Funções internas do Azure para contêineres

Este artigo lista as funções internas do Azure na categoria Contêineres.

AcrDelete

Exclui repositórios, marcas ou manifestos de um registro de contêiner.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Evite usar essa função. A confiança de conteúdo no Registro de Contêiner do Azure e na função AcrImageSigner estão sendo preteridas e serão completamente removidas em 31 de março de 2028. Para obter detalhes e diretrizes de transição, consulte https://aka.ms/acr/dctdeprecation.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Efetua pull de artefatos de um registro de contêiner.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Efetua push ou pull de artefatos de um registro de contêiner.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Efetua pull de imagens em quarentena de um registro de contêiner.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Efetua push ou pull de imagens em quarentena de um registro de contêiner.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Usuário do cluster de Kubernetes habilitado para Azure Arc

Listar a ação das credenciais do usuário do cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Kubernetes do Azure Arc

Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do cluster de Kubernetes do Azure Arc

Permite gerenciar todos os recursos no cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Visualizador do Kubernetes do Azure Arc

Permite que você veja todos os recursos no cluster ou namespace, exceto os segredos.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador do Kubernetes do Azure Arc

Permite que você atualize tudo no cluster ou namespace, exceto as funções (cluster) e associações de função (cluster).

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de Colaborador das Instâncias de Contêiner do Azure

Concede acesso de leitura/gravação a grupos de contêineres fornecidos pelas Instâncias de Contêiner do Azure

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to container groups provided by Azure Container Instances",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d977122-f97e-4b4d-a52f-6b43003ddb4d",
  "name": "5d977122-f97e-4b4d-a52f-6b43003ddb4d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerInstance/containerGroups/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Instances Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do Armazenamento de contêineres do Azure

Instala o Armazenamento de contêineres do Azure e gerencia os recursos de armazenamento. Inclui uma condição do ABAC para restringir atribuições de função.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador do Armazenamento de contêineres do Azure

Habilita uma identidade gerenciada a executar operações do Armazenamento de contêineres do Azure, como gerenciar máquinas virtuais e redes virtuais.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Proprietário do Armazenamento de contêineres do Azure

Instala o Armazenamento de contêineres do Azure, permite acesso aos recursos de armazenamento e configura o Azure Elastic SAN (rede de área de armazenamento). Inclui uma condição do ABAC para restringir atribuições de função.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Colaborador do Gerenciador de Frota de Kubernetes do Azure

Permite acesso de leitura/gravação nos recursos do Azure fornecidos pelo Gerenciador de Frota de Kubernetes do Azure, incluindo frotas, membros da frota, estratégias de atualização da frota, execuções de atualização da frota etc.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função de agente do Hub do Gerenciador de Frotas do Kubernetes do Azure

Permite acesso aos recursos do Azure necessários aos agentes do hub do Azure Kubernetes Fleet Manager.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to Azure resources needed by Azure Kubernetes Fleet Manager hub agents.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/de2b316d-7a2c-4143-b4cd-c148f6a355a1",
  "name": "de2b316d-7a2c-4143-b4cd-c148f6a355a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/trafficManagerProfiles/read",
        "Microsoft.Network/trafficManagerProfiles/write",
        "Microsoft.Network/trafficManagerProfiles/delete",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/read",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/write",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Hub Agent Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de RBAC do Gerenciador de Frota de Kubernetes do Azure

Permite acesso de leitura/gravação nos recursos do Kubernetes em um namespace no cluster hub gerenciado pela frota. Fornece permissões de gravação na maioria dos objetos dentro de um namespace, com exceção do objeto ResourceQuota e do próprio objeto namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do cluster de RBAC do Gerenciador de Frota de Kubernetes do Azure

Permite acesso de leitura/gravação em todos os recursos do Kubernetes no cluster hub gerenciado pela frota.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de RBAC do Gerenciador de Frota de Kubernetes do Azure

Permite acesso somente leitura na maioria dos recursos do Kubernetes em um namespace no cluster hub gerenciado pela frota. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador de RBAC do Gerenciador de Frota de Kubernetes do Azure

Permite acesso de leitura/gravação na maioria dos recursos do Kubernetes em um namespace no cluster hub gerenciado pela frota. Essa função não permite visualizar ou modificar funções nem associações de função. No entanto, essa função permite acessar segredos como qualquer conta de serviço no namespace e, portanto, pode ser usada para obter os níveis de acesso da API de qualquer ServiceAccount no namespace.  A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/write",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/deployments/write",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/write",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/write",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/configmaps/write",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/endpoints/write",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/write",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/write",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/write",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/write",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/read",
        "Microsoft.ContainerService/fleets/secrets/write",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/write",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/services/write",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Administrador do cluster do Arc do Serviço de Kubernetes do Azure

