consul :: RBAC ATLAS

Description

Official HashiCorp Consul Chart

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`consul-consul-webhook-cert-manager`	default	❌	—	3	1	Critical
`consul-consul-connect-injector`	default	❌	—	29	1	High
`consul-consul-server`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `consul-consul-webhook-cert-manager`

Namespace: default | Automount: ❌

🔑 Permissions (3)

Role	Resource	Verbs	Risk	Tags
ClusterRole `consul-consul-webhook-cert-manager`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `consul-consul-webhook-cert-manager`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · list · patch · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `consul-consul-webhook-cert-manager`	apps/deployments (restricted to: consul-consul-webhook-cert-manager)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	consul-consul-webhook-cert-manager	webhook-cert-manager	hashicorp/consul-k8s-control-plane:1.1.11

🤖 `consul-consul-connect-injector`

Namespace: default | Automount: ❌

🔑 Permissions (29)

Role	Resource	Verbs	Risk	Tags
Role `consul-consul-connect-inject-leader-election`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
Role `consul-consul-connect-inject-leader-election`	core/configmaps/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	core/endpoints	get · list · watch	Low
Role `consul-consul-connect-inject-leader-election`	core/events	create · patch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/exportedservices	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/exportedservices/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/ingressgateways	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/ingressgateways/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	coordination.k8s.io/leases	create · get · list · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/meshes	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/meshes/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `consul-consul-connect-injector`	core/nodes	get · list · watch	Low
ClusterRole `consul-consul-connect-injector`	core/pods	get · list · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/proxydefaults	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/proxydefaults/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicedefaults	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicedefaults/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/serviceintentions	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/serviceintentions/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/serviceresolvers	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/serviceresolvers/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicerouters	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicerouters/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	core/services	get · list · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicesplitters	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/servicesplitters/status	get · patch · update	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/terminatinggateways	create · delete · get · list · patch · update · watch	Low
ClusterRole `consul-consul-connect-injector`	consul.hashicorp.com/terminatinggateways/status	get · patch · update	Low

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	consul-consul-connect-injector	sidecar-injector	hashicorp/consul-k8s-control-plane:1.1.11

🤖 `consul-consul-server`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
StatefulSet	consul-consul-server	consul	hashicorp/consul:1.15.11

consul

Description

Overview

Identities

🤖 consul-consul-webhook-cert-manager

🔑 Permissions (3)

⚠️ Potential Abuse (6)

📦 Workloads (1)

🤖 consul-consul-connect-injector

🔑 Permissions (29)

⚠️ Potential Abuse (4)

📦 Workloads (1)

🤖 consul-consul-server

🔑 Permissions (0)

📦 Workloads (1)

🤖 `consul-consul-webhook-cert-manager`

🤖 `consul-consul-connect-injector`

🤖 `consul-consul-server`