edp-install :: RBAC ATLAS

Description

A Helm chart for EDP Install

https://github.com/epam/edp-install

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`edp-cd-pipeline-operator`	default	❌	—	32	1	High
`gitlab-ci`	stub-namespace	❌	—	14	0	High
`edp-admin-console`	default	❌	—	15	1	Medium
`edp-admin-console-operator`	default	❌	—	22	1	Medium
`edp-jenkins-operator`	default	❌	—	64	1	Medium
`edp-tekton-dashboard`	default	❌	—	20	1	Medium
`jenkins`	default	❌	—	21	1	Medium
`tekton`	default	❌	—	9	0	Medium
`edp-codebase-operator`	default	❌	—	1	1	Low
`edp-tekton-interceptor`	default	❌	—	8	1	Low
`tekton-resource-pruner`	default	❌	—	2	1	Low
`edp-gerrit-operator`	default	❌	—	0	1	—
`edp-headlamp`	default	❌	—	0	1	—
`edp-kaniko`	stub-namespace	❌	—	0	0	—
`edp-keycloak-operator`	default	❌	—	0	1	—
`edp-nexus-operator`	default	❌	—	0	1	—
`edp-perf-operator`	default	❌	—	0	1	—
`edp-sonar-operator`	default	❌	—	0	1	—
`gerrit`	default	❌	—	0	1	—
`nexus`	default	❌	—	0	1	—
`nexus-proxy`	default	❌	—	0	1	—
`sonar`	default	❌	—	0	2	—
`tekton-triggers-sa-default`	default	❌	—	0	0	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `edp-cd-pipeline-operator`

Namespace: default | Automount: ❌

🔑 Permissions (32)

Role	Resource	Verbs	Risk	Tags
Role `edp-cd-pipeline-operator`	*/configmaps	*	High	ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more)
ClusterRole `edp-cd-pipeline-operator-stub-namespace`	core/namespaces	create · delete · get · list	High	DenialOfService NamespaceLifecycle ResourceDeletion
Role `edp-cd-pipeline-operator`	*/cdpipelines	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/cdpipelines/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/cdpipelines/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebasebranches	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebasebranches/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebasebranches/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebaseimagestreams	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebaseimagestreams/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebaseimagestreams/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebases	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebases/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/codebases/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/edpcomponents	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/edpcomponents/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/edpcomponents/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/events	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/gitservers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/gitservers/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/gitservers/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkins	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsfolders	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsfolders/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsfolders/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsjobs	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsjobs/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/jenkinsjobs/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/stages	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/stages/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	*/stages/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-cd-pipeline-operator`	coordination.k8s.io/leases	create · get · list · update	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	cd-pipeline-operator	cd-pipeline-operator	epamedp/cd-pipeline-operator:2.14.1

🤖 `gitlab-ci`

Namespace: stub-namespace | Automount: ❌

🔑 Permissions (14)

Role	Resource	Verbs	Risk	Tags
Role `gitlab-ci`	*/configmaps	*	High	ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more)
Role `gitlab-ci`	*/codebasebranches	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/codebasebranches/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/codebaseimagestreams	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/codebaseimagestreams/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/gittags	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/gittags/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreamimages	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreammappings	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreams	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreams/layers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreams/secrets	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreamtags	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `gitlab-ci`	*/imagestreamtags/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `edp-jenkins-operator`

Namespace: default | Automount: ❌

🔑 Permissions (64)

Role	Resource	Verbs	Risk	Tags
Role `edp-jenkins-operator-stub-namespace`	*/adminconsoles	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdpipelines	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdpipelines/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdpipelines/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagedeployments	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagedeployments/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagedeployments/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagejenkinsdeployments	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagejenkinsdeployments/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/cdstagejenkinsdeployments/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/codebasebranches	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/codebaseimagestreams	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/codebases	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/codebases/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/edpcomponents	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/events	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/gerrits	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/gitservers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkins	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkins/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkins/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsagents	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsagents/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsagents/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationrolemappings	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationrolemappings/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationrolemappings/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationroles	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationroles/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsauthorizationroles/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinses	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinses/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinses/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsfolders	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsfolders/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsfolders/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsjobbuildruns	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsjobbuildruns/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsjobs	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsjobs/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsjobs/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsscripts	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsscripts/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsscripts/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsserviceaccounts	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsserviceaccounts/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinsserviceaccounts/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinssharedlibraries	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinssharedlibraries/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jenkinssharedlibraries/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/jirafixversions	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloakclients	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloakclients/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloakclients/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloakrealms	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloakrealms/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloaks	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/keycloaks/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/nexuses	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/projectrequests	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/stages	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/stages/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	*/stages/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-jenkins-operator-stub-namespace`	coordination.k8s.io/leases	create · get · list · update	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	jenkins-operator	jenkins-operator	epamedp/jenkins-operator:2.14.0

🤖 `edp-admin-console-operator`

Namespace: default | Automount: ❌

🔑 Permissions (22)

