external-dns :: RBAC ATLAS

Description

ExternalDNS is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.

https://github.com/bitnami/charts/tree/main/bitnami/external-dns

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`external-dns`	default	❌	—	30	1	Low

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `external-dns`

Namespace: default | Automount: ❌

🔑 Permissions (30)

Role	Resource	Verbs	Risk	Tags
ClusterRole `external-dns-default`	core/endpoints	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/gateways	get · list · watch	Low
ClusterRole `external-dns-default`	networking.istio.io/gateways	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/grpcroutes	get · list · watch	Low
ClusterRole `external-dns-default`	extensions/hosts	get · list · watch	Low
ClusterRole `external-dns-default`	getambassador.io/hosts	get · list · watch	Low
ClusterRole `external-dns-default`	networking.k8s.io/hosts	get · list · watch	Low
ClusterRole `external-dns-default`	projectcontour.io/httpproxies	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/httproutes	get · list · watch	Low
ClusterRole `external-dns-default`	extensions/ingresses	get · list · watch	Low
ClusterRole `external-dns-default`	getambassador.io/ingresses	get · list · watch	Low
ClusterRole `external-dns-default`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `external-dns-default`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `external-dns-default`	core/nodes	get · list · watch	Low
ClusterRole `external-dns-default`	core/pods	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.solo.io/proxies	get · list · watch	Low
ClusterRole `external-dns-default`	gloo.solo.io/proxies	get · list · watch	Low
ClusterRole `external-dns-default`	zalando.org/routegroups	get · list · watch	Low
ClusterRole `external-dns-default`	zalando.org/routegroups/status	patch · update	Low
ClusterRole `external-dns-default`	route.openshift.io/routes	get · list · watch	Low
ClusterRole `external-dns-default`	core/services	get · list · watch	Low
ClusterRole `external-dns-default`	configuration.konghq.com/tcpingresses	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/tcproutes	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/tlsroutes	get · list · watch	Low
ClusterRole `external-dns-default`	cis.f5.com/transportservers	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.networking.k8s.io/udproutes	get · list · watch	Low
ClusterRole `external-dns-default`	cis.f5.com/virtualservers	get · list · watch	Low
ClusterRole `external-dns-default`	gateway.solo.io/virtualservices	get · list · watch	Low
ClusterRole `external-dns-default`	gloo.solo.io/virtualservices	get · list · watch	Low
ClusterRole `external-dns-default`	networking.istio.io/virtualservices	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	external-dns	external-dns	docker.io/bitnami/external-dns:0.17.0-debian-12-r5

external-dns