Lista a ação de credencial de administrador de cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Usuário do cluster do Arc do Serviço de Kubernetes do Azure

Lista a ação de credencial de usuário de cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Colaborador do Arc do Serviço de Kubernetes do Azure

Permite acesso de leitura/gravação em clusters híbridos do Serviço de Kubernetes do Azure

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Administrador do cluster do Serviço de Kubernetes do Azure

Lista a ação de credencial de administrador de cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Usuário do monitoramento do cluster do Serviço de Kubernetes do Azure

Lista a ação de credencial do usuário de monitoramento de cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Usuário do cluster do Serviço de Kubernetes do Azure

Lista a ação de credencial de usuário de cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Função Colaborador do Serviço de Kubernetes do Azure

Permite acesso de leitura/gravação em clusters do Serviço de Kubernetes do Azure

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do Namespace do Serviço de Kubernetes do Azure

Permite que os usuários criem e gerenciem recursos de namespace do Serviço de Kubernetes do Azure.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to create and manage Azure Kubernetes Service namespace resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/289d8817-ee69-43f1-a0af-43a45505b488",
  "name": "289d8817-ee69-43f1-a0af-43a45505b488",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/managedNamespaces/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Namespace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Usuário do Namespace do Serviço de Kubernetes do Azure

Permite que os usuários leiam os recursos do namespace do Serviço de Kubernetes do Azure. O acesso ao namespace no cluster requer ainda a atribuição de funções RBAC do Serviço de Kubernetes do Azure para o recurso de namespace para um cluster habilitado para a ID do Entra.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to read Azure Kubernetes Service namespace resources. In-cluster namespace access further requires assignment of Azure Kubernetes Service RBAC roles to the namespace resource for an Entra ID enabled cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c9f76ca8-b262-4b10-8ed2-09cf0948aa35",
  "name": "c9f76ca8-b262-4b10-8ed2-09cf0948aa35",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/managedNamespaces/read",
        "Microsoft.ContainerService/managedClusters/managedNamespaces/listCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Namespace User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de RBAC do Serviço de Kubernetes do Azure

Permite gerenciar todos os recursos no cluster ou no namespace, exceto atualizar ou excluir as cotas de recursos e os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Cluster do RBAC do Serviço de Kubernetes do Azure

Permite gerenciar todos os recursos no cluster.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de RBAC do Serviço de Kubernetes do Azure

Permite acesso somente leitura para ver a maioria dos objetos em um namespace. Não permite exibir funções nem associações de função. Essa função não permite exibir Segredos, pois a leitura do conteúdo dos Segredos permite acesso às credenciais de ServiceAccount no namespace, o que permitiria o acesso à API como qualquer ServiceAccount no namespace (uma forma de elevação de privilégio). A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador de RBAC do Serviço de Kubernetes do Azure

Permite acesso de leitura/gravação na maioria dos objetos em um namespace. Essa função não permite visualizar ou modificar funções nem associações de função. No entanto, essa função permite acessar os Segredos e executar Pods como qualquer ServiceAccount no namespace, de modo que ela possa ser usada para obter os níveis de acesso de API de qualquer ServiceAccount no namespace. A aplicação dessa função no escopo do cluster fornecerá acesso em todos os namespaces.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gerenciador do controlador de nuvem do Red Hat OpenShift no Azure

Gerencia e atualiza o gerenciador de controladores de nuvem implantado no OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage and update the cloud controller manager deployed on top of OpenShift.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
  "name": "a1f96423-95ce-4224-ab27-4e3dc72facd4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/publicIPPrefixes/join/action",
        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Cloud Controller Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de entrada de cluster do Red Hat OpenShift no Azure

Gerencia e configura o roteador do OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage and configure the OpenShift router.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
  "name": "0336e1d3-7a87-462b-b6db-342b63f7802c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/dnsZones/A/delete",
        "Microsoft.Network/dnsZones/A/write",
        "Microsoft.Network/privateDnsZones/A/delete",
        "Microsoft.Network/privateDnsZones/A/write",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Cluster Ingress Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de armazenamento em disco do Red Hat OpenShift no Azure

