出指定容器登錄的所有複寫。 |
| Microsoft.ContainerRegistry/registries/replications/write | 使用指定的參數建立或更新容器登錄的複寫。 |
| Microsoft.ContainerRegistry/registries/replications/delete | 從容器登錄刪除複寫。 |
| Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | 取得複寫異步作狀態 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | 自動核准私人端點連線 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | 取得私人端點連線的屬性,或列出指定容器登錄的所有私人端點連線 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | 核准/拒絕私人端點連線 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | 刪除私人端點連線 |
| Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | 取得私人端點連線異步作狀態 |
| Microsoft.ContainerRegistry/registries/tokens/read | 取得指定之令牌的屬性,或列出指定容器登錄的所有令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/write | 使用指定的參數建立或更新容器登錄的令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/delete | 從容器登錄中刪除令牌。 |
| Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | 取得令牌異步作狀態。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/read | 取得指定範圍對應的屬性,或列出指定容器登錄的所有範圍對應。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/write | 使用指定的參數,建立或更新容器登錄的範圍對應。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/delete | 從容器登錄刪除範圍對應。 |
| Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | 取得範圍對應異步作狀態。 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | 取得資源的診斷設定 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | 建立或更新資源的診斷設定 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | 取得 Microsoft ContainerRegistry 的可用記錄 |
| Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | 取得 Microsoft ContainerRegistry 的可用計量 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/read | 取得指定之連線登錄的屬性,或列出指定之容器登錄的所有已連線登錄。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/write | 使用指定的參數,為容器登錄建立或更新連接的登錄。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/delete | 從容器登錄中刪除連接的登錄。 |
| Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | 停用容器登錄的連線登錄 |
| Microsoft.ContainerRegistry/registries/webhooks/read | 取得指定 Webhook 的屬性,或列出指定容器登錄的所有 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/write | 使用指定的參數建立或更新容器登錄的 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/delete | 從容器登錄中刪除 Webhook。 |
| Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | 取得 Webhook 的服務 URI 和自定義標頭組態。 |
| Microsoft.ContainerRegistry/registries/webhooks/ping/action | 觸發要傳送至 Webhook 的 Ping 事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | 列出指定 Webhook 的最新事件。 |
| Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | 取得 Webhook 異步作狀態 |
| Microsoft.Insights/AlertRules/Write | 建立或更新傳統計量警示 |
| Microsoft.Insights/AlertRules/Delete | 刪除傳統計量警示 |
| Microsoft.Insights/AlertRules/Read | 讀取傳統計量警示 |
| Microsoft.Insights/AlertRules/Activated/Action | 已啟動傳統計量警示 |
| Microsoft.Insights/AlertRules/Resolved/Action | 已解決傳統計量警示 |
| Microsoft.Insights/AlertRules/Throttled/Action | 傳統計量警示規則已節流 |
| Microsoft.Insights/AlertRules/Incidents/Read | 讀取傳統計量警示事件 |
| Microsoft.ContainerRegistry/locations/operationResults/read | 取得異步作結果 |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網路定義 |
| Microsoft.Network/virtualNetworks/subnets/write | 建立虛擬網路子網路,或更新現有的虛擬網路子網路 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | 建立新的私人連結服務 Proxy,或更新現有的私人連結服務 Proxy。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
"name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/write",
"Microsoft.ContainerRegistry/registries/delete",
"Microsoft.ContainerRegistry/registries/listCredentials/action",
"Microsoft.ContainerRegistry/registries/regenerateCredential/action",
"Microsoft.ContainerRegistry/registries/generateCredentials/action",
"Microsoft.ContainerRegistry/registries/replications/read",
"Microsoft.ContainerRegistry/registries/replications/write",
"Microsoft.ContainerRegistry/registries/replications/delete",
"Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
"Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tokens/read",
"Microsoft.ContainerRegistry/registries/tokens/write",
"Microsoft.ContainerRegistry/registries/tokens/delete",
"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/read",
"Microsoft.ContainerRegistry/registries/scopeMaps/write",
"Microsoft.ContainerRegistry/registries/scopeMaps/delete",
"Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/read",
"Microsoft.ContainerRegistry/registries/connectedRegistries/write",
"Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
"Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
"Microsoft.ContainerRegistry/registries/webhooks/read",
"Microsoft.ContainerRegistry/registries/webhooks/write",
"Microsoft.ContainerRegistry/registries/webhooks/delete",
"Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
"Microsoft.ContainerRegistry/registries/webhooks/ping/action",
"Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
"Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.ContainerRegistry/locations/operationResults/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Contributor and Data Access Configuration Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 數據匯入工具和數據讀取器
