vault-secrets-operator
v0.10.0
2 Service Accounts
3 Workloads
42 Bindings
3 Critical
2 High
2 Medium
35 Low
Description
Official Vault Secrets Operator Chart
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
vault-secrets-operator-controller-manager | default | ❌ | — | 41 | 3 | Critical |
vault-secrets-operator-upgrade-crds | default | ❌ | — | 1 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 vault-secrets-operator-controller-manager
Namespace: default | Automount: ❌
🔑 Permissions (41)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role vault-secrets-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole vault-secrets-operator-manager-role | core/secrets | create · delete · deletecollection · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
ClusterRole vault-secrets-operator-manager-role | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
Role vault-secrets-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole vault-secrets-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole vault-secrets-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole vault-secrets-operator-manager-role | apps/daemonsets | get · list · patch · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | apps/deployments | get · list · patch · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | core/events | create · patch | Low | |
Role vault-secrets-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpauths/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/hcpvaultsecretsapps/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | argoproj.io/rollouts | get · list · patch · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/secrettransformations/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | core/serviceaccounts | get · list · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | core/serviceaccounts/token | create · get · list · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | apps/statefulsets | get · list · patch · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauthglobals/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultauths/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultconnections/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultdynamicsecrets/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultpkisecrets/status | get · patch · update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets/finalizers | update | Low | |
ClusterRole vault-secrets-operator-manager-role | secrets.hashicorp.com/vaultstaticsecrets/status | get · patch · update | Low |
⚠️ Potential Abuse (11)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (3)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | vault-secrets-operator-controller-manager | kube-rbac-proxy | quay.io/brancz/kube-rbac-proxy:v0.18.1 |
| Deployment | vault-secrets-operator-controller-manager | manager | hashicorp/vault-secrets-operator:0.10.0 |
| Job | pdcc-vault-secrets-operator | pre-delete-controller-cleanup | hashicorp/vault-secrets-operator:0.10.0 |
🤖 vault-secrets-operator-upgrade-crds
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole vault-secrets-operator-upgrade-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | upgrade-crds-vault-secrets-operator | pre-upgrade-crds | hashicorp/vault-secrets-operator:0.10.0 |