eck-operator :: RBAC ATLAS

Description

Elastic Cloud on Kubernetes (ECK) operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`elastic-operator`	default	✅	—	47	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `elastic-operator`

Namespace: default | Automount: ✅

🔑 Permissions (47)

Role	Resource	Verbs	Risk	Tags
ClusterRole `elastic-operator`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `elastic-operator`	apps/daemonsets	create · delete · get · list · patch · update · watch	Critical	NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `elastic-operator`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `elastic-operator`	core/pods	create · delete · get · list · patch · update · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole `elastic-operator`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `elastic-operator`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `elastic-operator`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `elastic-operator`	admissionregistration.k8s.io/validatingwebhookconfigurations	create · delete · get · list · patch · update · watch	Critical	DenialOfService InformationDisclosure Reconnaissance Tampering WebhookManipulation (+1 more)
ClusterRole `elastic-operator`	core/events	create · delete · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `elastic-operator`	policy/poddisruptionbudgets	create · delete · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `elastic-operator`	authorization.k8s.io/subjectaccessreviews	create	Medium	InformationDisclosure RBACQuery
ClusterRole `elastic-operator`	agent.k8s.elastic.co/agents	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	agent.k8s.elastic.co/agents/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	agent.k8s.elastic.co/agents/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	apm.k8s.elastic.co/apmservers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	apm.k8s.elastic.co/apmservers/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	apm.k8s.elastic.co/apmservers/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	beat.k8s.elastic.co/beats	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	beat.k8s.elastic.co/beats/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	beat.k8s.elastic.co/beats/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	maps.k8s.elastic.co/elasticmapsservers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	maps.k8s.elastic.co/elasticmapsservers/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	maps.k8s.elastic.co/elasticmapsservers/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	autoscaling.k8s.elastic.co/elasticsearchautoscalers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	autoscaling.k8s.elastic.co/elasticsearchautoscalers/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	autoscaling.k8s.elastic.co/elasticsearchautoscalers/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	elasticsearch.k8s.elastic.co/elasticsearches	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	elasticsearch.k8s.elastic.co/elasticsearches/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	elasticsearch.k8s.elastic.co/elasticsearches/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	core/endpoints	get · list · watch	Low
ClusterRole `elastic-operator`	enterprisesearch.k8s.elastic.co/enterprisesearches	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	enterprisesearch.k8s.elastic.co/enterprisesearches/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	enterprisesearch.k8s.elastic.co/enterprisesearches/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	kibana.k8s.elastic.co/kibanas	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	kibana.k8s.elastic.co/kibanas/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	kibana.k8s.elastic.co/kibanas/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	coordination.k8s.io/leases	create	Low
ClusterRole `elastic-operator`	logstash.k8s.elastic.co/logstashes	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	logstash.k8s.elastic.co/logstashes/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	logstash.k8s.elastic.co/logstashes/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	core/nodes	get · list · watch	Low
ClusterRole `elastic-operator`	core/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	stackconfigpolicy.k8s.elastic.co/stackconfigpolicies	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/finalizers	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/status	create · get · list · patch · update · watch	Low
ClusterRole `elastic-operator`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `elastic-operator`	coordination.k8s.io/leases (restricted to: elastic-operator-leader)	get · update · watch	Low	ResourceNameRestricted

⚠️ Potential Abuse (26)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
StatefulSet	elastic-operator	manager	docker.elastic.co/eck/eck-operator:3.0.0

eck-operator

Description

Overview

Identities

🤖 elastic-operator

🔑 Permissions (47)

⚠️ Potential Abuse (26)

📦 Workloads (1)

🤖 `elastic-operator`