argo-rollouts
v2.39.6
1 Service Accounts
1 Workloads
46 Bindings
2 Critical
2 High
42 Low
Description
A Helm chart for Argo Rollouts
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
argo-rollouts | default | ❌ | — | 46 | 1 | Critical |
Numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 argo-rollouts
Namespace: default | Automount: ❌
🔑 Permissions (46)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole argo-rollouts | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole argo-rollouts | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole argo-rollouts | core/configmaps | create · get · list · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole argo-rollouts | networking.gloo.solo.io/routetables | * | High | ClusterWideAccess |
ClusterRole argo-rollouts | getambassador.io/ambassadormappings | create · delete · get · list · update · watch | Low | |
ClusterRole argo-rollouts | x.getambassador.io/ambassadormappings | create · delete · get · list · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/analysisruns | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/analysisruns/finalizers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/analysistemplates | get · list · watch | Low | |
ClusterRole argo-rollouts | apisix.apache.org/apisixroutes | get · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/clusteranalysistemplates | get · list · watch | Low | |
ClusterRole argo-rollouts | apps/deployments | get · list · update · watch | Low | |
ClusterRole argo-rollouts | core/deployments | get · list · update · watch | Low | |
ClusterRole argo-rollouts | networking.istio.io/destinationrules | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | core/endpoints | get | Low | |
ClusterRole argo-rollouts | core/events | create · patch · update | Low | |
ClusterRole argo-rollouts | argoproj.io/experiments | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/experiments/finalizers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | gateway.networking.k8s.io/grpcroutes | get · list · update · watch | Low | |
ClusterRole argo-rollouts | projectcontour.io/httpproxies | get · list · update · watch | Low | |
ClusterRole argo-rollouts | gateway.networking.k8s.io/httproutes | get · list · update · watch | Low | |
ClusterRole argo-rollouts | extensions/ingresses | create · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | networking.k8s.io/ingresses | create · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | coordination.k8s.io/leases | create · get · update | Low | |
ClusterRole argo-rollouts | getambassador.io/mappings | create · delete · get · list · update · watch | Low | |
ClusterRole argo-rollouts | x.getambassador.io/mappings | create · delete · get · list · update · watch | Low | |
ClusterRole argo-rollouts | core/pods | list · update · watch | Low | |
ClusterRole argo-rollouts | core/pods/eviction | create | Low | |
ClusterRole argo-rollouts | apps/podtemplates | get · list · update · watch | Low | |
ClusterRole argo-rollouts | core/podtemplates | get · list · update · watch | Low | |
ClusterRole argo-rollouts | apps/replicasets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/rollouts | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/rollouts/finalizers | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | argoproj.io/rollouts/status | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | core/services | create · delete · get · list · patch · watch | Low | |
ClusterRole argo-rollouts | elbv2.k8s.aws/targetgroupbindings | get · list | Low | |
ClusterRole argo-rollouts | gateway.networking.k8s.io/tcproutes | get · list · update · watch | Low | |
ClusterRole argo-rollouts | gateway.networking.k8s.io/tlsroutes | get · list · update · watch | Low | |
ClusterRole argo-rollouts | traefik.containo.us/traefikservices | get · update · watch | Low | |
ClusterRole argo-rollouts | traefik.io/traefikservices | get · update · watch | Low | |
ClusterRole argo-rollouts | split.smi-spec.io/trafficsplits | create · get · patch · update · watch | Low | |
ClusterRole argo-rollouts | gateway.networking.k8s.io/udproutes | get · list · update · watch | Low | |
ClusterRole argo-rollouts | appmesh.k8s.aws/virtualnodes | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | appmesh.k8s.aws/virtualrouters | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts | appmesh.k8s.aws/virtualservices | get · list · watch | Low | |
ClusterRole argo-rollouts | networking.istio.io/virtualservices | get · list · patch · update · watch | Low | |
⚠️ Potential Abuse (8)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | argo-rollouts | argo-rollouts | quay.io/argoproj/argo-rollouts:v1.8.3 |