Permissions
The following permissions are required for KubeForenSys to work fully within Azure:
{
  "Name": "<name>",
  "IsCustom": true,
  "Description": "<description>",
  "permissions": [
    {
      "actions": [
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/tables/write",
        "Microsoft.Insights/dataCollectionEndpoints/write",
        "Microsoft.Insights/dataCollectionRules/write",
        "Microsoft.Insights/dataCollectionRules/read",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Insights/Metrics/Write",
        "Microsoft.Insights/Telemetry/Write"
      ],
      "notDataActions": []
    }
  ],
  "assignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
  ]
}
The JSON above can be used to create a custom role that is assignable at resource group scope. A role assignment at that scope applies to every resource in the resource group, including resources created later within it, so the security principal needs no further assignments for what KubeForenSys creates there. The custom role can be created and assigned with the Azure CLI or with Azure PowerShell.

The same authorizations can also be obtained through the built-in roles provided by Azure. A custom role is nevertheless recommended, because it adheres to the principle of least privilege: each built-in role below grants considerably more than the operations listed in the definition above. If built-in roles are used instead, the following would need to be assigned:
Log Analytics Contributor: for Log Analytics workspace and table writes and for access to the workspace shared keys (sharedKeys/action)
Monitoring Contributor: for creating data collection rules (DCRs) and data collection endpoints (DCEs) and for writing metrics and telemetry (the two data actions)
Reader or Kubernetes Service RBAC Viewer: for reading the AKS cluster (Microsoft.ContainerService/managedClusters/read)
For more information, see the Azure documentation.
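The following script is an added example and is not part of KubeForenSys. It builds the custom role definition shown above from placeholders, checks that the definition covers every required operation without wildcards or a scope wider than a resource group, compares a set of assigned roles against the same requirements using Azure RBAC's matching semantics (case-insensitive, `*` spans `/`, NotActions subtract from Actions within one role, assignments are unioned), and prints the Azure CLI commands that create and assign the role. The built-in role definitions in `BUILTIN_ROLES` are constructed, simplified sketches of the three roles named above, not the real definitions; export the real ones with `az role definition list --name "<role>"` before relying on the result. The role name, object ID and subscription ID are placeholders.

```python
"""Least-privilege check for a KubeForenSys Azure role (added example)."""
import fnmatch
from typing import Dict, List

# Operations KubeForenSys needs, copied from the role definition above.
REQUIRED_ACTIONS = [
    "Microsoft.OperationalInsights/workspaces/write",
    "Microsoft.OperationalInsights/workspaces/tables/write",
    "Microsoft.Insights/dataCollectionEndpoints/write",
    "Microsoft.Insights/dataCollectionRules/write",
    "Microsoft.Insights/dataCollectionRules/read",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.ContainerService/managedClusters/read",
]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.Insights/Metrics/Write",
    "Microsoft.Insights/Telemetry/Write",
]


def build_custom_role(name: str, description: str, subscription_id: str, resource_group: str) -> Dict:
    """Return the custom role definition, assignable only at one resource group."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "permissions": [{
            "actions": list(REQUIRED_ACTIONS),
            "notActions": [],
            "dataActions": list(REQUIRED_DATA_ACTIONS),
            "notDataActions": [],
        }],
        "assignableScopes": [f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"],
    }


def _matches(pattern: str, operation: str) -> bool:
    # Azure RBAC operation matching is case-insensitive and '*' also spans '/'.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: Dict, operation: str, data: bool = False) -> bool:
    """True if a single role grants the operation: (Not)Actions or (Not)DataActions."""
    allow, deny = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    perms = role["permissions"]
    granted = any(_matches(p, operation) for perm in perms for p in perm.get(allow, []))
    denied = any(_matches(p, operation) for perm in perms for p in perm.get(deny, []))
    return granted and not denied


def missing_operations(assigned_roles: List[Dict]) -> List[str]:
    """Required operations that none of the assigned roles grants (assignments are unioned)."""
    gaps = [a for a in REQUIRED_ACTIONS if not any(role_allows(r, a) for r in assigned_roles)]
    gaps += [a for a in REQUIRED_DATA_ACTIONS if not any(role_allows(r, a, True) for r in assigned_roles)]
    return gaps


def least_privilege_findings(role: Dict) -> List[str]:
    """Flag wildcard operations and assignable scopes broader than a resource group."""
    findings = []
    for perm in role["permissions"]:
        for p in perm.get("actions", []) + perm.get("dataActions", []):
            if "*" in p:
                findings.append(f"wildcard operation: {p}")
    for scope in role.get("assignableScopes", []):
        if "/resourceGroups/" not in scope:
            findings.append(f"scope broader than a resource group: {scope}")
    return findings


def az_commands(role_file: str, role_name: str, assignee_object_id: str, scope: str) -> List[str]:
    """Azure CLI commands that create the role from a JSON file and assign it at the scope."""
    return [
        f"az role definition create --role-definition @{role_file}",
        f"az role assignment create --assignee-object-id {assignee_object_id} "
        f'--assignee-principal-type ServicePrincipal --role "{role_name}" --scope {scope}',
    ]


# Constructed, simplified sketches of the built-in roles (NOT the real definitions).
BUILTIN_ROLES = {
    "Log Analytics Contributor": {"permissions": [{"actions": ["*/read", "Microsoft.OperationalInsights/*"],
                                                   "notActions": [], "dataActions": [], "notDataActions": []}]},
    "Monitoring Contributor": {"permissions": [{"actions": ["*/read", "Microsoft.Insights/dataCollectionEndpoints/*",
                                                            "Microsoft.Insights/dataCollectionRules/*"],
                                                "notActions": [],
                                                "dataActions": ["Microsoft.Insights/Metrics/Write",
                                                                "Microsoft.Insights/Telemetry/Write"],
                                                "notDataActions": []}]},
    "Reader": {"permissions": [{"actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": []}]},
}

if __name__ == "__main__":
    # Placeholder identifiers (hypothetical values).
    role = build_custom_role("KubeForenSys Collector", "KubeForenSys least-privilege role",
                             "00000000-0000-0000-0000-000000000000", "rg-forensics")
    print("custom role gaps:", missing_operations([role]))          # expect []
    print("custom role findings:", least_privilege_findings(role))  # expect []
    print("Monitoring Contributor alone lacks:", missing_operations([BUILTIN_ROLES["Monitoring Contributor"]]))
    print("all three built-ins lack:", missing_operations(list(BUILTIN_ROLES.values())))
    for cmd in az_commands("role.json", role["Name"], "11111111-1111-1111-1111-111111111111",
                           role["assignableScopes"][0]):
        print(cmd)
```

The gap check is the part worth keeping around: when a later KubeForenSys release needs a new operation, extend `REQUIRED_ACTIONS`, re-run it against the exported real role definitions, and you know whether to add the operation to the custom role or whether an already-assigned built-in role happens to cover it.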