kubernetes-dashboard :: RBAC ATLAS

Description

General-purpose web UI for Kubernetes clusters

https://github.com/kubernetes/dashboard

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`kubernetes-dashboard-cert-manager`	default	✅	—	52	1	Critical
`kubernetes-dashboard-cert-manager-cainjector`	default	✅	—	8	1	Critical
`kubernetes-dashboard-cert-manager-webhook`	default	✅	—	2	1	Critical
`kubernetes-dashboard-ingress-nginx`	default	✅	—	25	1	Critical
`kubernetes-dashboard-metrics-server`	default	❌	—	5	1	High
`kubernetes-dashboard-cert-manager-startupapicheck`	default	✅	—	1	1	Low
`kubernetes-dashboard-ingress-nginx-admission`	default	✅	—	2	2	Low
`kubernetes-dashboard-metrics-scraper`	default	❌	—	2	1	Low
`kubernetes-dashboard-api`	default	❌	—	0	1	—
`kubernetes-dashboard-kong`	default	❌	—	0	1	—
`kubernetes-dashboard-web`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `kubernetes-dashboard-cert-manager`

Namespace: default | Automount: ✅

🔑 Permissions (52)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	core/pods	create · delete · get · list · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-controller-clusterissuers`	core/secrets	create · delete · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-controller-issuers`	core/secrets	create · delete · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificaterequests	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	cert-manager.io/certificaterequests	create · delete · get · list · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificaterequests/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificaterequests/status	patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificates	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	cert-manager.io/certificates	create · delete · get · list · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificates/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/certificates/status	patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	acme.cert-manager.io/challenges	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	acme.cert-manager.io/challenges	create · delete · get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	acme.cert-manager.io/challenges/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	acme.cert-manager.io/challenges/status	patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/clusterissuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	cert-manager.io/clusterissuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-clusterissuers`	cert-manager.io/clusterissuers	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	cert-manager.io/clusterissuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	cert-manager.io/clusterissuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-clusterissuers`	cert-manager.io/clusterissuers/status	patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-clusterissuers`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-issuers`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	gateway.networking.k8s.io/gateways	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	gateway.networking.k8s.io/gateways/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	gateway.networking.k8s.io/httproutes	create · delete · get · list · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	gateway.networking.k8s.io/httproutes	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	gateway.networking.k8s.io/httproutes/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	networking.k8s.io/ingresses	create · delete · get · list · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	networking.k8s.io/ingresses/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	cert-manager.io/issuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	cert-manager.io/issuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-ingress-shim`	cert-manager.io/issuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-issuers`	cert-manager.io/issuers	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	cert-manager.io/issuers	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-issuers`	cert-manager.io/issuers/status	patch · update	Low
Role `kubernetes-dashboard-cert-manager:leaderelection`	coordination.k8s.io/leases	create · get · patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-certificates`	acme.cert-manager.io/orders	create · delete · get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	acme.cert-manager.io/orders	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	acme.cert-manager.io/orders/finalizers	update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-orders`	acme.cert-manager.io/orders/status	patch · update	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	route.openshift.io/routes/custom-host	create	Low
Role `kubernetes-dashboard-cert-manager-tokenrequest`	core/serviceaccounts/token	create	Low
ClusterRole `kubernetes-dashboard-cert-manager-controller-challenges`	core/services	create · delete · get · list · watch	Low

⚠️ Potential Abuse (7)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-cert-manager	cert-manager-controller	quay.io/jetstack/cert-manager-controller:v1.16.2

🤖 `kubernetes-dashboard-ingress-nginx`

Namespace: default | Automount: ✅

🔑 Permissions (25)

Role	Resource	Verbs	Risk	Tags
Role `kubernetes-dashboard-ingress-nginx`	core/secrets	get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `kubernetes-dashboard-ingress-nginx`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/configmaps	list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/endpoints	list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	core/endpoints	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	discovery.k8s.io/endpointslices	get · list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/events	create · patch	Low
Role `kubernetes-dashboard-ingress-nginx`	core/events	create · patch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingressclasses	get · list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingressclasses	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingresses	get · list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingresses/status	update	Low
Role `kubernetes-dashboard-ingress-nginx`	networking.k8s.io/ingresses/status	update	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	coordination.k8s.io/leases	list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
Role `kubernetes-dashboard-ingress-nginx`	core/namespaces	get	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/nodes	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/pods	list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	core/pods	get · list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/secrets	list · watch	Low
ClusterRole `kubernetes-dashboard-ingress-nginx`	core/services	get · list · watch	Low
Role `kubernetes-dashboard-ingress-nginx`	core/services	get · list · watch	Low

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-ingress-nginx-controller	controller	registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa

🤖 `kubernetes-dashboard-cert-manager-cainjector`

Namespace: default | Automount: ✅

🔑 Permissions (8)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · list · patch · update · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · list · patch · update · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	apiregistration.k8s.io/apiservices	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	cert-manager.io/certificates	get · list · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	apiextensions.k8s.io/customresourcedefinitions	get · list · patch · update · watch	Low
ClusterRole `kubernetes-dashboard-cert-manager-cainjector`	core/events	create · get · patch · update	Low
Role `kubernetes-dashboard-cert-manager-cainjector:leaderelection`	coordination.k8s.io/leases	create · get · patch · update	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-cert-manager-cainjector	cert-manager-cainjector	quay.io/jetstack/cert-manager-cainjector:v1.16.2

