crossplane v1.20.0
2 Service Accounts · 2 Workloads · 16 Bindings · 4 Critical · 1 Medium · 11 Low
Description
Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
rbac-manager | default | ❌ | — | 16 | 1 | Critical |
crossplane | default | ❌ | — | 0 | 1 | — |
The Permissions column counts the per-resource RBAC rules granted to each ServiceAccount (each row in the Permissions table below); the Workloads column counts the workloads that run as it.
Identities
🤖 rbac-manager
Namespace: default | Automount: ❌
🔑 Permissions (16)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole crossplane-rbac-manager | rbac.authorization.k8s.io/clusterrolebindings | * | Critical | BindingToPrivilegedRole ClusterAdminAccess ClusterWideAccess InformationDisclosure PrivilegeEscalation (+4 more) |
ClusterRole crossplane-rbac-manager | rbac.authorization.k8s.io/clusterroles | bind · create · escalate · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
ClusterRole crossplane-rbac-manager | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole crossplane-rbac-manager | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering |
ClusterRole crossplane-rbac-manager | rbac.authorization.k8s.io/roles | create · escalate · get · list · patch · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole crossplane-rbac-manager | apiextensions.crossplane.io/compositeresourcedefinitions | get · list · watch | Low | |
ClusterRole crossplane-rbac-manager | apiextensions.crossplane.io/compositeresourcedefinitions/finalizers | update | Low | |
ClusterRole crossplane-rbac-manager | coordination.k8s.io/configmaps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole crossplane-rbac-manager | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low | |
ClusterRole crossplane-rbac-manager | apps/deployments | get · list · watch | Low | |
ClusterRole crossplane-rbac-manager | core/events | create · delete · patch · update | Low | |
ClusterRole crossplane-rbac-manager | core/leases | create · delete · get · list · patch · update · watch | Low | |
ClusterRole crossplane-rbac-manager | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole crossplane-rbac-manager | core/namespaces/finalizers | update | Low | |
ClusterRole crossplane-rbac-manager | pkg.crossplane.io/providerrevisions | get · list · watch | Low | |
ClusterRole crossplane-rbac-manager | pkg.crossplane.io/providerrevisions/finalizers | update | Low | |
Note: the rows coordination.k8s.io/configmaps and core/leases name resource types the API server does not serve (ConfigMaps live only in the core group, Leases only in coordination.k8s.io). A rule that lists several apiGroups and several resources is matched as their cross product, so such rows grant nothing by themselves; the effective access is the core/configmaps and coordination.k8s.io/leases rows.
⚠️ Potential Abuse (13)
The following abuse paths follow from the permissions above:
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage ClusterRoleBindings (create, update, patch, delete)
- Escalate privileges via ClusterRoles (escalate verb)
- Bind ClusterRoles to identities (bind verb)
- Read RBAC configuration cluster-wide
- Manage Leases cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
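The list above is the scanner's output. As an added example that is not Crossplane's code and not the scanner that produced this page, the script below reproduces the reasoning behind it on a rule set constructed from the Permissions table: it expands each rule the way RBAC matches it (every apiGroup combined with every resource), flags the escalation-capable verb and resource combinations, marks cross-product rows that name no served resource type, and emits `kubectl auth can-i` impersonation checks to confirm each Critical finding on a live cluster. The configmaps/leases rule is assumed to be written as one rule with two apiGroups and two resources; the subject `system:serviceaccount:default:rbac-manager` is derived from the identity's name and namespace shown above.

```python
"""RBAC rule analyzer (added example; not Crossplane's or the scanner's code)."""
from itertools import product

# Constructed to mirror the crossplane-rbac-manager rows in the table above.
# The configmaps/leases rule is assumed to be a single rule with two
# apiGroups and two resources, which is what produces the cross-product rows.
RULES = [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"],
     "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["bind", "create", "escalate", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"],
     "verbs": ["create", "escalate", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["", "coordination.k8s.io"], "resources": ["configmaps", "leases"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
]

WRITE = {"create", "update", "patch", "delete", "deletecollection"}
# The API group that actually serves each resource. A (group, resource) pair
# that disagrees with this map is never matched by the API server.
SERVED_BY = {
    "configmaps": "core", "leases": "coordination.k8s.io", "namespaces": "core",
    "clusterrolebindings": "rbac.authorization.k8s.io",
    "clusterroles": "rbac.authorization.k8s.io", "roles": "rbac.authorization.k8s.io",
}


def expand(rules):
    """Yield (group, resource, verbs) exactly as RBAC evaluates a rule:
    every apiGroup is paired with every resource (cross product)."""
    for rule in rules:
        for group, resource in product(rule["apiGroups"], rule["resources"]):
            yield (group or "core", resource, set(rule["verbs"]))


def classify(group, resource, verbs):
    """Return (risk, reason) for one expanded permission."""
    def has(*wanted):
        return "*" in verbs or bool(verbs & set(wanted))

    if SERVED_BY.get(resource) not in (None, group):
        return "None", f"{group}/{resource} is not a served resource type (cross-product artifact)"
    if group == "rbac.authorization.k8s.io":
        if resource == "clusterrolebindings" and has(*WRITE):
            return "Critical", "write ClusterRoleBindings: grant any ClusterRole, cluster-admin included, to any subject"
        if resource == "clusterroles" and has("escalate", "bind"):
            return "Critical", "escalate/bind on ClusterRoles: bypass the RBAC escalation check cluster-wide"
        if resource == "roles" and has("escalate", "bind"):
            return "Medium", "escalate/bind on Roles: same bypass, but namespace-scoped objects only"
        return "Low", "RBAC read access (reconnaissance)"
    if resource == "configmaps" and has(*WRITE):
        return "Critical", "cluster-wide ConfigMap writes: tamper with config mounted by other workloads"
    if resource == "leases" and has(*WRITE):
        return "Critical", "cluster-wide Lease writes: steal or block leader election of other controllers"
    if resource == "namespaces" and has("list"):
        return "Low", "namespace listing (cluster reconnaissance)"
    return "Low", "no abuse pattern matched"


def analyze(rules):
    """One finding per expanded (group, resource) pair, in rule order."""
    findings = []
    for group, resource, verbs in expand(rules):
        risk, reason = classify(group, resource, verbs)
        findings.append({"group": group, "resource": resource,
                         "verbs": sorted(verbs), "risk": risk, "reason": reason})
    return findings


def can_i_checks(findings, subject="system:serviceaccount:default:rbac-manager"):
    """kubectl auth can-i commands (via --as impersonation) that confirm each
    Critical finding against a live cluster, one representative verb each."""
    cmds = []
    for f in findings:
        if f["risk"] != "Critical":
            continue
        verb = "escalate" if "escalate" in f["verbs"] else "create"
        res = f["resource"] if f["group"] == "core" else f"{f['resource']}.{f['group']}"
        cmds.append(f"kubectl auth can-i {verb} {res} --as={subject}")
    return cmds


if __name__ == "__main__":
    for f in analyze(RULES):
        print(f"{f['risk']:<9}{f['group']}/{f['resource']:<22}{','.join(f['verbs'])}")
        print(f"         {f['reason']}")
    print()
    print("\n".join(can_i_checks(analyze(RULES))))
```

Running it yields four Critical findings, matching the summary at the top of this page, plus two rows marked "None" for the cross-product pairs that the API server never matches. The emitted `kubectl auth can-i ... --as=system:serviceaccount:default:rbac-manager` lines answer "yes" or "no" from the cluster's actual RBAC state, so they catch drift between the chart as audited and what is deployed; run them as a user allowed to impersonate that ServiceAccount.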
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | crossplane-rbac-manager | crossplane | xpkg.crossplane.io/crossplane/crossplane:v1.20.0 |
🤖 crossplane
Namespace: default | Automount: ❌
🔑 Permissions (0)
No RoleBindings or ClusterRoleBindings reference this ServiceAccount in the scanned manifests.
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | crossplane | crossplane | xpkg.crossplane.io/crossplane/crossplane:v1.20.0 |