codebase-operator
v2.27.2
1 Service Accounts
1 Workloads
37 Bindings
2 Critical
1 High
28 Medium
6 Low
Description
A Helm chart for KubeRocketCI Codebase Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
edp-codebase-operator | default | ❌ | — | 37 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 edp-codebase-operator
Namespace: default | Automount: ❌
🔑 Permissions (37)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-codebase-operator | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role edp-codebase-operator | core/secrets | create · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role edp-codebase-operator | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
Role edp-codebase-operator | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */quicklinks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | argoproj.io/applications | get · list · patch · update · watch | Low | |
Role edp-codebase-operator | core/events | create · patch | Low | |
Role edp-codebase-operator | networking.k8s.io/ingresses | create · get · list · watch | Low | |
Role edp-codebase-operator | tekton.dev/pipelineruns | create · get · list · patch · update · watch | Low | |
Role edp-codebase-operator | triggers.tekton.dev/triggertemplates | get · list · watch | Low | |
ClusterRole edp-codebase-operator-default | admissionregistration.k8s.io/validatingwebhookconfigurations | get · patch · update | Low |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | codebase-operator | codebase-operator | epamedp/codebase-operator:2.27.2 |