linkerd-viz :: RBAC ATLAS

Description

The Linkerd-Viz extension contains observability and visualization components for Linkerd.

https://github.com/linkerd/linkerd2/

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`prometheus`	default	❌	—	3	1	Critical
`web`	default	❌	—	19	1	High
`metrics-api`	default	❌	—	22	1	Low
`namespace-metadata`	default	❌	—	1	1	Low
`tap`	default	❌	—	17	1	Low
`tap-injector`	default	❌	—	1	1	Low

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `prometheus`

Namespace: default | Automount: ❌

🔑 Permissions (3)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-default-prometheus`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `linkerd-default-prometheus`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-default-prometheus`	core/pods	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Node proxy GET RCE via WebSocket

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	prometheus	prometheus	prom/prometheus:v2.48.0

🤖 `web`

Namespace: default | Automount: ❌

🔑 Permissions (19)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-default-tap-admin`	tap.linkerd.io/*	watch	High	ClusterWideAccess WildcardPermission
ClusterRole `linkerd-default-web-check`	apiregistration.k8s.io/apiservices	get	Low
ClusterRole `linkerd-default-web-check`	rbac.authorization.k8s.io/clusterrolebindings	list	Low
ClusterRole `linkerd-default-web-check`	rbac.authorization.k8s.io/clusterroles	list	Low
Role `web`	core/configmaps	get	Low
ClusterRole `linkerd-default-web-check`	apiextensions.k8s.io/customresourcedefinitions	list	Low
ClusterRole `linkerd-default-web-check`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list	Low
ClusterRole `linkerd-default-tap-admin`	core/namespaces	list	Low
ClusterRole `linkerd-default-web-api`	core/namespaces	list	Low
Role `web`	core/namespaces	get	Low
ClusterRole `linkerd-default-web-check`	core/nodes	list	Low
ClusterRole `linkerd-default-web-check`	core/pods	list	Low
Role `web`	core/pods	list	Low
Role `web`	apps/replicasets	list	Low
Role `web`	core/serviceaccounts	list	Low
ClusterRole `linkerd-default-web-check`	linkerd.io/serviceprofiles	list	Low
ClusterRole `linkerd-default-web-check`	core/services	list	Low
ClusterRole `linkerd-default-web-check`	admissionregistration.k8s.io/validatingwebhookconfigurations	list	Low
Role `web`	core/configmaps (restricted to: linkerd-config)	get	Low	ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	web	web	cr.l5d.io/linkerd/web:stable-2.14.10

🤖 `metrics-api`

Namespace: default | Automount: ❌

🔑 Permissions (22)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-default-metrics-api`	policy.linkerd.io/authorizationpolicies	get · list	Low
ClusterRole `linkerd-default-metrics-api`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	core/endpoints	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	policy.linkerd.io/httproutes	get · list	Low
ClusterRole `linkerd-default-metrics-api`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-default-metrics-api`	core/pods	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	policy.linkerd.io/serverauthorizations	get · list	Low
ClusterRole `linkerd-default-metrics-api`	policy.linkerd.io/servers	get · list	Low
ClusterRole `linkerd-default-metrics-api`	linkerd.io/serviceprofiles	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	core/services	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-default-metrics-api`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	metrics-api	metrics-api	cr.l5d.io/linkerd/metrics-api:stable-2.14.10

🤖 `tap`

Namespace: default | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-default-tap`	batch/cronjobs	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/cronjobs	get · list · watch	Low
ClusterRole `linkerd-default-tap`	apps/daemonsets	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/daemonsets	get · list · watch	Low
ClusterRole `linkerd-default-tap`	apps/deployments	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/deployments	get · list · watch	Low
ClusterRole `linkerd-default-tap`	batch/jobs	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/jobs	get · list · watch	Low
ClusterRole `linkerd-default-tap`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `linkerd-default-tap`	core/nodes	get · list · watch	Low
ClusterRole `linkerd-default-tap`	core/pods	get · list · watch	Low
ClusterRole `linkerd-default-tap`	apps/replicasets	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/replicasets	get · list · watch	Low
ClusterRole `linkerd-default-tap`	core/replicationcontrollers	get · list · watch	Low
ClusterRole `linkerd-default-tap`	core/services	get · list · watch	Low
ClusterRole `linkerd-default-tap`	apps/statefulsets	get · list · watch	Low
ClusterRole `linkerd-default-tap`	extensions/statefulsets	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	tap	tap	cr.l5d.io/linkerd/tap:stable-2.14.10

🤖 `namespace-metadata`

Namespace: default | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
Role `namespace-metadata`	core/namespaces (restricted to: default)	get · patch	Low	ResourceNameRestricted

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Job	namespace-metadata	namespace-metadata	cr.l5d.io/linkerd/extension-init:v0.1.0

🤖 `tap-injector`

Namespace: default | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
ClusterRole `linkerd-tap-injector`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

List Namespaces (Cluster Reconnaissance)

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	tap-injector	tap-injector	cr.l5d.io/linkerd/tap:stable-2.14.10

linkerd-viz

Description

Overview

Identities

🤖 prometheus

🔑 Permissions (3)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 web

🔑 Permissions (19)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 metrics-api

🔑 Permissions (22)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 tap

🔑 Permissions (17)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 namespace-metadata

🔑 Permissions (1)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 tap-injector

🔑 Permissions (1)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 `prometheus`

🤖 `web`

🤖 `metrics-api`

🤖 `tap`

🤖 `namespace-metadata`

🤖 `tap-injector`