dynatrace-operator :: RBAC ATLAS

Description

The Dynatrace Operator Helm chart for Kubernetes and OpenShift

https://github.com/Dynatrace/helm-charts

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`dynatrace-kubernetes-monitoring`	default	❌	—	85	0	Critical
`dynatrace-operator`	default	❌	—	4	1	Low
`dynatrace-dynakube-oneagent`	default	❌	—	0	0	—
`dynatrace-dynakube-oneagent-unprivileged`	default	❌	—	0	0	—
`dynatrace-routing`	default	❌	—	0	0	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `dynatrace-kubernetes-monitoring`

Namespace: default | Automount: ❌

🔑 Permissions (85)

Role	Resource	Verbs	Risk	Tags
ClusterRole `dynatrace-kubernetes-monitoring`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `dynatrace-kubernetes-monitoring`	core/events	get · list · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `dynatrace-kubernetes-monitoring`	core/resourcequotas	get · list · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `dynatrace-kubernetes-monitoring`	apps/clusterversions	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/clusterversions	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/clusterversions	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/clusterversions	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/clusterversions	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/cronjobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/cronjobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/cronjobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/cronjobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/cronjobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/daemonsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/daemonsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/daemonsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/daemonsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/daemonsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/deploymentconfigs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/deploymentconfigs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/deploymentconfigs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/deploymentconfigs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/deploymentconfigs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/deployments	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/deployments	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/deployments	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/deployments	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/deployments	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/events	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/events	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/events	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/events	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/jobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/jobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/jobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/jobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/jobs	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/namespaces	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/namespaces	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/namespaces	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/namespaces	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `dynatrace-kubernetes-monitoring`	apps/nodes	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/nodes	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/nodes	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/nodes	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/nodes	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/nodes/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/nodes/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/nodes/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/nodes/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/pods	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/pods	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/pods	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/pods	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/pods	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/pods/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/pods/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/pods/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/pods/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/pods/proxy	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/replicasets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/replicasets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/replicasets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/replicasets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/replicasets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/replicationcontrollers	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/replicationcontrollers	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/replicationcontrollers	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/replicationcontrollers	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/resourcequotas	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/resourcequotas	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/resourcequotas	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/resourcequotas	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/services	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/services	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/services	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/services	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/services	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps/statefulsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	apps.openshift.io/statefulsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	batch/statefulsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	config.openshift.io/statefulsets	get · list · watch	Low
ClusterRole `dynatrace-kubernetes-monitoring`	core/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `dynatrace-operator`

Namespace: default | Automount: ❌

🔑 Permissions (4)

Role	Resource	Verbs	Risk	Tags
ClusterRole `dynatrace-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `dynatrace-operator`	core/nodes	get · list · watch	Low
ClusterRole `dynatrace-operator`	core/secrets	create	Low
ClusterRole `dynatrace-operator`	core/secrets (restricted to: dynatrace-dynakube-config)	delete · get · update	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	dynatrace-operator	dynatrace-operator	docker.io/dynatrace/dynatrace-operator:v0.2.3

🤖 `dynatrace-dynakube-oneagent`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `dynatrace-dynakube-oneagent-unprivileged`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `dynatrace-routing`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

dynatrace-operator

Description

Overview

Identities

🤖 dynatrace-kubernetes-monitoring

🔑 Permissions (85)

⚠️ Potential Abuse (6)

📦 Workloads (0)

🤖 dynatrace-operator

🔑 Permissions (4)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 dynatrace-dynakube-oneagent

🔑 Permissions (0)

📦 Workloads (0)

🤖 dynatrace-dynakube-oneagent-unprivileged

🔑 Permissions (0)

📦 Workloads (0)

🤖 dynatrace-routing

🔑 Permissions (0)

📦 Workloads (0)

🤖 `dynatrace-kubernetes-monitoring`

🤖 `dynatrace-operator`

🤖 `dynatrace-dynakube-oneagent`

🤖 `dynatrace-dynakube-oneagent-unprivileged`

🤖 `dynatrace-routing`