1 Service Accounts
1 Workloads
21 Bindings
2 Critical
19 Low
Description
A Helm chart for Argo Rollouts
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
argo-rollouts | default | ❌ | — | 21 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 argo-rollouts
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole argo-rollouts-clusterrole | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole argo-rollouts-clusterrole | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole argo-rollouts-clusterrole | argoproj.io/analysisruns | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/analysisruns/finalizers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/analysistemplates | get · list · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/clusteranalysistemplates | get · list · watch | Low | |
ClusterRole argo-rollouts-clusterrole | networking.istio.io/destinationrules | get · list · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | core/events | create · patch · update | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/experiments | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/experiments/finalizers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | extensions/ingresses | create · get · list · patch · watch | Low | |
ClusterRole argo-rollouts-clusterrole | networking.k8s.io/ingresses | create · get · list · patch · watch | Low | |
ClusterRole argo-rollouts-clusterrole | core/pods | list · update | Low | |
ClusterRole argo-rollouts-clusterrole | core/pods/eviction | create | Low | |
ClusterRole argo-rollouts-clusterrole | apps/replicasets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/rollouts | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/rollouts/finalizers | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | argoproj.io/rollouts/status | get · list · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | core/services | get · list · patch · watch | Low | |
ClusterRole argo-rollouts-clusterrole | split.smi-spec.io/trafficsplits | create · get · patch · update · watch | Low | |
ClusterRole argo-rollouts-clusterrole | networking.istio.io/virtualservices | get · list · update · watch | Low |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | argo-rollouts | argo-rollouts | argoproj/argo-rollouts:v0.10.2 |