Instala drivers da CSI (Interface de Armazenamento de Contêiner) que permitem que o cluster use os Discos do Azure. Define os padrões de armazenamento em todo o cluster do OpenShift para garantir que exista uma classe de armazenamento padrão para clusters.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Disks. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
  "name": "5b7237c5-45e1-49d6-bc18-a1f62f400748",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/locations/DiskOperations/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Disk Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Credencial federada do Red Hat OpenShift no Azure

Cria, atualiza e exclui credenciais federadas em identidades gerenciadas atribuídas pelo usuário para criar uma relação de confiança entre a identidade gerenciada, o OIDC (OpenID Connect) e a conta de serviço.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ef318e2a-8334-4a05-9e4a-295a196c6a6e",
  "name": "ef318e2a-8334-4a05-9e4a-295a196c6a6e",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Federated Credential",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de armazenamento de arquivos do Red Hat OpenShift no Azure

Instala drivers da CSI (Interface de Armazenamento de Contêiner) que permitem que o cluster use os Arquivos do Azure. Define os padrões de armazenamento em todo o cluster do OpenShift para garantir que exista uma classe de armazenamento padrão para clusters.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Files. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
  "name": "0d7aedc0-15fd-4a67-a412-efad370c947e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/delete",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/natGateways/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift File Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de registro de imagem do Red Hat OpenShift no Azure

Habilita permissões para o operador gerenciar uma instância singleton do registro de imagem do OpenShift. Gerencia toda a configuração do registro, incluindo a criação de armazenamento.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
  "name": "8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Resources/tags/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Image Registry Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de API de computador do Red Hat OpenShift no Azure

Gerencia o ciclo de vida de CRD (definições de recursos personalizados) de finalidade específica, controladores e objetos do RBAC do Azure que estendem a API do Kubernetes para declarar o estado desejado dos computadores em um cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage the lifecycle of specific-purpose custom resource definitions (CRD), controllers, and Azure RBAC objects that extend the Kubernetes API to declares the desired state of machines in a cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
  "name": "0358943c-7e01-48ba-8889-02cc51d78637",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/availabilitySets/delete",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/availabilitySets/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/skus/read",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/capacityReservationGroups/deploy/action",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Network/applicationSecurityGroups/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action",
        "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
        "Microsoft.Network/loadBalancers/inboundNATRules/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Machine API Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de rede do Red Hat OpenShift no Azure

Instala e atualiza os componentes de rede em um cluster do OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install and upgrade the networking components on an OpenShift cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
  "name": "be7a6435-15ae-4171-8f30-4a343eff9e8f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/read",
        "Microsoft.Compute/virtualMachines/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Network Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de serviço do Red Hat OpenShift no Azure

Mantém a integridade do computador, a configuração de rede, o monitoramento e outros recursos específicos para a funcionalidade contínua de um cluster do OpenShift como um serviço gerenciado.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Maintain machine health, network configuration, monitoring, and other features that are specific to an OpenShift cluster's continued functionality as a managed service.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
  "name": "4436bae4-7702-4c84-919b-c4069ff25ee2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Service Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de CheckAccess da identidade gerenciada do cluster conectado

Função interna que permite que uma identidade gerenciada do cluster conectado chame a API checkAccess

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de ConnectedEnvironments dos Aplicativos de Contêiner

Gerenciamento completo de Aplicativos de Contêiner ConnectedEnvironments, incluindo criação, exclusão e atualizações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps ConnectedEnvironments, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f4fe6fc-f04f-4d97-8528-8bc18c848dca",
  "name": "6f4fe6fc-f04f-4d97-8528-8bc18c848dca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/connectedEnvironments/*",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/*/write",
        "Microsoft.App/connectedEnvironments/*/delete",
        "Microsoft.App/connectedEnvironments/*/action",
        "Microsoft.App/connectedEnvironments/daprComponents/listSecrets/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ConnectedEnvironments Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de ConnectedEnvironments dos Aplicativos de Contêiner

Acesso de leitura nos ConnectedEnvironments dos Aplicativos de Contêiner.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to Container Apps ConnectedEnvironments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5adeb5b-107f-4aca-99ea-4e3f4fc008d5",
  "name": "d5adeb5b-107f-4aca-99ea-4e3f4fc008d5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ConnectedEnvironments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador dos Aplicativos de Contêiner

