18 Service Accounts
17 Workloads
217 Bindings
1 Critical
30 High
176 Medium
10 Low
Description
A Helm chart for EDP Install
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
edp-cd-pipeline-operator | default | ❌ | — | 32 | 1 | Critical |
edp-reconciler | stub-namespace | ❌ | — | 47 | 1 | High |
gitlab-ci | stub-namespace | ❌ | — | 14 | 0 | High |
edp-admin-console | default | ❌ | — | 16 | 1 | Medium |
edp-admin-console-operator | default | ❌ | — | 23 | 1 | Medium |
edp-jenkins-operator | default | ❌ | — | 65 | 1 | Medium |
jenkins | default | ❌ | — | 20 | 1 | Medium |
edp-codebase-operator | default | ❌ | — | 0 | 1 | — |
edp-db | stub-namespace | ❌ | — | 0 | 1 | — |
edp-gerrit-operator | default | ❌ | — | 0 | 1 | — |
edp-kaniko | stub-namespace | ❌ | — | 0 | 0 | — |
edp-keycloak-operator | default | ❌ | — | 0 | 1 | — |
edp-nexus-operator | default | ❌ | — | 0 | 1 | — |
edp-perf-operator | default | ❌ | — | 0 | 1 | — |
edp-sonar-operator | default | ❌ | — | 0 | 1 | — |
gerrit | default | ❌ | — | 0 | 1 | — |
nexus | default | ❌ | — | 0 | 1 | — |
sonar | default | ❌ | — | 0 | 2 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 edp-cd-pipeline-operator
Namespace: default | Automount: ❌
🔑 Permissions (32)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole edp-cd-pipeline-operator-stub-namespace | */configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */cdpipelines | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */cdpipelines/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */cdpipelines/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebasebranches | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebasebranches/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebasebranches/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebaseimagestreams | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebaseimagestreams/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebaseimagestreams/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebases | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebases/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */codebases/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */deploymentconfigs | get · list | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */edpcomponents | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */edpcomponents/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */edpcomponents/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */gitservers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */gitservers/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */gitservers/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsfolders | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsfolders/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsfolders/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsjobs | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsjobs/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */jenkinsjobs/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */stages | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */stages/finalizers | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */stages/status | * | High | ClusterWideAccess |
ClusterRole edp-cd-pipeline-operator-stub-namespace | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance |
ClusterRole edp-cd-pipeline-operator-stub-namespace | apps/deployments | get · list | Low | |
ClusterRole edp-cd-pipeline-operator-stub-namespace | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Read events cluster-wide
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cd-pipeline-operator | cd-pipeline-operator | epamedp/cd-pipeline-operator:2.11.0 |
🤖 edp-reconciler
Namespace: stub-namespace | Automount: ❌
🔑 Permissions (47)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-reconciler | */services | * | High | DenialOfService NamespaceAdmin NamespaceWideAccess NetworkManipulation ServiceExposure (+2 more) |
Role edp-reconciler | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */cdpipelines/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */cdpipelines/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkins | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkins/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkins/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsjobs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsjobs/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsjobs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsscripts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsserviceaccounts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsserviceaccounts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jenkinsserviceaccounts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jiraservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jiraservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */jiraservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcejenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcejenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcejenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcesonars | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcesonars/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfdatasourcesonars/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */perfservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-reconciler | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | reconciler | reconciler | epamedp/reconciler:2.11.0 |
🤖 gitlab-ci
Namespace: stub-namespace | Automount: ❌
🔑 Permissions (14)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role gitlab-ci | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
Role gitlab-ci | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */gittags | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */gittags/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreamimages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreammappings | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreams/layers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreams/secrets | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreamtags | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role gitlab-ci | */imagestreamtags/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 edp-jenkins-operator
Namespace: default | Automount: ❌
🔑 Permissions (65)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-jenkins-operator-stub-namespace | */adminconsoles | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdpipelines/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdpipelines/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagedeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagedeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagedeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagejenkinsdeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagejenkinsdeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */cdstagejenkinsdeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */gerrits | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkins | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkins/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkins/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsagents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsagents/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsagents/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationrolemappings | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationrolemappings/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationrolemappings/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationroles | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationroles/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsauthorizationroles/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsfolders | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsfolders/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsfolders/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsjobbuildruns | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsjobbuildruns/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsjobs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsjobs/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsjobs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsscripts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsscripts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsscripts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsserviceaccounts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsserviceaccounts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinsserviceaccounts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinssharedlibraries | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinssharedlibraries/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jenkinssharedlibraries/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */jirafixversions | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloakclients | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloakclients/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloakclients/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloakrealms | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloakrealms/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloaks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */keycloaks/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */nexuses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */podsecuritypolicies | get · list · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */projectrequests | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-operator-stub-namespace | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | jenkins-operator | jenkins-operator | epamedp/jenkins-operator:2.11.1 |
🤖 edp-admin-console-operator
Namespace: default | Automount: ❌
🔑 Permissions (23)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-admin-console-operator-stub-namespace | */adminconsoles | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */adminconsoles/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */adminconsoles/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */cdpipelines/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */configmaps | get | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloakclients | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloakclients/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloakclients/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloakrealms | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloakrealms/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloaks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */keycloaks/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-operator-stub-namespace | coordination.k8s.io/leases | create · get · list · update | Low | |
Role edp-admin-console-operator-stub-namespace | storage.k8s.io/storageclasses | get · list | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | admin-console-operator | admin-console-operator | epamedp/admin-console-operator:2.11.0 |
🤖 jenkins
Namespace: default | Automount: ❌
🔑 Permissions (20)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-jenkins-role | */adminconsoles | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */cdpipelines | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */codebasebranches | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */codebaseimagestreams | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */codebases | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */codebases/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */edpcomponents | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */gitservers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jenkins | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jenkinses | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jirafixversions | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jiraissuemetadatas | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jiraissuemetadatas/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */jiraissuemetadatas/status | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */keycloakrealms | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */nexuses | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | */stages | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-jenkins-role | build.openshift.io/buildconfigs | list | Low | |
Role edp-jenkins-role | build.openshift.io/builds | list | Low | |
Role edp-jenkins-role | image.openshift.io/imagestreams | list | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | jenkins | jenkins | epamedp/edp-jenkins:2.11.0 |
🤖 edp-admin-console
Namespace: default | Automount: ❌
🔑 Permissions (16)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-resources-admin | */cdpipelines | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */cdpipelines/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */codebasebranches | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */codebasebranches/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */codebaseimagestreams | get · list | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */codebases | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */codebases/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */edpcomponents | get · list | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */gitservers | list | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */jenkins | get · list | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */jiraservers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */jiraservers/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */perfservers | list | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */stages | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-resources-admin | */stages/finalizers | create · delete · get · list · patch · update | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-admin-console-stub-namespace | storage.k8s.io/storageclasses | get · list | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | edp-admin-console | edp-admin-console | epamedp/edp-admin-console:2.12.0 |
🤖 edp-codebase-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | codebase-operator | codebase-operator | epamedp/codebase-operator:2.12.0 |
🤖 edp-db
Namespace: stub-namespace | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | edp-db | edp-db | postgres:9.6 |
🤖 edp-gerrit-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit-operator | gerrit-operator | epamedp/gerrit-operator:2.11.0 |
🤖 edp-kaniko
Namespace: stub-namespace | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 edp-keycloak-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keycloak-operator | keycloak-operator | epamedp/keycloak-operator:1.11.0 |
🤖 edp-nexus-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nexus-operator | nexus-operator | epamedp/nexus-operator:2.11.0 |
🤖 edp-perf-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | perf-operator | perf-operator | epamedp/perf-operator:2.11.0 |
🤖 edp-sonar-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonar-operator | sonar-operator | epamedp/sonar-operator:2.11.0 |
🤖 gerrit
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit | gerrit | openfrontier/gerrit:3.3.2 |
🤖 nexus
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nexus | nexus | sonatype/nexus3:3.38.1 |
🤖 sonar
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonar | sonar | sonarqube:8.9.8-community |
| Deployment | sonar-db | sonar-db | postgres:9.6 |