Description

A Helm chart for External DNS Operator by AppsCode

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| external-dns-operator | default | | | 19 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 external-dns-operator

Namespace: default  |  Automount:

🔑 Permissions (19)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole external-dns-operator | apiextensions.k8s.io/customresourcedefinitions | * | Critical | CRDManipulation ClusterWideAccess PotentialPrivilegeEscalation Tampering WildcardPermission |
| ClusterRole external-dns-operator | core/pods | create · get · list · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution |
| ClusterRole external-dns-operator | core/secrets | create · get · list · patch · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole external-dns-operator | external-dns.appscode.com/* | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole external-dns-operator | core/configmaps | create · get · list · patch · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole external-dns-operator | externaldns.k8s.io/dnsendpoints/status | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole external-dns-operator | monitoring.coreos.com/servicemonitors | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole external-dns-operator | rbac.authorization.k8s.io/clusterrolebindings | create · get · patch · update | Low | |
| ClusterRole external-dns-operator | rbac.authorization.k8s.io/clusterroles | create · get · patch · update | Low | |
| ClusterRole external-dns-operator | externaldns.k8s.io/dnsendpoints | get · list · watch | Low | |
| ClusterRole external-dns-operator | core/endpoints | get · list · watch | Low | |
| ClusterRole external-dns-operator | core/events | create | Low | |
| ClusterRole external-dns-operator | extensions/ingresses | get · list · watch | Low | |
| ClusterRole external-dns-operator | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole external-dns-operator | core/nodes | list · watch | Low | |
| ClusterRole external-dns-operator | rbac.authorization.k8s.io/rolebindings | create · get · patch · update | Low | |
| ClusterRole external-dns-operator | rbac.authorization.k8s.io/roles | create · get · patch · update | Low | |
| ClusterRole external-dns-operator | core/serviceaccounts | create · get · list · patch · watch | Low | |
| ClusterRole external-dns-operator | core/services | get · list · watch | Low | |

⚠️ Potential Abuse (9)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | external-dns-operator | external-dns-operator | ghcr.io/appscode/external-dns-operator:v0.0.8 |