Gerenciamento completo de Aplicativos de Contêiner, incluindo criação, exclusão e atualizações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/358470bc-b998-42bd-ab17-a7e34c199c0f",
  "name": "358470bc-b998-42bd-ab17-a7e34c199c0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/containerApps/*/read",
        "Microsoft.App/containerApps/*/write",
        "Microsoft.App/containerApps/*/delete",
        "Microsoft.App/containerApps/*/action",
        "Microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de trabalhos dos Aplicativos de Contêiner

Gerenciamento completo de "Container Apps" jobs, incluindo a criação, exclusão e atualizações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps jobs, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4e3d2b60-56ae-4dc6-a233-09c8e5a82e68",
  "name": "4e3d2b60-56ae-4dc6-a233-09c8e5a82e68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/jobs/*/action",
        "Microsoft.App/jobs/write",
        "Microsoft.App/jobs/delete",
        "Microsoft.app/managedenvironments/read",
        "Microsoft.App/managedenvironments/*/read",
        "Microsoft.App/managedenvironments/join/action",
        "Microsoft.App/managedenvironments/checknameavailability/action",
        "Microsoft.app/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador de trabalhos dos Aplicativos de Contêiner

Lê, inicia e interrompe trabalhos dos Aplicativos de Contêiner.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, start, and stop Container Apps jobs.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b9a307c4-5aa3-4b52-ba60-2b17c136cd7b",
  "name": "b9a307c4-5aa3-4b52-ba60-2b17c136cd7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/jobs/*/action",
        "Microsoft.app/managedenvironments/read",
        "Microsoft.App/managedenvironments/*/read",
        "Microsoft.App/managedenvironments/join/action",
        "Microsoft.App/managedenvironments/checknameavailability/action",
        "Microsoft.app/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.App/jobs/logstream/action",
        "Microsoft.App/jobs/exec/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de trabalhos dos Aplicativos de Contêiner

Acesso de leitura nos trabalhos dos Aplicativos de Contêiner

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps jobs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/edd66693-d32a-450b-997d-0158c03976b0",
  "name": "edd66693-d32a-450b-997d-0158c03976b0",
  "permissions": [
    {
      "actions": [
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/managedenvironments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de ManagedEnvironments dos Aplicativos de Contêiner

Gestão completa dos ambientes gerenciados de aplicativos de contêiner, incluindo criação, exclusão e atualizações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps ManagedEnvironments, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/57cc5028-e6a7-4284-868d-0611c5923f8d",
  "name": "57cc5028-e6a7-4284-868d-0611c5923f8d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/*/write",
        "Microsoft.App/managedEnvironments/*/delete",
        "Microsoft.App/managedEnvironments/*/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ManagedEnvironments Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de ManagedEnvironments dos Aplicativos de Contêiner

Acesso de leitura nos ambientes gerenciados dos Aplicativos de Contêiner.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps managedenvironments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1b32c00b-7eff-4c22-93e6-93d11d72d2d8",
  "name": "1b32c00b-7eff-4c22-93e6-93d11d72d2d8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/managedEnvironments/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ManagedEnvironments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador dos Aplicativos de Contêiner

Lê, faz logstream e exec em Aplicativos de Contêiner.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, logstream and exec into Container Apps.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f3bd1b5c-91fa-40e7-afe7-0c11d331232c",
  "name": "f3bd1b5c-91fa-40e7-afe7-0c11d331232c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/containerApps/*/read",
        "Microsoft.App/containerApps/*/action",
        "Microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.App/containerApps/logstream/action",
        "Microsoft.App/containerApps/exec/action",
        "Microsoft.App/containerApps/debug/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de SessionPools dos Aplicativos de Contêiner

Gerenciamento completo de SessionPools dos Aplicativos de Contêiner, incluindo criação, exclusão e atualizações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps SessionPools, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f7669afb-68b2-44b4-9c5f-6d2a47fddda0",
  "name": "f7669afb-68b2-44b4-9c5f-6d2a47fddda0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/sessionPools/*/read",
        "Microsoft.App/sessionPools/*/write",
        "Microsoft.App/sessionPools/*/delete",
        "Microsoft.App/sessionPools/*/action",
        "microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps SessionPools Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de SessionPools dos Aplicativos de Contêiner

Acesso de leitura nos sessionpools dos Aplicativos de Contêiner.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps sessionpools.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/af61e8fc-2633-4b95-bed3-421ad6826515",
  "name": "af61e8fc-2633-4b95-bed3-421ad6826515",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/sessionPools/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps SessionPools Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador de regras de cache do registro de contêiner

