1 Service Accounts
1 Workloads
24 Bindings
2 Critical
7 High
1 Medium
14 Low
Description
Datadog Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
datadog-operator | default | ❌ | — | 24 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 datadog-operator
Namespace: default | Automount: ❌
🔑 Permissions (24)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole datadog-operator | rbac.authorization.k8s.io/clusterrolebindings | * | Critical | BindingToPrivilegedRole ClusterAdminAccess ClusterWideAccess InformationDisclosure PrivilegeEscalation (+4 more) |
ClusterRole datadog-operator | rbac.authorization.k8s.io/clusterroles | * | Critical | BindingToPrivilegedRole ClusterAdminAccess ClusterWideAccess InformationDisclosure PrivilegeEscalation (+4 more) |
ClusterRole datadog-operator | authorization.k8s.io/clusterrolebindings | * | High | ClusterWideAccess |
ClusterRole datadog-operator | roles.rbac.authorization.k8s.io/clusterrolebindings | * | High | ClusterWideAccess |
ClusterRole datadog-operator | authorization.k8s.io/clusterroles | * | High | ClusterWideAccess |
ClusterRole datadog-operator | roles.rbac.authorization.k8s.io/clusterroles | * | High | ClusterWideAccess |
ClusterRole datadog-operator | datadoghq.com/datadogagents | * | High | ClusterWideAccess |
ClusterRole datadog-operator | datadoghq.com/datadogagents/finalizers | * | High | ClusterWideAccess |
ClusterRole datadog-operator | datadoghq.com/datadogagents/status | * | High | ClusterWideAccess |
ClusterRole datadog-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations | create · get · list · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole datadog-operator | apiregistration.k8s.io/apiservices | create · delete · get · list · update · watch | Low | |
ClusterRole datadog-operator | apps/cronjobs | get | Low | |
ClusterRole datadog-operator | batch/cronjobs | get | Low | |
ClusterRole datadog-operator | apps/deployments | get | Low | |
ClusterRole datadog-operator | batch/deployments | get | Low | |
ClusterRole datadog-operator | apps/jobs | get | Low | |
ClusterRole datadog-operator | batch/jobs | get | Low | |
ClusterRole datadog-operator | apps/replicasets | get | Low | |
ClusterRole datadog-operator | batch/replicasets | get | Low | |
ClusterRole datadog-operator | admissionregistration.k8s.io/secrets | create · get · list · update · watch | Low | |
ClusterRole datadog-operator | apps/statefulsets | get | Low | |
ClusterRole datadog-operator | batch/statefulsets | get | Low | |
ClusterRole datadog-operator | datadoghq.com/watermarkpodautoscalers | get · list · watch | Low | |
ClusterRole datadog-operator | security.openshift.io/securitycontextconstraints (restricted to: restricted) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (8)
The following security risks were found based on the above permissions:
- Manage ClusterRoles (create, update, patch, delete)
- Manage ClusterRoleBindings (create, update, patch, delete)
- Escalate privileges via ClusterRoles (escalate verb)
- Bind ClusterRoles to identities (bind verb)
- Read RBAC configuration cluster-wide
- List MutatingWebhookConfigurations (Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | datadog-operator | datadog-operator | gcr.io/datadoghq/operator:0.3.1 |