3 Service Accounts
3 Workloads
23 Bindings
3 Critical
6 High
14 Low
Description
A Helm chart for Gatekeeper
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
gatekeeper-admin | default | ❌ | — | 21 | 2 | Critical |
gatekeeper-admin-upgrade-crds | default | ❌ | — | 1 | 1 | Low |
gatekeeper-update-namespace-label | default | ❌ | — | 1 | 0 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 gatekeeper-admin
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole gatekeeper-manager-role | * | get · list · watch | Critical | ClusterStructure ClusterWideAccess ClusterWideLogAccess ClusterWideSecretAccess ConfigMapAccess (+15 more) |
ClusterRole gatekeeper-manager-role | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update · watch | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering |
Role gatekeeper-manager-role | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
ClusterRole gatekeeper-manager-role | config.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | connection.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | constraints.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | expansion.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | mutations.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | status.gatekeeper.sh/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole gatekeeper-manager-role | config.gatekeeper.sh/configs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gatekeeper-manager-role | config.gatekeeper.sh/configs/status | get · patch · update | Low | |
ClusterRole gatekeeper-manager-role | templates.gatekeeper.sh/constrainttemplates | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gatekeeper-manager-role | templates.gatekeeper.sh/constrainttemplates/finalizers | update | Low | |
ClusterRole gatekeeper-manager-role | templates.gatekeeper.sh/constrainttemplates/status | get · patch · update | Low | |
ClusterRole gatekeeper-manager-role | core/events | create · patch | Low | |
Role gatekeeper-manager-role | core/events | create · patch | Low | |
ClusterRole gatekeeper-manager-role | externaldata.gatekeeper.sh/providers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gatekeeper-manager-role | admissionregistration.k8s.io/validatingadmissionpolicies | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gatekeeper-manager-role | admissionregistration.k8s.io/validatingadmissionpolicybindings | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gatekeeper-manager-role | admissionregistration.k8s.io/mutatingwebhookconfigurations (restricted to: gatekeeper-mutating-webhook-configuration) | get · list · patch · update · watch | Low | InformationDisclosure Reconnaissance ResourceNameRestricted WebhookReconnaissance |
ClusterRole gatekeeper-manager-role | admissionregistration.k8s.io/validatingwebhookconfigurations (restricted to: gatekeeper-validating-webhook-configuration) | create · delete · get · list · patch · update · watch | Low | DenialOfService InformationDisclosure Reconnaissance ResourceNameRestricted Tampering (+2 more) |
⚠️ Potential Abuse (23)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Manage ValidatingWebhookConfigurations
- Manage CustomResourceDefinitions
- Read events cluster-wide
- Read RBAC configuration cluster-wide
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Read ComponentStatuses (Control Plane Reconnaissance)
- Read CSINode Objects (Node & Storage Reconnaissance)
- Read CSIStorageCapacities (Namespace Storage Reconnaissance)
- Watch All Resources in a Namespace (Broad Information Disclosure)
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gatekeeper-audit | manager | openpolicyagent/gatekeeper:v3.21.0-beta.0 |
| Deployment | gatekeeper-controller-manager | manager | openpolicyagent/gatekeeper:v3.21.0-beta.0 |
🤖 gatekeeper-admin-upgrade-crds
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole gatekeeper-admin-upgrade-crds | apiextensions.k8s.io/customresourcedefinitions | create · get · patch · update | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | gatekeeper-update-crds-hook | crds-upgrade | openpolicyagent/gatekeeper-crds:v3.21.0-beta.0 |
🤖 gatekeeper-update-namespace-label
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole gatekeeper-update-namespace-label | core/namespaces (restricted to: default) | get · patch · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.