cloudnative-pg :: RBAC ATLAS

Description

CloudNativePG Operator Helm Chart

https://github.com/cloudnative-pg/charts

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`cloudnative-pg`	default	❌	—	40	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `cloudnative-pg`

Namespace: default | Automount: ❌

🔑 Permissions (40)

Role	Resource	Verbs	Risk	Tags
ClusterRole `cloudnative-pg`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `cloudnative-pg`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `cloudnative-pg`	core/pods	create · delete · get · list · patch · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution
ClusterRole `cloudnative-pg`	core/pods/exec	create · delete · get · list · patch · watch	Critical	ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole `cloudnative-pg`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `cloudnative-pg`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `cloudnative-pg`	policy/poddisruptionbudgets	create · delete · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `cloudnative-pg`	rbac.authorization.k8s.io/rolebindings	create · get · list · patch · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `cloudnative-pg`	rbac.authorization.k8s.io/roles	create · get · list · patch · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/backups	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/backups/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/clusterimagecatalogs	get · list · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/clusters	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/clusters/finalizers	update	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/clusters/status	get · patch · update · watch	Low
ClusterRole `cloudnative-pg`	core/configmaps/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/databases	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/databases/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	core/events	create · patch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/imagecatalogs	get · list · watch	Low
ClusterRole `cloudnative-pg`	batch/jobs	create · delete · get · list · patch · watch	Low
ClusterRole `cloudnative-pg`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `cloudnative-pg`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · patch	Low
ClusterRole `cloudnative-pg`	core/nodes	get · list · watch	Low
ClusterRole `cloudnative-pg`	core/persistentvolumeclaims	create · delete · get · list · patch · watch	Low
ClusterRole `cloudnative-pg`	monitoring.coreos.com/podmonitors	create · delete · get · list · patch · watch	Low
ClusterRole `cloudnative-pg`	core/pods/status	get	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/poolers	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/poolers/finalizers	update	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/poolers/status	get · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/publications	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/publications/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/scheduledbackups	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/scheduledbackups/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	core/secrets/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	core/serviceaccounts	create · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/subscriptions	create · delete · get · list · patch · update · watch	Low
ClusterRole `cloudnative-pg`	postgresql.cnpg.io/subscriptions/status	get · patch · update	Low
ClusterRole `cloudnative-pg`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · patch	Low
ClusterRole `cloudnative-pg`	snapshot.storage.k8s.io/volumesnapshots	create · get · list · patch · watch	Low

⚠️ Potential Abuse (19)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	cloudnative-pg	manager	ghcr.io/cloudnative-pg/cloudnative-pg:1.26.0

cloudnative-pg

Description

Overview

Identities

🤖 cloudnative-pg

🔑 Permissions (40)

⚠️ Potential Abuse (19)

📦 Workloads (1)

🤖 `cloudnative-pg`