4 Service Accounts
4 Workloads
69 Bindings
7 Critical
3 Medium
59 Low
Description
A Helm chart for cert-manager
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
cert-manager | default | ✅ | — | 55 | 1 | Critical |
cert-manager-cainjector | default | ✅ | — | 10 | 1 | Critical |
cert-manager-webhook | default | ✅ | — | 3 | 1 | Medium |
cert-manager-startupapicheck | default | ✅ | — | 1 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 cert-manager
Namespace: default | Automount: ✅
🔑 Permissions (55)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cert-manager-controller-challenges | core/pods | create · delete · get · list · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution |
ClusterRole cert-manager-controller-certificates | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
ClusterRole cert-manager-controller-challenges | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole cert-manager-controller-clusterissuers | core/secrets | create · delete · get · list · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole cert-manager-controller-issuers | core/secrets | create · delete · get · list · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole cert-manager-controller-orders | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificaterequests | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | cert-manager.io/certificaterequests | create · delete · get · list · update · watch | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificaterequests/finalizers | update | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificaterequests/status | patch · update | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificates | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | cert-manager.io/certificates | create · delete · get · list · update · watch | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificates/finalizers | update | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/certificates/status | patch · update | Low | |
ClusterRole cert-manager-controller-challenges | acme.cert-manager.io/challenges | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-orders | acme.cert-manager.io/challenges | create · delete · get · list · watch | Low | |
ClusterRole cert-manager-controller-challenges | acme.cert-manager.io/challenges/finalizers | update | Low | |
ClusterRole cert-manager-controller-challenges | acme.cert-manager.io/challenges/status | patch · update | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/clusterissuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-challenges | cert-manager.io/clusterissuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-clusterissuers | cert-manager.io/clusterissuers | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | cert-manager.io/clusterissuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-orders | cert-manager.io/clusterissuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-clusterissuers | cert-manager.io/clusterissuers/status | patch · update | Low | |
ClusterRole cert-manager-controller-certificates | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-challenges | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-clusterissuers | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-ingress-shim | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-issuers | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-orders | core/events | create · patch | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/gateways | get · list · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/gateways/finalizers | update | Low | |
ClusterRole cert-manager-controller-challenges | gateway.networking.k8s.io/httproutes | create · delete · get · list · update · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/httproutes | get · list · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/httproutes/finalizers | update | Low | |
ClusterRole cert-manager-controller-challenges | networking.k8s.io/ingresses | create · delete · get · list · update · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | networking.k8s.io/ingresses/finalizers | update | Low | |
ClusterRole cert-manager-controller-certificates | cert-manager.io/issuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-challenges | cert-manager.io/issuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | cert-manager.io/issuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-issuers | cert-manager.io/issuers | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-orders | cert-manager.io/issuers | get · list · watch | Low | |
ClusterRole cert-manager-controller-issuers | cert-manager.io/issuers/status | patch · update | Low | |
Role cert-manager:leaderelection | coordination.k8s.io/leases | create | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/listenersets | get · list · watch | Low | |
ClusterRole cert-manager-controller-ingress-shim | gateway.networking.k8s.io/listenersets/finalizers | update | Low | |
ClusterRole cert-manager-controller-certificates | acme.cert-manager.io/orders | create · delete · get · list · watch | Low | |
ClusterRole cert-manager-controller-orders | acme.cert-manager.io/orders | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-controller-orders | acme.cert-manager.io/orders/finalizers | update | Low | |
ClusterRole cert-manager-controller-orders | acme.cert-manager.io/orders/status | patch · update | Low | |
ClusterRole cert-manager-controller-challenges | route.openshift.io/routes/custom-host | create | Low | |
ClusterRole cert-manager-controller-challenges | core/services | create · delete · get · list · watch | Low | |
Role cert-manager-tokenrequest | core/serviceaccounts/token (restricted to: cert-manager) | create | Low | ResourceNameRestricted |
Role cert-manager:leaderelection | coordination.k8s.io/leases (restricted to: cert-manager-controller) | get · patch · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Create pods cluster-wide
- Create pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cert-manager | cert-manager-controller | quay.io/jetstack/cert-manager-controller:v1.21.0-alpha.0 |
🤖 cert-manager-cainjector
Namespace: default | Automount: ✅
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cert-manager-cainjector | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole cert-manager-cainjector | admissionregistration.k8s.io/mutatingwebhookconfigurations | get · list · patch · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole cert-manager-cainjector | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · patch · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole cert-manager-cainjector | apiregistration.k8s.io/apiservices | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-cainjector | cert-manager.io/certificates | get · list · watch | Low | |
ClusterRole cert-manager-cainjector | apiextensions.k8s.io/customresourcedefinitions | get · list · patch · update · watch | Low | |
ClusterRole cert-manager-cainjector | core/events | create · get · patch · update | Low | |
Role cert-manager-cainjector:leaderelection | coordination.k8s.io/leases | create | Low | |
Role cert-manager-cainjector:leaderelection | coordination.k8s.io/leases (restricted to: cert-manager-cainjector-leader-election) | get · patch · update | Low | ResourceNameRestricted |
Role cert-manager-cainjector:leaderelection | coordination.k8s.io/leases (restricted to: cert-manager-cainjector-leader-election-core) | get · patch · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- List ValidatingWebhookConfigurations (Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cert-manager-cainjector | cert-manager-cainjector | quay.io/jetstack/cert-manager-cainjector:v1.21.0-alpha.0 |
🤖 cert-manager-webhook
Namespace: default | Automount: ✅
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cert-manager-webhook:subjectaccessreviews | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
Role cert-manager-webhook:dynamic-serving | core/secrets | create | Low | |
Role cert-manager-webhook:dynamic-serving | core/secrets (restricted to: cert-manager-webhook-ca) | get · list · update · watch | Low | CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cert-manager-webhook | cert-manager-webhook | quay.io/jetstack/cert-manager-webhook:v1.21.0-alpha.0 |
🤖 cert-manager-startupapicheck
Namespace: default | Automount: ✅
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role cert-manager-startupapicheck:create-cert | cert-manager.io/certificaterequests | create | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | cert-manager-startupapicheck | cert-manager-startupapicheck | quay.io/jetstack/cert-manager-startupapicheck:v1.21.0-alpha.0 |