6 Service Accounts
6 Workloads
69 Bindings
1 Critical
1 High
67 Low
Description
The Linkerd-Viz extension contains observability and visualization components for Linkerd.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
prometheus | linkerd-viz | ❌ | — | 5 | 1 | Critical |
web | linkerd-viz | ❌ | — | 19 | 1 | High |
grafana | linkerd-viz | ❌ | — | 2 | 1 | Low |
metrics-api | linkerd-viz | ❌ | — | 21 | 1 | Low |
tap | linkerd-viz | ❌ | — | 19 | 1 | Low |
tap-injector | linkerd-viz | ❌ | — | 3 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 prometheus
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-viz-prometheus | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole linkerd-linkerd-viz-prometheus | core/nodes | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-prometheus | core/pods | get · list · watch | Low | |
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | prometheus | prometheus | prom/prometheus:v2.19.3 |
🤖 web
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (19)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-viz-tap-admin | tap.linkerd.io/* | watch | High | ClusterWideAccess |
ClusterRole linkerd-linkerd-viz-web-check | apiregistration.k8s.io/apiservices | get | Low | |
ClusterRole linkerd-linkerd-viz-web-check | rbac.authorization.k8s.io/clusterrolebindings | list | Low | |
ClusterRole linkerd-linkerd-viz-web-check | rbac.authorization.k8s.io/clusterroles | list | Low | |
Role web | core/configmaps | get | Low | |
ClusterRole linkerd-linkerd-viz-web-check | apiextensions.k8s.io/customresourcedefinitions | list | Low | |
ClusterRole linkerd-linkerd-viz-web-check | admissionregistration.k8s.io/mutatingwebhookconfigurations | list | Low | |
ClusterRole linkerd-linkerd-viz-tap-admin | core/namespaces | list | Low | |
ClusterRole linkerd-linkerd-viz-web-api | core/namespaces | list | Low | |
Role web | core/namespaces | get | Low | |
Role web | core/pods | list | Low | |
ClusterRole linkerd-linkerd-viz-web-check | policy/podsecuritypolicies | list | Low | |
Role web | apps/replicasets | list | Low | |
Role web | core/serviceaccounts | list | Low | |
ClusterRole linkerd-linkerd-viz-web-check | linkerd.io/serviceprofiles | list | Low | |
ClusterRole linkerd-linkerd-viz-web-check | admissionregistration.k8s.io/validatingwebhookconfigurations | list | Low | |
Role web | core/configmaps (restricted to: linkerd-config) | get | Low | ResourceNameRestricted |
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | web | web | cr.l5d.io/linkerd/web:edge-21.6.2 |
🤖 metrics-api
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-viz-metrics-api | batch/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | apps/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | apps/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | core/endpoints | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole linkerd-linkerd-viz-metrics-api | core/pods | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | linkerd.io/serviceprofiles | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | core/services | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | apps/statefulsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | extensions/statefulsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-metrics-api | split.smi-spec.io/trafficsplits | get · list · watch | Low | |
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | metrics-api | metrics-api | cr.l5d.io/linkerd/metrics-api:edge-21.6.2 |
🤖 tap
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (19)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-viz-tap | batch/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | apps/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | apps/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole linkerd-linkerd-viz-tap | core/nodes | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | core/pods | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | core/services | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | apps/statefulsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-viz-tap | extensions/statefulsets | get · list · watch | Low | |
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | tap | tap | cr.l5d.io/linkerd/tap:edge-21.6.2 |
🤖 tap-injector
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-tap-injector | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | tap-injector | tap-injector | cr.l5d.io/linkerd/tap:edge-21.6.2 |
🤖 grafana
Namespace: linkerd-viz | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role psp | extensions/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
Role psp | policy/podsecuritypolicies (restricted to: linkerd-linkerd-control-plane) | use | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | grafana | grafana | cr.l5d.io/linkerd/grafana:edge-21.6.2 |