Azure 容器内置角色
本文列出了“容器”类别的 Azure 内置角色。
AcrDelete
从容器注册表中删除存储库、标记或清单。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | 删除容器注册表中的项目。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
将受信任的映像推送到为内容信任启用的容器注册表中或从中拉取受信任的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | 推送/拉取容器注册表的内容信任元数据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | 允许推送或发布受信任的容器注册表内容集合。 这类似于 Microsoft.ContainerRegistry/registries/sign/write 操作,只是这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
从容器注册表中拉取项目。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
将项目推送到容器注册表或从中拉取项目。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。 |
| Microsoft.ContainerRegistry/registries/push/write | 将映像推送或写入容器注册表。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
从容器注册表中拉取已隔离的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允许从容器注册表拉取或获取已隔离的项目。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/read,只不过这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
将已隔离的映像推送到容器注册表或从中拉取已隔离的映像。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像 |
| Microsoft.ContainerRegistry/registries/quarantine/write | 写入/修改已隔离映像的隔离状态 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | 允许从容器注册表拉取或获取已隔离的项目。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/read,只不过这是一个数据操作 |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | 允许写入或更新隔离项目的隔离状态。 这类似于 Microsoft.ContainerRegistry/registries/quarantine/write 操作,只不过这是一个数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
已启用 Azure Arc 的 Kubernetes 群集用户角色
列出群集用户凭据操作。
| 操作 | 说明 |
|---|---|
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | 列出 clusterUser 凭据(预览版) |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | 列出 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 管理员
允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | 写入 localsubjectaccessreviews |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 群集管理员
允许管理群集中的所有资源。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 查看者
允许查看群集/命名空间中除密码之外的所有资源。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/read | 读取 deployments |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | 读取 replicasets |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/read | 读取作业 |
| Microsoft.Kubernetes/connectedClusters/configmaps/read | 读取 configmaps |
| Microsoft.Kubernetes/connectedClusters/endpoints/read | 读取 endpoints |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | 读取 deployments |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | 读取 ingresses |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | 读取 replicasets |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.Kubernetes/connectedClusters/pods/read | 读取 Pod |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.Kubernetes/connectedClusters/services/read | 读取 services |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes 写入者
允许更新群集/命名空间中的所有内容,但 (cluster)role 和 (cluster)role 绑定除外。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
| Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
| Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
| Microsoft.Kubernetes/connectedClusters/configmaps/* | |
| Microsoft.Kubernetes/connectedClusters/endpoints/* | |
| Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/events/read | 读取 events |
| Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
| Microsoft.Kubernetes/connectedClusters/limitranges/read | 读取 limitranges |
| Microsoft.Kubernetes/connectedClusters/namespaces/read | 读取 namespaces |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
| Microsoft.Kubernetes/connectedClusters/pods/* | |
| Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
| Microsoft.Kubernetes/connectedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.Kubernetes/connectedClusters/secrets/* | |
| Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
| Microsoft.Kubernetes/connectedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器参与者角色
授予对 Azure Kubernetes 舰队管理器提供的 Azure 资源的读/写访问权限,包括舰队、舰队成员、舰队更新策略、舰队更新运行等。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerService/fleets/* | |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 管理员
授予对舰队托管的中心群集中命名空间内的 Kubernetes 资源的读/写访问权限 - 提供对命名空间中的大多数对象的写入权限,但 ResourceQuota 对象和命名空间对象本身除外。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | 写入 localsubjectaccessreviews |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 群集管理员
授予对舰队托管的中心群集中所有 Kubernetes 资源的读/写访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 读者
授予对舰队托管的中心群集中命名空间内大多数 Kubernetes 资源的只读访问权限。 不允许查看角色或角色绑定。 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/apps/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | 读取作业 |
| Microsoft.ContainerService/fleets/configmaps/read | 读取 configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | 读取 endpoints |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/fleets/extensions/deployments/read | 读取 deployments |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | 读取 services |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 舰队管理器 RBAC 编写者
授予对舰队托管的中心群集中命名空间内大多数 Kubernetes 资源的读/写访问权限。 此角色不允许查看或修改角色或角色绑定。 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/fleets/read | 获取机群 |
