argo-events :: RBAC ATLAS

Description

A Helm chart to install Argo-Events in k8s Cluster

https://github.com/argoproj/argo-events

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`argo-events-sa`	default	❌	—	18	3	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `argo-events-sa`

Namespace: default | Automount: ❌

🔑 Permissions (18)

Role	Resource	Verbs	Risk	Tags
Role `argo-events-role`	core/secrets	create · delete · get · list · patch · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more)
Role `argo-events-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
Role `argo-events-role`	apps/deployments	create · delete · get · list · patch · update · watch	High	Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle
Role `argo-events-role`	core/pods	create · delete · get · list · patch · update · watch	High	LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution
Role `argo-events-role`	core/pods/exec	create · delete · get · list · patch · update · watch	High	CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation
Role `argo-events-role`	core/services	create · delete · get · list · patch · update · watch	High	DenialOfService NetworkManipulation ServiceExposure Tampering
Role `argo-events-role`	apps/statefulsets	create · delete · get · list · patch · update · watch	High	Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle
Role `argo-events-role`	apiextensions.k8s.io/customresourcedefinitions	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventbus	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventbus/finalizers	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventbus/status	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventsources	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventsources/finalizers	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/eventsources/status	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	core/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/sensors	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/sensors/finalizers	create · delete · deletecollection · get · list · patch · update · watch	Low
Role `argo-events-role`	argoproj.io/sensors/status	create · delete · deletecollection · get · list · patch · update · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (3)

Kind	Name	Container	Image
Deployment	argo-events-eventbus-controller	eventbus-controller	quay.io/argoproj/argo-events:v1.5.0
Deployment	argo-events-eventsource-controller	eventsource-controller	quay.io/argoproj/argo-events:v1.5.0
Deployment	argo-events-sensor-controller	sensor-controller	quay.io/argoproj/argo-events:v1.5.0

argo-events

Description

Overview

Identities

🤖 argo-events-sa

🔑 Permissions (18)

⚠️ Potential Abuse (11)

📦 Workloads (3)

🤖 `argo-events-sa`