last sync: 2024-May-24 18:02:49 UTC

Azure Kubernetes Fleet Manager RBAC Writer

Azure BuiltIn RBAC Role definition

NameAzure Kubernetes Fleet Manager RBAC Writer
Id5af6afb3-c06c-4fa4-8848-71a8aee05683
DescriptionGrants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
CreatedOn2022-08-22 17:29:14 UTC
UpdatedOn2024-03-27 21:09:44 UTC
History
Date/Time (UTC ymd) (i) Change Change detail
2022-08-29 16:36:36 change: Description, DataActions New Description: 'Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.'
Old Description: 'Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.',
DataActions: 'remove Microsoft.ContainerService/fleets/apps/replicasets/*; remove Microsoft.ContainerService/fleets/extensions/replicasets/*; remove Microsoft.ContainerService/fleets/pods/*'
2022-08-22 16:34:26 add: Role 5af6afb3-c06c-4fa4-8848-71a8aee05683
Permissions summary Effective control plane and data plane operations: 99 (unique operations)
•action: 2
•delete: 20
•read: 57
•write: 20

Actions: 6
Resolved control plane operations from Actions: 32
Effective control plane operations: 32
•action: 1
•read: 31

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15618

DataActions: 27
Resolved data plane operations: 67
Effective data plane operations: 67
•action: 1
•delete: 20
•read: 26
•write: 20

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3093
Actions
Operation Description
Microsoft.Authorization/*/readwildcarded / no description
Microsoft.ContainerService/fleets/listCredentials/actionList fleet credentials
Microsoft.ContainerService/fleets/readGet fleet
Microsoft.Resources/subscriptions/operationresults/readGet the subscription operation results.
Microsoft.Resources/subscriptions/readGets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
NotActions n/a
DataActions
Operation Description
Microsoft.ContainerService/fleets/apps/controllerrevisions/readReads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*wildcarded / no description
Microsoft.ContainerService/fleets/apps/deployments/*wildcarded / no description
Microsoft.ContainerService/fleets/apps/statefulsets/*wildcarded / no description
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*wildcarded / no description
Microsoft.ContainerService/fleets/batch/cronjobs/*wildcarded / no description
Microsoft.ContainerService/fleets/batch/jobs/*wildcarded / no description
Microsoft.ContainerService/fleets/configmaps/*wildcarded / no description
Microsoft.ContainerService/fleets/endpoints/*wildcarded / no description
Microsoft.ContainerService/fleets/events.k8s.io/events/readReads events
Microsoft.ContainerService/fleets/events/readReads events
Microsoft.ContainerService/fleets/extensions/daemonsets/*wildcarded / no description
Microsoft.ContainerService/fleets/extensions/deployments/*wildcarded / no description
Microsoft.ContainerService/fleets/extensions/ingresses/*wildcarded / no description
Microsoft.ContainerService/fleets/extensions/networkpolicies/*wildcarded / no description
Microsoft.ContainerService/fleets/limitranges/readReads limitranges
Microsoft.ContainerService/fleets/namespaces/readReads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*wildcarded / no description
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*wildcarded / no description
Microsoft.ContainerService/fleets/persistentvolumeclaims/*wildcarded / no description
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*wildcarded / no description
Microsoft.ContainerService/fleets/replicationcontrollers/*wildcarded / no description
Microsoft.ContainerService/fleets/replicationcontrollers/*wildcarded / no description
Microsoft.ContainerService/fleets/resourcequotas/readReads resourcequotas
Microsoft.ContainerService/fleets/secrets/*wildcarded / no description
Microsoft.ContainerService/fleets/serviceaccounts/*wildcarded / no description
Microsoft.ContainerService/fleets/services/*wildcarded / no description
NotDataActions n/a
Used in
BuiltIn Policy
none
JSON
api-version=2023-07-01-preview
Condition none