datadog-operator :: RBAC ATLAS

Description

Datadog Operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`datadog-operator`	default	❌	—	52	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `datadog-operator`

Namespace: default | Automount: ❌

🔑 Permissions (52)

Role	Resource	Verbs	Risk	Tags
ClusterRole `datadog-operator`	apiregistration.k8s.io/apiservices	*	Critical	APIServiceManipulation ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation (+2 more)
ClusterRole `datadog-operator`	rbac.authorization.k8s.io/clusterrolebindings	*	Critical	BindingToPrivilegedRole ClusterAdminAccess ClusterWideAccess InformationDisclosure PrivilegeEscalation (+4 more)
ClusterRole `datadog-operator`	rbac.authorization.k8s.io/clusterroles	*	Critical	BindingToPrivilegedRole ClusterAdminAccess ClusterWideAccess InformationDisclosure PrivilegeEscalation (+4 more)
ClusterRole `datadog-operator`	core/configmaps	*	Critical	ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole `datadog-operator`	apps/daemonsets	*	Critical	ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more)
ClusterRole `datadog-operator`	apps/deployments	*	Critical	ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole `datadog-operator`	core/endpoints	*	Critical	ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more)
ClusterRole `datadog-operator`	coordination.k8s.io/leases	*	Critical	ClusterWideAccess ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse (+2 more)
ClusterRole `datadog-operator`	admissionregistration.k8s.io/mutatingwebhookconfigurations	*	Critical	ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation Reconnaissance (+4 more)
ClusterRole `datadog-operator`	networking.k8s.io/networkpolicies	*	Critical	ClusterWideAccess DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement (+2 more)
ClusterRole `datadog-operator`	core/nodes/proxy	get	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `datadog-operator`	core/pods	*	Critical	ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more)
ClusterRole `datadog-operator`	core/secrets	*	Critical	ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole `datadog-operator`	core/serviceaccounts	*	Critical	ClusterAdminAccess ClusterWideAccess IdentityManagement Impersonation PotentialPrivilegeEscalation (+4 more)
ClusterRole `datadog-operator`	core/services	*	Critical	ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more)
ClusterRole `datadog-operator`	authorization.k8s.io/clusterrolebindings	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	roles.rbac.authorization.k8s.io/clusterrolebindings	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	authorization.k8s.io/clusterroles	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	roles.rbac.authorization.k8s.io/clusterroles	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	datadoghq.com/extendeddaemonsets	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	authorization.k8s.io/rolebindings	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	rbac.authorization.k8s.io/rolebindings	*	High	BindingToPrivilegedRole ClusterWideAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+3 more)
ClusterRole `datadog-operator`	roles.rbac.authorization.k8s.io/rolebindings	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	authorization.k8s.io/roles	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	rbac.authorization.k8s.io/roles	*	High	ClusterWideAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+2 more)
ClusterRole `datadog-operator`	roles.rbac.authorization.k8s.io/roles	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-operator`	core/componentstatuses	get · list · watch	Medium	ControlPlaneDisruption InformationDisclosure Reconnaissance
ClusterRole `datadog-operator`	core/events	*	Medium	ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission
ClusterRole `datadog-operator`	policy/poddisruptionbudgets	*	Medium	AvailabilityImpact ClusterWideAccess DenialOfService Tampering WildcardPermission
ClusterRole `datadog-operator`	authorization.k8s.io/subjectaccessreviews	create	Medium	InformationDisclosure RBACQuery
ClusterRole `datadog-operator`	quota.openshift.io/clusterresourcequotas	get · list	Low
ClusterRole `datadog-operator`	batch/cronjobs	get · list · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogagents	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogagents/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogagents/status	get · patch · update	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogmetrics	create · delete · get · list · update · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogmetrics/status	update	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogmonitors	create · delete · get · list · update · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/datadogmonitors/status	update	Low
ClusterRole `datadog-operator`	batch/jobs	get · list · watch	Low
ClusterRole `datadog-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `datadog-operator`	core/nodes	get · list · watch	Low
ClusterRole `datadog-operator`	core/nodes/metrics	get	Low
ClusterRole `datadog-operator`	core/nodes/spec	get	Low
ClusterRole `datadog-operator`	core/nodes/stats	get	Low
ClusterRole `datadog-operator`	policy/podsecuritypolicies	get · list · watch	Low
ClusterRole `datadog-operator`	apps/replicasets	get · list · watch	Low
ClusterRole `datadog-operator`	authorization.k8s.io/selfsubjectaccessreviews	create	Low
ClusterRole `datadog-operator`	authorization.k8s.io/selfsubjectrulesreviews	create	Low	InformationDisclosure RBACQuery Reconnaissance SelfPermissionReviewQuery
ClusterRole `datadog-operator`	apps/statefulsets	get · list · watch	Low
ClusterRole `datadog-operator`	datadoghq.com/watermarkpodautoscalers	get · list · watch	Low
ClusterRole `datadog-operator`	security.openshift.io/securitycontextconstraints (restricted to: restricted)	use	Low	ResourceNameRestricted

⚠️ Potential Abuse (46)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	datadog-operator	datadog-operator	gcr.io/datadoghq/operator:0.6.0

datadog-operator

Description

Overview

Identities

🤖 datadog-operator

🔑 Permissions (52)

⚠️ Potential Abuse (46)

📦 Workloads (1)

🤖 `datadog-operator`