datadog :: RBAC ATLAS

Description

Datadog Agent

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`datadog`	default	✅	—	11	0	Critical
`datadog-cluster-agent`	default	✅	—	90	1	Critical
`datadog-datadog-operator`	default	❌	—	92	1	Critical
`datadog-kube-state-metrics`	default	❌	—	31	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `datadog-datadog-operator`

Namespace: default | Automount: ❌

🔑 Permissions (92)

Role	Resource	Verbs	Risk	Tags
ClusterRole `datadog-datadog-operator`	apiregistration.k8s.io/apiservices	*	Critical	APIServiceManipulation ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation (+2 more)
ClusterRole `datadog-datadog-operator`	rbac.authorization.k8s.io/clusterrolebindings	create · delete · deletecollection · get · list · patch · update · watch	Critical	BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more)
ClusterRole `datadog-datadog-operator`	rbac.authorization.k8s.io/clusterroles	create · delete · deletecollection · get · list · patch · update · watch	Critical	ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more)
ClusterRole `datadog-datadog-operator`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `datadog-datadog-operator`	apps/daemonsets	create · delete · deletecollection · get · list · patch · update · watch	Critical	NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `datadog-datadog-operator`	apps/deployments	create · delete · deletecollection · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `datadog-datadog-operator`	core/endpoints	create · delete · get · list · patch · update · watch	Critical	DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole `datadog-datadog-operator`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `datadog-datadog-operator`	admissionregistration.k8s.io/mutatingwebhookconfigurations	*	Critical	ClusterWideAccess DenialOfService InformationDisclosure PrivilegeEscalation Reconnaissance (+4 more)
ClusterRole `datadog-datadog-operator`	networking.k8s.io/networkpolicies	create · delete · get · list · patch · update · watch	Critical	DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement Tampering
ClusterRole `datadog-datadog-operator`	core/nodes/proxy	get	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `datadog-datadog-operator`	core/pods	create · delete · get · list · patch · update · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole `datadog-datadog-operator`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `datadog-datadog-operator`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `datadog-datadog-operator`	admissionregistration.k8s.io/validatingwebhookconfigurations	*	Critical	ClusterWideAccess DenialOfService InformationDisclosure Reconnaissance Tampering (+3 more)
ClusterRole `datadog-datadog-operator`	datadoghq.com/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	external.metrics.k8s.io/*	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	karpenter.azure.com/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	karpenter.k8s.aws/*	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	karpenter.sh/*	create · delete · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	//scale	get · update	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogpodautoscalers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogpodautoscalers/status	*	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-datadog-operator`	rbac.authorization.k8s.io/rolebindings	create · delete · get · list · patch · update · watch	High	BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more)
ClusterRole `datadog-datadog-operator`	rbac.authorization.k8s.io/roles	create · delete · get · list · patch · update · watch	High	InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance
ClusterRole `datadog-datadog-operator`	core/serviceaccounts	create · delete · get · list · patch · update · watch	High	IdentityManagement PotentialPrivilegeEscalation Tampering
ClusterRole `datadog-datadog-operator`	core/componentstatuses	get · list · watch	Medium	ControlPlaneDisruption InformationDisclosure Reconnaissance
ClusterRole `datadog-datadog-operator`	core/events	create · delete · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `datadog-datadog-operator`	policy/poddisruptionbudgets	create · delete · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `datadog-datadog-operator`	core/resourcequotas	get · list · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `datadog-datadog-operator`	authorization.k8s.io/subjectaccessreviews	create · get	Medium	InformationDisclosure RBACQuery
ClusterRole `datadog-datadog-operator`	authentication.k8s.io/tokenreviews	create · get · list · watch	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `datadog-datadog-operator`	auto.gke.io/allowlistsynchronizers	create · get · list · watch	Low
ClusterRole `datadog-datadog-operator`	certificates.k8s.io/certificatesigningrequests	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	cilium.io/ciliumnetworkpolicies	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	quota.openshift.io/clusterresourcequotas	get · list	Low
ClusterRole `datadog-datadog-operator`	apps/controllerrevisions	list · watch	Low
ClusterRole `datadog-datadog-operator`	batch/cronjobs	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	apiextensions.k8s.io/customresourcedefinitions	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagentinternals	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagentinternals/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagentinternals/status	get · patch · update	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagents	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagents/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogagents/status	get · patch · update	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadoggenericresources	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadoggenericresources/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadoggenericresources/status	get · patch · update	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogmetrics	create · delete · get · list · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogmetrics/status	update	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogmonitors	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogmonitors/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogmonitors/status	get · patch · update	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogslos	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogslos/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/datadogslos/status	get · patch · update	Low
ClusterRole `datadog-datadog-operator`	core/deployments	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	discovery.k8s.io/endpointslices	list · watch	Low
ClusterRole `datadog-datadog-operator`	gateway.envoyproxy.io/envoyextensionpolicies	create · delete · get	Low
ClusterRole `datadog-datadog-operator`	networking.istio.io/envoyfilters	create · delete · get	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/extendeddaemonsetreplicasets	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/extendeddaemonsets	create · delete · get · list · patch · update · watch	Low
ClusterRole `datadog-datadog-operator`	gateway.networking.k8s.io/gatewayclasses	get · list · patch · watch	Low
ClusterRole `datadog-datadog-operator`	gateway.networking.k8s.io/gateways	get · list · patch · watch	Low
ClusterRole `datadog-datadog-operator`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `datadog-datadog-operator`	gateway.networking.k8s.io/httproutes	get · list · patch · watch	Low
ClusterRole `datadog-datadog-operator`	networking.k8s.io/ingresses	get · list · patch · watch	Low
ClusterRole `datadog-datadog-operator`	batch/jobs	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	metrics.eks.amazonaws.com/kcm/metrics	get	Low
ClusterRole `datadog-datadog-operator`	metrics.eks.amazonaws.com/ksh/metrics	get	Low
ClusterRole `datadog-datadog-operator`	core/limitranges	get · list · watch	Low	InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole `datadog-datadog-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `datadog-datadog-operator`	core/nodes	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	core/nodes/configz	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/healthz	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/logs	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/metrics	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/pods	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/spec	get	Low
ClusterRole `datadog-datadog-operator`	core/nodes/stats	get	Low
ClusterRole `datadog-datadog-operator`	core/persistentvolumeclaims	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	core/persistentvolumes	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	gateway.networking.k8s.io/referencegrants	create · delete · get · patch	Low
ClusterRole `datadog-datadog-operator`	apps/replicasets	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	argoproj.io/rollouts	list · patch · watch	Low
ClusterRole `datadog-datadog-operator`	apps/statefulsets	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	autoscaling.k8s.io/verticalpodautoscalers	list · watch	Low
ClusterRole `datadog-datadog-operator`	storage.k8s.io/volumeattachments	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	datadoghq.com/watermarkpodautoscalers	get · list · watch	Low
ClusterRole `datadog-datadog-operator`	security.openshift.io/securitycontextconstraints (restricted to: restricted)	use	Low	ResourceNameRestricted

