Description
The Dynatrace Operator Helm chart for Kubernetes and OpenShift
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
dynatrace-oneagent-csi-driver | default | ❌ | — | 6 | 4 | Critical |
dynatrace-webhook | default | ❌ | — | 18 | 1 | Critical |
dynatrace-kubernetes-monitoring | default | ❌ | — | 41 | 0 | Medium |
dynatrace-dynakube-oneagent | default | ✅ | — | 2 | 0 | Low |
dynatrace-logmonitoring | default | ❌ | — | 2 | 0 | Low |
dynatrace-opentelemetry-collector | default | ❌ | — | 14 | 0 | Low |
dynatrace-operator | default | ❌ | — | 10 | 1 | Low |
dynatrace-activegate | default | ❌ | — | 0 | 0 | — |
dynatrace-edgeconnect | default | ❌ | — | 0 | 0 | — |
dynatrace-extensions-controller | default | ❌ | — | 0 | 0 | — |
dynatrace-node-config-collector | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 dynatrace-webhook
Namespace: default | Automount: ❌
🔑 Permissions (18)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role dynatrace-webhook | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role dynatrace-webhook | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole dynatrace-webhook | batch/cronjobs | get | Low | |
ClusterRole dynatrace-webhook | apps/daemonsets | get | Low | |
ClusterRole dynatrace-webhook | apps.openshift.io/deploymentconfigs | get | Low | |
ClusterRole dynatrace-webhook | apps/deployments | get | Low | |
Role dynatrace-webhook | dynatrace.com/dynakubes | get · list · watch | Low | |
Role dynatrace-webhook | core/events | create · patch | Low | |
ClusterRole dynatrace-webhook | batch/jobs | get | Low | |
ClusterRole dynatrace-webhook | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
Role dynatrace-webhook | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-webhook | apps/replicasets | get | Low | |
ClusterRole dynatrace-webhook | core/replicationcontrollers | get | Low | |
ClusterRole dynatrace-webhook | core/secrets | create | Low | |
ClusterRole dynatrace-webhook | apps/statefulsets | get | Low | |
ClusterRole dynatrace-webhook | core/secrets (restricted to: dynatrace-bootstrapper-config) | get · list · update · watch | Low | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted (+1 more) |
ClusterRole dynatrace-webhook | core/secrets (restricted to: dynatrace-dynakube-config) | get · list · update · watch | Low | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted (+1 more) |
ClusterRole dynatrace-webhook | core/secrets (restricted to: dynatrace-metadata-enrichment-endpoint) | get · list · update · watch | Low | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted (+1 more) |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | dynatrace-webhook | webhook | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
🤖 dynatrace-oneagent-csi-driver
Namespace: default | Automount: ❌
🔑 Permissions (6)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role dynatrace-oneagent-csi-driver | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role dynatrace-oneagent-csi-driver | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
Role dynatrace-oneagent-csi-driver | dynatrace.com/dynakubes | get · list · watch | Low | |
Role dynatrace-oneagent-csi-driver | dynatrace.com/dynakubes/finalizers | update | Low | |
Role dynatrace-oneagent-csi-driver | core/events | create · patch | Low | |
Role dynatrace-oneagent-csi-driver | batch/jobs | create · delete · get · list · watch | Low | |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (4)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | dynatrace-oneagent-csi-driver | liveness-probe | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
DaemonSet | dynatrace-oneagent-csi-driver | provisioner | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
DaemonSet | dynatrace-oneagent-csi-driver | registrar | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
DaemonSet | dynatrace-oneagent-csi-driver | server | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
🤖 dynatrace-kubernetes-monitoring
Namespace: default | Automount: ❌
🔑 Permissions (41)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dynatrace-kubernetes-monitoring-kspm | rbac.authorization.k8s.io/clusterrolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring-kspm | rbac.authorization.k8s.io/clusterroles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole dynatrace-kubernetes-monitoring-kspm | rbac.authorization.k8s.io/rolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring-kspm | rbac.authorization.k8s.io/roles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring | config.openshift.io/clusterversions | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | batch/cronjobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | batch/cronjobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/daemonsets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | apps/daemonsets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps.openshift.io/deploymentconfigs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/deployments | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | apps/deployments | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | dynatrace.com/dynakubes | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | batch/jobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | batch/jobs | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-kubernetes-monitoring-kspm | networking.k8s.io/networkpolicies | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/nodes/metrics | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/nodes/metrics | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/nodes/proxy | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/nodes/proxy | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/pods/proxy | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/pods/proxy | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/replicasets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | apps/replicasets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/serviceaccounts | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | core/services | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | core/services | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring | apps/statefulsets | get · list · watch | Low | |
ClusterRole dynatrace-kubernetes-monitoring-kspm | apps/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read events cluster-wide
- Read RBAC configuration cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-opentelemetry-collector
Namespace: default | Automount: ❌
🔑 Permissions (14)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dynatrace-extensions-prometheus | apps/daemonsets | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | apps/deployments | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | core/endpoints | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-telemetry-ingest | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-extensions-prometheus | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-telemetry-ingest | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | core/nodes/metrics | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-telemetry-ingest | core/pods | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | apps/replicasets | get · list · watch | Low | |
ClusterRole dynatrace-telemetry-ingest | apps/replicasets | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | core/services | get · list · watch | Low | |
ClusterRole dynatrace-extensions-prometheus | apps/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-operator
Namespace: default | Automount: ❌
🔑 Permissions (10)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dynatrace-operator | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole dynatrace-operator | core/nodes | get · list · watch | Low | |
ClusterRole dynatrace-operator | core/secrets | create | Low | |
ClusterRole dynatrace-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: dynakubes.dynatrace.com) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-bootstrapper-config) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-dynakube-config) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | core/secrets (restricted to: dynatrace-metadata-enrichment-endpoint) | delete · get · list · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations (restricted to: dynatrace-webhook) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | admissionregistration.k8s.io/validatingwebhookconfigurations (restricted to: dynatrace-webhook) | get · update | Low | ResourceNameRestricted |
ClusterRole dynatrace-operator | apiextensions.k8s.io/customresourcedefinitions (restricted to: edgeconnects.dynatrace.com) | get · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | dynatrace-operator | operator | public.ecr.aws/dynatrace/dynatrace-operator:v1.6.2 |
🤖 dynatrace-dynakube-oneagent
Namespace: default | Automount: ✅
🔑 Permissions (2)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dynatrace-logmonitoring | core/nodes/proxy | get | Low | |
ClusterRole dynatrace-logmonitoring | security.openshift.io/securitycontextconstraints (restricted to: privileged) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-logmonitoring
Namespace: default | Automount: ❌
🔑 Permissions (2)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole dynatrace-logmonitoring | core/nodes/proxy | get | Low | |
ClusterRole dynatrace-logmonitoring | security.openshift.io/securitycontextconstraints (restricted to: privileged) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-activegate
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-edgeconnect
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-extensions-controller
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 dynatrace-node-config-collector
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.