- Service Accounts: 1
- Workloads: 1
- Bindings: 52
- Critical: 3
- High: 6
- Medium: 2
- Low: 41
Description
A Helm chart for installing Hazelcast Platform Operator which automates common management tasks such as configuring, creating, scaling, and recovering Hazelcast clusters on Kubernetes and Red Hat OpenShift. By taking care of manual deployment and life-cycle management, Hazelcast Platform Operator makes it simpler to work with Hazelcast clusters.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| hazelcast-platform-operator | default | ❌ | — | 52 | 1 | Critical |
Numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 hazelcast-platform-operator
Namespace: default | Automount: ❌
🔑 Permissions (52)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
| ClusterRole hazelcast-platform-operator | rbac.authorization.k8s.io/clusterroles | create · delete · get · list · patch · update · watch | Critical | ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
| Role hazelcast-platform-operator | core/secrets | create · get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role hazelcast-platform-operator | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| Role hazelcast-platform-operator | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
| Role hazelcast-platform-operator | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole PrivilegeEscalation RBACManipulation |
| Role hazelcast-platform-operator | rbac.authorization.k8s.io/roles | create · delete · get · list · patch · update · watch | High | PrivilegeEscalation RBACManipulation |
| Role hazelcast-platform-operator | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| Role hazelcast-platform-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | High | Persistence PotentialPrivilegeEscalation Tampering WorkloadLifecycle |
| Role hazelcast-platform-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | Medium | IdentityManagement PotentialPrivilegeEscalation Tampering |
| ClusterRole hazelcast-platform-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| Role hazelcast-platform-operator | hazelcast.com/caches | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/caches/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/caches/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/cronhotbackups | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/cronhotbackups/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/cronhotbackups/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | apps/deployments | get | Low | |
| ClusterRole hazelcast-platform-operator | core/endpoints | get · list | Low | |
| Role hazelcast-platform-operator | core/events | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hazelcasts | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hazelcasts/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hazelcasts/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hotbackups | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hotbackups/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/hotbackups/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/managementcenters | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/managementcenters/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/managementcenters/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/maps | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/maps/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/maps/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/multimaps | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/multimaps/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/multimaps/status | get · patch · update | Low | |
| ClusterRole hazelcast-platform-operator | core/nodes | get · list | Low | |
| ClusterRole hazelcast-platform-operator | core/pods | get · list | Low | |
| Role hazelcast-platform-operator | hazelcast.com/queues | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/queues/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/queues/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/replicatedmaps | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/replicatedmaps/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/replicatedmaps/status | get · patch · update | Low | |
| ClusterRole hazelcast-platform-operator | security.openshift.io/securitycontextconstraints | use | Low | |
| ClusterRole hazelcast-platform-operator | core/services | get · list | Low | |
| ClusterRole hazelcast-platform-operator | apps/statefulsets | list · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/topics | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/topics/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/topics/status | get · patch · update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/wanreplications | create · delete · get · list · patch · update · watch | Low | |
| Role hazelcast-platform-operator | hazelcast.com/wanreplications/finalizers | update | Low | |
| Role hazelcast-platform-operator | hazelcast.com/wanreplications/status | get · patch · update | Low | |
⚠️ Potential Abuse (15)
The following potential abuse paths follow from the permissions listed above:
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage ClusterRoles (create, update, patch, delete)
- Manage ClusterRoleBindings (create, update, patch, delete)
- Manage Roles in a namespace (create, update, patch, delete)
- Manage RoleBindings in a namespace (create, update, patch, delete)
- Manage StatefulSets in a namespace
- Manage ServiceAccounts in a namespace
- Manage Services in a namespace
- Read RBAC configuration cluster-wide
- List ValidatingWebhookConfigurations (Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | hazelcast-platform-operator | manager | hazelcast/hazelcast-platform-operator:5.6 |