Summary
- Service Accounts: 3
- Workloads: 3
- Bindings: 89
- Critical: 3
- Medium: 1
- Low: 85
Description
eBPF-based Networking, Security, and Observability
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
cilium | default | ❌ | — | 33 | 1 | Critical |
cilium-operator | default | ❌ | — | 56 | 1 | Critical |
cilium-envoy | default | ❌ | — | 0 | 1 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 cilium-operator
Namespace: default | Automount: ❌
🔑 Permissions (56)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole cilium-operator | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role cilium-operator-tlsinterception-secrets | core/secrets | create · delete · patch · update | Critical | Persistence PotentialPrivilegeEscalation SecretAccess Tampering |
ClusterRole cilium-operator | cilium.io/ciliumbgpadvertisements | create · delete · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgpclusterconfigs | get · list · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgpclusterconfigs/status | update | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgpnodeconfigoverrides | get · list · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgpnodeconfigs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgppeerconfigs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgppeerconfigs/status | update | Low | |
ClusterRole cilium-operator | cilium.io/ciliumbgppeeringpolicies | get · list · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumclusterwidenetworkpolicies | create · deletecollection · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumclusterwidenetworkpolicies/status | patch · update | Low | |
ClusterRole cilium-operator | cilium.io/ciliumendpoints | delete · list · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumendpointslices | create · delete · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumenvoyconfigs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumidentities | delete · list · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumloadbalancerippools | get · list · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumloadbalancerippools/status | patch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumnetworkpolicies | create · deletecollection · get · list · patch · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumnetworkpolicies/status | patch · update | Low | |
ClusterRole cilium-operator | cilium.io/ciliumnodes | create · delete · get · list · update · watch | Low | |
ClusterRole cilium-operator | cilium.io/ciliumnodes/status | update | Low | |
ClusterRole cilium-operator | cilium.io/ciliumpodippools | create · get · list · watch | Low | |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions | create · get · list · watch | Low | |
ClusterRole cilium-operator | core/endpoints | get · list · watch | Low | |
ClusterRole cilium-operator | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole cilium-operator | coordination.k8s.io/leases | create · get · update | Low | |
ClusterRole cilium-operator | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole cilium-operator | core/nodes | list · patch · watch | Low | |
ClusterRole cilium-operator | core/nodes/status | patch | Low | |
ClusterRole cilium-operator | core/pods | delete · get · list · watch | Low | |
ClusterRole cilium-operator | core/services | get · list · watch | Low | |
ClusterRole cilium-operator | core/services/status | patch · update | Low | |
ClusterRole cilium-operator | core/configmaps (restricted to: cilium-config) | patch | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgpadvertisements.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgpclusterconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgpnodeconfigoverrides.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgpnodeconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgppeerconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumbgppeeringpolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumcidrgroups.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumclusterwideenvoyconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumclusterwidenetworkpolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumegressgatewaypolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumendpoints.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumendpointslices.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumenvoyconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumgatewayclassconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumidentities.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliuml2announcementpolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumloadbalancerippools.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumlocalredirectpolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumnetworkpolicies.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumnodeconfigs.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumnodes.cilium.io) | update | Low | ResourceNameRestricted |
ClusterRole cilium-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: ciliumpodippools.cilium.io) | update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets in a namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | cilium-operator | cilium-operator | quay.io/cilium/operator-generic:v1.19.0-pre.0@sha256:84c935be65c01c5298764def57a147ca130267c070ce970473a8f40b29c61c7e |
🤖 cilium
Namespace: default | Automount: ❌
🔑 Permissions (33)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role cilium-tlsinterception-secrets | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role cilium-config-agent | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cilium | cilium.io/ciliumbgpadvertisements | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumbgpnodeconfigs | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumbgpnodeconfigs/status | patch | Low | |
ClusterRole cilium | cilium.io/ciliumbgppeerconfigs | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumbgppeeringpolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumcidrgroups | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumclusterwideenvoyconfigs | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumclusterwidenetworkpolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumegressgatewaypolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumendpoints | create · delete · get · list · patch · watch | Low | |
ClusterRole cilium | cilium.io/ciliumendpoints/status | patch | Low | |
ClusterRole cilium | cilium.io/ciliumendpointslices | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumenvoyconfigs | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumidentities | create · list · update · watch | Low | |
ClusterRole cilium | cilium.io/ciliuml2announcementpolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliuml2announcementpolicies/status | patch | Low | |
ClusterRole cilium | cilium.io/ciliumloadbalancerippools | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumlocalredirectpolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumnetworkpolicies | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumnodeconfigs | list · watch | Low | |
ClusterRole cilium | cilium.io/ciliumnodes | create · get · list · update · watch | Low | |
ClusterRole cilium | cilium.io/ciliumnodes/status | get · update | Low | |
ClusterRole cilium | cilium.io/ciliumpodippools | list · watch | Low | |
ClusterRole cilium | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low | |
ClusterRole cilium | core/endpoints | get · list · watch | Low | |
ClusterRole cilium | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole cilium | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole cilium | networking.k8s.io/networkpolicies | get · list · watch | Low | |
ClusterRole cilium | core/nodes | get · list · watch | Low | |
ClusterRole cilium | core/pods | get · list · watch | Low | |
ClusterRole cilium | core/services | get · list · watch | Low | |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | cilium | cilium-agent | quay.io/cilium/cilium:v1.19.0-pre.0@sha256:02d8349bea5a6a0c19dc9a8b58fef113c7b57e7480302c06f7f7d438f75982e6 |
🤖 cilium-envoy
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | cilium-envoy | cilium-envoy | quay.io/cilium/cilium-envoy:v1.35.1-1756466197-aecbf661041fc680854fc765e54a283af11db731@sha256:4a7b4ea470b2f3027ac9115c5b392bf3ba91315fb258f27af318023f2d367578 |