operator
v1.10.2
Service Accounts: 1 | Workloads: 1 | Bindings: 19 | Critical: 8 | High: 4 | Low: 7
Description
A Helm chart for StarRocks operator
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
starrocks | default | ❌ | — | 19 | 1 | Critical |
The numbers in the Permissions and Workloads columns count the bindings and workloads that involve each ServiceAccount; the Risk column carries the highest rating found among those bindings.
Identities
🤖 starrocks
Namespace: default | Automount: ❌
🔑 Permissions (19)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole kube-starrocks-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
ClusterRole kube-starrocks-operator | batch/cronjobs | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
ClusterRole kube-starrocks-operator | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
Role cn-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole kube-starrocks-operator | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole kube-starrocks-operator | core/serviceaccounts | * | Critical | ClusterAdminAccess ClusterWideAccess IdentityManagement Impersonation PotentialPrivilegeEscalation (+4 more) |
ClusterRole kube-starrocks-operator | core/services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more) |
ClusterRole kube-starrocks-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
Role cn-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole kube-starrocks-operator | autoscaling/horizontalpodautoscalers | * | High | ClusterWideAccess |
ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters | * | High | ClusterWideAccess |
ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses | * | High | ClusterWideAccess |
ClusterRole kube-starrocks-operator | core/endpoints | get · list · watch | Low | |
Role cn-leader-election-role | core/events | create · patch | Low | |
ClusterRole kube-starrocks-operator | core/pods | get · list · watch | Low | |
ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters/finalizers | update | Low | |
ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters/status | get · patch · update | Low | |
ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses/finalizers | update | Low | |
ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses/status | get · patch · update | Low | |
⚠️ Potential Abuse (18)
The following risks follow from the permissions above. Each is listed at the scope the binding grants: a ClusterRole bound through a ClusterRoleBinding applies in every namespace, so the per-namespace entries below are the same rights seen from a single namespace, not additional grants.
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (the pod template can name any serviceAccountName in the target namespace and request hostPath mounts or a privileged securityContext, so this is both code execution and a path to other identities' tokens)
- Manage Deployments in a namespace (same mechanism, limited to that namespace)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Manage CronJobs cluster-wide (scheduled execution with the same pod-template powers as Deployments, which also survives pod deletion as persistence)
- Manage CronJobs in a namespace (same mechanism, limited to that namespace)
- Impersonate ServiceAccounts (cluster-wide): `*` on core/serviceaccounts includes the impersonate verb. Impersonating users or groups would need the same verb on the users and groups resources, which this ClusterRole does not grant.
- Manage ServiceAccounts cluster-wide
- Manage ServiceAccounts in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage Leases in kube-system or kube-node-lease namespace (cn-leader-election-role is a namespaced Role; the page does not show which namespace it and its RoleBinding live in, so confirm that before treating lease tampering as control-plane disruption rather than disruption of the operator's own leader election)
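As an added example, not the report's own tooling and not code from the StarRocks project, the following Python re-derives the abuse findings above from the rules in the permissions table, expanding the `*` verb the way the API server does, and then models the usual fix: the same verbs bound through a namespaced Role instead of a ClusterRole. The Role namespace `default` for cn-leader-election-role and the target namespace `starrocks` are assumptions; the page does not state either.

```python
"""Re-derive RBAC abuse findings from a rule list and show how scope changes them.
Added example; the rule list is transcribed from the permissions table above."""
from dataclasses import dataclass, replace

# Kubernetes expands the wildcard verb '*' to every verb, including impersonate.
ALL_VERBS = frozenset({"get", "list", "watch", "create", "update", "patch",
                       "delete", "deletecollection", "impersonate"})
READ_VERBS = frozenset({"get", "list", "watch"})
WRITE_VERBS = frozenset({"create", "update", "patch", "delete", "deletecollection"})
# Controllers whose spec embeds a pod template: writing them runs a pod with any
# serviceAccountName, hostPath or securityContext allowed in that namespace.
POD_CONTROLLERS = {("apps", "deployments"), ("apps", "statefulsets"), ("batch", "cronjobs")}
CONTROL_PLANE_NS = {"kube-system", "kube-node-lease"}


@dataclass(frozen=True)
class Rule:
    role: str
    scope: str        # "*" for a ClusterRole, otherwise the Role's namespace
    group: str        # "" is the core API group
    resource: str
    verbs: frozenset


def rule(role, scope, group, resource, *verbs):
    return Rule(role, scope, group, resource,
                ALL_VERBS if "*" in verbs else frozenset(verbs))


# Transcribed from the table above. The namespace of cn-leader-election-role is
# not on the page; "default" (the ServiceAccount's namespace) is assumed.
OPERATOR_RULES = [
    rule("kube-starrocks-operator", "*", "", "configmaps", "*"),
    rule("kube-starrocks-operator", "*", "batch", "cronjobs", "*"),
    rule("kube-starrocks-operator", "*", "apps", "deployments", "*"),
    rule("kube-starrocks-operator", "*", "apps", "statefulsets", "*"),
    rule("kube-starrocks-operator", "*", "", "secrets", "get", "list", "watch"),
    rule("kube-starrocks-operator", "*", "", "serviceaccounts", "*"),
    rule("kube-starrocks-operator", "*", "", "services", "*"),
    rule("kube-starrocks-operator", "*", "", "pods", "get", "list", "watch"),
    rule("cn-leader-election-role", "default", "coordination.k8s.io", "leases",
         "create", "delete", "get", "list", "patch", "update", "watch"),
    rule("cn-leader-election-role", "default", "", "configmaps",
         "create", "delete", "get", "list", "patch", "update", "watch"),
]


def where(scope):
    return "cluster-wide" if scope == "*" else f"in namespace {scope}"


def findings(rules):
    """Return the sorted, de-duplicated abuse findings implied by `rules`."""
    out = set()
    for r in rules:
        key = (r.group, r.resource)
        if key == ("", "secrets") and r.verbs & READ_VERBS:
            out.add(f"Read secrets {where(r.scope)}")
        if key == ("", "configmaps"):
            if r.verbs & READ_VERBS:
                out.add(f"Read ConfigMaps {where(r.scope)}")
            if r.verbs & WRITE_VERBS:
                out.add(f"Modify ConfigMaps {where(r.scope)}")
        if key in POD_CONTROLLERS and r.verbs & WRITE_VERBS:
            out.add(f"Run pods as any ServiceAccount {where(r.scope)} via {r.resource}")
        if key == ("", "serviceaccounts"):
            # '*' on serviceaccounts grants impersonate for ServiceAccounts only;
            # users and groups are separate resources and are not covered here.
            if "impersonate" in r.verbs:
                out.add(f"Impersonate ServiceAccounts {where(r.scope)}")
            if r.verbs & WRITE_VERBS:
                out.add(f"Manage ServiceAccounts {where(r.scope)}")
        if key == ("", "services") and r.verbs & WRITE_VERBS:
            out.add(f"Redirect traffic by rewriting Services {where(r.scope)}")
        if key == ("coordination.k8s.io", "leases") and r.verbs & WRITE_VERBS:
            if r.scope == "*" or r.scope in CONTROL_PLANE_NS:
                out.add("Tamper with control-plane leader-election leases")
            else:
                out.add(f"Manage Leases {where(r.scope)}")
    return sorted(out)


def narrow_to_namespace(rules, ns):
    """Model the fix: keep the verbs, but bind cluster-scoped rules through a
    Role in `ns` (scope=ns) instead of a ClusterRole. Namespaced rules are kept."""
    return [replace(r, scope=ns) if r.scope == "*" else r for r in rules]


if __name__ == "__main__":
    for line in findings(OPERATOR_RULES):
        print("as shipped:", line)
    for line in findings(narrow_to_namespace(OPERATOR_RULES, "starrocks")):
        print("namespaced:", line)
```

The narrowed rule set still lets the operator do everything it needs inside the namespace where StarRocks clusters are deployed, but every finding loses its cluster-wide scope; that is the change to request from the chart if the operator is not meant to manage clusters in arbitrary namespaces.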
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kube-starrocks-operator | manager | starrocks/operator:v1.10.2 |