7 Service Accounts
3 Workloads
60 Bindings
3 Critical
6 Medium
51 Low
Description
The Dynatrace Operator Helm chart for Kubernetes and OpenShift
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
dynatrace-kubernetes-monitoring | default | ❌ | — | 18 | 0 | Critical |
dynatrace-oneagent-csi-driver | default | ❌ | — | 10 | 4 | Critical |
dynatrace-webhook | default | ❌ | — | 21 | 1 | Critical |
dynatrace-operator | default | ❌ | — | 11 | 1 | Low |
dynatrace-activegate | default | ❌ | — | 0 | 0 | — |
dynatrace-dynakube-oneagent | default | ❌ | — | 0 | 0 | — |
dynatrace-edgeconnect | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 dynatrace-webhook
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role dynatrace-webhook | core/secrets | create · get · list · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role dynatrace-webhook | core/configmaps | create · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole dynatrace-webhook | batch/cronjobs | get | Low | |
ClusterRole dynatrace-webhook | apps/daemonsets | get | Low | |
Role dynatrace-webhook | apps/daemonsets | list · watch | Low | |
ClusterRole dynatrace-webhook | apps.openshift.io/deploymentconfigs | get | Low | |
ClusterRole dynatrace-webhook | apps/deployments | get | Low | |
Role dynatrace-webhook | dynatrace.com/dynakubes | get · list · watch | Low | |
ClusterRole dynatrace-webhook | core/events | create · patch | Low | |
Role dynatrace-webhook | core/events | create · list | Low | |
ClusterRole dynatrace-webhook | batch/jobs | get | Low | |
Role dynatrace-webhook | coordination.k8s.io/leases | create · get · update | Low | |
ClusterRole dynatrace-webhook | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
Role dynatrace-webhook | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-webhook | apps/replicasets | get | Low | |
ClusterRole dynatrace-webhook | core/replicationcontrollers | get | Low | |
ClusterRole dynatrace-webhook | core/secrets | create | Low | |
Role dynatrace-webhook | core/services | create · get · list · update · watch | Low | |
ClusterRole dynatrace-webhook | apps/statefulsets | get | Low | |
ClusterRole dynatrace-webhook | core/secrets (restricted to: dynatrace-data-ingest-endpoint) | get · list · update · watch | Low | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted (+1 more) |
ClusterRole dynatrace-webhook | core/secrets (restricted to: dynatrace-dynakube-config) | get · list · update · watch | Low | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted (+1 more) |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | dynatrace-webhook | webhook | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
🤖 dynatrace-kubernetes-monitoring
Namespace: default | Automount: ❌
🔑 Permissions (18)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole dynatrace-kubernetes-monitoring | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole dynatrace-kubernetes-monitoring | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole dynatrace-kubernetes-monitoring | config.openshift.io/clusterversions | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | batch/cronjobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/daemonsets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps.openshift.io/deploymentconfigs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/deployments | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | batch/jobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/nodes/metrics | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/pods/proxy | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/replicasets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/services | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/statefulsets | get · list · watch | Low |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read events cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Node proxy GET RCE via WebSocket
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-oneagent-csi-driver
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role dynatrace-oneagent-csi-driver | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role dynatrace-oneagent-csi-driver | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole dynatrace-oneagent-csi-driver | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure |
ClusterRole dynatrace-oneagent-csi-driver | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
Role dynatrace-oneagent-csi-driver | dynatrace.com/dynakubes | get · list · watch | Low | |
Role dynatrace-oneagent-csi-driver | core/endpoints | create · delete · get · list · update · watch | Low | |
Role dynatrace-oneagent-csi-driver | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
ClusterRole dynatrace-oneagent-csi-driver | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-oneagent-csi-driver | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-oneagent-csi-driver | core/pods | get · list · watch | Low |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Read events cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Read CSINode Objects (Node & Storage Reconnaissance)
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | dynatrace-oneagent-csi-driver | liveness-probe | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
| DaemonSet | dynatrace-oneagent-csi-driver | provisioner | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
| DaemonSet | dynatrace-oneagent-csi-driver | registrar | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
| DaemonSet | dynatrace-oneagent-csi-driver | server | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
🤖 dynatrace-operator
Namespace: default | Automount: ❌
🔑 Permissions (11)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole dynatrace-operator | core/events | create · patch | Low | |
ClusterRole dynatrace-operator | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-operator | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-operator | core/secrets | create | Low | |
ClusterRole dynatrace-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: dynakubes.dynatrace.com) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-data-ingest-endpoint) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-dynakube-config) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-internal-proxy) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations (restricted to: dynatrace-webhook) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | admissionregistration.k8s.io/validatingwebhookconfigurations (restricted to: dynatrace-webhook) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: edgeconnects.dynatrace.com) | get · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | dynatrace-operator | operator | public.ecr.aws/dynatrace/dynatrace-operator:v1.0.1 |
🤖 dynatrace-activegate
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-dynakube-oneagent
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-edgeconnect
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.