- 1 Service Accounts
- 1 Workloads
- 24 Bindings
- 1 Critical
- 7 High
- 16 Low
Description
A Helm chart to install Argo-Events in k8s Cluster
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| argo-events-sa | default | ❌ | — | 24 | 3 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 argo-events-sa
Namespace: default | Automount: ❌
🔑 Permissions (24)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role argo-events-role | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
| Role argo-events-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| Role argo-events-role | apps/deployments | create · delete · get · list · patch · update · watch | High | Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
| Role argo-events-role | batch/jobs | create · delete · get · list · patch · update · watch | High | PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
| Role argo-events-role | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
| Role argo-events-role | core/pods/exec | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation |
| Role argo-events-role | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| Role argo-events-role | apps/statefulsets | create · delete · get · list · patch · update · watch | High | Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
| Role argo-events-role | apiextensions.k8s.io/customresourcedefinitions | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventbus | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventbus/finalizers | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventbus/status | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | core/events | create · delete · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventsources | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventsources/finalizers | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/eventsources/status | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/sensors | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/sensors/finalizers | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/sensors/status | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/workflows | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/workflows/finalizers | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/workflowtemplates | create · delete · deletecollection · get · list · patch · update · watch | Low | |
| Role argo-events-role | argoproj.io/workflowtemplates/finalizers | create · delete · deletecollection · get · list · patch · update · watch | Low | |
⚠️ Potential Abuse (12)
The following security risks were found based on the above permissions:
- Namespaced pod exec
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets in a namespace
- Modify secrets in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage StatefulSets in a namespace
- Manage Jobs in a namespace (one-off privileged execution)
- Manage Services in a namespace
📦 Workloads (3)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-events-eventbus-controller | eventbus-controller | argoproj/eventbus-controller:v1.3.1 |
| Deployment | argo-events-eventsource-controller | eventsource-controller | argoproj/eventsource-controller:v1.3.1 |
| Deployment | argo-events-sensor-controller | sensor-controller | argoproj/sensor-controller:v1.3.1 |