Service Accounts: 1 | Workloads: 1 | Bindings: 48
Risk: Critical 8 · High 4 · Medium 4 · Low 32
Description
The Dash0 Operator makes observability easy for every Kubernetes setup: simply install the operator into your cluster to get OpenTelemetry data flowing from your applications and infrastructure to Dash0.
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
dash0-operator-controller | default | ❌ | — | 48 | 3 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 dash0-operator-controller
Namespace: default | Automount: ❌
🔑 Permissions (48)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dash0-operator-manager-role | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
ClusterRole dash0-operator-manager-role | rbac.authorization.k8s.io/clusterroles | create · delete · get · list · patch · update · watch | Critical | ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
ClusterRole dash0-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole dash0-operator-manager-role | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole dash0-operator-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
Role dash0-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole dash0-operator-manager-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole dash0-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role dash0-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole dash0-operator-manager-role | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
ClusterRole dash0-operator-manager-role | rbac.authorization.k8s.io/roles | create · delete · get · list · patch · update · watch | High | InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance |
ClusterRole dash0-operator-manager-role | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
ClusterRole dash0-operator-manager-role | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole dash0-operator-manager-role | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole dash0-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole dash0-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole dash0-operator-manager-role | batch/cronjobs | get · list · patch · update · watch | Low | |
ClusterRole dash0-operator-manager-role | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | extensions/daemonsets | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0monitorings | create · delete · deletecollection · get · list · patch · update · watch | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0monitorings/finalizers | update | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0monitorings/status | get · patch · update | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0operatorconfigurations | create · delete · deletecollection · get · list · patch · update · watch | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0operatorconfigurations/finalizers | update | Low | |
ClusterRole dash0-operator-manager-role | operator.dash0.com/dash0operatorconfigurations/status | get · patch · update | Low | |
ClusterRole dash0-operator-manager-role | extensions/deployments | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/endpoints | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | discovery.k8s.io/endpointslices | list | Low | |
Role dash0-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole dash0-operator-manager-role | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | batch/jobs | get · list · patch · update · watch | Low | |
ClusterRole dash0-operator-manager-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dash0-operator-manager-role | core/namespaces/status | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/nodes | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/nodes/proxy | get | Low | |
ClusterRole dash0-operator-manager-role | core/nodes/spec | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/nodes/stats | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | perses.dev/persesdashboards | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/persistentvolumes | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/pods | delete · get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/pods/status | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | monitoring.coreos.com/prometheusrules | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | apps/replicasets | get · list · patch · update · watch | Low | |
ClusterRole dash0-operator-manager-role | extensions/replicasets | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | core/replicationcontrollers/status | get · list · watch | Low | |
ClusterRole dash0-operator-manager-role | apps/statefulsets | get · list · patch · update · watch | Low | |
⚠️ Potential Abuse (27)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage ClusterRoles (create, update, patch, delete)
- Manage ClusterRoleBindings (create, update, patch, delete)
- Manage Roles in a namespace (create, update, patch, delete)
- Manage RoleBindings in a namespace (create, update, patch, delete)
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage DaemonSets cluster-wide (runs on all nodes, high impact)
- Manage DaemonSets in a namespace (runs on nodes, high impact)
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage ServiceAccounts cluster-wide
- Manage ServiceAccounts in a namespace
- Read events cluster-wide
- Manage Services cluster-wide
- Manage Services in a namespace
- Read RBAC configuration cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (3)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | dash0-operator-controller | kube-rbac-proxy | quay.io/brancz/kube-rbac-proxy:v0.18.0 |
Deployment | dash0-operator-controller | manager | ghcr.io/dash0hq/operator-controller:0.74.0 |
Job | dash0-operator-pre-delete | pre-delete-job | ghcr.io/dash0hq/operator-controller:0.74.0 |