2.5. 설치 관리자 프로비저닝 인프라에 필요한 Azure 권한

Contributor 및 User Access Administrator 역할을 서비스 주체에 할당하면 필요한 모든 권한을 자동으로 부여합니다.

조직의 보안 정책에 보다 제한적인 권한 세트가 필요한 경우 필요한 권한으로 사용자 지정 역할을 생성할 수 있습니다. Microsoft Azure에서 OpenShift Container Platform 클러스터를 생성하려면 다음 권한이 필요합니다.

예 2.1. 권한 부여 리소스 생성에 필요한 권한

Microsoft.Authorization/policies/audit/action
Microsoft.Authorization/policies/auditIfNotExists/action
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write

예 2.2. 컴퓨팅 리소스 생성에 필요한 권한

Microsoft.Compute/availabilitySets/read
Microsoft.Compute/availabilitySets/write
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/galleries/images/versions/write
Microsoft.Compute/galleries/images/write
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/write
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write

예 2.3. ID 관리 리소스를 생성하는 데 필요한 권한

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write

예 2.4. 네트워크 리소스 생성에 필요한 권한

Microsoft.Network/dnsZones/A/write
Microsoft.Network/dnsZones/CNAME/write
Microsoft.Network/dnszones/CNAME/read
Microsoft.Network/dnszones/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/read
Microsoft.Network/loadBalancers/backendAddressPools/write
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/A/write
Microsoft.Network/privateDnsZones/A/delete
Microsoft.Network/privateDnsZones/SOA/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/privateDnsZones/write
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write

참고

Azure에서 프라이빗 OpenShift Container Platform 클러스터를 생성하는 데 다음 권한이 필요하지 않습니다.

Microsoft.Network/dnsZones/A/write
Microsoft.Network/dnsZones/CNAME/write
Microsoft.Network/dnszones/CNAME/read
Microsoft.Network/dnszones/read

예 2.5. 리소스 상태를 확인하는 데 필요한 권한

Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/InProgress/action
Microsoft.Resourcehealth/healthevent/Pending/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action

예 2.6. 리소스 그룹을 생성하는 데 필요한 권한

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourcegroups/write

예 2.7. 리소스 태그를 생성하는 데 필요한 권한

Microsoft.Resources/tags/write

예 2.8. 스토리지 리소스 생성에 필요한 권한

Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/fileServices/shares/read
Microsoft.Storage/storageAccounts/fileServices/shares/write
Microsoft.Storage/storageAccounts/fileServices/shares/delete
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write

예 2.9. Marketplace 가상 머신 리소스 생성을 위한 선택적 권한

Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write

예 2.10. 컴퓨팅 리소스 생성을 위한 선택적 권한

Microsoft.Compute/availabilitySets/delete
Microsoft.Compute/images/read
Microsoft.Compute/images/write
Microsoft.Compute/images/delete

예 2.11. 사용자 관리 암호화를 활성화하는 선택적 권한

Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/diskEncryptionSets/write
Microsoft.Compute/diskEncryptionSets/delete
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/write
Microsoft.KeyVault/vaults/delete
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/write
Microsoft.Features/providers/features/register/action

예 2.12. NAT(Azure Network Address Translation)를 사용하여 프라이빗 클러스터를 설치하기 위한 선택적 권한

Microsoft.Network/natGateways/join/action
Microsoft.Network/natGateways/read
Microsoft.Network/natGateways/write

예 2.13. Azure 방화벽으로 프라이빗 클러스터를 설치하기 위한 선택적 권한

Microsoft.Network/azureFirewalls/applicationRuleCollections/write
Microsoft.Network/azureFirewalls/read
Microsoft.Network/azureFirewalls/write
Microsoft.Network/routeTables/join/action
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/routes/read
Microsoft.Network/routeTables/routes/write
Microsoft.Network/routeTables/write
Microsoft.Network/virtualNetworks/peer/action
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write

예 2.14. 수집 부트스트랩을 실행하기 위한 선택적 권한

Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action

Microsoft Azure에서 OpenShift Container Platform 클러스터를 삭제하려면 다음 권한이 필요합니다. 동일한 권한을 사용하여 Azure에서 프라이빗 OpenShift Container Platform 클러스터를 삭제할 수 있습니다.

예 2.15. 권한 부여 리소스 삭제에 필요한 권한

Microsoft.Authorization/roleAssignments/delete

예 2.16. 컴퓨팅 리소스 삭제에 필요한 권한

Microsoft.Compute/disks/delete
Microsoft.Compute/galleries/delete
Microsoft.Compute/galleries/images/delete
Microsoft.Compute/galleries/images/versions/delete
Microsoft.Compute/virtualMachines/delete

예 2.17. ID 관리 리소스 삭제에 필요한 권한

Microsoft.ManagedIdentity/userAssignedIdentities/delete

예 2.18. 네트워크 리소스 삭제에 필요한 권한

Microsoft.Network/dnszones/read
Microsoft.Network/dnsZones/A/read
Microsoft.Network/dnsZones/A/delete
Microsoft.Network/dnsZones/CNAME/read
Microsoft.Network/dnsZones/CNAME/delete
Microsoft.Network/loadBalancers/delete
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/delete
Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/virtualNetworks/delete

참고

Azure에서 프라이빗 OpenShift Container Platform 클러스터를 삭제하는 데 다음 권한이 필요하지 않습니다.

Microsoft.Network/dnszones/read
Microsoft.Network/dnsZones/A/read
Microsoft.Network/dnsZones/A/delete
Microsoft.Network/dnsZones/CNAME/read
Microsoft.Network/dnsZones/CNAME/delete

예 2.19. 리소스 상태를 확인하는 데 필요한 권한

Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action

예 2.20. 리소스 그룹 삭제에 필요한 권한

Microsoft.Resources/subscriptions/resourcegroups/delete

예 2.21. 스토리지 리소스 삭제에 필요한 권한

Microsoft.Storage/storageAccounts/delete
Microsoft.Storage/storageAccounts/listKeys/action

참고

Azure에 OpenShift Container Platform을 설치하려면 서브스크립션의 권한 범위를 지정해야 합니다. 나중에 설치 프로그램에서 생성한 리소스 그룹에 대해 이러한 권한의 범위를 다시 지정할 수 있습니다. 퍼블릭 DNS 영역이 다른 리소스 그룹에 있는 경우 항상 네트워크 DNS 영역 관련 권한을 서브스크립션에 적용해야 합니다. 기본적으로 OpenShift Container Platform 설치 프로그램에서 Azure ID를 Contributor 역할을 할당합니다.

OpenShift Container Platform 클러스터를 삭제할 때 서브스크립션에 대한 모든 권한의 범위를 지정할 수 있습니다.

2.5. 설치 관리자 프로비저닝 인프라에 필요한 Azure 권한

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Red Hat legal and privacy links

Red Hat legal and privacy links