Description

The official Helm chart to deploy Apache Airflow, a platform to programmatically author, schedule, and monitor workflows

Overview

Identity                     | Namespace | Automount | Secrets | Permissions | Workloads | Risk
-----------------------------|-----------|-----------|---------|-------------|-----------|-------
airflow-worker               | default   |           |         | 4           | 2         | High
airflow-triggerer            | default   |           |         | 2           | 2         | Medium
airflow-webserver            | default   |           |         | 2           | 1         | Medium
airflow-create-user-job      | default   |           |         | 0           | 1         |
airflow-migrate-database-job | default   |           |         | 0           | 1         |
airflow-redis                | default   |           |         | 0           | 1         |
airflow-scheduler            | default   |           |         | 0           | 2         |
airflow-statsd               | default   |           |         | 0           | 1         |

The Permissions and Workloads columns give the number of RBAC bindings and workloads that involve each ServiceAccount.


Identities

🤖 airflow-worker

Namespace: default  |  Automount:

🔑 Permissions (4)

Role                           | Resource       | Verbs                                        | Risk   | Tags
-------------------------------|----------------|----------------------------------------------|--------|-----
Role airflow-pod-launcher-role | core/pods      | create · delete · get · list · patch · watch | High   | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution
Role airflow-pod-launcher-role | core/pods/exec | create · get                                 | High   | CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation
Role airflow-pod-launcher-role | core/pods/log  | get                                          | Medium | DataExposure InformationDisclosure LogAccess
Role airflow-pod-launcher-role | core/events    | list                                         | Low    |

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind        | Name           | Container          | Image
------------|----------------|--------------------|----------------------
StatefulSet | airflow-worker | worker             | apache/airflow:2.10.5
StatefulSet | airflow-worker | worker-log-groomer | apache/airflow:2.10.5

🤖 airflow-triggerer

Namespace: default  |  Automount:

🔑 Permissions (2)

Role                             | Resource      | Verbs              | Risk   | Tags
---------------------------------|---------------|--------------------|--------|-----
Role airflow-pod-log-reader-role | core/pods/log | get · list         | Medium | DataExposure InformationDisclosure LogAccess
Role airflow-pod-log-reader-role | core/pods     | get · list · watch | Low    |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind        | Name              | Container             | Image
------------|-------------------|-----------------------|----------------------
StatefulSet | airflow-triggerer | triggerer             | apache/airflow:2.10.5
StatefulSet | airflow-triggerer | triggerer-log-groomer | apache/airflow:2.10.5

🤖 airflow-webserver

Namespace: default  |  Automount:

🔑 Permissions (2)

Role                             | Resource      | Verbs              | Risk   | Tags
---------------------------------|---------------|--------------------|--------|-----
Role airflow-pod-log-reader-role | core/pods/log | get · list         | Medium | DataExposure InformationDisclosure LogAccess
Role airflow-pod-log-reader-role | core/pods     | get · list · watch | Low    |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind       | Name              | Container | Image
-----------|-------------------|-----------|----------------------
Deployment | airflow-webserver | webserver | apache/airflow:2.10.5

🤖 airflow-create-user-job

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind | Name                | Container   | Image
-----|---------------------|-------------|----------------------
Job  | airflow-create-user | create-user | apache/airflow:2.10.5

🤖 airflow-migrate-database-job

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind | Name                           | Container              | Image
-----|--------------------------------|------------------------|----------------------
Job  | airflow-run-airflow-migrations | run-airflow-migrations | apache/airflow:2.10.5

🤖 airflow-redis

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind        | Name          | Container | Image
------------|---------------|-----------|--------------------
StatefulSet | airflow-redis | redis     | redis:7.2-bookworm

🤖 airflow-scheduler

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (2)

Kind       | Name              | Container             | Image
-----------|-------------------|-----------------------|----------------------
Deployment | airflow-scheduler | scheduler             | apache/airflow:2.10.5
Deployment | airflow-scheduler | scheduler-log-groomer | apache/airflow:2.10.5

🤖 airflow-statsd

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind       | Name           | Container | Image
-----------|----------------|-----------|------------------------------------------
Deployment | airflow-statsd | statsd    | quay.io/prometheus/statsd-exporter:v0.28.0