
Azure Kubernetes Fleet Manager RBAC Reader

Azure Built-in Role

Role Information

Details and metadata

Role ID: 30b27cfc-9c84-438e-b0ce-70e35255df80
Type: BuiltInRole
Last Updated (Azure): 2024-10-25 18:52:28

Change History

Track all modifications to this role

2024-10-25 18:52:28 Initial Scan

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
    "type": "BuiltInRole",
    "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.ContainerService/fleets/read",
          "Microsoft.ContainerService/fleets/listCredentials/action"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
          "Microsoft.ContainerService/fleets/apps/daemonsets/read",
          "Microsoft.ContainerService/fleets/apps/deployments/read",
          "Microsoft.ContainerService/fleets/apps/statefulsets/read",
          "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
          "Microsoft.ContainerService/fleets/batch/cronjobs/read",
          "Microsoft.ContainerService/fleets/batch/jobs/read",
          "Microsoft.ContainerService/fleets/configmaps/read",
          "Microsoft.ContainerService/fleets/endpoints/read",
          "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
          "Microsoft.ContainerService/fleets/events/read",
          "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
          "Microsoft.ContainerService/fleets/extensions/deployments/read",
          "Microsoft.ContainerService/fleets/extensions/ingresses/read",
          "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
          "Microsoft.ContainerService/fleets/limitranges/read",
          "Microsoft.ContainerService/fleets/namespaces/read",
          "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
          "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
          "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
          "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
          "Microsoft.ContainerService/fleets/replicationcontrollers/read",
          "Microsoft.ContainerService/fleets/replicationcontrollers/read",
          "Microsoft.ContainerService/fleets/resourcequotas/read",
          "Microsoft.ContainerService/fleets/serviceaccounts/read",
          "Microsoft.ContainerService/fleets/services/read",
          "Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
          "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
          "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
          "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2022-08-22T15:27:28.667Z",
    "updatedOn": "2024-10-25T18:52:28.006Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80"
}

Effective Permissions

Operations granted by this role (65 total)

Permission Patterns (from role definition)

Actions (6 patterns)
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ContainerService/fleets/read
Microsoft.ContainerService/fleets/listCredentials/action

Data Actions (30 patterns)
Microsoft.ContainerService/fleets/apps/controllerrevisions/read
Microsoft.ContainerService/fleets/apps/daemonsets/read
Microsoft.ContainerService/fleets/apps/deployments/read
Microsoft.ContainerService/fleets/apps/statefulsets/read
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
Microsoft.ContainerService/fleets/batch/cronjobs/read
Microsoft.ContainerService/fleets/batch/jobs/read
Microsoft.ContainerService/fleets/configmaps/read
Microsoft.ContainerService/fleets/endpoints/read
Microsoft.ContainerService/fleets/events.k8s.io/events/read
Microsoft.ContainerService/fleets/events/read
Microsoft.ContainerService/fleets/extensions/daemonsets/read
Microsoft.ContainerService/fleets/extensions/deployments/read
Microsoft.ContainerService/fleets/extensions/ingresses/read
Microsoft.ContainerService/fleets/extensions/networkpolicies/read
Microsoft.ContainerService/fleets/limitranges/read
Microsoft.ContainerService/fleets/namespaces/read
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
Microsoft.ContainerService/fleets/persistentvolumeclaims/read
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
Microsoft.ContainerService/fleets/replicationcontrollers/read
Microsoft.ContainerService/fleets/replicationcontrollers/read
Microsoft.ContainerService/fleets/resourcequotas/read
Microsoft.ContainerService/fleets/serviceaccounts/read
Microsoft.ContainerService/fleets/services/read
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read

Control Plane Operations (36)

Data Plane Operations (29)