Rôles intégrés Azure pour les conteneurs

Cet article répertorie les rôles intégrés Azure de la catégorie Conteneurs.

AcrDelete

Supprime des référentiels, des étiquettes ou des manifestes d’un registre de conteneurs.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Évitez d’utiliser ce rôle. L’approbation de contenu dans Azure Container Registry et le rôle AcrImageSigner sont déconseillés et seront complètement supprimés le 31 mars 2028. Pour plus d’informations et pour obtenir des conseils sur la transition, consultez https://aka.ms/acr/dctdeprecation.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Planned DEPRECATION on March 31, 2028. Grant the signing permission for content trust. As content trust is being deprecated and will be completely removed on March 31, 2028, this role will also be removed. Refer to https://aka.ms/acr/dctdeprecation for details and transition guidance.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Extrait des artefacts à partir d’un registre de conteneurs.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Envoie des artefacts vers un registre de conteneurs ou extrait des artefacts de ce registre.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Extrait des images en quarantaine d’un registre de conteneurs.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Envoie des images en quarantaine vers un registre de conteneurs ou extrait des images en quarantaine de ce registre.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle d'utilisateur de cluster Kubernetes avec Azure Arc

Répertorie les actions relatives aux informations d'identification de l'utilisateur du cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur Kubernetes Azure Arc

Vous laisse gérer toutes les ressources sous cluster/espace de noms, à l’exception de la mise à jour ou de la suppression des quotas de ressource et des espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur de cluster Kubernetes Azure Arc

Vous permet de gérer toutes les ressources du cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Visionneuse Kubernetes Azure Arc

Vous permet de voir toutes les ressources du cluster/de l’espace de noms, à l’exception des secrets.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Auteur Kubernetes Azure Arc

Vous permet de mettre à jour tout ce qui se trouve dans le cluster/espace de noms, à l’exception des rôles (de cluster) et des liaisons de rôles (de cluster).

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle contributeur Azure Container Instances

Octroie un accès en lecture/écriture aux groupes de conteneurs fournis par Azure Container Instances

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to container groups provided by Azure Container Instances",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d977122-f97e-4b4d-a52f-6b43003ddb4d",
  "name": "5d977122-f97e-4b4d-a52f-6b43003ddb4d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerInstance/containerGroups/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Instances Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur Stockage de conteneurs Azure

Installez Stockage de conteneurs Azure et gérez ses ressources de stockage. Comprend une condition ABAC pour limiter les attributions de rôles.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and manage its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
  "permissions": [
    {
      "actions": [
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur Stockage de conteneurs Azure

Activez une identité managée pour effectuer des opérations Stockage de conteneurs Azure, telles que la gestion des machines virtuelles et la gestion des réseaux virtuels.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Role required by a Managed Identity for Azure Container Storage operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/virtualNetworks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Container Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Propriétaire Stockage de conteneurs Azure

Installez Stockage de conteneurs Azure, accordez l’accès à ses ressources de stockage et configurez le réseau SAN (Storage Area Network) élastique Azure. Comprend une condition ABAC pour limiter les attributions de rôles.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you install Azure Container Storage and grants access to its storage resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
  "name": "95de85bd-744d-4664-9dde-11430bc34793",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    },
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
    }
  ],
  "roleName": "Azure Container Storage Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle Contributeur Azure Kubernetes Fleet Manager

Accorde un accès en lecture/écriture aux ressources Azure fournies par Azure Kubernetes Fleet Manager, notamment les flottes, les membres de flotte, les stratégies de mise à jour de flotte, les exécutions de mises à jour de flotte, etc.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle d’agent Azure Kubernetes Fleet Manager Hub

Accorde l’accès aux ressources Azure nécessaires pour les agents de hub du Azure Kubernetes Fleet Manager.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to Azure resources needed by Azure Kubernetes Fleet Manager hub agents.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/de2b316d-7a2c-4143-b4cd-c148f6a355a1",
  "name": "de2b316d-7a2c-4143-b4cd-c148f6a355a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/trafficManagerProfiles/read",
        "Microsoft.Network/trafficManagerProfiles/write",
        "Microsoft.Network/trafficManagerProfiles/delete",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/read",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/write",
        "Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Hub Agent Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle d’utilisateur du cluster Hub Azure Kubernetes Fleet Manager

Accorde l’accès en lecture à Azure Kubernetes Fleet Manager ainsi qu’au fichier de configuration Kubernetes pour se connecter au cluster hub géré par la flotte.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read access to Azure Kubernetes Fleet Manager as well as the Kubernetes config file to connect to the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/850c5848-fc51-4a9a-8823-f220370626e3",
  "name": "850c5848-fc51-4a9a-8823-f220370626e3",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/fleets/listCredentials/action",
        "Microsoft.ContainerService/fleets/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager Hub Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur RBAC Azure Kubernetes Fleet Manager

