last sync: 2024-Jul-26 18:17:46 UTC

Azure Kubernetes Service RBAC Reader

Azure BuiltIn RBAC Role definition

Name: Azure Kubernetes Service RBAC Reader
Id: 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Description: Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
CreatedOn: 2020-07-02 17:53:05 UTC
UpdatedOn: 2023-04-24 15:06:51 UTC
History

Date/Time (UTC ymd) | Change | Change detail
2023-04-25 17:42:26 | change: DataActions | DataActions: 'add Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read; add Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read; add Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read'
2022-10-13 16:34:55 | change: Actions | Actions: 'remove Microsoft.Insights/alertRules/*; remove Microsoft.Resources/deployments/write; remove Microsoft.Support/*'
2020-10-23 13:31:33 | change: Description, Actions, DataActions, NotDataActions |
  New Description: 'Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.'
  Old Description: 'Lets you view all resources in cluster/namespace, except secrets.',
  Actions: 'remove Microsoft.ContainerService/managedClusters/listClusterUserCredential/action',
  DataActions: 'remove Microsoft.ContainerService/managedClusters/*/read; add Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read; add Microsoft.ContainerService/managedClusters/apps/daemonsets/read; add Microsoft.ContainerService/managedClusters/apps/deployments/read; add Microsoft.ContainerService/managedClusters/apps/replicasets/read; add Microsoft.ContainerService/managedClusters/apps/statefulsets/read; add Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read; add Microsoft.ContainerService/managedClusters/batch/cronjobs/read; add Microsoft.ContainerService/managedClusters/batch/jobs/read; add Microsoft.ContainerService/managedClusters/configmaps/read; add Microsoft.ContainerService/managedClusters/endpoints/read; add Microsoft.ContainerService/managedClusters/events.k8s.io/events/read; add Microsoft.ContainerService/managedClusters/events/read; add Microsoft.ContainerService/managedClusters/extensions/daemonsets/read; add Microsoft.ContainerService/managedClusters/extensions/deployments/read; add Microsoft.ContainerService/managedClusters/extensions/ingresses/read; add Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read; add Microsoft.ContainerService/managedClusters/extensions/replicasets/read; add Microsoft.ContainerService/managedClusters/limitranges/read; add Microsoft.ContainerService/managedClusters/namespaces/read; add Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read; add Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read; add Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read; add Microsoft.ContainerService/managedClusters/pods/read; add Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read; add Microsoft.ContainerService/managedClusters/replicationcontrollers/read; add Microsoft.ContainerService/managedClusters/replicationcontrollers/read; add Microsoft.ContainerService/managedClusters/resourcequotas/read; add Microsoft.ContainerService/managedClusters/serviceaccounts/read; add Microsoft.ContainerService/managedClusters/services/read',
  NotDataActions: 'remove Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*/read; remove Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*/write; remove Microsoft.ContainerService/managedClusters/secrets/*'
2020-07-03 14:58:03 | add: Role 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Permissions summary

Effective control plane and data plane operations: 61 (unique operations)
• read: 61

Actions: 4
Resolved control plane operations from Actions: 30
Effective control plane operations: 30
• read: 30

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15598

DataActions: 31
Resolved data plane operations: 31
Effective data plane operations: 31
• read: 31

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3188
Actions

Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: n/a
DataActions

Operation | Description
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/managedClusters/events/read | Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read | Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read | Reads services

NotDataActions: n/a
Used in

BuiltIn Policy: none

JSON
api-version=2023-07-01-preview

Condition: none