Description

The Solr Operator enables easy management of Solr resources within Kubernetes.

Overview

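| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| solr-operator | default | | | 30 | 1 | Critical |
| zookeeper-operator | default | | | 15 | 1 | Critical |
| solr-operator-zookeeper-operator-pre-delete | default | | | 1 | 1 | High |
| solr-operator-zookeeper-operator-post-install-upgrade | default | | | 2 | 1 | Medium |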

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 solr-operator

Namespace: default  |  Automount:

🔑 Permissions (30)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole solr-operator-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole solr-operator-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| Role solr-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole solr-operator-role | core/pods/exec | create | Critical | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more) |
| ClusterRole solr-operator-role | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
| ClusterRole solr-operator-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole solr-operator-role | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| Role solr-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole solr-operator-role | networking.k8s.io/ingresses | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole solr-operator-role | policy/poddisruptionbudgets | create · delete · get · list · patch · update · watch | Medium | AvailabilityImpact DenialOfService Tampering |
| ClusterRole solr-operator-role | core/configmaps/status | get | Low | |
| ClusterRole solr-operator-role | apps/deployments/status | get | Low | |
| Role solr-operator-leader-election-role | core/events | create · patch | Low | |
| ClusterRole solr-operator-role | networking.k8s.io/ingresses/status | get | Low | |
| ClusterRole solr-operator-role | core/persistentvolumeclaims | delete · get · list · watch | Low | |
| ClusterRole solr-operator-role | core/pods | delete · get · list · watch | Low | |
| ClusterRole solr-operator-role | core/pods/status | get · patch | Low | |
| ClusterRole solr-operator-role | core/services/status | get | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrbackups | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrbackups/finalizers | update | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrbackups/status | get · patch · update | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrclouds | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrclouds/finalizers | update | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrclouds/status | get · patch · update | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrprometheusexporters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrprometheusexporters/finalizers | update | Low | |
| ClusterRole solr-operator-role | solr.apache.org/solrprometheusexporters/status | get · patch · update | Low | |
| ClusterRole solr-operator-role | apps/statefulsets/status | get | Low | |
| ClusterRole solr-operator-role | zookeeper.pravega.io/zookeeperclusters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole solr-operator-role | zookeeper.pravega.io/zookeeperclusters/status | get | Low | |

⚠️ Potential Abuse (20)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | solr-operator | solr-operator | apache/solr-operator:v0.9.1 |

🤖 zookeeper-operator

Namespace: default  |  Automount:

🔑 Permissions (15)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole solr-operator-zookeeper-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | apps/daemonsets | * | Critical | ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | core/endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | core/nodes | * | Critical | ClusterWideAccess DenialOfService NodeAccess PotentialPrivilegeEscalation ResourceDeletion (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | core/pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more) |
| ClusterRole solr-operator-zookeeper-operator | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more) |
| ClusterRole solr-operator-zookeeper-operator | core/serviceaccounts | * | Critical | ClusterAdminAccess ClusterWideAccess IdentityManagement Impersonation PotentialPrivilegeEscalation (+4 more) |
| ClusterRole solr-operator-zookeeper-operator | core/services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more) |
| ClusterRole solr-operator-zookeeper-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole solr-operator-zookeeper-operator | zookeeper.pravega.io/* | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole solr-operator-zookeeper-operator | core/persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole solr-operator-zookeeper-operator | apps/replicasets | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole solr-operator-zookeeper-operator | core/events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission |
| ClusterRole solr-operator-zookeeper-operator | policy/poddisruptionbudgets | * | Medium | AvailabilityImpact ClusterWideAccess DenialOfService Tampering WildcardPermission |

⚠️ Potential Abuse (30)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | solr-operator-zookeeper-operator | solr-operator-zookeeper-operator | pravega/zookeeper-operator:0.2.15 |

🤖 solr-operator-zookeeper-operator-pre-delete

Namespace: default  |  Automount:

🔑 Permissions (1)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole solr-operator-zookeeper-operator-pre-delete | zookeeper.pravega.io/* | get · list | High | ClusterWideAccess WildcardPermission |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | solr-operator-zookeeper-operator-pre-delete | pre-delete-job | lachlanevenson/k8s-kubectl:v1.23.2 |

🤖 solr-operator-zookeeper-operator-post-install-upgrade

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role solr-operator-zookeeper-operator-post-install-upgrade | zookeeper.pravega.io/* | get | Medium | NamespaceAdmin NamespaceWideAccess WildcardPermission |
| Role solr-operator-zookeeper-operator-post-install-upgrade | extensions/deployments | get | Low | |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | solr-operator-zookeeper-operator-post-install-upgrade | post-install-upgrade-job | lachlanevenson/k8s-kubectl:v1.23.2 |