16 Service Accounts
14 Workloads
204 Bindings
1 Critical
3 High
143 Medium
57 Low
Description
A Helm chart for EDP Install
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
edp-codebase-operator | default | ❌ | — | 69 | 1 | Critical |
edp-cd-pipeline-operator | default | ❌ | — | 32 | 1 | High |
edp-gerrit-operator | default | ❌ | — | 32 | 1 | Medium |
edp-nexus-operator | default | ❌ | — | 21 | 1 | Medium |
edp-tekton-dashboard | default | ❌ | — | 20 | 1 | Medium |
tekton | default | ❌ | — | 16 | 0 | Medium |
edp-tekton-interceptor | default | ❌ | — | 12 | 1 | Low |
tekton-resource-pruner | default | ❌ | — | 2 | 1 | Low |
edp-headlamp | default | ❌ | — | 0 | 1 | — |
edp-keycloak-operator | default | ❌ | — | 0 | 1 | — |
edp-sonar-operator | default | ❌ | — | 0 | 1 | — |
gerrit | default | ❌ | — | 0 | 1 | — |
nexus | default | ❌ | — | 0 | 1 | — |
nexus-proxy | default | ❌ | — | 0 | 1 | — |
sonar | default | ❌ | — | 0 | 2 | — |
tekton-triggers-sa-default | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 edp-codebase-operator
Namespace: default | Automount: ❌
🔑 Permissions (69)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-codebase-operator | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role edp-codebase-operator | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
Role edp-codebase-operator | */adminconsoles | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */adminconsoles/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */adminconsoles/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagedeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagejenkinsdeployments | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagejenkinsdeployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */cdstagejenkinsdeployments/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */edpcomponents/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */edpcomponents/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkins | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkins/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkins/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsfolders | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsfolders/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsfolders/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsjobs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsjobs/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsjobs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsscripts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsscripts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsscripts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsserviceaccounts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsserviceaccounts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jenkinsserviceaccounts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jirafixversions/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraissuemetadatas/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */jiraservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcegitlabs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcegitlabs/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcegitlabs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcejenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcejenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcejenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcesonars | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcesonars/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */perfdatasourcesonars/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-codebase-operator | argoproj.io/applications | get · list · patch · update · watch | Low | |
Role edp-codebase-operator | core/events | create · patch | Low | |
Role edp-codebase-operator | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole edp-codebase-operator-default | admissionregistration.k8s.io/validatingwebhookconfigurations | get · patch · update | Low | |
Role edp-codebase-operator | core/secrets (restricted to: edp-codebase-operator-webhook-certs) | create · get · patch · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | codebase-operator | codebase-operator | epamedp/codebase-operator:2.18.0 |
🤖 edp-cd-pipeline-operator
Namespace: default | Automount: ❌
🔑 Permissions (32)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-cd-pipeline-operator | */configmaps | * | High | ConfigMapAccess DataExposure InformationDisclosure NamespaceAdmin NamespaceWideAccess (+3 more) |
ClusterRole edp-cd-pipeline-operator-default | core/namespaces | create · delete · get · list | High | DenialOfService NamespaceLifecycle ResourceDeletion |
Role edp-cd-pipeline-operator | */cdpipelines | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */cdpipelines/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */cdpipelines/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebasebranches/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebaseimagestreams/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */codebases/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */edpcomponents/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */gitservers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkins | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsfolders | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsfolders/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsfolders/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsjobs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsjobs/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */jenkinsjobs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | */stages/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-cd-pipeline-operator | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cd-pipeline-operator | cd-pipeline-operator | epamedp/cd-pipeline-operator:2.16.0 |
🤖 edp-gerrit-operator
Namespace: default | Automount: ❌
🔑 Permissions (32)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-gerrit-operator | */edpcomponents | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroupmembers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroups | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritgroups/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritmergerequests/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojectaccesses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritprojects/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritreplicationconfigs | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerritreplicationconfigs/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */gerrits/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */jenkinsscripts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */jenkinsserviceaccounts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakclients/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakrealms | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloakrealms/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloaks | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | */keycloaks/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-gerrit-operator | v2.edp.epam.com/jenkins | get · list · watch | Low | |
