rabbitmq-cluster-operator

Description

The RabbitMQ Cluster Kubernetes Operator automates provisioning, management, and operations of RabbitMQ clusters running on Kubernetes.

https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq-cluster-operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`rabbitmq-cluster-operator`	default	❌	—	17	1	Critical
`rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	default	❌	—	47	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`

Namespace: default | Automount: ❌

🔑 Permissions (47)

Role	Resource	Verbs	Risk	Tags
Role `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	core/secrets	create · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/bindings	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/bindings/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/bindings/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	core/events	create · get · patch	Low
Role `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	core/events	create	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/exchanges	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/exchanges/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/exchanges/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/federations	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/federations/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/federations/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/operatorpolicies	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/operatorpolicies/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/operatorpolicies/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/permissions	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/permissions/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/permissions/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/policies	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/policies/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/policies/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/queues	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/queues/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/queues/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/rabbitmqclusters	get · list · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/rabbitmqclusters/status	get	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/schemareplications	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/schemareplications/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/schemareplications/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	core/services	get · list · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/shovels	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/shovels/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/shovels/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/superstreams	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/superstreams/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/superstreams/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/topicpermissions	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/topicpermissions/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/topicpermissions/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/users	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/users/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/users/status	get · patch · update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/vhosts	create · delete · get · list · patch · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/vhosts/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`	rabbitmq.com/vhosts/status	get · patch · update	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator	rabbitmq-cluster-operator	docker.io/bitnami/rmq-messaging-topology-operator:1.17.2-debian-12-r0

🤖 `rabbitmq-cluster-operator`

Namespace: default | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
Role `rabbitmq-cluster-operator`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
ClusterRole `rabbitmq-cluster-operator-default`	core/pods/exec	create	Critical	ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole `rabbitmq-cluster-operator-default`	core/secrets	create · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `rabbitmq-cluster-operator-default`	core/configmaps	create · get · list · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `rabbitmq-cluster-operator-default`	rbac.authorization.k8s.io/rolebindings	create · get · list · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `rabbitmq-cluster-operator-default`	rbac.authorization.k8s.io/roles	create · get · list · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `rabbitmq-cluster-operator-default`	core/endpoints	get · list · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	core/events	create · get · patch	Low
Role `rabbitmq-cluster-operator`	core/events	create	Low
ClusterRole `rabbitmq-cluster-operator-default`	core/persistentvolumeclaims	create · get · list · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	core/pods	get · list · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	rabbitmq.com/rabbitmqclusters	create · get · list · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	rabbitmq.com/rabbitmqclusters/finalizers	update	Low
ClusterRole `rabbitmq-cluster-operator-default`	rabbitmq.com/rabbitmqclusters/status	get · update	Low
ClusterRole `rabbitmq-cluster-operator-default`	core/serviceaccounts	create · get · list · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	core/services	create · get · list · update · watch	Low
ClusterRole `rabbitmq-cluster-operator-default`	apps/statefulsets	create · delete · get · list · update · watch	Low

⚠️ Potential Abuse (9)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	rabbitmq-cluster-operator	rabbitmq-cluster-operator	docker.io/bitnami/rabbitmq-cluster-operator:2.15.0-debian-12-r0

rabbitmq-cluster-operator

Description

Overview

Identities

🤖 rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator

🔑 Permissions (47)

⚠️ Potential Abuse (6)

📦 Workloads (1)

🤖 rabbitmq-cluster-operator

🔑 Permissions (17)

⚠️ Potential Abuse (9)

📦 Workloads (1)

🤖 `rabbitmq-cluster-operator-rabbitmq-messaging-topology-operator`

🤖 `rabbitmq-cluster-operator`