1 Service Accounts
1 Workloads
17 Bindings
3 Critical
1 Medium
13 Low
Description
The Kubedoop Listener Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
listener-operator | default | ✅ | — | 17 | 5 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 listener-operator
Namespace: default | Automount: ✅
🔑 Permissions (17)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole listener-operator | core/nodes | create · get · list · patch · update · watch | Critical | DenialOfService NodeAccess PotentialPrivilegeEscalation Tampering |
ClusterRole listener-operator | core/pods | create · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole listener-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole listener-operator | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole listener-operator | storage.k8s.io/csidrivers | get · list · patch · watch | Low | |
ClusterRole listener-operator | core/endpoints | get · list · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses/status | get · patch · update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenercsis | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenercsis/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners/status | get · patch · update | Low | |
ClusterRole listener-operator | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole listener-operator | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | storage.k8s.io/storageclasses | get · list · patch · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Modify node configuration (labels, taints)
- Read events cluster-wide
- Manage Services cluster-wide
- Manage Services in a namespace
📦 Workloads (5)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | listener-operator-daemonset | csi-driver | quay.io/zncdatadev/listener-csi-driver:0.1.0 |
| DaemonSet | listener-operator-daemonset | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v5.1.0 |
| DaemonSet | listener-operator-daemonset | liveness-probe | registry.k8s.io/sig-storage/livenessprobe:v2.14.0 |
| DaemonSet | listener-operator-daemonset | node-driver-registrar | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 |
| Deployment | listener-operator | listener-operator | quay.io/zncdatadev/listener-operator:0.1.0 |