linkerd2
v2.11.5
4 Service Accounts
4 Workloads
34 Bindings
1 Medium
33 Low
Description
DEPRECATED: Use linkerd-crds and linkerd-control-plane for Linkerd 2.12.0 and later (see https://linkerd.io/2.12/tasks/upgrade/#upgrading-to-2-12-0-using-helm) - Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
linkerd-identity | linkerd | ❌ | — | 3 | 2 | Medium |
linkerd-destination | linkerd | ❌ | — | 12 | 4 | Low |
linkerd-heartbeat | linkerd | ❌ | — | 3 | 1 | Low |
linkerd-proxy-injector | linkerd | ❌ | — | 16 | 2 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 linkerd-identity
Namespace: linkerd | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-identity | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole linkerd-linkerd-identity | apps/deployments | get | Low | |
ClusterRole linkerd-linkerd-identity | core/events | create · patch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | linkerd-identity | identity | cr.l5d.io/linkerd/controller:stable-2.11.5 |
| Deployment | linkerd-identity | linkerd-proxy | cr.l5d.io/linkerd/proxy:stable-2.11.5 |
🤖 linkerd-proxy-injector
Namespace: linkerd | Automount: ❌
🔑 Permissions (16)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-proxy-injector | batch/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/cronjobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | apps/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/daemonsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | apps/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/deployments | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | core/events | create · patch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole linkerd-linkerd-proxy-injector | core/pods | list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/replicasets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | apps/statefulsets | get · list · watch | Low | |
ClusterRole linkerd-linkerd-proxy-injector | extensions/statefulsets | get · list · watch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | linkerd-proxy-injector | linkerd-proxy | cr.l5d.io/linkerd/proxy:stable-2.11.5 |
| Deployment | linkerd-proxy-injector | proxy-injector | cr.l5d.io/linkerd/controller:stable-2.11.5 |
🤖 linkerd-destination
Namespace: linkerd | Automount: ❌
🔑 Permissions (12)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole linkerd-linkerd-destination | core/endpoints | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | batch/jobs | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole linkerd-linkerd-destination | core/nodes | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | core/pods | get · list · watch | Low | |
ClusterRole linkerd-policy | core/pods | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | apps/replicasets | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/serverauthorizations | get · list · watch | Low | |
ClusterRole linkerd-policy | policy.linkerd.io/servers | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | linkerd.io/serviceprofiles | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | core/services | get · list · watch | Low | |
ClusterRole linkerd-linkerd-destination | split.smi-spec.io/trafficsplits | get · list · watch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | linkerd-destination | destination | cr.l5d.io/linkerd/controller:stable-2.11.5 |
| Deployment | linkerd-destination | linkerd-proxy | cr.l5d.io/linkerd/proxy:stable-2.11.5 |
| Deployment | linkerd-destination | policy | cr.l5d.io/linkerd/policy-controller:stable-2.11.5 |
| Deployment | linkerd-destination | sp-validator | cr.l5d.io/linkerd/controller:stable-2.11.5 |
🤖 linkerd-heartbeat
Namespace: linkerd | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role linkerd-heartbeat | core/configmaps | get | Low | |
ClusterRole linkerd-heartbeat | core/namespaces | list | Low | |
ClusterRole linkerd-heartbeat | linkerd.io/serviceprofiles | list | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| CronJob | linkerd-heartbeat | heartbeat | cr.l5d.io/linkerd/controller:stable-2.11.5 |