Octroie un accès en lecture/écriture aux ressources Kubernetes au sein d’un espace de noms dans le cluster hub géré par la flotte : fournit des autorisations en écriture sur la plupart des objets d’un espace de noms, à l’exception de l’objet ResourceQuota et de l’objet namespace lui-même. L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur RBAC d'Azure Kubernetes Fleet Manager pour les clusters membres

Ce rôle accorde l’accès administrateur : fournit des autorisations d’écriture sur la plupart des objets d’un espace de noms, à l’exception de l’objet ResourceQuota et de l’objet d’espace de noms lui-même. L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d1f699ed-700a-4c77-a22f-29890ac7b115",
  "name": "d1f699ed-700a-4c77-a22f-29890ac7b115",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/members/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/fleets/members/resourcequotas/write",
        "Microsoft.ContainerService/fleets/members/resourcequotas/delete",
        "Microsoft.ContainerService/fleets/members/namespaces/write",
        "Microsoft.ContainerService/fleets/members/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin for Member Clusters",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur de cluster RBAC Azure Kubernetes Fleet Manager

Accorde un accès en lecture/écriture à toutes les ressources Kubernetes dans le cluster hub géré par la flotte.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/fleets/members/*"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur de cluster RBAC Azure Kubernetes Fleet Manager pour les clusters membres

Vous permet de gérer toutes les ressources dans les clusters membres de la flotte.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the member clusters in the fleet.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/79a36d98-eb96-4a76-ae1d-481dc98d2c23",
  "name": "79a36d98-eb96-4a76-ae1d-481dc98d2c23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/members/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin for Member Clusters",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur RBAC Azure Kubernetes Fleet Manager

Accorde un accès en lecture seule à la plupart des ressources Kubernetes d’un espace de noms dans le cluster hub géré par la flotte. Ce rôle n’autorise pas l’affichage des rôles ni des liaisons de rôles. Il n’autorise pas l’affichage des secrets, car la lecture du contenu de Secrets donne accès aux informations d’identification ServiceAccount dans l’espace de noms, ce qui permet l’accès aux API comme n’importe quel ServiceAccount dans l’espace de noms (une forme d’élévation de privilèges). L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur RBAC Azure Kubernetes Fleet Manager pour les clusters membres

Autorise l’accès en lecture seule pour voir la plupart des objets d’un espace de noms. Ce rôle n’autorise pas l’affichage des rôles ni des liaisons de rôles. Il n’autorise pas l’affichage des secrets, car la lecture du contenu de Secrets donne accès aux informations d’identification ServiceAccount dans l’espace de noms, ce qui permet l’accès aux API comme n’importe quel ServiceAccount dans l’espace de noms (une forme d’élévation de privilèges).  L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/463ad26c-fcce-4469-9c7f-5653d8acbab5",
  "name": "463ad26c-fcce-4469-9c7f-5653d8acbab5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/members/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/members/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/members/apps/deployments/read",
        "Microsoft.ContainerService/fleets/members/apps/replicasets/read",
        "Microsoft.ContainerService/fleets/members/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/members/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/members/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/members/batch/jobs/read",
        "Microsoft.ContainerService/fleets/members/configmaps/read",
        "Microsoft.ContainerService/fleets/members/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/fleets/members/endpoints/read",
        "Microsoft.ContainerService/fleets/members/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/members/events/read",
        "Microsoft.ContainerService/fleets/members/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/members/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/members/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/members/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/members/extensions/replicasets/read",
        "Microsoft.ContainerService/fleets/members/limitranges/read",
        "Microsoft.ContainerService/fleets/members/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/fleets/members/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/fleets/members/namespaces/read",
        "Microsoft.ContainerService/fleets/members/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/members/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/members/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/members/pods/read",
        "Microsoft.ContainerService/fleets/members/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/members/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/members/resourcequotas/read",
        "Microsoft.ContainerService/fleets/members/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/members/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader for Member Clusters",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Auteur RBAC Azure Kubernetes Fleet Manager

Accorde l’accès en lecture/écriture à la plupart des ressources Kubernetes d’un espace de noms dans le cluster hub géré par la flotte. Ce rôle n’autorise ni la consultation ni la modification des rôles et des liaisons de rôles. Toutefois, ce rôle permet d’accéder aux secrets comme n’importe quel ServiceAccount de l’espace de noms, donc il peut être utilisé pour obtenir les niveaux d’accès d’API de n’importe quel ServiceAccount de l’espace de noms.  L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/write",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/deployments/write",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/write",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/write",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/configmaps/write",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/endpoints/write",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/write",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/write",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/write",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/write",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/read",
        "Microsoft.ContainerService/fleets/secrets/write",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/write",
        "Microsoft.ContainerService/fleets/services/read",
        "Microsoft.ContainerService/fleets/services/write",
        "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
        "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Enregistreur RBAC de Azure Kubernetes Fleet Manager pour les clusters membres

