cilium :: RBAC ATLAS

Description

eBPF-based Networking, Security, and Observability

https://github.com/cilium/cilium

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`cilium`	default	❌	—	33	1	Critical
`cilium-operator`	default	❌	—	34	1	Critical
`cilium-envoy`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `cilium-operator`

Namespace: default | Automount: ❌

🔑 Permissions (34)

Role	Resource	Verbs	Risk	Tags
ClusterRole `cilium-operator`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `cilium-operator-tlsinterception-secrets`	core/secrets	create · delete · patch · update	Critical	Persistence PotentialPrivilegeEscalation SecretAccess Tampering
ClusterRole `cilium-operator`	cilium.io/ciliumbgpadvertisements	create · delete · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgpclusterconfigs	get · list · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgpclusterconfigs/status	update	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgpnodeconfigoverrides	get · list · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgpnodeconfigs	create · delete · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgppeerconfigs	create · delete · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgppeerconfigs/status	update	Low
ClusterRole `cilium-operator`	cilium.io/ciliumbgppeeringpolicies	get · list · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumclusterwidenetworkpolicies	create · deletecollection · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumclusterwidenetworkpolicies/status	patch · update	Low
ClusterRole `cilium-operator`	cilium.io/ciliumendpoints	delete · list · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumendpointslices	create · delete · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumenvoyconfigs	create · delete · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumidentities	delete · list · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumloadbalancerippools	get · list · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumloadbalancerippools/status	patch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumnetworkpolicies	create · deletecollection · get · list · patch · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumnetworkpolicies/status	patch · update	Low
ClusterRole `cilium-operator`	cilium.io/ciliumnodes	create · delete · get · list · update · watch	Low
ClusterRole `cilium-operator`	cilium.io/ciliumnodes/status	update	Low
ClusterRole `cilium-operator`	cilium.io/ciliumpodippools	create · get · list · watch	Low
ClusterRole `cilium-operator`	core/configmaps	patch	Low
ClusterRole `cilium-operator`	apiextensions.k8s.io/customresourcedefinitions	create · get · list · update · watch	Low
ClusterRole `cilium-operator`	core/endpoints	get · list · watch	Low
ClusterRole `cilium-operator`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `cilium-operator`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `cilium-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `cilium-operator`	core/nodes	list · patch · watch	Low
ClusterRole `cilium-operator`	core/nodes/status	patch	Low
ClusterRole `cilium-operator`	core/pods	delete · get · list · watch	Low
ClusterRole `cilium-operator`	core/services	get · list · watch	Low
ClusterRole `cilium-operator`	core/services/status	patch · update	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	cilium-operator	cilium-operator	quay.io/cilium/operator-generic:v1.17.4@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5

🤖 `cilium`

Namespace: default | Automount: ❌

🔑 Permissions (33)

Role	Resource	Verbs	Risk	Tags
Role `cilium-tlsinterception-secrets`	core/secrets	get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `cilium-config-agent`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `cilium`	cilium.io/ciliumbgpadvertisements	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumbgpnodeconfigs	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumbgpnodeconfigs/status	patch	Low
ClusterRole `cilium`	cilium.io/ciliumbgppeerconfigs	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumbgppeeringpolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumcidrgroups	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumclusterwideenvoyconfigs	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumclusterwidenetworkpolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumegressgatewaypolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumendpoints	create · delete · get · list · patch · watch	Low
ClusterRole `cilium`	cilium.io/ciliumendpoints/status	patch	Low
ClusterRole `cilium`	cilium.io/ciliumendpointslices	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumenvoyconfigs	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumidentities	create · list · update · watch	Low
ClusterRole `cilium`	cilium.io/ciliuml2announcementpolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliuml2announcementpolicies/status	patch	Low
ClusterRole `cilium`	cilium.io/ciliumloadbalancerippools	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumlocalredirectpolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumnetworkpolicies	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumnodeconfigs	list · watch	Low
ClusterRole `cilium`	cilium.io/ciliumnodes	create · get · list · update · watch	Low
ClusterRole `cilium`	cilium.io/ciliumnodes/status	get · update	Low
ClusterRole `cilium`	cilium.io/ciliumpodippools	list · watch	Low
ClusterRole `cilium`	apiextensions.k8s.io/customresourcedefinitions	get · list · watch	Low
ClusterRole `cilium`	core/endpoints	get · list · watch	Low
ClusterRole `cilium`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `cilium`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `cilium`	networking.k8s.io/networkpolicies	get · list · watch	Low
ClusterRole `cilium`	core/nodes	get · list · watch	Low
ClusterRole `cilium`	core/pods	get · list · watch	Low
ClusterRole `cilium`	core/services	get · list · watch	Low

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
DaemonSet	cilium	cilium-agent	quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a

🤖 `cilium-envoy`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
DaemonSet	cilium-envoy	cilium-envoy	quay.io/cilium/cilium-envoy:v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c@sha256:a04218c6879007d60d96339a441c448565b6f86650358652da27582e0efbf182

cilium

Description

Overview

Identities

🤖 cilium-operator

🔑 Permissions (34)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 cilium

🔑 Permissions (33)

⚠️ Potential Abuse (4)

📦 Workloads (1)

🤖 cilium-envoy

🔑 Permissions (0)

📦 Workloads (1)

🤖 `cilium-operator`

🤖 `cilium`

🤖 `cilium-envoy`