argocd-image-updater :: RBAC ATLAS

Description

A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`argocd-image-updater`	default	❌	—	10	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Namespace: default | Automount: ❌

Role	Resource	Verbs	Risk	Tags
Role `argocd-image-updater-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
Role `argocd-image-updater`	core/secrets	get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `argocd-image-updater-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
Role `argocd-image-updater`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `argocd-image-updater`	argoproj.io/applications	get · list · patch · update · watch	Low
ClusterRole `argocd-image-updater`	core/events	create	Low
Role `argocd-image-updater-leader-election-role`	core/events	create · patch	Low
ClusterRole `argocd-image-updater`	argocd-image-updater.argoproj.io/imageupdaters	create · delete · get · list · patch · update · watch	Low
ClusterRole `argocd-image-updater`	argocd-image-updater.argoproj.io/imageupdaters/finalizers	update	Low
ClusterRole `argocd-image-updater`	argocd-image-updater.argoproj.io/imageupdaters/status	get · patch · update	Low

The following security risks were found based on the above permissions:

Kind	Name	Container	Image
Deployment	argocd-image-updater-controller	argocd-image-updater-controller	quay.io/argoprojlabs/argocd-image-updater:v1.0.1