Autorise l’accès en lecture/écriture à la plupart des objets d’un espace de noms. Ce rôle n’autorise ni la consultation ni la modification des rôles et des liaisons de rôles. Toutefois, ce rôle permet d’accéder aux secrets et d’exécuter des pods comme n’importe quel ServiceAccount de l’espace de noms, donc il peut être utilisé pour obtenir les niveaux d’accès d’API de n’importe quel ServiceAccount dans l’espace de noms.  L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/50346970-0998-40f2-b47d-f3b8809840f8",
  "name": "50346970-0998-40f2-b47d-f3b8809840f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/members/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/members/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/members/apps/deployments/*",
        "Microsoft.ContainerService/fleets/members/apps/replicasets/*",
        "Microsoft.ContainerService/fleets/members/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/members/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/members/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/members/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/fleets/members/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/fleets/members/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/fleets/members/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/fleets/members/batch/jobs/*",
        "Microsoft.ContainerService/fleets/members/configmaps/*",
        "Microsoft.ContainerService/fleets/members/endpoints/*",
        "Microsoft.ContainerService/fleets/members/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/members/events/*",
        "Microsoft.ContainerService/fleets/members/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/members/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/members/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/members/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/members/extensions/replicasets/*",
        "Microsoft.ContainerService/fleets/members/limitranges/read",
        "Microsoft.ContainerService/fleets/members/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/fleets/members/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/fleets/members/namespaces/read",
        "Microsoft.ContainerService/fleets/members/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/members/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/members/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/members/pods/*",
        "Microsoft.ContainerService/fleets/members/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/members/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/members/resourcequotas/read",
        "Microsoft.ContainerService/fleets/members/secrets/*",
        "Microsoft.ContainerService/fleets/members/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/members/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer for Member Clusters",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle d’administrateur de cluster Azure Kubernetes Service Arc

Répertorie l’action relative aux informations d’identification de l’administrateur de cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle Utilisateur de cluster Azure Kubernetes Service Arc

Répertorie l’action relative aux informations d’identification de l’utilisateur de cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-42ff-9fba-87ef12d6b55f",
  "name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action",
        "Microsoft.Kubernetes/connectedClusters/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle Contributeur Azure Kubernetes Service Arc

Accorde l’accès aux clusters hybrides Azure Kubernetes Services en lecture et en écriture

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Services hybrid clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-4d08-bb4a-477695db5f82",
  "name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridContainerService/Locations/operationStatuses/read",
        "Microsoft.HybridContainerService/Locations/operationStatuses/write",
        "Microsoft.HybridContainerService/Operations/read",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/kubernetesVersions/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write",
        "Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.HybridContainerService/skus/delete",
        "Microsoft.HybridContainerService/virtualNetworks/read",
        "Microsoft.HybridContainerService/virtualNetworks/write",
        "Microsoft.HybridContainerService/virtualNetworks/delete",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Kubernetes/connectedClusters/Read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/Delete",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
        "Microsoft.AzureStackHCI/clusters/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.HybridContainerService/provisionedClusterInstances/hybridIdentityMetadata/delete",
        "Microsoft.HybridContainerService/provisionedClusterInstances/hybridIdentityMetadata/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Arc Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle d’administrateur de cluster Azure Kubernetes Service

Répertorie l’action relative aux informations d’identification de l’administrateur de cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Utilisateur de surveillance de cluster Azure Kubernetes Service

Action Lister les informations d’identification de l’utilisateur de surveillance de cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle Utilisateur de cluster Azure Kubernetes Service

Répertorie l’action relative aux informations d’identification de l’utilisateur de cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Rôle Contributeur Azure Kubernetes Service

Octroie l’accès en lecture et en écriture aux clusters Azure Kubernetes Service

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerService/locations/*",
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.ContainerService/managedclustersnapshots/*",
        "Microsoft.ContainerService/snapshots/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/deploymentSafeguards/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur de l’espace de noms Azure Kubernetes Service

Permet aux utilisateurs de créer et de gérer des ressources d’espace de noms Azure Kubernetes Service.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to create and manage Azure Kubernetes Service namespace resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/289d8817-ee69-43f1-a0af-43a45505b488",
  "name": "289d8817-ee69-43f1-a0af-43a45505b488",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/managedNamespaces/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Namespace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Utilisateur de l’espace de noms Azure Kubernetes Service

Permet aux utilisateurs de lire les ressources d’espace de noms Azure Kubernetes Service. L’accès à l’espace de noms dans le cluster nécessite davantage l’attribution de rôles RBAC Azure Kubernetes Service à la ressource d’espace de noms pour un cluster Entra ID activé.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to read Azure Kubernetes Service namespace resources. In-cluster namespace access further requires assignment of Azure Kubernetes Service RBAC roles to the namespace resource for an Entra ID enabled cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c9f76ca8-b262-4b10-8ed2-09cf0948aa35",
  "name": "c9f76ca8-b262-4b10-8ed2-09cf0948aa35",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/managedNamespaces/read",
        "Microsoft.ContainerService/managedClusters/managedNamespaces/listCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Namespace User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur RBAC Azure Kubernetes Service

Vous laisse gérer toutes les ressources sous cluster/espace de noms, à l’exception de la mise à jour ou de la suppression des quotas de ressource et des espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur de cluster RBAC Azure Kubernetes Service