Criar, ler, atualizar e excluir regras de cache no Registro de Contêiner. Essa função não concede permissões para gerenciar Conjuntos de Credenciais.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/df87f177-bb12-4db1-9793-a413691eff94",
  "name": "df87f177-bb12-4db1-9793-a413691eff94",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/cacheRules/read",
        "Microsoft.ContainerRegistry/registries/cacheRules/write",
        "Microsoft.ContainerRegistry/registries/cacheRules/delete",
        "Microsoft.ContainerRegistry/registries/cacheRules/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Cache Rule Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor de regra de cache do Registro de Contêiner

Leia a configuração das regras de cache no Registro de Contêiner. Essa permissão não concede permissão para ler Conjuntos de Credenciais.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c357b964-0002-4b64-a50d-7a28f02edc52",
  "name": "c357b964-0002-4b64-a50d-7a28f02edc52",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/cacheRules/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Cache Rule Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor da configuração do registro de contêiner e Leitor da configuração de acesso a dados

Fornece permissões para listar registros de contêiner e propriedades de configuração do registro. Fornece permissões para listar a configuração de acesso a dados, como credenciais de usuário administrador, mapas de escopo e tokens, que podem ser usados para ler, gravar ou excluir repositórios e imagens. Não fornece permissões diretas para ler, listar ou gravar conteúdos do registro, incluindo repositórios e imagens. Não fornece permissões para modificar o conteúdo do plano de dados, como importações, o cache de artefato ou a sincronização e a transferência de pipelines. Não fornece permissões para gerenciar tarefas.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
  "name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do registro de contêiner e Administrador da configuração de acesso a dados

Fornece permissões para criar, listar e atualizar registros de contêiner e propriedades de configuração do registro. Fornece permissões para configurar o acesso a dados, como credenciais de usuário administrador, mapas de escopo e tokens, que podem ser usados para ler, gravar ou excluir repositórios e imagens. Não fornece permissões diretas para ler, listar ou gravar conteúdos do registro, incluindo repositórios e imagens. Não fornece permissões para modificar o conteúdo do plano de dados, como importações, o cache de artefato ou a sincronização e a transferência de pipelines. Não fornece permissões para gerenciar tarefas.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
  "name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/write",
        "Microsoft.ContainerRegistry/registries/delete",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
        "Microsoft.ContainerRegistry/registries/generateCredentials/action",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/write",
        "Microsoft.ContainerRegistry/registries/replications/delete",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/write",
        "Microsoft.ContainerRegistry/registries/tokens/delete",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/write",
        "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/write",
        "Microsoft.ContainerRegistry/registries/webhooks/delete",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.ContainerRegistry/locations/operationResults/read",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrador do Conjunto de Credenciais do Registro de Contêiner

Criar, ler, atualizar e excluir conjuntos de credenciais no Registro de Contêiner. Essa função não afeta as permissões necessárias para armazenar conteúdo dentro do Azure Key Vault. Essa função também não concede permissões para gerenciar regras de cache.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f094fb07-0703-4400-ad6a-e16dd8000e14",
  "name": "f094fb07-0703-4400-ad6a-e16dd8000e14",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/credentialSets/read",
        "Microsoft.ContainerRegistry/registries/credentialSets/write",
        "Microsoft.ContainerRegistry/registries/credentialSets/delete",
        "Microsoft.ContainerRegistry/registries/credentialSets/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Credential Set Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor do conjunto de credenciais do Registro de Contêiner

Leia a configuração dos Conjuntos de Credenciais no Registro de Contêiner. Essa permissão não permite permissão para ver o conteúdo dentro do Azure Key Vault somente o conteúdo dentro do Registro de Contêiner. Essa permissão não concede permissão para ler regras de cache.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/29093635-9924-4f2c-913b-650a12949526",
  "name": "29093635-9924-4f2c-913b-650a12949526",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/credentialSets/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Credential Set Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Importador de dados do registro de contêiner e Leitor de dados

Fornece a capacidade de importar imagens para um registro por meio da operação de importação do registro. Fornece a capacidade de listar repositórios, exibir imagens e marcas, obter manifestos e efetuar pull de imagens. Não fornece permissões para importar imagens por meio da configuração de pipelines de transferência do registro, como pipelines de importação e exportação. Não fornece permissões para importação por meio da configuração de regras de sincronização ou do cache de artefato.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/importImage/action",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Data Importer and Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Ouvinte do catálogo de repositório do registro de contêiner

Permite a listagem de todos os repositórios de um registro de contêiner do Azure. Essa função está em versão prévia e sujeita a alterações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Catalog Lister",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do repositório do registro de contêiner

