eck-operator
v3.0.0
1 Service Accounts
1 Workloads
47 Bindings
8 Critical
3 Medium
36 Low
Description
Elastic Cloud on Kubernetes (ECK) operator
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
elastic-operator | default | ✅ | — | 47 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 elastic-operator
Namespace: default
| Automount: ✅
🔑 Permissions (47)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole elastic-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole elastic-operator | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole elastic-operator | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole elastic-operator | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole elastic-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
ClusterRole elastic-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole elastic-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole elastic-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update · watch | Critical | DenialOfService InformationDisclosure Reconnaissance Tampering WebhookManipulation (+1 more) |
ClusterRole elastic-operator | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole elastic-operator | policy/poddisruptionbudgets | create · delete · get · list · patch · update · watch | Medium | AvailabilityImpact DenialOfService Tampering |
ClusterRole elastic-operator | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole elastic-operator | agent.k8s.elastic.co/agents | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | agent.k8s.elastic.co/agents/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | agent.k8s.elastic.co/agents/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | apm.k8s.elastic.co/apmservers/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | beat.k8s.elastic.co/beats | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | beat.k8s.elastic.co/beats/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | beat.k8s.elastic.co/beats/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | maps.k8s.elastic.co/elasticmapsservers/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | autoscaling.k8s.elastic.co/elasticsearchautoscalers/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | elasticsearch.k8s.elastic.co/elasticsearches/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | core/endpoints | get · list · watch | Low | |
ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | enterprisesearch.k8s.elastic.co/enterprisesearches/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | kibana.k8s.elastic.co/kibanas/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | coordination.k8s.io/leases | create | Low | |
ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | logstash.k8s.elastic.co/logstashes/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | core/nodes | get · list · watch | Low | |
ClusterRole elastic-operator | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/finalizers | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | stackconfigpolicy.k8s.elastic.co/stackconfigpolicies/status | create · get · list · patch · update · watch | Low | |
ClusterRole elastic-operator | storage.k8s.io/storageclasses | get · list · watch | Low | |
ClusterRole elastic-operator | coordination.k8s.io/leases (restricted to: elastic-operator-leader) | get · update · watch | Low | ResourceNameRestricted |
⚠️ Potential Abuse (26)
The following security risks were found based on the above permissions:
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage DaemonSets cluster-wide (runs on all nodes, high impact)
- Manage DaemonSets in a namespace (runs on nodes, high impact)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Manage ValidatingWebhookConfigurations
- Create SubjectAccessReviews (check arbitrary permissions)
- Read events cluster-wide
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage PodDisruptionBudgets cluster-wide
- List ValidatingWebhookConfigurations (Reconnaissance)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
StatefulSet | elastic-operator | manager | docker.elastic.co/eck/eck-operator:3.0.0 |