Vous permet de gérer toutes les ressources du cluster.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur RBAC Azure Kubernetes Service

Autorise l’accès en lecture seule pour voir la plupart des objets d’un espace de noms. Ce rôle n’autorise pas l’affichage des rôles ni des liaisons de rôles. Il n’autorise pas l’affichage des secrets, car la lecture du contenu de Secrets donne accès aux informations d’identification ServiceAccount dans l’espace de noms, ce qui permet l’accès aux API comme n’importe quel ServiceAccount dans l’espace de noms (une forme d’élévation de privilèges). L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Auteur RBAC Azure Kubernetes Service

Autorise l’accès en lecture/écriture à la plupart des objets d’un espace de noms. Ce rôle n’autorise ni la consultation ni la modification des rôles et des liaisons de rôles. Toutefois, ce rôle permet d’accéder aux secrets et d’exécuter des pods comme n’importe quel ServiceAccount de l’espace de noms, donc il peut être utilisé pour obtenir les niveaux d’accès d’API de n’importe quel ServiceAccount dans l’espace de noms. L’application de ce rôle à l’étendue du cluster fournit un accès à tous les espaces de noms.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Red Hat OpenShift Cloud Controller Manager

Gérez et mettez à jour le gestionnaire de contrôleurs cloud déployé sur OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage and update the cloud controller manager deployed on top of OpenShift.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a1f96423-95ce-4224-ab27-4e3dc72facd4",
  "name": "a1f96423-95ce-4224-ab27-4e3dc72facd4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/publicIPPrefixes/join/action",
        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/privatelinkservices/write",
        "Microsoft.Network/privatelinkservices/read",
        "Microsoft.Network/privatelinkservices/delete",
        "Microsoft.Network/loadBalancers/loadBalancingRules/read",
        "Microsoft.Network/serviceEndpointPolicies/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkIntentPolicies/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Cloud Controller Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur d’entrée de cluster Azure Red Hat OpenShift

Gérez et configurez le routeur OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage and configure the OpenShift router.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0336e1d3-7a87-462b-b6db-342b63f7802c",
  "name": "0336e1d3-7a87-462b-b6db-342b63f7802c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/dnsZones/A/delete",
        "Microsoft.Network/dnsZones/A/write",
        "Microsoft.Network/privateDnsZones/A/delete",
        "Microsoft.Network/privateDnsZones/A/write",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Cluster Ingress Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur de stockage de disque Azure Red Hat OpenShift

Installez des pilotes CSI (Container Storage Interface) qui permettent à votre cluster d’utiliser des disques Azure. Définissez les valeurs par défaut du stockage à l’échelle du cluster OpenShift pour garantir qu’une classe de stockage par défaut existe pour les clusters.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Disks. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5b7237c5-45e1-49d6-bc18-a1f62f400748",
  "name": "5b7237c5-45e1-49d6-bc18-a1f62f400748",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/locations/DiskOperations/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Disk Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Informations d’identification fédérées Azure Red Hat OpenShift

Créez, mettez à jour et supprimez des informations d’identification fédérées sur les identités managées affectées par l’utilisateur afin de créer une relation d’approbation entre l’identité managée, OpenID Connect (OIDC) et le compte de service.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ef318e2a-8334-4a05-9e4a-295a196c6a6e",
  "name": "ef318e2a-8334-4a05-9e4a-295a196c6a6e",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Federated Credential",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur de stockage de fichiers Azure Red Hat OpenShift

Installez des pilotes CSI (Container Storage Interface) qui permettent à votre cluster d’utiliser Azure Files. Définissez les valeurs par défaut du stockage à l’échelle du cluster OpenShift pour garantir qu’une classe de stockage par défaut existe pour les clusters.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Files. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0d7aedc0-15fd-4a67-a412-efad370c947e",
  "name": "0d7aedc0-15fd-4a67-a412-efad370c947e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/delete",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/privateEndpoints/write",
        "Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action",
        "Microsoft.Network/networkIntentPolicies/join/action",
        "Microsoft.Network/serviceEndpointPolicies/join/action",
        "Microsoft.Network/locations/operations/read",
        "Microsoft.Network/privateDnsOperationStatuses/read",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
        "Microsoft.Network/privateDnsZones/write",
        "Microsoft.Network/privateDnsZones/join/action",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
        "Microsoft.Network/privateEndpoints/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift File Storage Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur de registre d’images Azure Red Hat OpenShift

Permet à l’opérateur de gérer une instance singleton du registre d’images OpenShift. Il gère toutes les configurations du registre, notamment la création d’un stockage.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
  "name": "8b32b316-c2f5-4ddf-b05b-83dacd2d08b5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Resources/tags/write",
        "Microsoft.Network/privateEndpoints/write",
        "Microsoft.Network/privateEndpoints/read",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/write",
        "Microsoft.Network/privateDnsZones/join/action",
        "Microsoft.Network/privateDnsZones/A/write",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/join/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Image Registry Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur d’API de machine Azure Red Hat OpenShift