Permite acesso de leitura, gravação e exclusão em repositórios do Registro de Contêiner do Azure, exceto a listagem de catálogo. Essa função está em versão prévia e sujeita a alterações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
        "Microsoft.ContainerRegistry/registries/repositories/content/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Leitor do repositório do registro de contêiner

Permite acesso de leitura nos repositórios do Registro de Contêiner do Azure, exceto a listagem de catálogo. Essa função está em versão prévia e sujeita a alterações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Gravador do repositório do registro de contêiner

Permite acesso de leitura/gravação nos repositórios do Registro de Contêiner do Azure, exceto a listagem de catálogo. Essa função está em versão prévia e sujeita a alterações.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
  "name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador de tarefas do registro de contêiner

Fornece permissões para configurar, ler, listar, disparar ou cancelar tarefas do registro de contêiner, execuções de tarefa, logs de tarefas, execuções rápidas, builds rápidos e pools do agente de tarefas. As permissões concedidas para o gerenciamento de tarefas podem ser usadas para permissões completas do plano de dados do registro, incluindo leitura/gravação/exclusão de imagens de contêiner em registros. As permissões concedidas para o gerenciamento de tarefas também podem ser usadas para executar diretivas de build criadas pelo cliente e executar scripts para criar artefatos de software.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
  "name": "fb382eab-e894-4461-af04-94435c366c3f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/agentpools/read",
        "Microsoft.ContainerRegistry/registries/agentpools/write",
        "Microsoft.ContainerRegistry/registries/agentpools/delete",
        "Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
        "Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
        "Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tasks/read",
        "Microsoft.ContainerRegistry/registries/tasks/write",
        "Microsoft.ContainerRegistry/registries/tasks/delete",
        "Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
        "Microsoft.ContainerRegistry/registries/scheduleRun/action",
        "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/read",
        "Microsoft.ContainerRegistry/registries/runs/write",
        "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/cancel/action",
        "Microsoft.ContainerRegistry/registries/taskruns/read",
        "Microsoft.ContainerRegistry/registries/taskruns/write",
        "Microsoft.ContainerRegistry/registries/taskruns/delete",
        "Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
        "Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Tasks Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do pipeline de transferência do registro de contêiner

Fornece a capacidade de transferir, importar e exportar artefatos por meio da configuração de pipelines de transferência de registro que envolvem contas de armazenamento intermediárias e cofres de chaves. Não fornece permissões para efetuar push ou pull de imagens. Não fornece permissões para criar, gerenciar ou lista contas de armazenamento ou cofres de chaves. Não fornece permissões para executar atribuições de função.

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/exportPipelines/read",
        "Microsoft.ContainerRegistry/registries/exportPipelines/write",
        "Microsoft.ContainerRegistry/registries/exportPipelines/delete",
        "Microsoft.ContainerRegistry/registries/importPipelines/read",
        "Microsoft.ContainerRegistry/registries/importPipelines/write",
        "Microsoft.ContainerRegistry/registries/importPipelines/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/read",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/write",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Transfer Pipeline Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Operador sem agente do Kubernetes

Permite ao Microsoft Defender para Nuvem acesso aos Serviços de Kubernetes do Azure

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Agentless Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cluster de Kubernetes – Integração ao Azure Arc

Definição de função para autorizar qualquer usuário ou serviço a criar um recurso connectedClusters

Saiba mais

{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador da Extensão de Kubernetes

Pode criar, atualizar, obter, listar e excluir Extensões Kubernetes e obter operações assíncronas de extensão

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Colaborador do cluster do Service Fabric

Gerencia os recursos do Cluster do Service Fabric. Inclui clusters, tipos de aplicativo, versões de tipo de aplicativo, aplicativos e serviços. Você precisará de permissões adicionais para implantar e gerenciar os recursos subjacentes do cluster, como conjuntos de dimensionamento de máquinas virtuais, contas de armazenamento, redes etc.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
  "name": "b6efc156-f0da-4e90-a50a-8c000140b017",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/clusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Configuração de cluster gerenciado do Service Fabric

Implanta e gerencia os recursos do Cluster Gerenciado do Service Fabric. Inclui clusters gerenciados, tipos de nó, tipos de aplicativo, versões de tipo de aplicativo, aplicativos e serviços.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
  "name": "83f80186-3729-438c-ad2d-39e94d718838",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/managedclusters/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Managed Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Próximas etapas

• Atribuir funções do Azure usando o portal do Azure