flux2 :: RBAC ATLAS

Description

A Helm chart for flux2

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`helm-controller`	default	❌	—	11	1	Critical
`image-automation-controller`	default	❌	—	11	1	Critical
`image-reflector-controller`	default	❌	—	11	1	Critical
`kustomize-controller`	default	❌	—	11	1	Critical
`notification-controller`	default	❌	—	11	0	Critical
`source-controller`	default	❌	—	11	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `helm-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	helm-controller	manager	ghcr.io/fluxcd/helm-controller:v0.14.0

🤖 `image-automation-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	image-automation-controller	manager	ghcr.io/fluxcd/image-automation-controller:v0.18.0

🤖 `image-reflector-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	image-reflector-controller	manager	ghcr.io/fluxcd/image-reflector-controller:v0.14.0

🤖 `kustomize-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kustomize-controller	manager	ghcr.io/fluxcd/kustomize-controller:v0.18.1

🤖 `notification-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `source-controller`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
ClusterRole `crd-controller`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `crd-controller`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering
ClusterRole `crd-controller`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `crd-controller`	helm.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	image.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	kustomize.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	notification.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	source.toolkit.fluxcd.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `crd-controller`	core/configmaps/status	create · delete · get · list · patch · update · watch	Low
ClusterRole `crd-controller`	core/events	create · patch	Low
ClusterRole `crd-controller`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	source-controller	manager	ghcr.io/fluxcd/source-controller:v0.19.0

flux2

Description

Overview

Identities

🤖 helm-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 image-automation-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 image-reflector-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 kustomize-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 notification-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (0)

🤖 source-controller

🔑 Permissions (11)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 `helm-controller`

🤖 `image-automation-controller`

🤖 `image-reflector-controller`

🤖 `kustomize-controller`

🤖 `notification-controller`

🤖 `source-controller`