minio-operator :: RBAC ATLAS

Description

A Helm chart for MinIO Operator

https://github.com/minio/operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`console-sa`	default	❌	—	30	1	Critical
`minio-operator`	default	❌	—	19	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `console-sa`

Namespace: default | Automount: ❌

🔑 Permissions (30)

Role	Resource	Verbs	Risk	Tags
ClusterRole `console-sa-role`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `console-sa-role`	batch/jobs	create · delete · get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `console-sa-role`	core/pods	create · delete · deletecollection · get · list · patch · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution
ClusterRole `console-sa-role`	core/secrets	create · deletecollection · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `console-sa-role`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `console-sa-role`	min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `console-sa-role`	minio.min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `console-sa-role`	core/pods/log	get · list · watch	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
ClusterRole `console-sa-role`	certificates.k8s.io/certificatesigningrequests	create · get · update	Medium	CSRCreation PotentialPrivilegeEscalation Spoofing
ClusterRole `console-sa-role`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `console-sa-role`	core/events	create · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `console-sa-role`	core/resourcequotas	create · get · list · patch · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `console-sa-role`	certificates.k8s.io/certificatesigningrequests/approval	create · get · update	Low
ClusterRole `console-sa-role`	certificates.k8s.io/certificatesigningrequests/status	create · get · update	Low
ClusterRole `console-sa-role`	apiextensions.k8s.io/customresourcedefinitions	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	direct.csi.min.io/directcsidrives	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	direct.csi.min.io/directcsivolumes	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	core/endpoints	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	core/namespaces	create · get · list · patch · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `console-sa-role`	core/nodes	create · get · list · patch · watch	Low
ClusterRole `console-sa-role`	core/persistentvolumeclaims	deletecollection · get · list · update · watch	Low
ClusterRole `console-sa-role`	core/persistentvolumes	create · delete · get · list · watch	Low
ClusterRole `console-sa-role`	core/pod	get · list · watch	Low
ClusterRole `console-sa-role`	core/services	create · get · list · patch · watch	Low
ClusterRole `console-sa-role`	storage.k8s.io/storageclasses	create · get · list · patch · watch	Low
ClusterRole `console-sa-role`	storage.k8s.io/volumeattachments	get · list · watch	Low
ClusterRole `console-sa-role`	direct.csi.min.io/volumes	create · delete · get · list · update · watch	Low
ClusterRole `console-sa-role`	snapshot.storage.k8s.io/volumesnapshotcontents	get · list	Low
ClusterRole `console-sa-role`	snapshot.storage.k8s.io/volumesnapshots	get · list	Low

⚠️ Potential Abuse (20)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	minio-operator-console	minio-operator	minio/console:v0.12.3

🤖 `minio-operator`

Namespace: default | Automount: ❌

🔑 Permissions (19)

Role	Resource	Verbs	Risk	Tags
ClusterRole `minio-operator-role`	core/configmaps	create · delete · deletecollection · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `minio-operator-role`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minio-operator-role`	batch/jobs	create · delete · get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minio-operator-role`	core/pods	create · delete · deletecollection · get · list · patch · update · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole `minio-operator-role`	core/secrets	create · delete · deletecollection · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `minio-operator-role`	core/services	create · delete · deletecollection · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `minio-operator-role`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minio-operator-role`	min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `minio-operator-role`	minio.min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `minio-operator-role`	certificates.k8s.io/certificatesigningrequests	create · delete · get · update	Medium	CSRCreation PotentialPrivilegeEscalation Spoofing
ClusterRole `minio-operator-role`	core/events	create · delete · deletecollection · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `minio-operator-role`	certificates.k8s.io/certificatesigningrequests/approval	create · delete · get · update	Low
ClusterRole `minio-operator-role`	certificates.k8s.io/certificatesigningrequests/status	create · delete · get · update	Low
ClusterRole `minio-operator-role`	apiextensions.k8s.io/customresourcedefinitions	get · update	Low
ClusterRole `minio-operator-role`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `minio-operator-role`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `minio-operator-role`	core/persistentvolumeclaims	get · list · update	Low
ClusterRole `minio-operator-role`	monitoring.coreos.com/servicemonitors	create · get · list	Low
ClusterRole `minio-operator-role`	certificates.k8s.io/signers	approve · sign	Low

⚠️ Potential Abuse (23)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	minio-operator	minio-operator	minio/operator:v4.3.7

minio-operator

Description

Overview

Identities

🤖 console-sa

🔑 Permissions (30)

⚠️ Potential Abuse (20)

📦 Workloads (1)

🤖 minio-operator

🔑 Permissions (19)

⚠️ Potential Abuse (23)

📦 Workloads (1)

🤖 `console-sa`

🤖 `minio-operator`