2.5. 安装程序置备的基础架构所需的 Azure 权限

当您为服务主体分配 Contributor 和 User Access Administrator 角色时，会自动授予所有所需的权限。

如果机构的安全策略需要更严格的权限集，您可以创建具有所需权限的自定义角色。在 Microsoft Azure 上创建 OpenShift Container Platform 集群需要以下权限。

例 2.1. 创建授权资源所需的权限

Microsoft.Authorization/policies/audit/action
Microsoft.Authorization/policies/auditIfNotExists/action
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write

例 2.2. 创建计算资源所需的权限

Microsoft.Compute/availabilitySets/read
Microsoft.Compute/availabilitySets/write
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/galleries/images/versions/write
Microsoft.Compute/galleries/images/write
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/write
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write

例 2.3. 创建身份管理资源所需的权限

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write

例 2.4. 创建网络资源所需的权限

Microsoft.Network/dnsZones/A/write
Microsoft.Network/dnsZones/CNAME/write
Microsoft.Network/dnszones/CNAME/read
Microsoft.Network/dnszones/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/read
Microsoft.Network/loadBalancers/backendAddressPools/write
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/A/write
Microsoft.Network/privateDnsZones/A/delete
Microsoft.Network/privateDnsZones/SOA/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/privateDnsZones/write
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write

注意

在 Azure 上创建私有 OpenShift Container Platform 集群不需要以下权限。

Microsoft.Network/dnsZones/A/write
Microsoft.Network/dnsZones/CNAME/write
Microsoft.Network/dnszones/CNAME/read
Microsoft.Network/dnszones/read

例 2.5. 检查资源健康状况所需的权限

Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/InProgress/action
Microsoft.Resourcehealth/healthevent/Pending/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action

例 2.6. 创建资源组所需的权限

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourcegroups/write

例 2.7. 创建资源标签所需的权限

Microsoft.Resources/tags/write

例 2.8. 创建存储资源所需的权限

Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/fileServices/shares/read
Microsoft.Storage/storageAccounts/fileServices/shares/write
Microsoft.Storage/storageAccounts/fileServices/shares/delete
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write

例 2.9. 创建 marketplace 虚拟机资源的可选权限

Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write

例 2.10. 创建计算资源的可选权限

Microsoft.Compute/availabilitySets/delete
Microsoft.Compute/images/read
Microsoft.Compute/images/write
Microsoft.Compute/images/delete

例 2.11. 启用用户管理加密的可选权限

Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/diskEncryptionSets/write
Microsoft.Compute/diskEncryptionSets/delete
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/write
Microsoft.KeyVault/vaults/delete
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/write
Microsoft.Features/providers/features/register/action

例 2.12. 使用 Azure 网络地址转换 (NAT) 安装私有集群的可选权限

Microsoft.Network/natGateways/join/action
Microsoft.Network/natGateways/read
Microsoft.Network/natGateways/write

例 2.13. 使用 Azure 防火墙安装私有集群的可选权限

Microsoft.Network/azureFirewalls/applicationRuleCollections/write
Microsoft.Network/azureFirewalls/read
Microsoft.Network/azureFirewalls/write
Microsoft.Network/routeTables/join/action
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/routes/read
Microsoft.Network/routeTables/routes/write
Microsoft.Network/routeTables/write
Microsoft.Network/virtualNetworks/peer/action
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write

例 2.14. 运行收集 bootstrap 的可选权限

Microsoft.Compute/virtualMachines/instanceView/read

删除 Microsoft Azure 上的 OpenShift Container Platform 集群需要以下权限。您可以使用相同的权限删除 Azure 上的私有 OpenShift Container Platform 集群。

例 2.15. 删除授权资源所需的权限

Microsoft.Authorization/roleAssignments/delete

例 2.16. 删除计算资源所需的权限

Microsoft.Compute/disks/delete
Microsoft.Compute/galleries/delete
Microsoft.Compute/galleries/images/delete
Microsoft.Compute/galleries/images/versions/delete
Microsoft.Compute/virtualMachines/delete

例 2.17. 删除身份管理资源所需的权限

Microsoft.ManagedIdentity/userAssignedIdentities/delete

例 2.18. 删除网络资源所需的权限

Microsoft.Network/dnszones/read
Microsoft.Network/dnsZones/A/read
Microsoft.Network/dnsZones/A/delete
Microsoft.Network/dnsZones/CNAME/read
Microsoft.Network/dnsZones/CNAME/delete
Microsoft.Network/loadBalancers/delete
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/delete
Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/virtualNetworks/delete

注意

在 Azure 上删除私有 OpenShift Container Platform 集群不需要以下权限。

Microsoft.Network/dnszones/read
Microsoft.Network/dnsZones/A/read
Microsoft.Network/dnsZones/A/delete
Microsoft.Network/dnsZones/CNAME/read
Microsoft.Network/dnsZones/CNAME/delete

例 2.19. 检查资源健康状况所需的权限

Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action

例 2.20. 删除资源组所需的权限

Microsoft.Resources/subscriptions/resourcegroups/delete

例 2.21. 删除存储资源所需的权限

Microsoft.Storage/storageAccounts/delete
Microsoft.Storage/storageAccounts/listKeys/action

注意

要在 Azure 上安装 OpenShift Container Platform，您必须将权限范围到您的订阅。之后，您可以将这些权限重新限定到安装程序创建的资源组。如果其他资源组中存在公共 DNS 区域，则必须始终将网络 DNS 区域相关权限应用到您的订阅。默认情况下，OpenShift Container Platform 安装程序分配 Contributor 角色的 Azure 身份。

在删除 OpenShift Container Platform 集群时，您可以将订阅的所有权限限定到您的订阅。

2.5. 安装程序置备的基础架构所需的 Azure 权限

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Red Hat legal and privacy links

Red Hat legal and privacy links