Description

Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| ingress-nginx | default | | | 25 | 1 | Critical |
| ingress-nginx-admission | default | | | 2 | 2 | Low |

The numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 ingress-nginx

Namespace: default  |  Automount:

🔑 Permissions (25)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role ingress-nginx | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role ingress-nginx | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole ingress-nginx | core/configmaps | list · watch | Low | |
| ClusterRole ingress-nginx | core/endpoints | list · watch | Low | |
| Role ingress-nginx | core/endpoints | get · list · watch | Low | |
| ClusterRole ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| Role ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/events | create · patch | Low | |
| Role ingress-nginx | core/events | create · patch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| Role ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| Role ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| Role ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| ClusterRole ingress-nginx | coordination.k8s.io/leases | list · watch | Low | |
| Role ingress-nginx | coordination.k8s.io/leases | create · get · update | Low | |
| ClusterRole ingress-nginx | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| Role ingress-nginx | core/namespaces | get | Low | |
| ClusterRole ingress-nginx | core/nodes | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/pods | list · watch | Low | |
| Role ingress-nginx | core/pods | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/secrets | list · watch | Low | |
| ClusterRole ingress-nginx | core/services | get · list · watch | Low | |
| Role ingress-nginx | core/services | get · list · watch | Low | |

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ingress-nginx-controller | controller | registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:ac444cd9515af325ba577b596fe4f27a34be1aa330538e8b317ad9d6c8fb94ee |

🤖 ingress-nginx-admission

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role ingress-nginx-admission | core/secrets | create · get | Low | |
| ClusterRole ingress-nginx-admission | admissionregistration.k8s.io/validatingwebhookconfigurations | get · update | Low | |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | ingress-nginx-admission-create | create | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4@sha256:7a38cf0f8480775baaee71ab519c7465fd1dfeac66c421f28f087786e631456e |
| Job | ingress-nginx-admission-patch | patch | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4@sha256:7a38cf0f8480775baaee71ab519c7465fd1dfeac66c421f28f087786e631456e |