Description

Elastic Cloud on Kubernetes (ECK) operator

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| elastic-operator | default | | | 47 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 elastic-operator

Namespace: default  |  Automount:

🔑 Permissions (47)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole elastic-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole elastic-operator | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole elastic-operator | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole elastic-operator | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
| ClusterRole elastic-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
| ClusterRole elastic-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole elastic-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole elastic-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update · watch | Critical | DenialOfService InformationDisclosure Reconnaissance Tampering WebhookManipulation (+1 more) |
| ClusterRole elastic-operator | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole elastic-operator | policy/poddisruptionbudgets | create · delete · get · list · patch · update · watch | Medium | AvailabilityImpact DenialOfService Tampering |
| ClusterRole elastic-operator | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
| ClusterRole elastic-operator | agent.k8s.elastic.co/agents | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | agent.k8s.elastic.co/agents/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | agent.k8s.elastic.co/agents/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | beat.k8s.elastic.co/beats | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | beat.k8s.elastic.co/beats/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | beat.k8s.elastic.co/beats/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | core/endpoints | get · list · watch | Low | |
| ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | coordination.k8s.io/leases | create | Low | |
| ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | core/nodes | get · list · watch | Low | |
| ClusterRole elastic-operator | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/finalizers | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/status | create · get · list · patch · update · watch | Low | |
| ClusterRole elastic-operator | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole elastic-operator | coordination.k8s.io/leases (restricted to: elastic-operator-leader) | get · update · watch | Low | ResourceNameRestricted |

⚠️ Potential Abuse (26)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | elastic-operator | manager | docker.elastic.co/eck/eck-operator:3.0.0 |