Description

Prometheus operator

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| prometheus-operator | default | | | 32 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 prometheus-operator

Namespace: default  |  Automount:

🔑 Permissions (32)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole prometheus-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole prometheus-operator | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more) |
| ClusterRole prometheus-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole prometheus-operator | monitoring.coreos.com/alertmanagerconfigs | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/alertmanagers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/alertmanagers/finalizers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/alertmanagers/status | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/podmonitors | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/probes | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheusagents | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheusagents/finalizers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheusagents/status | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheuses | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheuses/finalizers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheuses/status | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/prometheusrules | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/scrapeconfigs | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/servicemonitors | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/thanosrulers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/thanosrulers/finalizers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | monitoring.coreos.com/thanosrulers/status | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole prometheus-operator | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
| ClusterRole prometheus-operator | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
| ClusterRole prometheus-operator | core/endpoints | create · delete · get · update | Low | |
| ClusterRole prometheus-operator | core/events | create · patch | Low | |
| ClusterRole prometheus-operator | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole prometheus-operator | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole prometheus-operator | core/nodes | list · watch | Low | |
| ClusterRole prometheus-operator | core/pods | delete · list | Low | |
| ClusterRole prometheus-operator | core/services | create · delete · get · update | Low | |
| ClusterRole prometheus-operator | core/services/finalizers | create · delete · get · update | Low | |
| ClusterRole prometheus-operator | storage.k8s.io/storageclasses | get | Low | |

⚠️ Potential Abuse (15)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | prometheus-operator | prometheus-operator | quay.io/prometheus-operator/prometheus-operator:v0.77.1 |