last sync: 2024-Nov-25 18:54:42 UTC

Azure Kubernetes Fleet Manager RBAC Writer

Azure BuiltIn RBAC Role definition

Name: Azure Kubernetes Fleet Manager RBAC Writer
Id: 5af6afb3-c06c-4fa4-8848-71a8aee05683
Description: Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
CreatedOn: 2022-08-22 17:29:14 UTC
UpdatedOn: 2024-10-21 15:04:47 UTC
History (Date/Time in UTC, ymd)

2024-10-21 17:52:38 - change: DataActions
  DataActions:
    remove Microsoft.ContainerService/fleets/apps/daemonsets/*
    remove Microsoft.ContainerService/fleets/apps/deployments/*
    remove Microsoft.ContainerService/fleets/apps/statefulsets/*
    remove Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
    remove Microsoft.ContainerService/fleets/batch/cronjobs/*
    remove Microsoft.ContainerService/fleets/batch/jobs/*
    remove Microsoft.ContainerService/fleets/configmaps/*
    remove Microsoft.ContainerService/fleets/endpoints/*
    remove Microsoft.ContainerService/fleets/extensions/daemonsets/*
    remove Microsoft.ContainerService/fleets/extensions/deployments/*
    remove Microsoft.ContainerService/fleets/extensions/ingresses/*
    remove Microsoft.ContainerService/fleets/extensions/networkpolicies/*
    remove Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
    remove Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
    remove Microsoft.ContainerService/fleets/persistentvolumeclaims/*
    remove Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
    remove Microsoft.ContainerService/fleets/replicationcontrollers/*
    remove Microsoft.ContainerService/fleets/replicationcontrollers/*
    remove Microsoft.ContainerService/fleets/secrets/*
    remove Microsoft.ContainerService/fleets/serviceaccounts/*
    remove Microsoft.ContainerService/fleets/services/*
    add Microsoft.ContainerService/fleets/apps/daemonsets/read
    add Microsoft.ContainerService/fleets/apps/daemonsets/write
    add Microsoft.ContainerService/fleets/apps/deployments/read
    add Microsoft.ContainerService/fleets/apps/deployments/write
    add Microsoft.ContainerService/fleets/apps/statefulsets/read
    add Microsoft.ContainerService/fleets/apps/statefulsets/write
    add Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
    add Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write
    add Microsoft.ContainerService/fleets/batch/cronjobs/read
    add Microsoft.ContainerService/fleets/batch/cronjobs/write
    add Microsoft.ContainerService/fleets/batch/jobs/read
    add Microsoft.ContainerService/fleets/batch/jobs/write
    add Microsoft.ContainerService/fleets/configmaps/read
    add Microsoft.ContainerService/fleets/configmaps/write
    add Microsoft.ContainerService/fleets/endpoints/read
    add Microsoft.ContainerService/fleets/endpoints/write
    add Microsoft.ContainerService/fleets/extensions/daemonsets/read
    add Microsoft.ContainerService/fleets/extensions/daemonsets/write
    add Microsoft.ContainerService/fleets/extensions/deployments/read
    add Microsoft.ContainerService/fleets/extensions/deployments/write
    add Microsoft.ContainerService/fleets/extensions/ingresses/read
    add Microsoft.ContainerService/fleets/extensions/ingresses/write
    add Microsoft.ContainerService/fleets/extensions/networkpolicies/read
    add Microsoft.ContainerService/fleets/extensions/networkpolicies/write
    add Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
    add Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write
    add Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
    add Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write
    add Microsoft.ContainerService/fleets/persistentvolumeclaims/read
    add Microsoft.ContainerService/fleets/persistentvolumeclaims/write
    add Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
    add Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write
    add Microsoft.ContainerService/fleets/replicationcontrollers/read
    add Microsoft.ContainerService/fleets/replicationcontrollers/write
    add Microsoft.ContainerService/fleets/secrets/read
    add Microsoft.ContainerService/fleets/secrets/write
    add Microsoft.ContainerService/fleets/serviceaccounts/read
    add Microsoft.ContainerService/fleets/serviceaccounts/write
    add Microsoft.ContainerService/fleets/services/read
    add Microsoft.ContainerService/fleets/services/write
    add Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
    add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read
    add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write
    add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
    add Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read

2022-08-29 16:36:36 - change: Description, DataActions
  New Description: 'Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.'
  Old Description: 'Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.'
  DataActions:
    remove Microsoft.ContainerService/fleets/apps/replicasets/*
    remove Microsoft.ContainerService/fleets/extensions/replicasets/*
    remove Microsoft.ContainerService/fleets/pods/*

2022-08-22 16:34:26 - add: Role 5af6afb3-c06c-4fa4-8848-71a8aee05683
Permissions summary

Effective control plane and data plane operations: 83 (unique operations)
• action: 1
• read: 61
• write: 21

Actions: 6
Resolved control plane operations from Actions: 32
Effective control plane operations: 32
• action: 1
• read: 31

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16140

DataActions: 51
Resolved data plane operations: 51
Effective data plane operations: 51
• read: 30
• write: 21

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3252

Actions

Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials
Microsoft.ContainerService/fleets/read | Get fleet
Microsoft.Resources/subscriptions/operationresults/read | Gets the results of the subscription operation.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: n/a

DataActions

Operation | Description
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/apps/daemonsets/write | Writes daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/apps/deployments/write | Writes deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets
Microsoft.ContainerService/fleets/apps/statefulsets/write | Writes statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs
Microsoft.ContainerService/fleets/batch/cronjobs/write | Writes cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs
Microsoft.ContainerService/fleets/batch/jobs/write | Writes jobs
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read | Read fleet internalmembercluster resource
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps
Microsoft.ContainerService/fleets/configmaps/write | Writes configmaps
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints
Microsoft.ContainerService/fleets/endpoints/write | Writes endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/fleets/events/read | Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/extensions/daemonsets/write | Writes daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/extensions/deployments/write | Writes deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/extensions/ingresses/write | Writes ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Writes networkpolicies
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Writes ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Writes networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Writes persistentvolumeclaims
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read | Read fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write | Write fleet resourceoverride resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read | Read fleet resourceoverridesnapshot resource
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read | Read fleet work resource
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/write | Writes replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/read | Reads secrets
Microsoft.ContainerService/fleets/secrets/write | Writes secrets
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts
Microsoft.ContainerService/fleets/serviceaccounts/write | Writes serviceaccounts
Microsoft.ContainerService/fleets/services/read | Reads services
Microsoft.ContainerService/fleets/services/write | Writes services

NotDataActions: n/a

Used in BuiltIn Policy: none

JSON: api-version=2023-07-01-preview

Condition: none