3 Service Accounts
3 Workloads
43 Bindings
6 Critical
2 High
2 Medium
33 Low
Description
The Kubedoop Listener Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
listener-operator | default | ❌ | — | 21 | 1 | Critical |
listener-operator-csi | default | ❌ | — | 21 | 6 | Critical |
listener-operator-ds-check | default | ❌ | — | 1 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 listener-operator
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role listener-operator-leader-election | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole listener-operator | core/pods | get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution |
ClusterRole listener-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role listener-operator-leader-election | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole listener-operator | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole listener-operator | storage.k8s.io/csidrivers | get · list · watch | Low | |
ClusterRole listener-operator | discovery.k8s.io/endpointslices | get · list · watch | Low | |
Role listener-operator-leader-election | core/events | create · patch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listenerclasses/status | get · patch · update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/listeners/status | get · patch · update | Low | |
ClusterRole listener-operator | core/nodes | get · list · watch | Low | |
ClusterRole listener-operator | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole listener-operator | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/podlisteners | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/podlisteners/finalizers | update | Low | |
ClusterRole listener-operator | listeners.kubedoop.dev/podlisteners/status | get · patch · update | Low | |
ClusterRole listener-operator | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Read events cluster-wide
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | listener-operator | listener-operator | quay.io/zncdatadev/listener-operator:0.0.0-dev |
🤖 listener-operator-csi
Namespace: default | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role listener-operator-leader-election | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole listener-operator-csi | core/pods | get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution |
ClusterRole listener-operator-csi | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role listener-operator-leader-election | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole listener-operator-csi | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole listener-operator-csi | storage.k8s.io/csidrivers | get · list · watch | Low | |
ClusterRole listener-operator-csi | discovery.k8s.io/endpointslices | get · list · watch | Low | |
Role listener-operator-leader-election | core/events | create · patch | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listenerclasses | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listenerclasses/finalizers | update | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listenerclasses/status | get · patch · update | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listeners | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listeners/finalizers | update | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/listeners/status | get · patch · update | Low | |
ClusterRole listener-operator-csi | core/nodes | get · list · watch | Low | |
ClusterRole listener-operator-csi | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole listener-operator-csi | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/podlisteners | create · delete · get · list · patch · update · watch | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/podlisteners/finalizers | update | Low | |
ClusterRole listener-operator-csi | listeners.kubedoop.dev/podlisteners/status | get · patch · update | Low | |
ClusterRole listener-operator-csi | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Read events cluster-wide
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (6)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | listener-operator-csi-node | listener-operator-csi-node | quay.io/zncdatadev/listener-csi-driver:0.0.0-dev |
| DaemonSet | listener-operator-csi-node | liveness-probe | quay.io/zncdatadev/sig-storage/livenessprobe:v2.14.0 |
| DaemonSet | listener-operator-csi-node | node-driver-registrar | quay.io/zncdatadev/sig-storage/csi-node-driver-registrar:v2.12.0 |
| Deployment | listener-operator-csi-controller | csi-provisioner | quay.io/zncdatadev/sig-storage/csi-provisioner:v5.1.0 |
| Deployment | listener-operator-csi-controller | listener-operator-csi-controller | quay.io/zncdatadev/listener-csi-driver:0.0.0-dev |
| Deployment | listener-operator-csi-controller | liveness-probe | quay.io/zncdatadev/sig-storage/livenessprobe:v2.14.0 |
🤖 listener-operator-ds-check
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role listener-operator-ds-check | apps/daemonsets | get · list · watch | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | listener-operator-ds-check | kubectl | quay.io/zncdatadev/tools:1.0.0-kubedoop0.0.0-dev |