Description

Official Vault Secrets Operator Chart

Overview

Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk
vault-secrets-operator-controller-manager | default | | | 41 | 3 | Critical
vault-secrets-operator-upgrade-crds | default | | | 1 | 1 | Critical

The Permissions and Workloads counts indicate how many role bindings or workloads involve each ServiceAccount.


Identities

🤖 vault-secrets-operator-controller-manager

Namespace: default  |  Automount:

🔑 Permissions (41)

Role | Resource | Verbs | Risk | Tags
Role vault-secrets-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption, CriticalNamespace, DenialOfService, Tampering
ClusterRole vault-secrets-operator-manager-role | core/secrets | create · delete · deletecollection · get · list · patch · update · watch | Critical | ClusterWideSecretAccess, CredentialAccess, DataExposure, InformationDisclosure, Persistence (+4 more)
ClusterRole vault-secrets-operator-manager-role | core/configmaps | get · list · watch | High | ConfigMapAccess, DataExposure, InformationDisclosure
Role vault-secrets-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess, DataExposure, InformationDisclosure, PotentialPrivilegeEscalation, Tampering
ClusterRole vault-secrets-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure, RBACQuery
ClusterRole vault-secrets-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess, InformationDisclosure, RBACQuery
ClusterRole vault-secrets-operator-manager-role | apps/daemonsets | get · list · patch · watch | Low |
ClusterRole vault-secrets-operator-manager-role | apps/deployments | get · list · patch · watch | Low |
ClusterRole vault-secrets-operator-manager-role | core/events | create · patch | Low |
Role vault-secrets-operator-leader-election-role | core/events | create · patch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | argoproj.io/rollouts | get · list · patch · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | core/serviceaccounts | get · list · watch | Low |
ClusterRole vault-secrets-operator-manager-role | core/serviceaccounts/token | create · get · list · watch | Low |
ClusterRole vault-secrets-operator-manager-role | apps/statefulsets | get · list · patch · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets/status | get · patch · update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets | create · delete · get · list · patch · update · watch | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets/finalizers | update | Low |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets/status | get · patch · update | Low |

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (3)

Kind | Name | Container | Image
Deployment | vault-secrets-operator-controller-manager | kube-rbac-proxy | quay.io/brancz/kube-rbac-proxy:v0.18.1
Deployment | vault-secrets-operator-controller-manager | manager | hashicorp/vault-secrets-operator:0.10.0
Job | pdcc-vault-secrets-operator | pre-delete-controller-cleanup | hashicorp/vault-secrets-operator:0.10.0

🤖 vault-secrets-operator-upgrade-crds

Namespace: default  |  Automount:

🔑 Permissions (1)

Role | Resource | Verbs | Risk | Tags
ClusterRole vault-secrets-operator-upgrade-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation, PotentialPrivilegeEscalation, Tampering

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Job | upgrade-crds-vault-secrets-operator | pre-upgrade-crds | hashicorp/vault-secrets-operator:0.10.0