metallb
v0.15.2
3 Service Accounts
3 Workloads
24 Bindings
2 Critical
2 High
3 Medium
17 Low
Description
A network load-balancer implementation for Kubernetes using standard routing protocols
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
metallb-controller | default | ❌ | — | 7 | 1 | Critical |
metallb-speaker | default | ❌ | — | 8 | 4 | High |
metallb-frr-k8s-controller | default | ❌ | — | 9 | 8 | Medium |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 metallb-controller
Namespace: default | Automount: ❌
🔑 Permissions (7)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole metallb:controller | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update · watch | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering |
ClusterRole metallb:controller | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update · watch | Critical | DenialOfService InformationDisclosure Reconnaissance Tampering WebhookManipulation (+1 more) |
ClusterRole metallb:controller | core/events | create · patch | Low | |
ClusterRole metallb:controller | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole metallb:controller | core/nodes | list | Low | |
ClusterRole metallb:controller | core/services | get · list · watch | Low | |
ClusterRole metallb:controller | core/services/status | update | Low | |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Manage ValidatingWebhookConfigurations
- Manage CustomResourceDefinitions
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | metallb-controller | controller | quay.io/metallb/controller:v0.15.2 |
🤖 metallb-speaker
Namespace: default | Automount: ❌
🔑 Permissions (8)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole metallb:speaker | metallb.io/servicel2statuses | * | High | ClusterWideAccess |
ClusterRole metallb:speaker | metallb.io/servicel2statuses/status | * | High | ClusterWideAccess |
ClusterRole metallb:speaker | core/endpoints | get · list · watch | Low | |
ClusterRole metallb:speaker | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole metallb:speaker | core/events | create · patch | Low | |
ClusterRole metallb:speaker | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole metallb:speaker | core/nodes | get · list · watch | Low | |
ClusterRole metallb:speaker | core/services | get · list · watch | Low | |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (4)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | metallb-speaker | frr | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-speaker | frr-metrics | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-speaker | reloader | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-speaker | speaker | quay.io/metallb/speaker:v0.15.2 |
🤖 metallb-frr-k8s-controller
Namespace: default | Automount: ❌
🔑 Permissions (9)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole metallb-frr-k8s-controller | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole metallb-frr-k8s-controller | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole metallb-frr-k8s-controller | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole metallb-frr-k8s-controller | frrk8s.metallb.io/bgpsessionstates | create · delete · get · list · patch · update · watch | Low | |
ClusterRole metallb-frr-k8s-controller | frrk8s.metallb.io/bgpsessionstates/status | get · patch · update | Low | |
ClusterRole metallb-frr-k8s-controller | frrk8s.metallb.io/frrconfigurations | get · list · watch | Low | |
ClusterRole metallb-frr-k8s-controller | frrk8s.metallb.io/frrnodestates | create · delete · get · list · patch · update · watch | Low | |
ClusterRole metallb-frr-k8s-controller | frrk8s.metallb.io/frrnodestates/status | get · patch · update | Low | |
ClusterRole metallb-frr-k8s-controller | core/nodes | get · list · watch | Low | |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- List ValidatingWebhookConfigurations (Reconnaissance)
📦 Workloads (8)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | metallb-frr-k8s | controller | quay.io/metallb/frr-k8s:v0.0.20 |
DaemonSet | metallb-frr-k8s | frr | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-frr-k8s | frr-metrics | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-frr-k8s | frr-status | quay.io/frrouting/frr:9.1.0 |
DaemonSet | metallb-frr-k8s | kube-rbac-proxy | gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 |
DaemonSet | metallb-frr-k8s | kube-rbac-proxy-frr | gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 |
DaemonSet | metallb-frr-k8s | reloader | quay.io/frrouting/frr:9.1.0 |
Deployment | metallb-frr-k8s-webhook-server | frr-k8s-webhook-server | quay.io/metallb/frr-k8s:v0.0.20 |