Gérez le cycle de vie des définitions de ressources personnalisées à usage spécifique (CRD), des contrôleurs et des objets RBAC Azure qui étendent l’API Kubernetes pour déclarer l’état souhaité des machines dans un cluster.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage the lifecycle of specific-purpose custom resource definitions (CRD), controllers, and Azure RBAC objects that extend the Kubernetes API to declares the desired state of machines in a cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0358943c-7e01-48ba-8889-02cc51d78637",
  "name": "0358943c-7e01-48ba-8889-02cc51d78637",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/availabilitySets/delete",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/availabilitySets/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/skus/read",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/capacityReservationGroups/deploy/action",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Network/applicationSecurityGroups/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action",
        "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
        "Microsoft.Network/loadBalancers/inboundNATRules/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Machine API Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur réseau Azure Red Hat OpenShift

Installez et mettez à niveau les composants réseau sur un cluster OpenShift.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Install and upgrade the networking components on an OpenShift cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/be7a6435-15ae-4171-8f30-4a343eff9e8f",
  "name": "be7a6435-15ae-4171-8f30-4a343eff9e8f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/read",
        "Microsoft.Compute/virtualMachines/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Network Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur de service Azure Red Hat OpenShift

Gérez l’intégrité de la machine, la configuration réseau, la surveillance et d’autres fonctionnalités spécifiques au fonctionnement continu d’un cluster OpenShift en tant que service managé.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Maintain machine health, network configuration, monitoring, and other features that are specific to an OpenShift cluster's continued functionality as a managed service.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4436bae4-7702-4c84-919b-c4069ff25ee2",
  "name": "4436bae4-7702-4c84-919b-c4069ff25ee2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/serviceEndpointPolicies/join/action",
        "Microsoft.Network/networkIntentPolicies/join/action",
        "Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Red Hat OpenShift Service Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur CheckAccess d’identité managée de cluster connecté

Rôle intégré qui permet à une identité managée de cluster connecté d’appeler l’API checkAccess

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Connected Cluster Managed Identity CheckAccess Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur de Container Apps ConnectedEnvironments

Gestion complète de Container Apps ConnectedEnvironments, notamment la création, la suppression et les mises à jour.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps ConnectedEnvironments, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f4fe6fc-f04f-4d97-8528-8bc18c848dca",
  "name": "6f4fe6fc-f04f-4d97-8528-8bc18c848dca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/connectedEnvironments/*",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/*/write",
        "Microsoft.App/connectedEnvironments/*/delete",
        "Microsoft.App/connectedEnvironments/*/action",
        "Microsoft.App/connectedEnvironments/daprComponents/listSecrets/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ConnectedEnvironments Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur ConnectedEnvironments Container Apps

Accès en lecture aux environnements connectés Container Apps.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to Container Apps ConnectedEnvironments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5adeb5b-107f-4aca-99ea-4e3f4fc008d5",
  "name": "d5adeb5b-107f-4aca-99ea-4e3f4fc008d5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ConnectedEnvironments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur Container Apps

Gestion complète de Container Apps, notamment la création, la suppression et les mises à jour.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/358470bc-b998-42bd-ab17-a7e34c199c0f",
  "name": "358470bc-b998-42bd-ab17-a7e34c199c0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/containerApps/*/read",
        "Microsoft.App/containerApps/*/write",
        "Microsoft.App/containerApps/*/delete",
        "Microsoft.App/containerApps/*/action",
        "Microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux travaux Container Apps

Gestion complète des travaux Container Apps, notamment la création, la suppression et les mises à jour.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps jobs, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4e3d2b60-56ae-4dc6-a233-09c8e5a82e68",
  "name": "4e3d2b60-56ae-4dc6-a233-09c8e5a82e68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/jobs/*/action",
        "Microsoft.App/jobs/write",
        "Microsoft.App/jobs/delete",
        "Microsoft.app/managedenvironments/read",
        "Microsoft.App/managedenvironments/*/read",
        "Microsoft.App/managedenvironments/join/action",
        "Microsoft.App/managedenvironments/checknameavailability/action",
        "Microsoft.app/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur de travaux Container Apps

Lisez, démarrez et arrêtez des travaux Container Apps.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, start, and stop Container Apps jobs.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b9a307c4-5aa3-4b52-ba60-2b17c136cd7b",
  "name": "b9a307c4-5aa3-4b52-ba60-2b17c136cd7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/jobs/*/action",
        "Microsoft.app/managedenvironments/read",
        "Microsoft.App/managedenvironments/*/read",
        "Microsoft.App/managedenvironments/join/action",
        "Microsoft.App/managedenvironments/checknameavailability/action",
        "Microsoft.app/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.App/jobs/logstream/action",
        "Microsoft.App/jobs/exec/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur de travaux Container Apps

Accès en lecture aux travaux ContainerApps

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps jobs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/edd66693-d32a-450b-997d-0158c03976b0",
  "name": "edd66693-d32a-450b-997d-0158c03976b0",
  "permissions": [
    {
      "actions": [
        "microsoft.app/jobs/read",
        "Microsoft.App/jobs/*/read",
        "Microsoft.App/managedenvironments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Jobs Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux environnements managés Container Apps

