linkerd-viz :: RBAC ATLAS

Description

Linkerd Viz extension contains the observability and visualization components that can be integrated directly.

https://github.com/linkerd/linkerd2/

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`linkerd-prometheus`	linkerd-viz	❌	—	3	1	Critical
`linkerd-web`	linkerd-viz	❌	—	15	1	High
`linkerd-tap`	linkerd-viz	❌	—	17	1	Low
`linkerd-grafana`	linkerd-viz	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `linkerd-prometheus`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (3)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-prometheus`	core/pods	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Node proxy GET RCE via WebSocket

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-prometheus	prometheus	prom/prometheus:v2.19.3

🤖 `linkerd-web`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (15)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap-admin`	tap.linkerd.io/*	watch	High	ClusterWideAccess WildcardPermission
ClusterRole `linkerd-linkerd-viz-web-check`	apiregistration.k8s.io/apiservices	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterrolebindings	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterroles	list	Low
Role `linkerd-web`	core/configmaps	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	apiextensions.k8s.io/customresourcedefinitions	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list	Low
Role `linkerd-web`	core/namespaces	get	Low
Role `linkerd-web`	core/pods	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	policy/podsecuritypolicies	list	Low
Role `linkerd-web`	apps/replicasets	list	Low
Role `linkerd-web`	core/serviceaccounts	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	linkerd.io/serviceprofiles	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/validatingwebhookconfigurations	list	Low
Role `linkerd-web`	core/configmaps (restricted to: linkerd-config)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-web	web	ghcr.io/linkerd/web:edge-21.1.2

🤖 `linkerd-tap`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-linkerd-viz-tap`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/pods	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/services	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-tap	tap	ghcr.io/linkerd/controller:edge-21.1.2

🤖 `linkerd-grafana`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-grafana	grafana	ghcr.io/linkerd/grafana:edge-21.1.2

linkerd-viz

Description

Overview

Identities

🤖 linkerd-prometheus

🔑 Permissions (3)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-web

🔑 Permissions (15)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-tap

🔑 Permissions (17)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-grafana

🔑 Permissions (0)

📦 Workloads (1)

🤖 `linkerd-prometheus`

🤖 `linkerd-web`

🤖 `linkerd-tap`

🤖 `linkerd-grafana`