Description

A Helm chart for StarRocks operator

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| starrocks | default | | | 19 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 starrocks

Namespace: default  |  Automount:

🔑 Permissions (19)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole kube-starrocks-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole kube-starrocks-operator | batch/cronjobs | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole kube-starrocks-operator | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| Role cn-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole kube-starrocks-operator | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole kube-starrocks-operator | core/serviceaccounts | * | Critical | ClusterAdminAccess ClusterWideAccess IdentityManagement Impersonation PotentialPrivilegeEscalation (+4 more) |
| ClusterRole kube-starrocks-operator | core/services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more) |
| ClusterRole kube-starrocks-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| Role cn-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole kube-starrocks-operator | autoscaling/horizontalpodautoscalers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole kube-starrocks-operator | core/endpoints | get · list · watch | Low | |
| Role cn-leader-election-role | core/events | create · patch | Low | |
| ClusterRole kube-starrocks-operator | core/pods | get · list · watch | Low | |
| ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters/finalizers | update | Low | |
| ClusterRole kube-starrocks-operator | starrocks.com/starrocksclusters/status | get · patch · update | Low | |
| ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses/finalizers | update | Low | |
| ClusterRole kube-starrocks-operator | starrocks.com/starrockswarehouses/status | get · patch · update | Low | |

⚠️ Potential Abuse (20)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | kube-starrocks-operator | manager | starrocks/operator:v1.10.2 |