netchecks :: RBAC ATLAS

Description

Netchecks proactively verifies whether your security controls are working as intended.

https://github.com/hardbyte/netchecks

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`netcheck-operator`	default	❌	—	18	1	Critical
`netchecks-kyverno-plugin`	default	❌	—	7	1	High
`netchecks-policy-reporter`	default	❌	—	5	1	High
`netchecks-ui`	default	❌	—	1	1	Low

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `netcheck-operator`

Namespace: default | Automount: ❌

🔑 Permissions (18)

Role	Resource	Verbs	Risk	Tags
ClusterRole `netchecks`	core/configmaps	create · delete · get · list · patch · update	Critical	ConfigMapAccess PotentialPrivilegeEscalation Tampering
ClusterRole `netchecks`	core/pods/log	get · list · watch	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
ClusterRole `netchecks`	kopf.dev/clusterkopfpeerings	get · list · patch · watch	Low
ClusterRole `netchecks`	batch/cronjobs	create · delete · get · list · update	Low
ClusterRole `netchecks`	extensions/cronjobs	create · delete · get · list · update	Low
ClusterRole `netchecks`	apiextensions.k8s.io/customresourcedefinitions	list · watch	Low
ClusterRole `netchecks`	core/events	create	Low
ClusterRole `netchecks`	batch/jobs	create · delete · get · list · update	Low
ClusterRole `netchecks`	extensions/jobs	create · delete · get · list · update	Low
ClusterRole `netchecks`	admissionregistration.k8s.io/v1/mutatingwebhookconfigurations	create · patch	Low
ClusterRole `netchecks`	admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations	create · patch	Low
ClusterRole `netchecks`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `netchecks`	netchecks.io/networkassertions	get · list · patch · update · watch	Low
ClusterRole `netchecks`	core/pods	get · list · patch · watch	Low
ClusterRole `netchecks`	core/pods/status	get · patch	Low
ClusterRole `netchecks`	wgpolicyk8s.io/policyreports	create · get · list · patch · update · watch	Low
ClusterRole `netchecks`	admissionregistration.k8s.io/v1/validatingwebhookconfigurations	create · patch	Low
ClusterRole `netchecks`	admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations	create · patch	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	netchecks	netchecks	ghcr.io/hardbyte/netchecks-operator:0.5.6

🤖 `netchecks-kyverno-plugin`

Namespace: default | Automount: ❌

🔑 Permissions (7)

Role	Resource	Verbs	Risk	Tags
ClusterRole `netchecks-kyverno-plugin`	*/clusterpolicies	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-kyverno-plugin`	*/clusterpolicies/status	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-kyverno-plugin`	*/clusterpolicyreports	get · list	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-kyverno-plugin`	*/policies	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-kyverno-plugin`	*/policies/status	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-kyverno-plugin`	*/policyreports	get · list	High	ClusterWideAccess WildcardPermission
Role `netchecks-kyverno-plugin-secret-reader`	core/secrets	get	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	netchecks-kyverno-plugin	kyverno-plugin	ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.6.3

🤖 `netchecks-policy-reporter`

Namespace: default | Automount: ❌

🔑 Permissions (5)

Role	Resource	Verbs	Risk	Tags
ClusterRole `netchecks-policy-reporter`	*/clusterpolicyreports	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-policy-reporter`	*/clusterpolicyreports/status	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-policy-reporter`	*/policyreports	get · list · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `netchecks-policy-reporter`	*/policyreports/status	get · list · watch	High	ClusterWideAccess WildcardPermission
Role `netchecks-policy-reporter-secret-reader`	core/secrets	get	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	netchecks-policy-reporter	policy-reporter	ghcr.io/kyverno/policy-reporter:2.18.1

🤖 `netchecks-ui`

Namespace: default | Automount: ❌

🔑 Permissions (1)

Role	Resource	Verbs	Risk	Tags
Role `netchecks-ui-secret-reader`	core/secrets	get	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	netchecks-ui	ui	ghcr.io/kyverno/policy-reporter-ui:1.9.2

netchecks

Description

Overview

Identities

🤖 netcheck-operator

🔑 Permissions (18)

⚠️ Potential Abuse (6)

📦 Workloads (1)

🤖 netchecks-kyverno-plugin

🔑 Permissions (7)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 netchecks-policy-reporter

🔑 Permissions (5)

⚠️ Potential Abuse (2)

📦 Workloads (1)

🤖 netchecks-ui

🔑 Permissions (1)

⚠️ Potential Abuse (1)

📦 Workloads (1)

🤖 `netcheck-operator`

🤖 `netchecks-kyverno-plugin`

🤖 `netchecks-policy-reporter`

🤖 `netchecks-ui`