⚠️ Potential Abuse (48)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	datadog-datadog-operator	datadog-operator	gcr.io/datadoghq/operator:1.22.0

🤖 `datadog-cluster-agent`

Namespace: default | Automount: ✅

🔑 Permissions (90)

Role	Resource	Verbs	Risk	Tags
ClusterRole `datadog-ksm-core`	core/secrets	list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `datadog-cluster-agent-main`	core/secrets	create · get · list · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `datadog-cluster-agent`	datadoghq.com/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-cluster-agent`	karpenter.azure.com/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-cluster-agent`	karpenter.k8s.aws/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-cluster-agent`	karpenter.sh/*	list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `datadog-ksm-core`	core/configmaps	list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `datadog-cluster-agent`	rbac.authorization.k8s.io/clusterrolebindings	get · list · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `datadog-cluster-agent`	rbac.authorization.k8s.io/clusterroles	get · list · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `datadog-cluster-agent`	core/componentstatuses	get · list · watch	Medium	ControlPlaneDisruption InformationDisclosure Reconnaissance
ClusterRole `datadog-cluster-agent`	core/events	create · get · list · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `datadog-ksm-core`	core/events	list · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `datadog-ksm-core`	core/resourcequotas	list · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `datadog-cluster-agent`	rbac.authorization.k8s.io/rolebindings	get · list · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `datadog-cluster-agent`	rbac.authorization.k8s.io/roles	get · list · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `datadog-cluster-agent`	argoproj.io/applications	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	argoproj.io/applicationsets	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/buckets	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	quota.openshift.io/clusterresourcequotas	get · list	Low
ClusterRole `datadog-cluster-agent`	core/configmaps	create	Low
Role `datadog-dca-flare`	core/configmaps	get · list	Low
ClusterRole `datadog-ksm-core`	apps/controllerrevisions	list · watch	Low
ClusterRole `datadog-cluster-agent`	batch/cronjobs	get · list · watch	Low
ClusterRole `datadog-ksm-core`	batch/cronjobs	list · watch	Low
ClusterRole `datadog-cluster-agent`	apiextensions.k8s.io/customresourcedefinitions	get · list · watch	Low
ClusterRole `datadog-ksm-core`	apiextensions.k8s.io/customresourcedefinitions	list · watch	Low
ClusterRole `datadog-cluster-agent`	apps/daemonsets	get · list · watch	Low
ClusterRole `datadog-ksm-core`	apps/daemonsets	list · watch	Low
ClusterRole `datadog-ksm-core`	extensions/daemonsets	list · watch	Low
ClusterRole `datadog-cluster-agent`	apps/deployments	get · list · watch	Low
ClusterRole `datadog-ksm-core`	apps/deployments	list · watch	Low
ClusterRole `datadog-ksm-core`	extensions/deployments	list · watch	Low
ClusterRole `datadog-cluster-agent`	core/endpoints	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/endpoints	list · watch	Low
ClusterRole `datadog-cluster-agent`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/externalartifacts	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/gitrepositories	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/helmcharts	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/helmrepositories	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `datadog-ksm-core`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `datadog-cluster-agent`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `datadog-ksm-core`	networking.k8s.io/ingresses	list · watch	Low
ClusterRole `datadog-cluster-agent`	batch/jobs	get · list · watch	Low
ClusterRole `datadog-ksm-core`	batch/jobs	list · watch	Low
ClusterRole `datadog-cluster-agent`	kustomize.toolkit.fluxcd.io/kustomizations	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	coordination.k8s.io/leases	create	Low