Role	Resource	Verbs	Risk	Tags
Role `edp-admin-console-operator-stub-namespace`	*/adminconsoles	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/adminconsoles/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/adminconsoles/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/cdpipelines	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/cdpipelines/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/codebasebranches	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/codebasebranches/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/codebases	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/codebases/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/configmaps	get	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/edpcomponents	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/events	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloakclients	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloakclients/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloakclients/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloakrealms	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloakrealms/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloaks	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/keycloaks/status	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/stages	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	*/stages/finalizers	*	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-admin-console-operator-stub-namespace`	coordination.k8s.io/leases	create · get · list · update	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	admin-console-operator	admin-console-operator	epamedp/admin-console-operator:2.14.0

🤖 `jenkins`

Namespace: default | Automount: ❌

🔑 Permissions (21)

Role	Resource	Verbs	Risk	Tags
Role `jenkins-resources-role`	*/adminconsoles	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/cdpipelines	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/codebasebranches	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/codebasebranches/status	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/codebaseimagestreams	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/codebases	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/codebases/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/edpcomponents	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/gitservers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jenkins	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jenkinses	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jirafixversions	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jiraissuemetadatas	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jiraissuemetadatas/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/jiraissuemetadatas/status	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/keycloakrealms	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/nexuses	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	*/stages	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `jenkins-resources-role`	build.openshift.io/buildconfigs	list	Low
Role `jenkins-resources-role`	build.openshift.io/builds	list	Low
Role `jenkins-resources-role`	image.openshift.io/imagestreams	list	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	jenkins	edp-jenkins	epamedp/edp-jenkins:2.13.0

🤖 `edp-tekton-dashboard`

Namespace: default | Automount: ❌

🔑 Permissions (20)

Role	Resource	Verbs	Risk	Tags
Role `tekton-dashboard-tenant`	core/pods/log	get · list · watch	Medium	DataExposure InformationDisclosure LogAccess
Role `tekton-dashboard-backend`	apiextensions.k8s.io/customresourcedefinitions	get · list	Low
Role `tekton-dashboard-tenant`	triggers.tekton.dev/eventlisteners	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	core/events	get · list · watch	Low
Role `tekton-dashboard-backend`	dashboard.tekton.dev/extensions	create · delete · patch · update	Low
Role `tekton-dashboard-tenant`	dashboard.tekton.dev/extensions	get · list · watch	Low
Role `tekton-dashboard-tenant`	triggers.tekton.dev/interceptors	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	core/namespaces	get · list · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/pipelineresources	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/pipelineruns	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/pipelines	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	core/pods	get · list · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/runs	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-backend`	security.openshift.io/securitycontextconstraints	use	Low
Role `tekton-dashboard-backend`	core/serviceaccounts	get · list · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/taskruns	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	tekton.dev/tasks	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	triggers.tekton.dev/triggerbindings	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	triggers.tekton.dev/triggers	create · delete · get · list · patch · update · watch	Low
Role `tekton-dashboard-tenant`	triggers.tekton.dev/triggertemplates	create · delete · get · list · patch · update · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read pod logs in a namespace

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	edp-tekton-dashboard	tekton-dashboard	gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.32.0

🤖 `edp-admin-console`

Namespace: default | Automount: ❌

🔑 Permissions (15)

Role	Resource	Verbs	Risk	Tags
Role `edp-resources-admin`	*/cdpipelines	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/cdpipelines/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/codebasebranches	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/codebasebranches/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/codebaseimagestreams	get · list	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/codebases	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/codebases/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/edpcomponents	get · list	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/gitservers	list	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/jenkins	get · list	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/jiraservers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/jiraservers/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/perfservers	list	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/stages	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission
Role `edp-resources-admin`	*/stages/finalizers	create · delete · get · list · patch · update	Medium	NamespaceAdmin NamespaceWideAccess WildcardPermission

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	edp-admin-console	edp-admin-console	epamedp/edp-admin-console:2.14.0

🤖 `tekton`

Namespace: default | Automount: ❌

🔑 Permissions (9)

Role	Resource	Verbs	Risk	Tags
Role `tekton-pipeline-role`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
Role `tekton-pipeline-role`	v2.edp.epam.com/cdpipelines	get · list · patch · update	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/codebasebranches	get · list · patch · update	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/codebasebranches/status	get · list · patch · update	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/codebaseimagestreams	get · list · patch · update	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/codebases	get · list · patch · update	Low
Role `tekton-pipeline-role`	v1.edp.epam.com/edpcomponents	get	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/jiraissuemetadatas	create · get	Low
Role `tekton-pipeline-role`	v2.edp.epam.com/stages	get · list · patch · update	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read ConfigMaps in a namespace

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `edp-tekton-interceptor`

Namespace: default | Automount: ❌

🔑 Permissions (8)

Role	Resource	Verbs	Risk	Tags
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebasebranches	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebasebranches/finalizers	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebasebranches/status	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebases	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebases/finalizers	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	v2.edp.epam.com/codebases/status	get · list · watch	Low
Role `tekton-triggers-edp-interceptor`	triggers.tekton.dev/interceptors	get · list · update · watch	Low
Role `tekton-triggers-edp-interceptor`	core/secrets (restricted to: tekton-edp-interceptor-certs)	create · get · list · update · watch	Low	CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read secrets in a namespace