Gestion complète de Container Apps ManagedEnvironments, notamment la création, la suppression et les mises à jour.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps ManagedEnvironments, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/57cc5028-e6a7-4284-868d-0611c5923f8d",
  "name": "57cc5028-e6a7-4284-868d-0611c5923f8d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/*/write",
        "Microsoft.App/managedEnvironments/*/delete",
        "Microsoft.App/managedEnvironments/*/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ManagedEnvironments Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur des environnements managés Container Apps

Accédez en lecture aux environnements managés Container Apps.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps managedenvironments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1b32c00b-7eff-4c22-93e6-93d11d72d2d8",
  "name": "1b32c00b-7eff-4c22-93e6-93d11d72d2d8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/managedEnvironments/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps ManagedEnvironments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Opérateur Container Apps

Lisez, créez des flux de journaux et exécutez dans Container Apps.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, logstream and exec into Container Apps.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f3bd1b5c-91fa-40e7-afe7-0c11d331232c",
  "name": "f3bd1b5c-91fa-40e7-afe7-0c11d331232c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/containerApps/*/read",
        "Microsoft.App/containerApps/*/action",
        "Microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "Microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.App/containerApps/logstream/action",
        "Microsoft.App/containerApps/exec/action",
        "Microsoft.App/containerApps/debug/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux pools de sessions Container Apps

Gestion complète des pools de sessions Container Apps, notamment la création, la suppression et les mises à jour.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Full management of Container Apps SessionPools, including creation, deletion, and updates.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f7669afb-68b2-44b4-9c5f-6d2a47fddda0",
  "name": "f7669afb-68b2-44b4-9c5f-6d2a47fddda0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/sessionPools/*/read",
        "Microsoft.App/sessionPools/*/write",
        "Microsoft.App/sessionPools/*/delete",
        "Microsoft.App/sessionPools/*/action",
        "microsoft.App/managedEnvironments/read",
        "Microsoft.App/managedEnvironments/*/read",
        "Microsoft.App/managedEnvironments/join/action",
        "Microsoft.App/managedEnvironments/checknameavailability/action",
        "microsoft.App/connectedEnvironments/read",
        "Microsoft.App/connectedEnvironments/*/read",
        "Microsoft.App/connectedEnvironments/join/action",
        "Microsoft.App/connectedEnvironments/checknameavailability/action",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [
        "Microsoft.App/sessionPools/fetchMcpServerCredentials/action",
        "Microsoft.App/sessionPools/rotateMcpServerCredentials/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps SessionPools Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur de pools de session Container Apps

Accédez en lecture aux pools de session Container Apps.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read access to ContainerApps sessionpools.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/af61e8fc-2633-4b95-bed3-421ad6826515",
  "name": "af61e8fc-2633-4b95-bed3-421ad6826515",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.App/sessionPools/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Apps SessionPools Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur de règle de cache de Registre de conteneurs

Créez, lisez, mettez à jour et supprimez des règles de cache dans Container Registry. Ce rôle n’accorde pas d’autorisations pour gérer les ensembles d'identifiants.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/df87f177-bb12-4db1-9793-a413691eff94",
  "name": "df87f177-bb12-4db1-9793-a413691eff94",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/cacheRules/read",
        "Microsoft.ContainerRegistry/registries/cacheRules/write",
        "Microsoft.ContainerRegistry/registries/cacheRules/delete",
        "Microsoft.ContainerRegistry/registries/cacheRules/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Cache Rule Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur de règle de cache du Registre de conteneurs

Lisez la configuration des règles de cache dans Container Registry. Cette autorisation n’accorde pas l’autorisation de lire les ensembles d'identifiants.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c357b964-0002-4b64-a50d-7a28f02edc52",
  "name": "c357b964-0002-4b64-a50d-7a28f02edc52",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/cacheRules/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Cache Rule Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur de configuration de registre de conteneurs et lecteur de configuration d’accès aux données

Fournit des autorisations pour lister les registres de conteneurs et les propriétés de configuration des registres. Fournit des autorisations pour lister la configuration d’accès aux données, telles que les informations d’identification de l’utilisateur administrateur, les mappages d’étendue et les jetons, qui peuvent être utilisées pour lire, écrire ou supprimer des référentiels et des images. Ne fournit pas d’autorisations directes pour lire, lister ou écrire du contenu de registre, y compris les référentiels et les images. Ne fournit pas d’autorisations pour modifier le contenu du plan de données, comme les importations, le cache d’artefacts ou la synchronisation et les pipelines de transfert. Ne fournit pas d’autorisations pour la gestion des tâches.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69b07be0-09bf-439a-b9a6-e73de851bd59",
  "name": "69b07be0-09bf-439a-b9a6-e73de851bd59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Configuration Reader and Data Access Configuration Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur au registre de conteneurs et administrateur de configuration de l’accès aux données

