Description

The Operator to install and manage the lifecycle of the Kuadrant components deployments.

Overview

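| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| authorino-operator | default | | | 22 | 1 | Critical |
| dns-operator-controller-manager | default | | | 10 | 1 | Critical |
| kuadrant-operator-controller-manager | default | | | 48 | 1 | Critical |
| limitador-operator-controller-manager | default | | | 15 | 1 | Critical |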

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 kuadrant-operator-controller-manager

Namespace: default  |  Automount:

🔑 Permissions (48)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole kuadrant-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole kuadrant-operator-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole kuadrant-operator-manager-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse Tampering |
| Role kuadrant-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole kuadrant-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| Role kuadrant-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole kuadrant-operator-manager-role | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
| ClusterRole kuadrant-operator-manager-role | authorino.kuadrant.io/authconfigs | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | operator.authorino.kuadrant.io/authorinos | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/authpolicies | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/authpolicies/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/authpolicies/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | cert-manager.io/certificates | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | cert-manager.io/clusterissuers | get · list · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | coordination.k8s.io/configmaps | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | console.openshift.io/consoleplugins | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/dnspolicies | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/dnspolicies/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/dnspolicies/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/dnsrecords | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/dnsrecords/status | get | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.envoyproxy.io/envoyextensionpolicies | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | networking.istio.io/envoyfilters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.envoyproxy.io/envoypatchpolicies | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | core/events | create · patch | Low | |
| Role kuadrant-operator-leader-election-role | core/events | create · patch | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/gatewayclasses | get · list · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/gateways | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/gateways/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/gateways/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/httproutes | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | gateway.networking.k8s.io/httproutes/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | cert-manager.io/issuers | get · list · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/kuadrants | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/kuadrants/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/kuadrants/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | core/leases | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | limitador.kuadrant.io/limitadors | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole kuadrant-operator-manager-role | monitoring.coreos.com/podmonitors | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/ratelimitpolicies | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/ratelimitpolicies/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/ratelimitpolicies/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | monitoring.coreos.com/servicemonitors | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/tlspolicies | get · list · patch · update · watch | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/tlspolicies/finalizers | update | Low | |
| ClusterRole kuadrant-operator-manager-role | kuadrant.io/tlspolicies/status | get · patch · update | Low | |
| ClusterRole kuadrant-operator-manager-role | extensions.istio.io/wasmplugins | create · delete · get · list · patch · update · watch | Low | |

⚠️ Potential Abuse (14)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | kuadrant-operator-controller-manager | manager | quay.io/kuadrant/kuadrant-operator:v1.2.0 |

🤖 authorino-operator

Namespace: default  |  Automount:

🔑 Permissions (22)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole authorino-operator-manager | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole authorino-operator-manager | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| Role authorino-operator-leader-election | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole authorino-operator-manager | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role authorino-operator-leader-election | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole authorino-operator-manager | rbac.authorization.k8s.io/clusterrolebindings | create · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole authorino-operator-manager | rbac.authorization.k8s.io/clusterroles | create · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole authorino-operator-manager | rbac.authorization.k8s.io/rolebindings | create · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole authorino-operator-manager | rbac.authorization.k8s.io/roles | create · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole authorino-operator-manager | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
| ClusterRole authorino-operator-manager | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
| ClusterRole authorino-operator-manager | authorino.kuadrant.io/authconfigs | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole authorino-operator-manager | authorino.kuadrant.io/authconfigs/status | get · patch · update | Low | |
| ClusterRole authorino-operator-manager | operator.authorino.kuadrant.io/authorinos | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole authorino-operator-manager | operator.authorino.kuadrant.io/authorinos/finalizers | update | Low | |
| ClusterRole authorino-operator-manager | operator.authorino.kuadrant.io/authorinos/status | get · patch · update | Low | |
| ClusterRole authorino-operator-manager | core/configmaps/status | delete · get · patch · update | Low | |
| ClusterRole authorino-operator-manager | core/events | create · patch | Low | |
| Role authorino-operator-leader-election | core/events | create · patch | Low | |
| ClusterRole authorino-operator-manager | coordination.k8s.io/leases | create · get · list · update | Low | |
| ClusterRole authorino-operator-manager | core/serviceaccounts | create · get · list · update · watch | Low | |
| ClusterRole authorino-operator-manager | core/services | create · get · list · update · watch | Low | |

⚠️ Potential Abuse (13)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | authorino-operator | manager | quay.io/kuadrant/authorino-operator:v0.18.0 |

🤖 limitador-operator-controller-manager

Namespace: default  |  Automount:

🔑 Permissions (15)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role limitador-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole limitador-operator-manager-role | core/secrets | create · delete · get · list · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole limitador-operator-manager-role | core/configmaps | create · delete · get · list · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role limitador-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| Role limitador-operator-leader-election-role | coordination.k8s.io/configmaps | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | apps/deployments | create · delete · get · list · update · watch | Low | |
| Role limitador-operator-leader-election-role | core/events | create · patch | Low | |
| Role limitador-operator-leader-election-role | core/leases | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | limitador.kuadrant.io/limitadors | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | limitador.kuadrant.io/limitadors/finalizers | update | Low | |
| ClusterRole limitador-operator-manager-role | limitador.kuadrant.io/limitadors/status | get · patch · update | Low | |
| ClusterRole limitador-operator-manager-role | core/persistentvolumeclaims | create · delete · get · list · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | policy/poddisruptionbudgets | create · delete · get · list · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | core/pods | list · update · watch | Low | |
| ClusterRole limitador-operator-manager-role | core/services | create · delete · get · list · update · watch | Low | |

⚠️ Potential Abuse (7)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | limitador-operator-controller-manager | manager | quay.io/kuadrant/limitador-operator:v0.14.0 |

🤖 dns-operator-controller-manager

Namespace: default  |  Automount:

🔑 Permissions (10)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role dns-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole dns-operator-manager-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role dns-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnshealthcheckprobes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnshealthcheckprobes/finalizers | update | Low | |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnshealthcheckprobes/status | get · patch · update | Low | |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnsrecords | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnsrecords/finalizers | update | Low | |
| ClusterRole dns-operator-manager-role | kuadrant.io/dnsrecords/status | get · patch · update | Low | |
| Role dns-operator-leader-election-role | core/events | create · patch | Low | |

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | dns-operator-controller-manager | manager | quay.io/kuadrant/dns-operator:v0.14.0 |