Role edp-gerrit-operator | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit-operator | gerrit-operator | epamedp/gerrit-operator:2.17.0 |
🤖 edp-nexus-operator
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role edp-nexus-operator | */deployments/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */events | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkins | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkins/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkins/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsscripts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsscripts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsscripts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsserviceaccounts | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsserviceaccounts/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */jenkinsserviceaccounts/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexuses | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexuses/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexuses/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexususers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexususers/finalizers | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | */nexususers/status | * | Medium | NamespaceAdmin NamespaceWideAccess |
Role edp-nexus-operator | coordination.k8s.io/leases | create · get · list · update | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nexus-operator | nexus-operator | epamedp/nexus-operator:2.17.0 |
🤖 edp-tekton-dashboard
Namespace: default | Automount: ❌
🔑 Permissions (20)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-dashboard-tenant | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
Role tekton-dashboard-backend | apiextensions.k8s.io/customresourcedefinitions | get · list | Low | |
Role tekton-dashboard-tenant | triggers.tekton.dev/eventlisteners | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | core/events | get · list · watch | Low | |
Role tekton-dashboard-backend | dashboard.tekton.dev/extensions | create · delete · patch · update | Low | |
Role tekton-dashboard-tenant | dashboard.tekton.dev/extensions | get · list · watch | Low | |
Role tekton-dashboard-tenant | triggers.tekton.dev/interceptors | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | core/namespaces | get · list · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/pipelineresources | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/pipelineruns | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/pipelines | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | core/pods | get · list · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/runs | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-backend | security.openshift.io/securitycontextconstraints | use | Low | |
Role tekton-dashboard-backend | core/serviceaccounts | get · list · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/taskruns | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | tekton.dev/tasks | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | triggers.tekton.dev/triggerbindings | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | triggers.tekton.dev/triggers | create · delete · get · list · patch · update · watch | Low | |
Role tekton-dashboard-tenant | triggers.tekton.dev/triggertemplates | create · delete · get · list · patch · update · watch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | edp-tekton-dashboard | tekton-dashboard | gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.39.0 |
🤖 tekton
Namespace: default | Automount: ❌
🔑 Permissions (16)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-pipeline-role | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
Role tekton-autotests-role | argoproj.io/applications | get · list | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/cdpipelines | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebasebranches | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebasebranches/status | get · list · patch · update | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebaseimagestreams | get · list · patch · update | Low | |
Role tekton-autotests-role | v2.edp.epam.com/codebases | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/codebases | get · list · patch · update | Low | |
Role tekton-pipeline-role | v1.edp.epam.com/edpcomponents | get | Low | |
Role tekton-autotests-role | v2.edp.epam.com/gitservers | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/jiraissuemetadatas | create · get | Low | |
Role tekton-autotests-role | tekton.dev/pipelineruns | create · get · list · patch · update · watch | Low | |
Role tekton-autotests-role | tekton.dev/pipelines | create · get · list · patch · update · watch | Low | |
Role tekton-autotests-role | v2.edp.epam.com/stages | get · list · watch | Low | |
Role tekton-pipeline-role | v2.edp.epam.com/stages | get · list · patch · update | Low | |
Role tekton-pipeline-role | tekton.dev/taskruns | get · list · watch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 edp-tekton-interceptor
Namespace: default | Automount: ❌
🔑 Permissions (12)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebasebranches/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/codebases/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers/finalizers | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | v2.edp.epam.com/gitservers/status | get · list · watch | Low | |
Role tekton-triggers-edp-interceptor | triggers.tekton.dev/interceptors | get · list · update · watch | Low | |
Role tekton-triggers-edp-interceptor | core/secrets | get | Low | |
Role tekton-triggers-edp-interceptor | core/secrets (restricted to: tekton-edp-interceptor-certs) | create · get · list · update · watch | Low | CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | edp-tekton-interceptor | tekton-triggers-edp-interceptor | epamedp/edp-tekton:0.7.0 |
🤖 tekton-resource-pruner
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role tekton-resource-pruner | tekton.dev/pipelineruns | delete · list | Low | |
Role tekton-resource-pruner | tekton.dev/pipelines | delete · list | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| CronJob | tekton-resource-pruner | pruner-tkn-tekton-pipelines | gcr.io/tekton-releases/dogfooding/tkn@sha256:025de221fb059ca24a3b2d988889ea34bce48dc76c0cf0d6b4499edb8c21325f |
🤖 edp-headlamp
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | edp-headlamp | edp-headlamp | epamedp/edp-headlamp:0.9.0 |
🤖 edp-keycloak-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keycloak-operator | keycloak-operator | epamedp/keycloak-operator:1.18.0 |
🤖 edp-sonar-operator
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonar-operator | sonar-operator | epamedp/sonar-operator:2.14.1 |
🤖 gerrit
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gerrit | gerrit | epamedp/edp-gerrit:3.6.2 |
🤖 nexus
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nexus | nexus | sonatype/nexus3:3.58.1 |
🤖 nexus-proxy
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nexus-proxy | nexus-proxy | quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 |
🤖 sonar
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | sonar | sonar | sonarqube:8.9.10-community |
| Deployment | sonar-db | sonar-db | postgres:9.6 |
🤖 tekton-triggers-sa-default
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.