🤖 `kubernetes-dashboard-cert-manager-webhook`

Namespace: default | Automount: ✅

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
Role `kubernetes-dashboard-cert-manager-webhook:dynamic-serving`	core/secrets	create · get · list · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kubernetes-dashboard-cert-manager-webhook:subjectaccessreviews`	authorization.k8s.io/subjectaccessreviews	create	Medium	InformationDisclosure RBACQuery

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-cert-manager-webhook	cert-manager-webhook	quay.io/jetstack/cert-manager-webhook:v1.16.2

🤖 `kubernetes-dashboard-metrics-server`

Namespace: default | Automount: ❌

🔑 Permissions (5)

Role	Resource	Verbs	Risk	Tags
ClusterRole `system:kubernetes-dashboard-metrics-server`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `system:kubernetes-dashboard-metrics-server`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `system:kubernetes-dashboard-metrics-server`	core/nodes	get · list · watch	Low
ClusterRole `system:kubernetes-dashboard-metrics-server`	core/nodes/metrics	get	Low
ClusterRole `system:kubernetes-dashboard-metrics-server`	core/pods	get · list · watch	Low

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-metrics-server	metrics-server	registry.k8s.io/metrics-server/metrics-server:v0.7.2

🤖 `kubernetes-dashboard-ingress-nginx-admission`

Namespace: default | Automount: ✅

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
Role `kubernetes-dashboard-ingress-nginx-admission`	core/secrets	create · get	Low
ClusterRole `kubernetes-dashboard-ingress-nginx-admission`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · update	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Job	kubernetes-dashboard-ingress-nginx-admission-create	create	registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
Job	kubernetes-dashboard-ingress-nginx-admission-patch	patch	registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4

🤖 `kubernetes-dashboard-metrics-scraper`

Namespace: default | Automount: ❌

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kubernetes-dashboard-metrics-scraper`	metrics.k8s.io/nodes	get · list · watch	Low
ClusterRole `kubernetes-dashboard-metrics-scraper`	metrics.k8s.io/pods	get · list · watch	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-metrics-scraper	kubernetes-dashboard-metrics-scraper	docker.io/kubernetesui/dashboard-metrics-scraper:1.2.2

🤖 `kubernetes-dashboard-cert-manager-startupapicheck`

Namespace: default | Automount: ✅

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
Role `kubernetes-dashboard-cert-manager-startupapicheck:create-cert`	cert-manager.io/certificaterequests	create	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Job	kubernetes-dashboard-cert-manager-startupapicheck	cert-manager-startupapicheck	quay.io/jetstack/cert-manager-startupapicheck:v1.16.2

🤖 `kubernetes-dashboard-api`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-api	kubernetes-dashboard-api	docker.io/kubernetesui/dashboard-api:1.13.0

🤖 `kubernetes-dashboard-kong`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-kong	proxy	kong:3.8

🤖 `kubernetes-dashboard-web`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kubernetes-dashboard-web	kubernetes-dashboard-web	docker.io/kubernetesui/dashboard-web:1.7.0

kubernetes-dashboard

Description

Overview

Identities

🤖 kubernetes-dashboard-cert-manager

🔑 Permissions (52)

⚠️ Potential Abuse (7)

📦 Workloads (1)

🤖 kubernetes-dashboard-ingress-nginx

🔑 Permissions (25)

⚠️ Potential Abuse (4)

📦 Workloads (1)

🤖 kubernetes-dashboard-cert-manager-cainjector

🔑 Permissions (8)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 kubernetes-dashboard-cert-manager-webhook

🔑 Permissions (2)

⚠️ Potential Abuse (3)

📦 Workloads (1)

🤖 kubernetes-dashboard-metrics-server

🔑 Permissions (5)

⚠️ Potential Abuse (4)

📦 Workloads (1)

🤖 kubernetes-dashboard-ingress-nginx-admission

🔑 Permissions (2)

⚠️ Potential Abuse (1)

📦 Workloads (2)

🤖 kubernetes-dashboard-metrics-scraper

🔑 Permissions (2)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 kubernetes-dashboard-cert-manager-startupapicheck

🔑 Permissions (1)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 kubernetes-dashboard-api

🔑 Permissions (0)

📦 Workloads (1)

🤖 kubernetes-dashboard-kong

🔑 Permissions (0)

📦 Workloads (1)

🤖 kubernetes-dashboard-web

🔑 Permissions (0)

📦 Workloads (1)

🤖 `kubernetes-dashboard-cert-manager`

🤖 `kubernetes-dashboard-ingress-nginx`

🤖 `kubernetes-dashboard-cert-manager-cainjector`

🤖 `kubernetes-dashboard-cert-manager-webhook`

🤖 `kubernetes-dashboard-metrics-server`

🤖 `kubernetes-dashboard-ingress-nginx-admission`

🤖 `kubernetes-dashboard-metrics-scraper`

🤖 `kubernetes-dashboard-cert-manager-startupapicheck`

🤖 `kubernetes-dashboard-api`

🤖 `kubernetes-dashboard-kong`

🤖 `kubernetes-dashboard-web`