提供透過登錄匯入作業將映像匯入登錄的功能。 提供列出存放庫、檢視映像和標籤、取得指令清單和提取映像的功能。 不提供透過設定登錄傳輸管線來匯入映像的許可權,例如匯入和匯出管線。 不提供透過設定成品快取或同步處理規則匯入的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/importImage/action | 使用指定的參數將映像匯入容器登錄。 |
| Microsoft.ContainerRegistry/registries/read | 取得指定容器登錄的屬性,或列出指定資源群組或訂用帳戶下的所有容器登錄。 |
| Microsoft.ContainerRegistry/registries/pull/read | 從容器登錄提取或取得映像。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/importImage/action",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Data Importer and Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 存放庫目錄清單器
允許列出 Azure Container Registry 中的所有存放庫。 此角色處於預覽狀態,且可能會變更。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/catalog/read | 列出容器登錄中的存放庫。 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/catalog/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Catalog Lister",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 存放庫參與者
允許讀取、寫入和刪除 Azure Container Registry 存放庫的存取權,但不包括目錄清單。 此角色處於預覽狀態,且可能會變更。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 取得容器登錄之特定存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 從容器登錄提取或取得映像。 |
| Microsoft.ContainerRegistry/registries/repositories/metadata/write | 更新容器登錄存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/write | 將映像推送或寫入容器登錄。 |
| Microsoft.ContainerRegistry/registries/repositories/metadata/delete | 刪除容器登錄存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/delete | 刪除容器登錄中的成品。 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write",
"Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
"Microsoft.ContainerRegistry/registries/repositories/content/delete"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 存放庫讀取器
允許讀取 Azure Container Registry 存放庫的存取權,但不包括目錄清單。 此角色處於預覽狀態,且可能會變更。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 取得容器登錄之特定存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 從容器登錄提取或取得映像。 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
"name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 存放庫寫入器
允許讀取和寫入 Azure Container Registry 存放庫,但不包括目錄清單。 此角色處於預覽狀態,且可能會變更。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/repositories/metadata/read | 取得容器登錄之特定存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/read | 從容器登錄提取或取得映像。 |
| Microsoft.ContainerRegistry/registries/repositories/metadata/write | 更新容器登錄存放庫的元數據 |
| Microsoft.ContainerRegistry/registries/repositories/content/write | 將映像推送或寫入容器登錄。 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
"name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/repositories/metadata/read",
"Microsoft.ContainerRegistry/registries/repositories/content/read",
"Microsoft.ContainerRegistry/registries/repositories/metadata/write",
"Microsoft.ContainerRegistry/registries/repositories/content/write"
],
"notDataActions": []
}
],
"roleName": "Container Registry Repository Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 工作參與者
提供設定、讀取、列出、觸發程式或取消 Container Registry 工作、工作執行、工作記錄、快速執行、快速建置和工作代理程式集區的許可權。 授與工作管理的許可權可用於完整的登錄數據平面許可權,包括登錄中的讀取/寫入/刪除容器映像。 授與工作管理的許可權也可以用來執行客戶撰寫的組建指示詞,以及執行腳本來建置軟體成品。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/agentpools/read | 取得容器登錄的代理程式集池,或列出所有代理程式集區。 |
| Microsoft.ContainerRegistry/registries/agentpools/write | 建立或更新容器登錄的代理程式集池。 |
| Microsoft.ContainerRegistry/registries/agentpools/delete | 刪除容器登錄的 Agentpool。 |
| Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | 列出容器登錄之 Agentpool 的所有佇列狀態。 |
| Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | 取得 Agentpool 異步作結果狀態 |
| Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | 取得 Agentpool 異步作狀態 |
| Microsoft.ContainerRegistry/registries/tasks/read | 取得容器登錄的工作,或列出所有工作。 |
| Microsoft.ContainerRegistry/registries/tasks/write | 建立或更新容器登錄的工作。 |
| Microsoft.ContainerRegistry/registries/tasks/delete | 刪除容器登錄的工作。 |
| Microsoft.ContainerRegistry/registries/tasks/listDetails/action | 列出容器登錄工作的所有詳細數據。 |
| Microsoft.ContainerRegistry/registries/scheduleRun/action | 針對容器登錄排程執行。 |
| Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | 取得容器登錄的來源上傳 URL 位置。 |
| Microsoft.ContainerRegistry/registries/runs/read | 取得針對容器登錄或清單執行的回合屬性。 |
| Microsoft.ContainerRegistry/registries/runs/write | 更新執行。 |
| Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | 取得執行的記錄 SAS URL。 |
| Microsoft.ContainerRegistry/registries/runs/cancel/action | 取消現有的執行。 |
| Microsoft.ContainerRegistry/registries/taskruns/read | 取得容器登錄的工作執行,或列出所有工作執行。 |
| Microsoft.ContainerRegistry/registries/taskruns/write | 建立或更新容器登錄的工作執行。 |
| Microsoft.ContainerRegistry/registries/taskruns/delete | 刪除容器登錄的工作執行。 |
| Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | 列出容器登錄之工作執行的所有詳細數據。 |
| Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | 取得工作執行異步作業狀態 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.ContainerRegistry/registries/read | 取得指定容器登錄的屬性,或列出指定資源群組或訂用帳戶下的所有容器登錄。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
"name": "fb382eab-e894-4461-af04-94435c366c3f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/agentpools/read",
