Description

Doris Operator for creating, configuring and managing Doris clusters (dcr) and Doris disaggregated clusters (ddc).

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
| --- | --- | --- | --- | --- | --- | --- |
| doris-operator | default | | | 23 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 doris-operator

Namespace: default  |  Automount:

🔑 Permissions (23)

| Role | Resource | Verbs | Risk | Tags |
| --- | --- | --- | --- | --- |
| ClusterRole doris-operator | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
| Role leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole doris-operator | core/secrets | get · list · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole doris-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole doris-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole doris-operator | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole doris-operator | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
| ClusterRole doris-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
| ClusterRole doris-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations | get · list · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| ClusterRole doris-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| ClusterRole doris-operator | doris.selectdb.com/dorisclusters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole doris-operator | doris.selectdb.com/dorisclusters/finalizers | update | Low | |
| ClusterRole doris-operator | doris.selectdb.com/dorisclusters/status | get · patch · update | Low | |
| ClusterRole doris-operator | disaggregated.cluster.doris.com/dorisdisaggregatedclusters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole doris-operator | disaggregated.cluster.doris.com/dorisdisaggregatedclusters/status | get · patch · update | Low | |
| ClusterRole doris-operator | core/endpoints | get · list · watch | Low | |
| Role leader-election-role | core/events | create · patch | Low | |
| ClusterRole doris-operator | apps.foundationdb.org/foundationdbclusters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole doris-operator | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole doris-operator | core/persistentvolumeclaims | delete · get · list · patch · update · watch | Low | |
| ClusterRole doris-operator | core/pods | get · list · update · watch | Low | |
| ClusterRole doris-operator | apps/statefulsets/status | get | Low | |

⚠️ Potential Abuse (18)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
| --- | --- | --- | --- |
| Deployment | doris-operator | dorisoperator | apache/doris:operator-latest |