hazelcast-platform-operator
v5.15.0
1 Service Accounts
1 Workloads
73 Bindings
9 Critical
4 High
1 Medium
59 Low
Description
A Helm chart for installing Hazelcast Platform Operator which automates common management tasks such as configuring, creating, scaling, and recovering Hazelcast clusters on Kubernetes and Red Hat OpenShift. By taking care of manual deployment and life-cycle management, Hazelcast Platform Operator makes it simpler to work with Hazelcast clusters.
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
hazelcast-platform-operator | default | ❌ | — | 73 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 hazelcast-platform-operator
Namespace: default | Automount: ❌
🔑 Permissions (73)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/clusterroles | create · delete · get · list · patch · update · watch | Critical | ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
ClusterRole hazelcast-platform-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole hazelcast-platform-operator | core/endpoints | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection |
Role hazelcast-platform-operator | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole hazelcast-platform-operator | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole hazelcast-platform-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
ClusterRole hazelcast-platform-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole hazelcast-platform-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole hazelcast-platform-operator | networking.k8s.io/ingresses | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/roles | create · delete · get · list · patch · update · watch | High | InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance |
ClusterRole hazelcast-platform-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
ClusterRole hazelcast-platform-operator | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole hazelcast-platform-operator | hazelcast.com/caches | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/caches/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/caches/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/cronhotbackups | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/cronhotbackups/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/cronhotbackups/status | get · patch · update | Low | |
Role hazelcast-platform-operator | apps/deployments | get | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/flows | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/flows/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/flows/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcastendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcastendpoints/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcastendpoints/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcasts | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcasts/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hazelcasts/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hotbackups | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hotbackups/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/hotbackups/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobs/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobs/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobsnapshots | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobsnapshots/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/jetjobsnapshots/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/managementcenters | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/managementcenters/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/managementcenters/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/maps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/maps/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/maps/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/multimaps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/multimaps/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/multimaps/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | core/nodes | get · list · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/queues | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/queues/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/queues/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/replicatedmaps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/replicatedmaps/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/replicatedmaps/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | route.openshift.io/routes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | route.openshift.io/routes/custom-host | create | Low | |
ClusterRole hazelcast-platform-operator | route.openshift.io/routes/status | get | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/topics | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/topics/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/topics/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/usercodenamespaces | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/usercodenamespaces/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/usercodenamespaces/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/vectorcollections | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/vectorcollections/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/vectorcollections/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wanreplications | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wanreplications/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wanreplications/status | get · patch · update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wansyncs | create · delete · get · list · patch · update · watch | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wansyncs/finalizers | update | Low | |
ClusterRole hazelcast-platform-operator | hazelcast.com/wansyncs/status | get · patch · update | Low | |
⚠️ Potential Abuse (29)
The following security risks were found based on the above permissions:
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage ClusterRoles (create, update, patch, delete)
- Manage ClusterRoleBindings (create, update, patch, delete)
- Manage Roles in a namespace (create, update, patch, delete)
- Manage RoleBindings in a namespace (create, update, patch, delete)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Manage ServiceAccounts cluster-wide
- Manage ServiceAccounts in a namespace
- Read events cluster-wide
- Manage Endpoints or EndpointSlices cluster-wide
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- Read RBAC configuration cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | hazelcast-platform-operator | manager | hazelcast/hazelcast-platform-operator:5.15.0 |