last sync: 2024-Jul-26 18:17:46 UTC

Azure Kubernetes Fleet Manager RBAC Reader

Azure BuiltIn RBAC Role definition

Name: Azure Kubernetes Fleet Manager RBAC Reader
Id: 30b27cfc-9c84-438e-b0ce-70e35255df80
Description: Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
CreatedOn: 2022-08-22 17:29:14 UTC
UpdatedOn: 2024-03-27 21:09:44 UTC
History
Date/Time (UTC ymd) | Change | Change detail
2022-08-29 16:36:36 | change: DataActions | DataActions: 'remove Microsoft.ContainerService/fleets/apps/replicasets/read; remove Microsoft.ContainerService/fleets/extensions/replicasets/read; remove Microsoft.ContainerService/fleets/pods/read'
2022-08-22 16:34:26 | add: Role 30b27cfc-9c84-438e-b0ce-70e35255df80 | 
Permissions summary
Effective control plane and data plane operations: 57 (unique operations)
•action: 1
•read: 56

Actions: 6
Resolved control plane operations from Actions: 32
Effective control plane operations: 32
•action: 1
•read: 31

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15596

DataActions: 26
Resolved data plane operations: 25
Effective data plane operations: 25
•read: 25

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3194
Actions
Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials
Microsoft.ContainerService/fleets/read | Get fleet
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
NotActions: n/a
DataActions
Operation | Description
Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs
Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps
Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/fleets/events/read | Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers (listed twice in the role definition; counted once among the 25 resolved data plane operations)
Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts
Microsoft.ContainerService/fleets/services/read | Reads services
NotDataActions: n/a
Used in BuiltIn Policy: none
JSON (api-version=2023-07-01-preview)
Condition: none