flux2 :: RBAC ATLAS

Description

A Helm chart for flux2

https://github.com/fluxcd-community/helm-charts

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`helm-controller`	default	❌	—	12	1	Critical
`image-automation-controller`	default	❌	—	12	1	Critical
`image-reflector-controller`	default	❌	—	12	1	Critical
`kustomize-controller`	default	❌	—	12	1	Critical
`notification-controller`	default	❌	—	12	1	Critical
`source-controller`	default	❌	—	12	1	Critical
`flux2-flux-check`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `helm-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	helm-controller	manager	ghcr.io/fluxcd/helm-controller:v1.3.0

🤖 `image-automation-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	image-automation-controller	manager	ghcr.io/fluxcd/image-automation-controller:v0.41.0

🤖 `image-reflector-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	image-reflector-controller	manager	ghcr.io/fluxcd/image-reflector-controller:v0.35.1

🤖 `kustomize-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kustomize-controller	manager	ghcr.io/fluxcd/kustomize-controller:v1.6.0

🤖 `notification-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	notification-controller	manager	ghcr.io/fluxcd/notification-controller:v1.6.0

🤖 `source-controller`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	get · patch · update	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `crd-controller`	core/serviceaccounts	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	source-controller	manager	ghcr.io/fluxcd/source-controller:v1.6.0

🤖 `flux2-flux-check`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Job	flux2-flux-check	flux-cli	ghcr.io/fluxcd/flux-cli:v2.6.1

flux2

Description

Overview

Identities

🤖 helm-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 image-automation-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 image-reflector-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 kustomize-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 notification-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 source-controller

🔑 Permissions (12)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 flux2-flux-check

🔑 Permissions (0)

📦 Workloads (1)

🤖 `helm-controller`

🤖 `image-automation-controller`

🤖 `image-reflector-controller`

🤖 `kustomize-controller`

🤖 `notification-controller`

🤖 `source-controller`

🤖 `flux2-flux-check`