ClusterRole `datadog-cluster-agent`	core/limitranges	get · list · watch	Low	InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole `datadog-ksm-core`	core/limitranges	list · watch	Low	InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole `datadog-cluster-agent`	admissionregistration.k8s.io/mutatingwebhookconfigurations	create	Low
ClusterRole `datadog-cluster-agent`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `datadog-ksm-core`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `datadog-cluster-agent`	networking.k8s.io/networkpolicies	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	core/nodes	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/nodes	list · watch	Low
ClusterRole `datadog-cluster-agent`	source.toolkit.fluxcd.io/ocirepositories	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	core/persistentvolumeclaims	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/persistentvolumeclaims	list · watch	Low
ClusterRole `datadog-cluster-agent`	core/persistentvolumes	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/persistentvolumes	list · watch	Low
ClusterRole `datadog-cluster-agent`	policy/poddisruptionbudgets	get · list · watch	Low
ClusterRole `datadog-ksm-core`	policy/poddisruptionbudgets	list · watch	Low
ClusterRole `datadog-cluster-agent`	core/pods	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/pods	list · watch	Low
ClusterRole `datadog-cluster-agent`	apps/replicasets	get · list · watch	Low
ClusterRole `datadog-ksm-core`	apps/replicasets	list · watch	Low
ClusterRole `datadog-ksm-core`	extensions/replicasets	list · watch	Low
ClusterRole `datadog-cluster-agent`	core/replicationcontrollers	get	Low
ClusterRole `datadog-ksm-core`	core/replicationcontrollers	list · watch	Low
ClusterRole `datadog-cluster-agent`	argoproj.io/rollouts	get · list · watch	Low
Role `datadog-dca-flare`	core/secrets	get · list	Low
ClusterRole `datadog-cluster-agent`	core/serviceaccounts	get · list · watch	Low
ClusterRole `datadog-cluster-agent`	core/services	get · list · watch	Low
ClusterRole `datadog-ksm-core`	core/services	list · watch	Low
ClusterRole `datadog-cluster-agent`	apps/statefulsets	get · list · watch	Low
ClusterRole `datadog-ksm-core`	apps/statefulsets	list · watch	Low
ClusterRole `datadog-cluster-agent`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `datadog-ksm-core`	storage.k8s.io/storageclasses	list · watch	Low
ClusterRole `datadog-cluster-agent`	admissionregistration.k8s.io/validatingwebhookconfigurations	create	Low
ClusterRole `datadog-cluster-agent`	autoscaling.k8s.io/verticalpodautoscalers	get · list · watch	Low
ClusterRole `datadog-ksm-core`	storage.k8s.io/volumeattachments	list · watch	Low
ClusterRole `datadog-cluster-agent`	security.openshift.io/securitycontextconstraints (restricted to: datadog-cluster-agent)	use	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	core/configmaps (restricted to: datadog-cluster-id)	create · get · update	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	core/configmaps (restricted to: datadog-leader-election)	get · update	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	coordination.k8s.io/leases (restricted to: datadog-leader-election)	get · update	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	admissionregistration.k8s.io/mutatingwebhookconfigurations (restricted to: datadog-webhook)	delete · get · list · update · watch	Low	InformationDisclosure Reconnaissance ResourceNameRestricted WebhookReconnaissance
ClusterRole `datadog-cluster-agent`	admissionregistration.k8s.io/validatingwebhookconfigurations (restricted to: datadog-webhook)	delete · get · list · update · watch	Low	InformationDisclosure Reconnaissance ResourceNameRestricted WebhookReconnaissance
ClusterRole `datadog-cluster-agent`	core/configmaps (restricted to: datadogtoken)	get · update	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	security.openshift.io/securitycontextconstraints (restricted to: hostnetwork)	use	Low	ResourceNameRestricted
ClusterRole `datadog-cluster-agent`	core/namespaces (restricted to: kube-system)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (15)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	datadog-cluster-agent	cluster-agent	gcr.io/datadoghq/cluster-agent:7.75.0

