linkerd-viz :: RBAC ATLAS

Description

The Linkerd-Viz extension contains observability and visualization components for Linkerd.

https://github.com/linkerd/linkerd2/

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`prometheus`	linkerd-viz	❌	—	3	1	Critical
`web`	linkerd-viz	❌	—	17	1	High
`metrics-api`	linkerd-viz	❌	—	20	1	Low
`tap`	linkerd-viz	❌	—	17	1	Low
`tap-injector`	linkerd-viz	❌	—	1	1	Low
`grafana`	linkerd-viz	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `prometheus`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (3)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `linkerd-linkerd-viz-prometheus`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-prometheus`	core/pods	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Node proxy GET RCE via WebSocket

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	prometheus	prometheus	prom/prometheus:v2.30.3

🤖 `web`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap-admin`	tap.linkerd.io/*	watch	High	ClusterWideAccess WildcardPermission
ClusterRole `linkerd-linkerd-viz-web-check`	apiregistration.k8s.io/apiservices	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterrolebindings	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	rbac.authorization.k8s.io/clusterroles	list	Low
Role `web`	core/configmaps	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	apiextensions.k8s.io/customresourcedefinitions	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list	Low
ClusterRole `linkerd-linkerd-viz-tap-admin`	core/namespaces	list	Low
ClusterRole `linkerd-linkerd-viz-web-api`	core/namespaces	list	Low
Role `web`	core/namespaces	get	Low
ClusterRole `linkerd-linkerd-viz-web-check`	core/nodes	list	Low
Role `web`	core/pods	list	Low
Role `web`	apps/replicasets	list	Low
Role `web`	core/serviceaccounts	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	linkerd.io/serviceprofiles	list	Low
ClusterRole `linkerd-linkerd-viz-web-check`	admissionregistration.k8s.io/validatingwebhookconfigurations	list	Low
Role `web`	core/configmaps (restricted to: linkerd-config)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	web	web	cr.l5d.io/linkerd/web:edge-21.12.2

🤖 `metrics-api`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (20)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-metrics-api`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/endpoints	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/pods	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	policy.linkerd.io/serverauthorizations	get · list	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	policy.linkerd.io/servers	get · list	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	linkerd.io/serviceprofiles	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	core/services	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-metrics-api`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	metrics-api	metrics-api	cr.l5d.io/linkerd/metrics-api:edge-21.12.2

🤖 `tap`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-linkerd-viz-tap`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-linkerd-viz-tap`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/pods	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	core/services	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-linkerd-viz-tap`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	tap	tap	cr.l5d.io/linkerd/tap:edge-21.12.2

🤖 `tap-injector`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-tap-injector`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	tap-injector	tap-injector	cr.l5d.io/linkerd/tap:edge-21.12.2

🤖 `grafana`

Namespace: linkerd-viz | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	grafana	grafana	cr.l5d.io/linkerd/grafana:edge-21.12.2

linkerd-viz

Description

Overview

Identities

🤖 prometheus

🔑 Permissions (3)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 web

🔑 Permissions (17)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 metrics-api

🔑 Permissions (20)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 tap

🔑 Permissions (17)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 tap-injector

🔑 Permissions (1)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 grafana

🔑 Permissions (0)

📦 Workloads (1)

🤖 `prometheus`

🤖 `web`

🤖 `metrics-api`

🤖 `tap`

🤖 `tap-injector`

🤖 `grafana`