1 Service Accounts
1 Workloads
89 Bindings
10 Critical
2 High
3 Medium
74 Low
Description
Deploy Kong Gateway Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| controller-manager | default | ❌ | — | 89 | 2 | Critical |
The Permissions and Workloads columns count the permission rows (one per role and resource) and the workload entries that involve each ServiceAccount; the Risk column is the highest rating among its permission rows.
Identities
🤖 controller-manager
Namespace: default | Automount: ❌
🔑 Permissions (89)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more) |
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/clusterroles | create · delete · get · list · patch · update · watch | Critical | ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
ClusterRole gateway-operator-gateway-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole gateway-operator-gateway-operator-manager-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering |
Role gateway-operator-gateway-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | networking.k8s.io/networkpolicies | create · delete · get · list · patch · update · watch | Critical | DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | core/secrets | create · delete · get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole gateway-operator-gateway-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update · watch | Critical | DenialOfService InformationDisclosure Reconnaissance Tampering WebhookManipulation (+1 more) |
Role gateway-operator-gateway-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
ClusterRole gateway-operator-gateway-operator-manager-role | policy/poddisruptionbudgets | create · delete · get · list · patch · update · watch | Medium | AvailabilityImpact DenialOfService Tampering |
ClusterRole gateway-operator-gateway-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole gateway-operator-gateway-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/aigateways | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/aigateways/finalizers | update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/aigateways/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | cert-manager.io/certificates | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/clusterrolebindings/status | get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/clusterroles/status | get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/controlplanes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/controlplanes/finalizers | update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/controlplanes/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | apiextensions.k8s.io/customresourcedefinitions | list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/dataplanemetricsextensions | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/dataplanes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/dataplanes/finalizers | update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/dataplanes/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | apps/deployments/status | get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | core/events | create · patch | Low | |
Role gateway-operator-gateway-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/gatewayclasses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/gatewayclasses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway-operator.konghq.com/gatewayconfigurations | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/gateways | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/gateways/finalizers | update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/gateways/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/grpcroutes | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/grpcroutes/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/httproutes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/httproutes/status | get · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | networking.k8s.io/ingressclasses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/ingressclassparameterses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | networking.k8s.io/ingresses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | batch/jobs | create · delete · get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongclusterplugins | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongclusterplugins/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongconsumergroups | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongconsumergroups/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongconsumers | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongconsumers/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongcustomentities | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongcustomentities/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongingresses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongingresses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/konglicenses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/konglicenses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongplugins | create · delete · get · list · patch · update · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongplugins/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | incubator.ingress-controller.konghq.com/kongservicefacades | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | incubator.ingress-controller.konghq.com/kongservicefacades/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongupstreampolicies | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongupstreampolicies/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongvaults | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/kongvaults/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole gateway-operator-gateway-operator-manager-role | core/nodes | list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | core/pods | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/referencegrants | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/referencegrants/status | get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/rolebindings | create · delete · get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | rbac.authorization.k8s.io/roles | create · delete · get | Low | |
ClusterRole gateway-operator-gateway-operator-kong-mtls-secret-role | core/secrets | create · get · list · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | core/serviceaccounts/status | get | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | core/services/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/tcpingresses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/tcpingresses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/tcproutes | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/tcproutes/status | get · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/tlsroutes | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/tlsroutes/status | get · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/udpingresses | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | configuration.konghq.com/udpingresses/status | get · patch · update | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/udproutes | get · list · watch | Low | |
ClusterRole gateway-operator-gateway-operator-manager-role | gateway.networking.k8s.io/udproutes/status | get · update | Low | |
⚠️ Potential Abuse (26)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage ClusterRoles (create, update, patch, delete)
- Manage ClusterRoleBindings (create, update, patch, delete)
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage ValidatingWebhookConfigurations
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage ServiceAccounts cluster-wide
- Manage ServiceAccounts in a namespace
- Manage NetworkPolicies cluster-wide
- Manage NetworkPolicies in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- Read RBAC configuration cluster-wide
- Manage PodDisruptionBudgets cluster-wide
- Manage Leases cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
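The list above is the tool's summary of what the permission rows allow. The Python below is an added example, not the report tool's code and not part of the Kong Gateway Operator project: it rebuilds the main findings from a constructed subset of the permission rows and emits the `kubectl auth can-i` commands that confirm each one against a live cluster as the ServiceAccount. The check names, the `Rule`/`Finding` types, and the assumption that the leader-election Role lives in the ServiceAccount's own namespace (`default`) are this example's own.

```python
"""Rebuild the 'Potential Abuse' findings from RBAC rules and emit the
kubectl commands that confirm each one against a live cluster.

Added example, not the report tool's code.  RULES is a constructed subset
of the permissions table on this page; the check names are this example's.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

READ = frozenset({"get", "list", "watch"})
WRITE = frozenset({"create", "update", "patch", "delete"})
ALL = READ | WRITE

MANAGER = "ClusterRole/gateway-operator-gateway-operator-manager-role"
# Role namespace is assumed to be the SA's namespace; the page does not state it.
LEADER = "Role/default/gateway-operator-gateway-operator-leader-election-role"


@dataclass(frozen=True)
class Rule:
    role: str              # role carrying the rule, as named in the table
    api_group: str         # "" is the core group
    resource: str
    verbs: FrozenSet[str]
    cluster_wide: bool     # True when the rule reaches the SA via a ClusterRoleBinding


@dataclass(frozen=True)
class Finding:
    check: str             # this example's check name
    verb: str              # representative verb to confirm with kubectl
    rule: Rule

    @property
    def scope(self) -> str:
        return "cluster-wide" if self.rule.cluster_wide else "namespace"


# Constructed subset of the permissions table above.
RULES = [
    Rule(MANAGER, "rbac.authorization.k8s.io", "clusterrolebindings", ALL, True),
    Rule(MANAGER, "rbac.authorization.k8s.io", "clusterroles", ALL, True),
    Rule(MANAGER, "", "secrets", frozenset({"create", "delete", "get", "list", "watch"}), True),
    Rule(MANAGER, "apps", "deployments", ALL, True),
    Rule(MANAGER, "coordination.k8s.io", "leases", ALL, True),
    Rule(MANAGER, "", "pods", READ, True),
    Rule(LEADER, "coordination.k8s.io", "leases", ALL, False),
]


def evaluate(rules: Iterable[Rule]) -> List[Finding]:
    """Map each rule to the abuse checks it satisfies."""
    findings: List[Finding] = []
    for r in rules:
        rbac = r.api_group == "rbac.authorization.k8s.io"
        # 'list' and 'watch' return full Secret objects, so any read verb on
        # secrets is a credential read, not only 'get'.
        if r.api_group == "" and r.resource == "secrets" and r.verbs & READ:
            findings.append(Finding("read-secrets", "list", r))
        # A pod runs under any ServiceAccount of its namespace, so creating
        # Deployments cluster-wide lets this SA run a pod under a more
        # privileged SA (e.g. in kube-system) and use that SA's token.
        if r.api_group == "apps" and r.resource == "deployments" and r.verbs & {"create", "update", "patch"}:
            findings.append(Finding("create-workloads", "create", r))
        # Writing RBAC objects.  Without the 'escalate'/'bind' verbs the API
        # server's escalation prevention limits the SA to granting what it
        # already holds, which still copies its access onto another subject.
        if rbac and r.resource in {"clusterroles", "clusterrolebindings", "roles", "rolebindings"} and r.verbs & WRITE:
            findings.append(Finding("write-rbac", "create", r))
        # Control-plane leader-election leases live in kube-system; a
        # cluster-wide lease write can hold or steal them (availability).
        if r.api_group == "coordination.k8s.io" and r.resource == "leases" and r.verbs & {"update", "patch", "delete"}:
            findings.append(Finding("write-leases", "update", r))
    return findings


def can_i_commands(findings: Iterable[Finding], sa_namespace: str, sa_name: str) -> List[str]:
    """kubectl auth can-i lines confirming each finding as the ServiceAccount.
    The caller needs 'impersonate' on that ServiceAccount to run them."""
    subject = f"system:serviceaccount:{sa_namespace}:{sa_name}"
    cmds = []
    for f in findings:
        r = f.rule
        res = r.resource if r.api_group == "" else f"{r.resource}.{r.api_group}"
        scope = "--all-namespaces" if r.cluster_wide else f"-n {sa_namespace}"
        cmds.append(f"kubectl auth can-i {f.verb} {res} {scope} --as={subject}")
    return cmds


if __name__ == "__main__":
    found = evaluate(RULES)
    for f in found:
        print(f"{f.check:16} {f.scope:13} {f.rule.role}")
    print("\n".join(can_i_commands(found, "default", "controller-manager")))
```

The emitted commands confirm the grant from outside the pod; `--as=system:serviceaccount:default:controller-manager` only works for a caller allowed to impersonate that ServiceAccount. Two caveats worth keeping in mind when reading the Critical rows: the `clusterroles`/`clusterrolebindings` write verbs do not by themselves yield cluster-admin, because the API server refuses to create or bind a role carrying permissions the caller does not already hold unless the caller also has the `escalate` or `bind` verb (neither appears in the table); the practical escalation path is cluster-wide Deployment creation, which runs a pod under any ServiceAccount of the target namespace.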
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | gateway-operator-gateway-operator-controller-manager | kube-rbac-proxy | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 |
| Deployment | gateway-operator-gateway-operator-controller-manager | manager | docker.io/kong/gateway-operator:1.2 |