last sync: 2024-Nov-25 18:54:42 UTC

Azure Kubernetes Fleet Manager RBAC Reader

Azure BuiltIn RBAC Role definition

Name: Azure Kubernetes Fleet Manager RBAC Reader
Id: 30b27cfc-9c84-438e-b0ce-70e35255df80
Description: Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
CreatedOn: 2022-08-22 17:29:14 UTC
UpdatedOn: 2024-10-23 18:34:36 UTC
History
Date/Time (UTC ymd) | Change | Change detail
2024-10-25 17:51:38 | change: DataActions | DataActions: 'add Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read; add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read; add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read; add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read'
2022-08-29 16:36:36 | change: DataActions | DataActions: 'remove Microsoft.ContainerService/fleets/apps/replicasets/read; remove Microsoft.ContainerService/fleets/extensions/replicasets/read; remove Microsoft.ContainerService/fleets/pods/read'
2022-08-22 16:34:26 | add: Role | 30b27cfc-9c84-438e-b0ce-70e35255df80
Permissions summary Effective control plane and data plane operations: 61 (unique operations)
•action: 1
•read: 60

Actions: 6
Resolved control plane operations from Actions: 32
Effective control plane operations: 32
•action: 1
•read: 31

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16140

DataActions: 30
Resolved data plane operations: 29
Effective data plane operations: 29
•read: 29

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3274
Actions
Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials
Microsoft.ContainerService/fleets/read | Get fleet
Microsoft.Resources/subscriptions/operationresults/read | Gets the results of the subscription operation.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
NotActions: n/a
DataActions
Operation | Description
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read fleet internalmembercluster resource
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/fleets/events/read | Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read fleet resourceoverridesnapshot resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read fleet work resource
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts
Microsoft.ContainerService/fleets/services/read | Reads services
NotDataActions: n/a
Used in
BuiltIn Policy: none
JSON
api-version=2023-07-01-preview
Condition: none