linkerd-control-plane
v2025.6.2
4 Service Accounts
4 Workloads
55 Bindings
2 Critical
1 Medium
52 Low
Description
Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
linkerd-destination | default | ❌ | — | 34 | 4 | Critical |
linkerd-identity | default | ❌ | — | 2 | 2 | Medium |
linkerd-heartbeat | default | ❌ | — | 3 | 1 | Low |
linkerd-proxy-injector | default | ❌ | — | 16 | 2 | Low |
Numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 linkerd-destination
Namespace: default | Automount: ❌
🔑 Permissions (34)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole linkerd-default-destination | discovery.k8s.io/endpointslices | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection |
Role remote-discovery | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole linkerd-policy | policy.linkerd.io/authorizationpolicies | get · list · watch | Low | |
ClusterRole linkerd-policy | apps/deployments | get | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/egressnetworks | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/egressnetworks/status | patch | Low | |
ClusterRole linkerd-default-destination | core/endpoints | get · list · watch | Low | |
ClusterRole linkerd-default-destination | workload.linkerd.io/externalworkloads | get · list · watch | Low | |
ClusterRole linkerd-policy | workload.linkerd.io/externalworkloads | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/grpcroutes | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/grpcroutes/status | patch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/httplocalratelimitpolicies | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/httplocalratelimitpolicies/status | patch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/httproutes | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/httproutes | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/httproutes/status | patch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/httproutes/status | patch | Low | |
ClusterRole linkerd-default-destination | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-default-destination | coordination.k8s.io/leases | create · get · patch · update | Low | |
ClusterRole linkerd-policy | coordination.k8s.io/leases | create · get · patch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/meshtlsauthentications | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/networkauthentications | get · list · watch | Low | |
ClusterRole linkerd-default-destination | core/nodes | get · list · watch | Low | |
ClusterRole linkerd-default-destination | core/pods | get · list · watch | Low | |
ClusterRole linkerd-policy | core/pods | get · list · watch | Low | |
ClusterRole linkerd-default-destination | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/serverauthorizations | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/servers | get · list · watch | Low | |
ClusterRole linkerd-default-destination | linkerd.io/serviceprofiles | get · list · watch | Low | |
ClusterRole linkerd-default-destination | core/services | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/tcproutes | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/tcproutes/status | patch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/tlsroutes | get · list · watch | Low | |
ClusterRole linkerd-policy | gateway.networking.k8s.io/tlsroutes/status | patch | Low | |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Manage Endpoints or EndpointSlices cluster-wide
- Manage Endpoints or EndpointSlices in a namespace
📦 Workloads (4)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | linkerd-destination | destination | cr.l5d.io/linkerd/controller:edge-25.6.2 |
Deployment | linkerd-destination | linkerd-proxy | cr.l5d.io/linkerd/proxy:edge-25.6.2 |
Deployment | linkerd-destination | policy | cr.l5d.io/linkerd/policy-controller:edge-25.6.2 |
Deployment | linkerd-destination | sp-validator | cr.l5d.io/linkerd/controller:edge-25.6.2 |
🤖 linkerd-identity
Namespace: default | Automount: ❌
🔑 Permissions (2)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole linkerd-default-identity | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole linkerd-default-identity | core/events | create · patch | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (2)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | linkerd-identity | identity | cr.l5d.io/linkerd/controller:edge-25.6.2 |
Deployment | linkerd-identity | linkerd-proxy | cr.l5d.io/linkerd/proxy:edge-25.6.2 |
🤖 linkerd-proxy-injector
Namespace: default | Automount: ❌
🔑 Permissions (16)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole linkerd-default-proxy-injector | batch/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | apps/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | apps/deployments | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/deployments | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | core/events | create · patch | Low | |
ClusterRole linkerd-default-proxy-injector | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/jobs | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole linkerd-default-proxy-injector | core/pods | list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/replicasets | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | apps/statefulsets | get · list · watch | Low | |
ClusterRole linkerd-default-proxy-injector | extensions/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (2)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | linkerd-proxy-injector | linkerd-proxy | cr.l5d.io/linkerd/proxy:edge-25.6.2 |
Deployment | linkerd-proxy-injector | proxy-injector | cr.l5d.io/linkerd/controller:edge-25.6.2 |
🤖 linkerd-heartbeat
Namespace: default | Automount: ❌
🔑 Permissions (3)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role linkerd-heartbeat | core/configmaps | get | Low | |
ClusterRole linkerd-heartbeat | core/namespaces | list | Low | |
ClusterRole linkerd-heartbeat | linkerd.io/serviceprofiles | list | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
CronJob | linkerd-heartbeat | heartbeat | cr.l5d.io/linkerd/controller:edge-25.6.2 |