Description

The Kubedoop operator for Apache DolphinScheduler

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
| --- | --- | --- | --- | --- | --- | --- |
| dolphinscheduler-operator | default | | | 15 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 dolphinscheduler-operator

Namespace: default  |  Automount:

🔑 Permissions (15)

| Role | Resource | Verbs | Risk | Tags |
| --- | --- | --- | --- | --- |
| ClusterRole dolphinscheduler-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole dolphinscheduler-operator | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole dolphinscheduler-operator | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole dolphinscheduler-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
| ClusterRole dolphinscheduler-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole dolphinscheduler-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole dolphinscheduler-operator | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · patch · update · watch | High | BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more) |
| ClusterRole dolphinscheduler-operator | rbac.authorization.k8s.io/roles | create · delete · get · list · patch · update · watch | High | InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance |
| ClusterRole dolphinscheduler-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
| ClusterRole dolphinscheduler-operator | authentication.kubedoop.dev/authenticationclasses | get · list · watch | Low | |
| ClusterRole dolphinscheduler-operator | dolphinscheduler.kubedoop.dev/dolphinschedulerclusters | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole dolphinscheduler-operator | dolphinscheduler.kubedoop.dev/dolphinschedulerclusters/finalizers | update | Low | |
| ClusterRole dolphinscheduler-operator | dolphinscheduler.kubedoop.dev/dolphinschedulerclusters/status | get · patch · update | Low | |
| ClusterRole dolphinscheduler-operator | core/pods | get · list · watch | Low | |
| ClusterRole dolphinscheduler-operator | secrets.kubedoop.dev/secretclasses | get · list · watch | Low | |

⚠️ Potential Abuse (22)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
| --- | --- | --- | --- |
| Deployment | dolphinscheduler-operator | dolphinscheduler-operator | quay.io/zncdatadev/dolphinscheduler-operator:0.2.0 |