operator-shard-manager
v2025.3.14
1 Service Accounts
1 Workloads
4 Bindings
2 Critical
1 High
1 Low
Description
A Helm chart for OpenShift
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
operator-shard-manager | default | ❌ | — | 4 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 operator-shard-manager
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole operator-shard-manager | * | create · get · list · patch · update · watch | Critical | AvailabilityImpact CSRApproval CSRCreation CertificateManagement ClusterAdminAccess (+47 more) |
Role operator-shard-manager:leader-election | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role operator-shard-manager:leader-election | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role operator-shard-manager:leader-election | core/events | create · patch | Low |
⚠️ Potential Abuse (52)
The following security risks were found based on the above permissions:
- Cluster-wide pod exec
- Namespaced pod exec
- Cluster-wide pod attach
- Namespaced pod attach
- Cluster-wide pod port-forward
- Namespaced pod port-forward
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify node configuration (labels, taints)
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Manage ephemeral containers cluster-wide
- Manage ephemeral containers in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Create ServiceAccount Tokens
- Create ServiceAccount Tokens (ClusterRole for any SA in any namespace)
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Create LocalSubjectAccessReviews (check permissions in a namespace)
- Approve CertificateSigningRequests
- Create CertificateSigningRequests
- Evict Pods cluster-wide
- Evict Pods in a namespace
- Patch node status cluster-wide
- Read events cluster-wide
- Read RBAC configuration cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
- Create/Update ControllerRevisions (Potential Tampering)
- Create SelfSubjectRulesReviews (Discover Own Permissions)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Update CertificateSigningRequest Status (Tampering/DoS)
- Update NetworkPolicy Status (Cluster-wide Tampering)
- Update PodDisruptionBudget Status (Namespace Tampering/DoS)
- Read ComponentStatuses (Control Plane Reconnaissance)
- Update Deployment Scale (Resource Abuse/DoS)
- Update StatefulSet Scale (Resource Abuse/DoS)
- Read CSINode Objects (Node & Storage Reconnaissance)
- Read CSIStorageCapacities (Namespace Storage Reconnaissance)
- Watch All Resources in a Namespace (Broad Information Disclosure)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | operator-shard-manager | operator | ghcr.io/appscode/operator-shard-manager:v0.0.3 |