Description

Datadog Operator

Overview

Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk
datadog-operator | default | | | 72 | 1 | Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 datadog-operator

Namespace: default  |  Automount:

🔑 Permissions (72)

Role | Resource | Verbs | Risk | Tags
ClusterRole datadog-operator | apiregistration.k8s.io/apiservices | * · deletecollection · list · watch | Critical | APIServiceManipulation ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation (+2 more)
ClusterRole datadog-operator | rbac.authorization.k8s.io/clusterrolebindings | create · delete · deletecollection · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more)
ClusterRole datadog-operator | rbac.authorization.k8s.io/clusterroles | create · delete · deletecollection · get · list · patch · update · watch | Critical | ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more)
ClusterRole datadog-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole datadog-operator | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole datadog-operator | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole datadog-operator | core/endpoints | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole datadog-operator | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole datadog-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations | * | Critical | ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation Reconnaissance (+4 more)
ClusterRole datadog-operator | networking.k8s.io/networkpolicies | create · delete · get · list · patch · update · watch | Critical | DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement Tampering
ClusterRole datadog-operator | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole datadog-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole datadog-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole datadog-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | * | Critical | ClusterWideAccess DenialOfService InformationDisclosure Reconnaissance Tampering (+3 more)
ClusterRole datadog-operator | external.metrics.k8s.io/* | get · list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole datadog-operator | //scale | get · update | High | ClusterWideAccess WildcardPermission
ClusterRole datadog-operator | datadoghq.com/datadogpodautoscalers | * | High | ClusterWideAccess WildcardPermission
ClusterRole datadog-operator | datadoghq.com/datadogpodautoscalers/status | * | High | ClusterWideAccess WildcardPermission
ClusterRole datadog-operator | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more)
ClusterRole datadog-operator | rbac.authorization.k8s.io/roles | create · delete · get · list · patch · update · watch | High | InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance
ClusterRole datadog-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering
ClusterRole datadog-operator | core/componentstatuses | get · list · watch | Medium | ControlPlaneDisruption InformationDisclosure Reconnaissance
ClusterRole datadog-operator | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance
ClusterRole datadog-operator | policy/poddisruptionbudgets | create · delete · get · list · patch · update · watch | Medium | AvailabilityImpact DenialOfService Tampering
ClusterRole datadog-operator | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole datadog-operator | authorization.k8s.io/subjectaccessreviews | create · get | Medium | InformationDisclosure RBACQuery
ClusterRole datadog-operator | authentication.k8s.io/tokenreviews | create · get · list · watch | Medium | CredentialAccess InformationDisclosure RBACQuery
ClusterRole datadog-operator | certificates.k8s.io/certificatesigningrequests | get · list · watch | Low |
ClusterRole datadog-operator | cilium.io/ciliumnetworkpolicies | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | quota.openshift.io/clusterresourcequotas | get · list | Low |
ClusterRole datadog-operator | batch/cronjobs | get · list · watch | Low |
ClusterRole datadog-operator | apiextensions.k8s.io/customresourcedefinitions | list · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogagents | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogagents/finalizers | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogagents/status | get · patch · update | Low |
ClusterRole datadog-operator | datadoghq.com/datadoggenericresources | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadoggenericresources/finalizers | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadoggenericresources/status | get · patch · update | Low |
ClusterRole datadog-operator | datadoghq.com/datadogmetrics | create · delete · get · list · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogmetrics/status | update | Low |
ClusterRole datadog-operator | datadoghq.com/datadogmonitors | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogmonitors/finalizers | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogmonitors/status | get · patch · update | Low |
ClusterRole datadog-operator | datadoghq.com/datadogslos | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogslos/finalizers | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | datadoghq.com/datadogslos/status | get · patch · update | Low |
ClusterRole datadog-operator | core/deployments | get · list · watch | Low |
ClusterRole datadog-operator | discovery.k8s.io/endpointslices | list · watch | Low |
ClusterRole datadog-operator | datadoghq.com/extendeddaemonsetreplicasets | get · list · watch | Low |
ClusterRole datadog-operator | datadoghq.com/extendeddaemonsets | create · delete · get · list · patch · update · watch | Low |
ClusterRole datadog-operator | autoscaling/horizontalpodautoscalers | list · watch | Low |
ClusterRole datadog-operator | networking.k8s.io/ingresses | list · watch | Low |
ClusterRole datadog-operator | batch/jobs | get · list · watch | Low |
ClusterRole datadog-operator | metrics.eks.amazonaws.com/kcm/metrics | get | Low |
ClusterRole datadog-operator | metrics.eks.amazonaws.com/ksh/metrics | get | Low |
ClusterRole datadog-operator | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole datadog-operator | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole datadog-operator | core/nodes | get · list · watch | Low |
ClusterRole datadog-operator | core/nodes/metrics | get | Low |
ClusterRole datadog-operator | core/nodes/proxy | get | Low |
ClusterRole datadog-operator | core/nodes/spec | get | Low |
ClusterRole datadog-operator | core/nodes/stats | get | Low |
ClusterRole datadog-operator | core/persistentvolumeclaims | get · list · watch | Low |
ClusterRole datadog-operator | core/persistentvolumes | get · list · watch | Low |
ClusterRole datadog-operator | apps/replicasets | get · list · watch | Low |
ClusterRole datadog-operator | core/replicationcontrollers | get · list · watch | Low |
ClusterRole datadog-operator | apps/statefulsets | get · list · watch | Low |
ClusterRole datadog-operator | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole datadog-operator | autoscaling.k8s.io/verticalpodautoscalers | list · watch | Low |
ClusterRole datadog-operator | storage.k8s.io/volumeattachments | get · list · watch | Low |
ClusterRole datadog-operator | datadoghq.com/watermarkpodautoscalers | get · list · watch | Low |
ClusterRole datadog-operator | security.openshift.io/securitycontextconstraints (restricted to: restricted) | use | Low | ResourceNameRestricted

⚠️ Potential Abuse (47)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Deployment | datadog-operator | datadog-operator | gcr.io/datadoghq/operator:1.16.0