Description

Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| ingress-nginx | default | | | 26 | 1 | Critical |
| ingress-nginx-admission | default | | | 2 | 2 | Low |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 ingress-nginx

Namespace: default  |  Automount:

🔑 Permissions (26)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole ingress-nginx | core/secrets | list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role ingress-nginx | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole ingress-nginx | core/configmaps | list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role ingress-nginx | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole ingress-nginx | core/endpoints | list · watch | Low | |
| Role ingress-nginx | core/endpoints | get · list · watch | Low | |
| ClusterRole ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| Role ingress-nginx | discovery.k8s.io/endpointslices | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/events | create · patch | Low | |
| Role ingress-nginx | core/events | create · patch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| Role ingress-nginx | networking.k8s.io/ingressclasses | get · list · watch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| Role ingress-nginx | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| Role ingress-nginx | networking.k8s.io/ingresses/status | update | Low | |
| ClusterRole ingress-nginx | coordination.k8s.io/leases | list · watch | Low | |
| Role ingress-nginx | coordination.k8s.io/leases | create | Low | |
| ClusterRole ingress-nginx | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| Role ingress-nginx | core/namespaces | get | Low | |
| ClusterRole ingress-nginx | core/nodes | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/pods | list · watch | Low | |
| Role ingress-nginx | core/pods | get · list · watch | Low | |
| ClusterRole ingress-nginx | core/services | get · list · watch | Low | |
| Role ingress-nginx | core/services | get · list · watch | Low | |
| Role ingress-nginx | coordination.k8s.io/leases (restricted to: ingress-nginx-leader) | get · update | Low | ResourceNameRestricted |

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ingress-nginx-controller | controller | registry.k8s.io/ingress-nginx/controller:v1.14.1@sha256:f95a79b85fb93ac3de752c71a5c27d5ceae10a18b61904dec224c1c6a4581e47 |

🤖 ingress-nginx-admission

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role ingress-nginx-admission | core/secrets | create · get | Low | |
| ClusterRole ingress-nginx-admission | admissionregistration.k8s.io/validatingwebhookconfigurations | get · update | Low | |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | ingress-nginx-admission-create | create | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285 |
| Job | ingress-nginx-admission-patch | patch | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285 |