🤖 `datadog-kube-state-metrics`

Namespace: default | Automount: ❌

🔑 Permissions (31)

Role	Resource	Verbs	Risk	Tags
ClusterRole `datadog-kube-state-metrics`	core/secrets	list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `datadog-kube-state-metrics`	core/configmaps	list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `datadog-kube-state-metrics`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `datadog-kube-state-metrics`	core/resourcequotas	list · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `datadog-kube-state-metrics`	admissionregistration.k8s.io/validatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `datadog-kube-state-metrics`	certificates.k8s.io/certificatesigningrequests	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	batch/cronjobs	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	apps/daemonsets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	extensions/daemonsets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	apps/deployments	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	extensions/deployments	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/endpoints	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	extensions/ingresses	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	networking.k8s.io/ingresses	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	batch/jobs	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/limitranges	list · watch	Low	InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole `datadog-kube-state-metrics`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `datadog-kube-state-metrics`	networking.k8s.io/networkpolicies	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/nodes	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/persistentvolumeclaims	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/persistentvolumes	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	policy/poddisruptionbudgets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/pods	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	apps/replicasets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	extensions/replicasets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/replicationcontrollers	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	core/services	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	apps/statefulsets	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	storage.k8s.io/storageclasses	list · watch	Low
ClusterRole `datadog-kube-state-metrics`	storage.k8s.io/volumeattachments	list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	datadog-kube-state-metrics	kube-state-metrics	registry.k8s.io/kube-state-metrics/kube-state-metrics:v1.9.8

🤖 `datadog`

Namespace: default | Automount: ✅

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `datadog`	core/nodes/proxy	get	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `datadog`	core/endpoints	get	Low
ClusterRole `datadog`	metrics.eks.amazonaws.com/kcm/metrics	get	Low
ClusterRole `datadog`	metrics.eks.amazonaws.com/ksh/metrics	get	Low
ClusterRole `datadog`	coordination.k8s.io/leases	get	Low
ClusterRole `datadog`	core/nodes/metrics	get	Low
ClusterRole `datadog`	core/nodes/spec	get	Low
ClusterRole `datadog`	core/nodes/stats	get	Low
ClusterRole `datadog`	security.openshift.io/securitycontextconstraints (restricted to: datadog)	use	Low	ResourceNameRestricted
ClusterRole `datadog`	security.openshift.io/securitycontextconstraints (restricted to: hostaccess)	use	Low	ResourceNameRestricted
ClusterRole `datadog`	security.openshift.io/securitycontextconstraints (restricted to: privileged)	use	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Node proxy GET RCE via WebSocket

📦 Workloads (0)

No workloads use this ServiceAccount.

datadog

Description

Overview

Identities

🤖 datadog-datadog-operator

🔑 Permissions (92)

⚠️ Potential Abuse (48)

📦 Workloads (1)

🤖 datadog-cluster-agent

🔑 Permissions (90)

⚠️ Potential Abuse (15)

📦 Workloads (1)

🤖 datadog-kube-state-metrics

🔑 Permissions (31)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 datadog

🔑 Permissions (11)

⚠️ Potential Abuse (2)

📦 Workloads (0)

🤖 `datadog-datadog-operator`

🤖 `datadog-cluster-agent`

🤖 `datadog-kube-state-metrics`

🤖 `datadog`