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	edp-tekton-interceptor	tekton-triggers-edp-interceptor	epamedp/edp-tekton:0.4.0

🤖 `tekton-resource-pruner`

Namespace: default | Automount: ❌

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
Role `tekton-resource-pruner`	tekton.dev/pipelineruns	delete · list	Low
Role `tekton-resource-pruner`	tekton.dev/pipelines	delete · list	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
CronJob	tekton-resource-pruner	pruner-tkn-tekton-pipelines	gcr.io/tekton-releases/dogfooding/tkn@sha256:025de221fb059ca24a3b2d988889ea34bce48dc76c0cf0d6b4499edb8c21325f

🤖 `edp-codebase-operator`

Namespace: default | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
ClusterRole `edp-codebase-operator-stub-namespace`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · patch · update	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	codebase-operator	codebase-operator	epamedp/codebase-operator:2.15.0

🤖 `edp-gerrit-operator`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	gerrit-operator	gerrit-operator	epamedp/gerrit-operator:2.14.0

🤖 `edp-headlamp`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	edp-headlamp	edp-headlamp	epamedp/edp-headlamp:0.5.0

🤖 `edp-kaniko`

Namespace: stub-namespace | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `edp-keycloak-operator`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	keycloak-operator	keycloak-operator	epamedp/keycloak-operator:1.15.0

🤖 `edp-nexus-operator`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	nexus-operator	nexus-operator	epamedp/nexus-operator:2.14.1

🤖 `edp-perf-operator`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	perf-operator	perf-operator	epamedp/perf-operator:2.13.0

🤖 `edp-sonar-operator`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	sonar-operator	sonar-operator	epamedp/sonar-operator:2.14.0

🤖 `gerrit`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	gerrit	gerrit	epamedp/edp-gerrit:3.6.2

🤖 `nexus`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	nexus	nexus	sonatype/nexus3:3.43.0

🤖 `nexus-proxy`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	nexus-proxy	nexus-proxy	quay.io/oauth2-proxy/oauth2-proxy:v7.4.0

🤖 `sonar`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	sonar	sonar	sonarqube:8.9.10-community
Deployment	sonar-db	sonar-db	postgres:9.6

🤖 `tekton-triggers-sa-default`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

edp-install

Description

Overview

Identities

🤖 edp-cd-pipeline-operator

🔑 Permissions (32)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 gitlab-ci

🔑 Permissions (14)

⚠️ Potential Abuse (3)

📦 Workloads (0)

🤖 edp-jenkins-operator

🔑 Permissions (64)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 edp-admin-console-operator

🔑 Permissions (22)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 jenkins

🔑 Permissions (21)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 edp-tekton-dashboard

🔑 Permissions (20)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 edp-admin-console

🔑 Permissions (15)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 tekton

🔑 Permissions (9)

⚠️ Potential Abuse (2)

📦 Workloads (0)

🤖 edp-tekton-interceptor

🔑 Permissions (8)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 tekton-resource-pruner

🔑 Permissions (2)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 edp-codebase-operator

🔑 Permissions (1)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 edp-gerrit-operator

🔑 Permissions (0)

📦 Workloads (1)

🤖 edp-headlamp

🔑 Permissions (0)

📦 Workloads (1)

🤖 edp-kaniko

🔑 Permissions (0)

📦 Workloads (0)

🤖 edp-keycloak-operator

🔑 Permissions (0)

📦 Workloads (1)

🤖 edp-nexus-operator

🔑 Permissions (0)

📦 Workloads (1)

🤖 edp-perf-operator

🔑 Permissions (0)

📦 Workloads (1)

🤖 edp-sonar-operator

🔑 Permissions (0)

📦 Workloads (1)

🤖 gerrit

🔑 Permissions (0)

📦 Workloads (1)

🤖 nexus

🔑 Permissions (0)

📦 Workloads (1)

🤖 nexus-proxy

🔑 Permissions (0)

📦 Workloads (1)

🤖 sonar

🔑 Permissions (0)

🤖 `edp-cd-pipeline-operator`

🤖 `gitlab-ci`

🤖 `edp-jenkins-operator`

🤖 `edp-admin-console-operator`

🤖 `jenkins`

🤖 `edp-tekton-dashboard`

🤖 `edp-admin-console`

🤖 `tekton`

🤖 `edp-tekton-interceptor`

🤖 `tekton-resource-pruner`

🤖 `edp-codebase-operator`

🤖 `edp-gerrit-operator`

🤖 `edp-headlamp`

🤖 `edp-kaniko`

🤖 `edp-keycloak-operator`

🤖 `edp-nexus-operator`

🤖 `edp-perf-operator`

🤖 `edp-sonar-operator`

🤖 `gerrit`

🤖 `nexus`

🤖 `nexus-proxy`

🤖 `sonar`

🤖 `tekton-triggers-sa-default`