keptn :: RBAC ATLAS

Description

A Helm chart for Keptn, a set of tools to enable cloud-native application lifecycle management

https://github.com/keptn/lifecycle-toolkit

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`certificate-operator`	default	❌	—	9	1	Critical
`lifecycle-operator`	default	❌	—	48	1	Critical
`metrics-operator`	default	❌	—	15	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `lifecycle-operator`

Namespace: default | Automount: ❌

🔑 Permissions (48)

Role	Resource	Verbs	Risk	Tags
Role `lifecycle-operator-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
ClusterRole `lifecycle-operator-role`	core/configmaps	create · get · list · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure
Role `lifecycle-operator-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `lifecycle-operator-role`	apps/daemonsets	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	apps/deployments	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	core/deployments	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	core/events	create · patch · watch	Low
Role `lifecycle-operator-leader-election-role`	core/events	create · patch	Low
ClusterRole `lifecycle-operator-role`	batch/jobs	create · get · list · update · watch	Low
ClusterRole `lifecycle-operator-role`	batch/jobs/status	get · list	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappcontexts	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappcreationrequests	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappcreationrequests/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappcreationrequests/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnapps	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnapps/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnapps/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversion	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversion/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversion/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversions	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversions/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnappversions/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	options.keptn.sh/keptnconfigs	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	options.keptn.sh/keptnconfigs/status	get	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnevaluationdefinitions	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnevaluations	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnevaluations/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnevaluations/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	metrics.keptn.sh/keptnmetrics	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntaskdefinitions	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntaskdefinitions/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntaskdefinitions/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntasks	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntasks/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptntasks/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloads	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloads/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloads/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloadversions	create · delete · get · list · patch · update · watch	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloadversions/finalizers	update	Low
ClusterRole `lifecycle-operator-role`	lifecycle.keptn.sh/keptnworkloadversions/status	get · patch · update	Low
ClusterRole `lifecycle-operator-role`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `lifecycle-operator-role`	core/pods	get · list · update · watch	Low
ClusterRole `lifecycle-operator-role`	apps/replicasets	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	argoproj.io/rollouts	get · list · watch	Low
ClusterRole `lifecycle-operator-role`	core/secrets	get	Low
ClusterRole `lifecycle-operator-role`	apps/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	lifecycle-operator	lifecycle-operator	ghcr.io/keptn/lifecycle-operator:v2.0.0

🤖 `metrics-operator`

Namespace: default | Automount: ❌

🔑 Permissions (15)

Role	Resource	Verbs	Risk	Tags
Role `metrics-operator-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
ClusterRole `metrics-operator-role`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
Role `metrics-operator-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `metrics-operator-role`	metrics.keptn.sh/analyses	create · delete · get · list · patch · update · watch	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/analyses/finalizers	update	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/analyses/status	get · patch · update	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/analysisdefinitions	get · list · watch	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/analysisvaluetemplates	get · list · watch	Low
Role `metrics-operator-leader-election-role`	core/events	create · patch	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/keptnmetrics	get · list · watch	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/keptnmetrics/finalizers	update	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/keptnmetrics/status	get · patch · update	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/keptnmetricsproviders	get · list · watch	Low
ClusterRole `metrics-operator-role`	metrics.keptn.sh/providers	get · list · watch	Low
ClusterRole `metrics-operator-role`	core/secrets	get	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	metrics-operator	metrics-operator	ghcr.io/keptn/metrics-operator:v2.1.0

🤖 `certificate-operator`

Namespace: default | Automount: ❌

🔑 Permissions (9)

Role	Resource	Verbs	Risk	Tags
Role `certificate-operator-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
Role `certificate-operator-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `certificate-operator-role`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · list · patch · update · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `certificate-operator-role`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · list · patch · update · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `certificate-operator-role`	apiextensions.k8s.io/customresourcedefinitions	get · list · patch · update · watch	Low
ClusterRole `certificate-operator-role`	apps/deployments	get · list · watch	Low
Role `certificate-operator-leader-election-role`	core/events	create · patch	Low
Role `certificate-operator-role`	core/secrets	create · list · watch	Low
Role `certificate-operator-role`	core/secrets (restricted to: keptn-certs)	get · patch · update	Low	ResourceNameRestricted

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	certificate-operator	certificate-operator	ghcr.io/keptn/certificate-operator:v3.0.0

keptn

Description

Overview

Identities

🤖 lifecycle-operator

🔑 Permissions (48)

⚠️ Potential Abuse (6)

📦 Workloads (1)

🤖 metrics-operator

🔑 Permissions (15)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 certificate-operator

🔑 Permissions (9)

⚠️ Potential Abuse (6)

📦 Workloads (1)

🤖 `lifecycle-operator`

🤖 `metrics-operator`

🤖 `certificate-operator`