Fournit des autorisations pour créer, lister et mettre à jour des registres de conteneurs et des propriétés de configuration de registre. Fournit des autorisations pour configurer l’accès aux données, telles que les informations d’identification de l’utilisateur administrateur, les mappages d’étendue et les jetons, qui peuvent être utilisées pour lire, écrire ou supprimer des référentiels et des images. Ne fournit pas d’autorisations directes pour lire, lister ou écrire du contenu de registre, y compris les référentiels et les images. Ne fournit pas d’autorisations pour modifier le contenu du plan de données, comme les importations, le cache d’artefacts ou la synchronisation et les pipelines de transfert. Ne fournit pas d’autorisations pour la gestion des tâches.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
  "name": "3bc748fc-213d-45c1-8d91-9da5725539b9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/write",
        "Microsoft.ContainerRegistry/registries/delete",
        "Microsoft.ContainerRegistry/registries/listCredentials/action",
        "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
        "Microsoft.ContainerRegistry/registries/generateCredentials/action",
        "Microsoft.ContainerRegistry/registries/replications/read",
        "Microsoft.ContainerRegistry/registries/replications/write",
        "Microsoft.ContainerRegistry/registries/replications/delete",
        "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
        "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tokens/read",
        "Microsoft.ContainerRegistry/registries/tokens/write",
        "Microsoft.ContainerRegistry/registries/tokens/delete",
        "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/read",
        "Microsoft.ContainerRegistry/registries/scopeMaps/write",
        "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
        "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
        "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
        "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
        "Microsoft.ContainerRegistry/registries/webhooks/read",
        "Microsoft.ContainerRegistry/registries/webhooks/write",
        "Microsoft.ContainerRegistry/registries/webhooks/delete",
        "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
        "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
        "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
        "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.ContainerRegistry/locations/operationResults/read",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Administrateur du jeu d’informations d’identification du Registre de conteneurs

Créez, lisez, mettez à jour et supprimez des jeux d’informations d’identification dans Container Registry. Ce rôle n’affecte pas les autorisations nécessaires pour stocker du contenu dans Azure Key Vault. Ce rôle n’accorde pas non plus d’autorisations pour gérer les règles de cache.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f094fb07-0703-4400-ad6a-e16dd8000e14",
  "name": "f094fb07-0703-4400-ad6a-e16dd8000e14",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/credentialSets/read",
        "Microsoft.ContainerRegistry/registries/credentialSets/write",
        "Microsoft.ContainerRegistry/registries/credentialSets/delete",
        "Microsoft.ContainerRegistry/registries/credentialSets/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Credential Set Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur du jeu d’informations d’identification de Container Registry

Lisez la configuration des jeux d’informations d’identification dans Container Registry. Cette autorisation n’autorise pas l’affichage du contenu à l’intérieur d'Azure Key Vault, mais uniquement le contenu au sein de Container Registry. Cette autorisation n’accorde pas l’autorisation de lire les règles de cache.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/29093635-9924-4f2c-913b-650a12949526",
  "name": "29093635-9924-4f2c-913b-650a12949526",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/credentialSets/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Credential Set Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Importateur de données et lecteur de données Container Registry

Permet d’importer des images dans un registre via l’opération d’importation de registre. Permet de lister les référentiels, de voir les images et les étiquettes, d’obtenir les manifestes et d’extraire les images. Ne fournit pas d’autorisations pour l’importation d’images par le biais de la configuration de pipelines de transfert de registre tels que les pipelines d’importation et d’exportation. Ne fournit pas d’autorisations pour l’importation par le biais de la configuration du cache d’artefacts ou des règles de synchronisation.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "name": "577a9874-89fd-4f24-9dbd-b5034d0ad23a",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/importImage/action",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Data Importer and Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Listeur de catalogues de référentiels de registre de conteneurs

Permet de lister tous les référentiels d’un registre Azure Container Registry.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listing all repositories in an Azure Container Registry.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "name": "bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/catalog/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Catalog Lister",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux référentiels Container Registry

Permet de lire, d’écrire et de supprimer l’accès aux référentiels Azure Container Registry, à l’exclusion du listing de catalogues.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "name": "2efddaa5-3f1f-4df3-97df-af3f13818f4c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
        "Microsoft.ContainerRegistry/registries/repositories/content/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lecteur de référentiels Container Registry

Autorise l’accès en lecture aux référentiels Azure Container Registry, à l’exclusion du listing de catalogues.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Container Registry repositories, but excluding catalog listing.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "name": "b93aa761-3e63-49ed-ac28-beffa264f7ac",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Auteur de référentiels Container Registry

Permet l’accès en lecture et en écriture aux référentiels Azure Container Registry, à l’exclusion du listing de catalogues.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a1e307c-b015-4ebd-883e-5b7698a07328",
  "name": "2a1e307c-b015-4ebd-883e-5b7698a07328",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
        "Microsoft.ContainerRegistry/registries/repositories/content/read",
        "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
        "Microsoft.ContainerRegistry/registries/repositories/content/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Repository Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux tâches Container Registry