"Microsoft.ContainerRegistry/registries/agentpools/write",
"Microsoft.ContainerRegistry/registries/agentpools/delete",
"Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
"Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
"Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
"Microsoft.ContainerRegistry/registries/tasks/read",
"Microsoft.ContainerRegistry/registries/tasks/write",
"Microsoft.ContainerRegistry/registries/tasks/delete",
"Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
"Microsoft.ContainerRegistry/registries/scheduleRun/action",
"Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
"Microsoft.ContainerRegistry/registries/runs/read",
"Microsoft.ContainerRegistry/registries/runs/write",
"Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
"Microsoft.ContainerRegistry/registries/runs/cancel/action",
"Microsoft.ContainerRegistry/registries/taskruns/read",
"Microsoft.ContainerRegistry/registries/taskruns/write",
"Microsoft.ContainerRegistry/registries/taskruns/delete",
"Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
"Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerRegistry/registries/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Tasks Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Container Registry 傳輸管線參與者
透過設定涉及中繼記憶體帳戶和密鑰保存庫的登錄傳輸管線,提供傳輸、匯入和導出成品的能力。 不提供推送或提取映像的許可權。 不提供建立、管理或列出記憶體帳戶或金鑰保存庫的許可權。 不提供執行角色指派的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/exportPipelines/read | 取得指定之導出管線的屬性,或列出指定容器登錄的所有匯出管線。 |
| Microsoft.ContainerRegistry/registries/exportPipelines/write | 使用指定的參數,建立或更新容器登錄的導出管線。 |
| Microsoft.ContainerRegistry/registries/exportPipelines/delete | 從容器登錄刪除匯出管線。 |
| Microsoft.ContainerRegistry/registries/importPipelines/read | 取得指定匯入管線的屬性,或列出指定容器登錄的所有匯入管線。 |
| Microsoft.ContainerRegistry/registries/importPipelines/write | 使用指定的參數,建立或更新容器登錄的匯入管線。 |
| Microsoft.ContainerRegistry/registries/importPipelines/delete | 從容器登錄刪除匯入管線。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/read | 取得指定管線執行的屬性,或列出指定容器登錄的所有管線執行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/write | 使用指定的參數建立或更新容器登錄的管線執行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/delete | 從容器登錄中刪除管線執行。 |
| Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | 取得管線執行異步作業狀態。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/exportPipelines/read",
"Microsoft.ContainerRegistry/registries/exportPipelines/write",
"Microsoft.ContainerRegistry/registries/exportPipelines/delete",
"Microsoft.ContainerRegistry/registries/importPipelines/read",
"Microsoft.ContainerRegistry/registries/importPipelines/write",
"Microsoft.ContainerRegistry/registries/importPipelines/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/read",
"Microsoft.ContainerRegistry/registries/pipelineRuns/write",
"Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
"Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Container Registry Transfer Pipeline Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 無代理程式操作員
授與適用於雲端的 Microsoft Defender 對 Azure Kubernetes Services 的存取權
| 動作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | 建立或更新受控叢集的受信任存取角色系結 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | 取得受控叢集的信任存取角色系結 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | 刪除受控叢集的信任存取角色系結 |
| Microsoft.ContainerService/managedClusters/read | 取得受控叢集 |
| Microsoft.Features/features/read | 取得訂用帳戶的功能。 |
| Microsoft.Features/providers/features/read | 取得指定資源提供者中訂用帳戶的功能。 |
| Microsoft.Features/providers/features/register/action | 在指定的資源提供者中註冊訂用帳戶的功能。 |
| Microsoft.Security/pricings/securityoperators/read | 取得範圍的安全性運算元 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 叢集 - Azure Arc 上線
授權任何使用者/服務建立 connectedClusters 資源的角色定義
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Kubernetes/connectedClusters/Write | 寫入 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/read | 讀取 connectedClusters |
| Microsoft.KubernetesConfiguration/extensions/write | 建立或更新延伸模組資源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 取得擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 刪除擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 取得異步作狀態。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 擴充功能參與者
可以建立、更新、取得、列出和刪除 Kubernetes 擴充功能並取得擴充功能異步操作
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.KubernetesConfiguration/extensions/write | 建立或更新延伸模組資源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 取得擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 刪除擴充實例資源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 取得異步作狀態。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric 叢集參與者
管理 Service Fabric 叢集資源。 包括叢集、應用程式類型、應用程式類型版本、應用程式和服務。 您需要額外的許可權,才能部署和管理叢集的基礎資源,例如虛擬機擴展集、記憶體帳戶、網路等。
| 動作 | 描述 |
|---|---|
| Microsoft.ServiceFabric/clusters/* | |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Service Fabric 受控叢集參與者
部署和管理 Service Fabric 受控叢集資源。 包含受控叢集、節點類型、應用程式類型、應用程式類型版本、應用程式和服務。
| 動作 | 描述 |
|---|---|
| Microsoft.ServiceFabric/managedclusters/* | |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}