dash0-operator :: RBAC ATLAS

Description

The Dash0 Kubernetes Operator makes observability easy for every Kubernetes setup, simply install the operator into your cluster to get OpenTelemetry data flowing from your applications and infrastructure to Dash0.

https://github.com/dash0hq/dash0-operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`dash0-operator-controller-manager`	default	❌	—	17	3	Critical
`dash0-operator-opentelemetry-collector`	default	❌	—	4	1	Low

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `dash0-operator-controller-manager`

Namespace: default | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
Role `dash0-operator-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
Role `dash0-operator-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `dash0-operator-proxy-role`	authorization.k8s.io/subjectaccessreviews	create	Medium	InformationDisclosure RBACQuery
ClusterRole `dash0-operator-proxy-role`	authentication.k8s.io/tokenreviews	create	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `dash0-operator-manager-role`	batch/cronjobs	get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	apps/daemonsets	get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	operator.dash0.com/dash0s	create · delete · deletecollection · get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	operator.dash0.com/dash0s/finalizers	update	Low
ClusterRole `dash0-operator-manager-role`	operator.dash0.com/dash0s/status	get · patch · update	Low
ClusterRole `dash0-operator-manager-role`	apps/deployments	get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	core/events	create	Low
Role `dash0-operator-leader-election-role`	core/events	create · patch	Low
ClusterRole `dash0-operator-manager-role`	batch/jobs	get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	core/namespaces	get	Low
ClusterRole `dash0-operator-manager-role`	core/pods	delete · get · list	Low
ClusterRole `dash0-operator-manager-role`	apps/replicasets	get · list · patch · update · watch	Low
ClusterRole `dash0-operator-manager-role`	apps/statefulsets	get · list · patch · update · watch	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (3)

Kind	Name	Container	Image
Deployment	dash0-operator-controller-manager	kube-rbac-proxy	quay.io/brancz/kube-rbac-proxy:v0.18.0
Deployment	dash0-operator-controller-manager	manager	ghcr.io/dash0hq/operator-controller:0.1.3
Job	dash0-operator-pre-delete	pre-delete-job	ghcr.io/dash0hq/operator-controller:0.1.3

🤖 `dash0-operator-opentelemetry-collector`

Namespace: default | Automount: ❌

🔑 Permissions (4)

Role	Resource	Verbs	Risk	Tags
ClusterRole `dash0-operator-opentelemetry-collector`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `dash0-operator-opentelemetry-collector`	core/pods	get · list · watch	Low
ClusterRole `dash0-operator-opentelemetry-collector`	apps/replicasets	get · list · watch	Low
ClusterRole `dash0-operator-opentelemetry-collector`	extensions/replicasets	get · list · watch	Low

⚠️ Potential Abuse (2)