linkerd-viz :: RBAC ATLAS

Description

The Linkerd-Viz extension contains observability and visualization components for Linkerd.

https://github.com/linkerd/linkerd2/

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`linkerd-prometheus`	linkerd-viz	❌	—	3	1	Critical
`linkerd-web`	linkerd-viz	❌	—	15	1	High
`linkerd-metrics-api`	linkerd-viz	❌	—	19	1	Low
`linkerd-tap`	linkerd-viz	❌	—	17	1	Low
`tap-injector`	linkerd-viz	❌	—	1	1	Low
`linkerd-grafana`	linkerd-viz	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `linkerd-prometheus`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (3)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-prometheus`	core/pods	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Node proxy GET RCE via WebSocket

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-prometheus	prometheus	prom/prometheus:v2.19.3

🤖 `linkerd-web`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (15)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap-admin`	tap.linkerd.io/*	watch	High	ClusterWideAccess WildcardPermission
ClusterRole `linkerd-linkerd-viz-web-check`	apiregistration.k8s.io/apiservices	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterrolebindings	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterroles	list	Low
Role `linkerd-web`	core/configmaps	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	apiextensions.k8s.io/customresourcedefinitions	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list	Low
Role `linkerd-web`	core/namespaces	get	Low
Role `linkerd-web`	core/pods	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	policy/podsecuritypolicies	list	Low
Role `linkerd-web`	apps/replicasets	list	Low
Role `linkerd-web`	core/serviceaccounts	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	linkerd.io/serviceprofiles	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/validatingwebhookconfigurations	list	Low
Role `linkerd-web`	core/configmaps (restricted to: linkerd-config)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-web	web	ghcr.io/linkerd/web:edge-21.1.4

🤖 `linkerd-metrics-api`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (19)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-metrics-api`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/endpoints	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/pods	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	linkerd.io/serviceprofiles	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/services	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	split.smi-spec.io/trafficsplits	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-metrics-api	metrics-api	ghcr.io/linkerd/metrics-api:edge-21.1.4

🤖 `linkerd-tap`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-linkerd-viz-tap`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/pods	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/services	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-tap	tap	ghcr.io/linkerd/controller:edge-21.1.4

🤖 `tap-injector`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-tap-injector`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	tap-injector	tap-injector	ghcr.io/linkerd/controller:edge-21.1.4

🤖 `linkerd-grafana`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	linkerd-grafana	grafana	ghcr.io/linkerd/grafana:edge-21.1.4

linkerd-viz

Description

Overview

Identities

🤖 linkerd-prometheus

🔑 Permissions (3)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-web

🔑 Permissions (15)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-metrics-api

🔑 Permissions (19)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-tap

🔑 Permissions (17)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 tap-injector

🔑 Permissions (1)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 linkerd-grafana

🔑 Permissions (0)

📦 Workloads (1)

🤖 `linkerd-prometheus`

🤖 `linkerd-web`

🤖 `linkerd-metrics-api`

🤖 `linkerd-tap`

🤖 `tap-injector`

🤖 `linkerd-grafana`