edp-install
v3.11.3
9 Service Accounts
8 Workloads
125 Bindings
4 Critical
3 High
78 Medium
40 Low
Description
A Helm chart for KubeRocketCI Platform
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
edp-cd-pipeline-operator | default | ❌ | — | 29 | 1 | Critical |
edp-codebase-operator | default | ❌ | — | 37 | 1 | Critical |
tekton | default | ❌ | kaniko-docker-config | 17 | 0 | Critical |
edp-gerrit-operator | default | ❌ | — | 28 | 1 | Medium |
tekton-interceptor | default | ❌ | — | 12 | 1 | Low |
tekton-resource-pruner | default | ❌ | — | 2 | 1 | Low |
edp-headlamp | default | ❌ | — | 0 | 1 | — |
gerrit | default | ❌ | — | 0 | 1 | — |
tekton-triggers-sa-default | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 edp-codebase-operator
Namespace: default | Automount: ❌
🔑 Permissions (37)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-codebase-operator | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role edp-codebase-operator | core/secrets | create · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role edp-codebase-operator | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
Role edp-codebase-operator | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */quicklinks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | argoproj.io/applications | get · list · patch · update · watch | Low | |
Role edp-codebase-operator | core/events | create · patch | Low | |
Role edp-codebase-operator | networking.k8s.io/ingresses | create · get · list · watch | Low | |
Role edp-codebase-operator | tekton.dev/pipelineruns | create · get · list · patch · update · watch | Low | |
Role edp-codebase-operator | triggers.tekton.dev/triggertemplates | get · list · watch | Low | |
ClusterRole edp-codebase-operator-default | admissionregistration.k8s.io/validatingwebhookconfigurations | get · patch · update | Low |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | codebase-operator | codebase-operator | epamedp/codebase-operator:2.27.2 |
🤖 edp-cd-pipeline-operator
Namespace: default | Automount: ❌
🔑 Permissions (29)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-cd-pipeline-operator | core/secrets | create · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role edp-cd-pipeline-operator | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
ClusterRole edp-cd-pipeline-operator-default | core/namespaces | create · delete · get · list | High | DenialOfService NamespaceLifecycle ResourceDeletion |
Role edp-cd-pipeline-operator | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */cdpipelines/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */cdpipelines/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | argoproj.io/applicationsets | create · get · list · patch · update · watch | Low | |
Role edp-cd-pipeline-operator | coordination.k8s.io/leases | create · get · list · update | Low | |
ClusterRole edp-cd-pipeline-operator-default-validation-webhook | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole edp-cd-pipeline-operator-default-validation-webhook | admissionregistration.k8s.io/validatingwebhookconfigurations | get · patch · update | Low |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Delete namespaces
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cd-pipeline-operator | cd-pipeline-operator | epamedp/cd-pipeline-operator:2.25.2 |
🤖 tekton
Namespace: default | Automount: ❌ | Secrets: kaniko-docker-config
🔑 Permissions (17)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-autotests-role | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role tekton-pipeline-role | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
Role tekton-autotests-role | argoproj.io/applications | get · list | Low | |
Role tekton-pipeline-role | argoproj.io/applicationsets | get · list · patch · update · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/cdpipelines | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebasebranches | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebasebranches/status | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebaseimagestreams | get · list · patch · update | Low | |
Role tekton-autotests-role | v2.edp.epam.com/codebases | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebases | get · list · patch · update | Low | |
Role tekton-autotests-role | v2.edp.epam.com/gitservers | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/jiraissuemetadatas | create · get | Low | |
Role tekton-autotests-role | tekton.dev/pipelineruns | create · get · list · patch · update · watch | Low | |
Role tekton-autotests-role | tekton.dev/pipelines | create · get · list · patch · update · watch | Low | |
Role tekton-autotests-role | v2.edp.epam.com/stages | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/stages | get · list · patch · update | Low | |
Role tekton-pipeline-role | tekton.dev/taskruns | get · list · watch | Low |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 edp-gerrit-operator
Namespace: default | Automount: ❌
🔑 Permissions (28)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-gerrit-operator | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroups | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroups/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritreplicationconfigs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritreplicationconfigs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakrealms | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakrealms/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloaks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloaks/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit-operator | gerrit-operator | epamedp/gerrit-operator:2.23.1 |
🤖 tekton-interceptor
Namespace: default | Automount: ❌
🔑 Permissions (12)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | triggers.tekton.dev/interceptors | get · list · update · watch | Low | |
Role tekton-triggers-edp-interceptor | core/secrets | get | Low | |
Role tekton-triggers-edp-interceptor | core/secrets (restricted to: tekton-edp-interceptor-certs) | create · get · list · update · watch | Low | CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | tekton-interceptor | tekton-triggers-edp-interceptor | epamedp/edp-tekton:0.18.0 |
🤖 tekton-resource-pruner
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-resource-pruner | tekton.dev/pipelineruns | delete · get · list | Low | |
Role tekton-resource-pruner | core/ConfigMap (restricted to: tekton-resource-pruner-scripts) | get | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| CronJob | tekton-resource-pruner | kubectl | bitnami/kubectl:1.25 |
🤖 edp-headlamp
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | portal | portal | epamedp/edp-headlamp:0.22.0 |
🤖 gerrit
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit | gerrit | epamedp/edp-gerrit:3.6.2-oauth |
🤖 tekton-triggers-sa-default
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.