grafana-operator :: RBAC ATLAS

Description

A Helm chart for Grafana Operator by AppsCode

https://github.com/open-viz/grafana-operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`grafana-operator`	default	❌	—	20	2	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `grafana-operator`

Namespace: default | Automount: ❌

🔑 Permissions (20)

Role	Resource	Verbs	Risk	Tags
ClusterRole `grafana-operator`	apiextensions.k8s.io/customresourcedefinitions	*	Critical	CRDManipulation ClusterWideAccess PotentialPrivilegeEscalation Tampering WildcardPermission
ClusterRole `grafana-operator`	core/pods	create · get · list	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution
ClusterRole `grafana-operator`	core/pods/exec	create · get · list	Critical	ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole `grafana-operator`	appcatalog.appscode.com/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `grafana-operator`	openviz.dev/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `grafana-operator`	core/configmaps	create · get · list · patch · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `grafana-operator`	monitoring.coreos.com/servicemonitors	*	High	ClusterWideAccess WildcardPermission
ClusterRole `grafana-operator`	admissionregistration.k8s.io/mutatingwebhookconfigurations	delete · list · patch · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `grafana-operator`	admissionregistration.k8s.io/validatingwebhookconfigurations	delete · list · patch · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `grafana-operator`	apiregistration.k8s.io/apiservices	delete · get · patch	Low
ClusterRole `grafana-operator`	rbac.authorization.k8s.io/clusterrolebindings	create · get · patch · update	Low
ClusterRole `grafana-operator`	rbac.authorization.k8s.io/clusterroles	create · get · patch · update	Low
ClusterRole `grafana-operator`	apps/deployments	create · get · patch · update	Low
ClusterRole `grafana-operator`	core/events	create	Low
ClusterRole `grafana-operator`	core/nodes	list	Low
ClusterRole `grafana-operator`	rbac.authorization.k8s.io/rolebindings	create · get · patch · update	Low
ClusterRole `grafana-operator`	rbac.authorization.k8s.io/roles	create · get · patch · update	Low
ClusterRole `grafana-operator`	core/secrets	create · get · patch	Low
ClusterRole `grafana-operator`	core/serviceaccounts	create · get · patch	Low
ClusterRole `grafana-operator`	core/services	create · get · patch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	grafana-operator	operator	appscode/grafana-tools:v0.0.1
Job	grafana-operator-cleaner	kubectl	appscode/kubectl:v1.22

grafana-operator

Description

Overview

Identities

🤖 grafana-operator

🔑 Permissions (20)

⚠️ Potential Abuse (11)

📦 Workloads (2)

🤖 `grafana-operator`