| Microsoft.ContainerService/fleets/listCredentials/action | 列出机群凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/fleets/events/read | 读取 events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集管理员角色
列出群集管理员凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | 列出托管群集的 clusterAdmin 凭据 |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | 使用列表凭据按角色名称获取托管的群集访问配置文件 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| Microsoft.ContainerService/managedClusters/runcommand/action | 针对托管 kubernetes 服务器运行用户发出的命令。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集监视用户
列出群集监视用户凭据操作。
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | 列出托管群集的 clusterMonitoringUser 凭据 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集用户角色
列出群集用户凭据操作。
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务参与者角色
授予对 Azure Kubernetes 服务群集的读写访问权限
| 操作 | 描述 |
|---|---|
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| Microsoft.ContainerService/managedClusters/write | 创建新的或更新现有的托管的群集 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 管理员
允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | 写入 resourcequotas |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | 删除 resourcequotas |
| Microsoft.ContainerService/managedClusters/namespaces/write | 写入 namespaces |
| Microsoft.ContainerService/managedClusters/namespaces/delete | 删除 namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 群集管理员
允许管理群集中的所有资源。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 读取者
允许进行只读访问并查看命名空间中的大多数对象。 不允许查看角色或角色绑定。 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | 读取 deployments |
| Microsoft.ContainerService/managedClusters/apps/replicasets/read | 读取 replicasets |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | 读取 statefulsets |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | 读取 cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | 读取作业 |
| Microsoft.ContainerService/managedClusters/configmaps/read | 读取 configmaps |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 读取 endpointslices |
| Microsoft.ContainerService/managedClusters/endpoints/read | 读取 endpoints |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | 读取 daemonsets |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | 读取 deployments |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/read | 读取 replicasets |
| Microsoft.ContainerService/managedClusters/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 读取 nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | 读取 ingresses |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | 读取 networkpolicies |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | 读取 persistentvolumeclaims |
| Microsoft.ContainerService/managedClusters/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | 读取 replicationcontrollers |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | 读取 serviceaccounts |
| Microsoft.ContainerService/managedClusters/services/read | 读取 services |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 写入者
允许对命名空间中的大多数对象进行读/写访问。 此角色不允许查看或修改角色或角色绑定。 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密和运行 Pod,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。 在群集范围内应用此角色将提供对所有命名空间的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | 读取 leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | 写入 leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | 删除 leases |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | 读取 endpointslices |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 events |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | 读取 limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | 读取 Pod |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | 读取 nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | 读取 namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotas |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 无代理操作员
授予 Microsoft Defender for Cloud 对 Azure Kubernetes 服务的访问权限
| 操作 | 说明 |
|---|---|
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | 为托管群集创建或更新受信任的访问角色绑定 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | 获取托管群集的受信任访问角色绑定 |
| Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | 删除托管群集的受信任访问角色绑定 |
| Microsoft.ContainerService/managedClusters/read | 获取托管的群集 |
| Microsoft.Features/features/read | 获取订阅的功能。 |
| Microsoft.Features/providers/features/read | 获取给定资源提供程序中某个订阅的功能。 |
| Microsoft.Features/providers/features/register/action | 在给定的资源提供程序中注册某个订阅的功能。 |
| Microsoft.Security/pricings/securityoperators/read | 获取范围的安全操作员 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 群集 - Azure Arc 载入
授权任何用户/服务创建 connectedClusters 资源的角色定义
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Kubernetes/connectedClusters/Write | 写入 connectedClusters |
| Microsoft.Kubernetes/connectedClusters/read | 读取 connectedClusters |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes 扩展参与者
可以创建、更新、获取、列出和删除 Kubernetes 扩展,以及获取扩展异步操作
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.KubernetesConfiguration/extensions/write | 创建或更新扩展资源。 |
| Microsoft.KubernetesConfiguration/extensions/read | 获取扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/delete | 删除扩展实例资源。 |
| Microsoft.KubernetesConfiguration/extensions/operations/read | 获取异步操作状态。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}