Fournit des autorisations pour configurer, lire, lister, déclencher ou annuler des tâches, des exécutions de tâches, des journaux de tâches, des exécutions rapides, des générations rapides et des pools d’agents de tâches Container Registry. Les autorisations accordées pour la gestion des tâches peuvent être utilisées pour les autorisations complètes de plan de données de registre, notamment la lecture/écriture/suppression d’images conteneur dans les registres. Les autorisations accordées pour la gestion des tâches peuvent également être utilisées pour exécuter des directives de génération créées par le client et exécuter des scripts pour générer des artefacts logiciels.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb382eab-e894-4461-af04-94435c366c3f",
  "name": "fb382eab-e894-4461-af04-94435c366c3f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/agentpools/read",
        "Microsoft.ContainerRegistry/registries/agentpools/write",
        "Microsoft.ContainerRegistry/registries/agentpools/delete",
        "Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action",
        "Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read",
        "Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read",
        "Microsoft.ContainerRegistry/registries/tasks/read",
        "Microsoft.ContainerRegistry/registries/tasks/write",
        "Microsoft.ContainerRegistry/registries/tasks/delete",
        "Microsoft.ContainerRegistry/registries/tasks/listDetails/action",
        "Microsoft.ContainerRegistry/registries/scheduleRun/action",
        "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/read",
        "Microsoft.ContainerRegistry/registries/runs/write",
        "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action",
        "Microsoft.ContainerRegistry/registries/runs/cancel/action",
        "Microsoft.ContainerRegistry/registries/taskruns/read",
        "Microsoft.ContainerRegistry/registries/taskruns/write",
        "Microsoft.ContainerRegistry/registries/taskruns/delete",
        "Microsoft.ContainerRegistry/registries/taskruns/listDetails/action",
        "Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerRegistry/registries/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Tasks Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux pipelines de transfert Container Registry

Permet de transférer, d’importer et d’exporter des artefacts via la configuration de pipelines de transfert de registre qui impliquent des comptes de stockage et des coffres de clés intermédiaires. Ne fournit pas d’autorisations pour envoyer ou extraire des images. Ne fournit pas d’autorisations pour créer, gérer ou lister des comptes de stockage ou des coffres de clés. Ne fournit pas d’autorisations pour effectuer des attributions de rôles.

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "name": "bf94e731-3a51-4a7c-8c54-a1ab9971dfc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/exportPipelines/read",
        "Microsoft.ContainerRegistry/registries/exportPipelines/write",
        "Microsoft.ContainerRegistry/registries/exportPipelines/delete",
        "Microsoft.ContainerRegistry/registries/importPipelines/read",
        "Microsoft.ContainerRegistry/registries/importPipelines/write",
        "Microsoft.ContainerRegistry/registries/importPipelines/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/read",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/write",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/delete",
        "Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Container Registry Transfer Pipeline Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Accès à l’API Kubernetes Defender

Octroie à Microsoft Defender for Cloud l’accès à Azure Kubernetes Services

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Security/pricings/securityoperators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Defender Kubernetes API Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cluster Kubernetes – Intégration Azure Arc

Définition de rôle pour autoriser tout utilisateur/service à créer une ressource connectedClusters

En savoir plus

{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux extensions Kubernetes

Peut créer, mettre à jour, obtenir, répertorier et supprimer des extensions Kubernetes, et obtenir des opérations asynchrones d’extension

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux clusters Service Fabric

Gérez vos ressources de cluster Service Fabric. Inclut des clusters, des types d’applications, des versions de type d’application, des applications et des services. Vous aurez besoin d’autorisations supplémentaires pour déployer et gérer les ressources sous-jacentes du cluster, telles que les groupes de machines virtuelles identiques, les comptes de stockage, les réseaux, etc.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
  "name": "b6efc156-f0da-4e90-a50a-8c000140b017",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/clusters/*",
        "Microsoft.ServiceFabric/operations/read",
        "Microsoft.ServiceFabric/locations/clusterVersions/read",
        "Microsoft.ServiceFabric/locations/environments/clusterVersions/read",
        "Microsoft.ServiceFabric/locations/operationresults/read",
        "Microsoft.ServiceFabric/locations/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Contributeur aux clusters managés Service Fabric

Déployez et gérez vos ressources de cluster managé Service Fabric. Inclut des clusters managés, des types de nœuds, des types d’application, des versions de type d’application, des applications et des services.

{
  "assignableScopes": [
    "/"
  ],
  "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
  "name": "83f80186-3729-438c-ad2d-39e94d718838",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceFabric/managedclusters/*",
        "Microsoft.ServiceFabric/operations/read",
        "Microsoft.ServiceFabric/locations/clusterVersions/read",
        "Microsoft.ServiceFabric/locations/environments/clusterVersions/read",
        "Microsoft.ServiceFabric/locations/operationresults/read",
        "Microsoft.ServiceFabric/locations/operations/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Service Fabric Managed Cluster Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Étapes suivantes

• Attribuer des rôles Azure à l’aide du portail Azure