articles/role-based-access-control/built-in-roles.md
9 additions & 0 deletions
@@ -210,6 +210,15 @@ The following table provides a brief description of each built-in role. Click th
210
210
> | <aname='azure-kubernetes-service-rbac-cluster-admin'></a>[Azure Kubernetes Service RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-service-rbac-cluster-admin)| Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
211
211
> | <aname='azure-kubernetes-service-rbac-reader'></a>[Azure Kubernetes Service RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-service-rbac-reader)| Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
212
212
> | <aname='azure-kubernetes-service-rbac-writer'></a>[Azure Kubernetes Service RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-service-rbac-writer)| Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
213
+
> | <aname='azure-red-hat-openshift-cloud-controller-manager'></a>[Azure Red Hat OpenShift Cloud Controller Manager](./built-in-roles/containers.md#azure-red-hat-openshift-cloud-controller-manager)| Manage and update the cloud controller manager deployed on top of OpenShift. | a1f96423-95ce-4224-ab27-4e3dc72facd4 |
214
+
> | <aname='azure-red-hat-openshift-cluster-ingress-operator'></a>[Azure Red Hat OpenShift Cluster Ingress Operator](./built-in-roles/containers.md#azure-red-hat-openshift-cluster-ingress-operator)| Manage and configure the OpenShift router. | 0336e1d3-7a87-462b-b6db-342b63f7802c |
215
+
> | <aname='azure-red-hat-openshift-disk-storage-operator'></a>[Azure Red Hat OpenShift Disk Storage Operator](./built-in-roles/containers.md#azure-red-hat-openshift-disk-storage-operator)| Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Disks. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | 5b7237c5-45e1-49d6-bc18-a1f62f400748 |
216
+
> | <aname='azure-red-hat-openshift-federated-credential'></a>[Azure Red Hat OpenShift Federated Credential](./built-in-roles/containers.md#azure-red-hat-openshift-federated-credential)| Update cluster managed identities with a federated credential to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account. | ef318e2a-8334-4a05-9e4a-295a196c6a6e |
217
+
> | <aname='azure-red-hat-openshift-file-storage-operator'></a>[Azure Red Hat OpenShift File Storage Operator](./built-in-roles/containers.md#azure-red-hat-openshift-file-storage-operator)| Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Files. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | 0d7aedc0-15fd-4a67-a412-efad370c947e |
218
+
> | <aname='azure-red-hat-openshift-image-registry-operator'></a>[Azure Red Hat OpenShift Image Registry Operator](./built-in-roles/containers.md#azure-red-hat-openshift-image-registry-operator)| Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage. | 8b32b316-c2f5-4ddf-b05b-83dacd2d08b5 |
219
+
> | <aname='azure-red-hat-openshift-machine-api-operator'></a>[Azure Red Hat OpenShift Machine API Operator](./built-in-roles/containers.md#azure-red-hat-openshift-machine-api-operator)| Manage the lifecycle of specific-purpose custom resource definitions (CRD), controllers, and Azure RBAC objects that extend the Kubernetes API to declares the desired state of machines in a cluster. | 0358943c-7e01-48ba-8889-02cc51d78637 |
220
+
> | <aname='azure-red-hat-openshift-network-operator'></a>[Azure Red Hat OpenShift Network Operator](./built-in-roles/containers.md#azure-red-hat-openshift-network-operator)| Install and upgrade the networking components on an OpenShift cluster. | be7a6435-15ae-4171-8f30-4a343eff9e8f |
221
+
> | <aname='azure-red-hat-openshift-service-operator'></a>[Azure Red Hat OpenShift Service Operator](./built-in-roles/containers.md#azure-red-hat-openshift-service-operator)| Maintain machine health, network configuration, monitoring, and other features that are specific to an OpenShift cluster's continued functionality as a managed service. | 4436bae4-7702-4c84-919b-c4069ff25ee2 |
213
222
> | <aname='connected-cluster-managed-identity-checkaccess-reader'></a>[Connected Cluster Managed Identity CheckAccess Reader](./built-in-roles/containers.md#connected-cluster-managed-identity-checkaccess-reader)| Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | 65a14201-8f6c-4c28-bec4-12619c5a9aaa |
214
223
> | <aname='container-registry-configuration-reader-and-data-access-configuration-reader'></a>[Container Registry Configuration Reader and Data Access Configuration Reader](./built-in-roles/containers.md#container-registry-configuration-reader-and-data-access-configuration-reader)| Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 69b07be0-09bf-439a-b9a6-e73de851bd59 |
215
224
> | <aname='container-registry-contributor-and-data-access-configuration-administrator'></a>[Container Registry Contributor and Data Access Configuration Administrator](./built-in-roles/containers.md#container-registry-contributor-and-data-access-configuration-administrator)| Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 3bc748fc-213d-45c1-8d91-9da5725539b9 |
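Review bot: each of the nine new rows links to an anchor under `./built-in-roles/containers.md#azure-red-hat-openshift-...`, but this change touches only `built-in-roles.md` (9 additions, 0 deletions), so please confirm the matching sections and anchors already exist in `containers.md`; otherwise all nine links dangle. Two wording points in the added rows: the Machine API Operator description has "that extend the Kubernetes API to declares the desired state of machines", which should read "to declare the desired state of machines"; and the Image Registry Operator row opens with "Enables permissions for the operator to manage a singleton instance of the OpenShift image registry", while every other new row follows the table's imperative form ("Manage...", "Install...", "Update..."), so "Manage a singleton instance of the OpenShift image registry, including all of its configuration and storage creation." would be consistent.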