Role Information
Details and metadata
5af6afb3-c06c-4fa4-8848-71a8aee05683
Change History
Track all modifications to this role
Updated On
Event Type
Summary & Details
2024-10-23 15:16:16
Initial Scan
{
"properties": {
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"type": "BuiltInRole",
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.\u00a0 Applying this role at cluster scope will give access across all namespaces.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"createdOn": "2022-08-22T15:27:28.667Z",
"updatedOn": "2024-10-23T15:16:16.412Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683"
}
2024-10-23 15:16:16
Initial Scan
{
"properties": {
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"type": "BuiltInRole",
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.\u00a0 Applying this role at cluster scope will give access across all namespaces.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"createdOn": "2022-08-22T15:27:28.667Z",
"updatedOn": "2024-10-23T15:16:16.412Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683"
}
Latest Role JSON
Raw definition from Azure
{
"properties": {
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"type": "BuiltInRole",
"description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.\u00a0 Applying this role at cluster scope will give access across all namespaces.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/write",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/deployments/write",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/write",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/write",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/configmaps/write",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/endpoints/write",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/write",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/deployments/write",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/write",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/write",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/write",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/write",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/read",
"Microsoft.ContainerService/fleets/secrets/write",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/serviceaccounts/write",
"Microsoft.ContainerService/fleets/services/read",
"Microsoft.ContainerService/fleets/services/write",
"Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read",
"Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read"
],
"notDataActions": []
}
],
"createdOn": "2022-08-22T15:27:28.667Z",
"updatedOn": "2024-10-23T15:16:16.412Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683"
}
Effective Permissions
Operations granted by this role (87 total)
Permission Patterns (from role definition)
Actions
6 patterns
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ContainerService/fleets/read
Microsoft.ContainerService/fleets/listCredentials/action
Data Actions
51 patterns
Microsoft.ContainerService/fleets/apps/controllerrevisions/read
Microsoft.ContainerService/fleets/apps/daemonsets/read
Microsoft.ContainerService/fleets/apps/daemonsets/write
Microsoft.ContainerService/fleets/apps/deployments/read
Microsoft.ContainerService/fleets/apps/deployments/write
Microsoft.ContainerService/fleets/apps/statefulsets/read
Microsoft.ContainerService/fleets/apps/statefulsets/write
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write
Microsoft.ContainerService/fleets/batch/cronjobs/read
Microsoft.ContainerService/fleets/batch/cronjobs/write
Microsoft.ContainerService/fleets/batch/jobs/read
Microsoft.ContainerService/fleets/batch/jobs/write
Microsoft.ContainerService/fleets/configmaps/read
Microsoft.ContainerService/fleets/configmaps/write
Microsoft.ContainerService/fleets/endpoints/read
Microsoft.ContainerService/fleets/endpoints/write
Microsoft.ContainerService/fleets/events.k8s.io/events/read
Microsoft.ContainerService/fleets/events/read
Microsoft.ContainerService/fleets/extensions/daemonsets/read
Microsoft.ContainerService/fleets/extensions/daemonsets/write
Microsoft.ContainerService/fleets/extensions/deployments/read
Microsoft.ContainerService/fleets/extensions/deployments/write
Microsoft.ContainerService/fleets/extensions/ingresses/read
Microsoft.ContainerService/fleets/extensions/ingresses/write
Microsoft.ContainerService/fleets/extensions/networkpolicies/read
Microsoft.ContainerService/fleets/extensions/networkpolicies/write
Microsoft.ContainerService/fleets/limitranges/read
Microsoft.ContainerService/fleets/namespaces/read
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write
Microsoft.ContainerService/fleets/persistentvolumeclaims/read
Microsoft.ContainerService/fleets/persistentvolumeclaims/write
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write
Microsoft.ContainerService/fleets/replicationcontrollers/read
Microsoft.ContainerService/fleets/replicationcontrollers/write
Microsoft.ContainerService/fleets/resourcequotas/read
Microsoft.ContainerService/fleets/secrets/read
Microsoft.ContainerService/fleets/secrets/write
Microsoft.ContainerService/fleets/serviceaccounts/read
Microsoft.ContainerService/fleets/serviceaccounts/write
Microsoft.ContainerService/fleets/services/read
Microsoft.ContainerService/fleets/services/write
Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read
Control Plane Operations (36)
Data Plane Operations (51)