gadget :: RBAC ATLAS

Description

Gadgets for debugging and introspecting apps

https://github.com/inspektor-gadget/inspektor-gadget

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`gadget`	default	❌	—	16	0	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `gadget`

Namespace: default | Automount: ❌

🔑 Permissions (16)

Role	Resource	Verbs	Risk	Tags
ClusterRole `gadget-cluster-role`	core/nodes/proxy	get	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `gadget-cluster-role`	*/cronjobs	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/daemonsets	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/deployments	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/jobs	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/replicasets	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/replicationcontrollers	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	*/statefulsets	get	High	ClusterWideAccess WildcardPermission
ClusterRole `gadget-cluster-role`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `gadget-cluster-role`	core/nodes	get · list · watch	Low
ClusterRole `gadget-cluster-role`	core/pods	get · list · watch	Low
ClusterRole `gadget-cluster-role`	security-profiles-operator.x-k8s.io/seccompprofiles	create · list · watch	Low
ClusterRole `gadget-cluster-role`	core/services	list · watch	Low
ClusterRole `gadget-cluster-role`	gadget.kinvolk.io/traces	create · delete · deletecollection · get · list · patch · update · watch	Low
ClusterRole `gadget-cluster-role`	gadget.kinvolk.io/traces/status	create · delete · deletecollection · get · list · patch · update · watch	Low
ClusterRole `gadget-cluster-role`	security.openshift.io/securitycontextconstraints (restricted to: privileged)	use	Low	ResourceNameRestricted

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

gadget

Description

Overview

Identities

🤖 gadget

🔑 Permissions (16)

⚠️ Potential Abuse (4)

📦 Workloads (0)

🤖 `gadget`