Description

Network Observability in Kubernetes based on eBPF.

Overview

| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| netobserv-controller-manager | default |  |  | 43 | 1 | Critical |

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 netobserv-controller-manager

Namespace: default  |  Automount:

🔑 Permissions (43)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole netobserv-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole netobserv-manager-role | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
| ClusterRole netobserv-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
| Role netobserv-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
| ClusterRole netobserv-manager-role | networking.k8s.io/networkpolicies | create · delete · get · list · patch · update · watch | Critical | DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement Tampering |
| ClusterRole netobserv-manager-role | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more) |
| ClusterRole netobserv-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| Role netobserv-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole netobserv-manager-role | core/namespaces | create · delete · get · list · patch · update · watch | High | ClusterStructure DenialOfService InformationDisclosure NamespaceLifecycle Reconnaissance (+1 more) |
| ClusterRole netobserv-manager-role | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
| ClusterRole netobserv-manager-role | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole netobserv-manager-role | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
| ClusterRole netobserv-manager-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
| ClusterRole netobserv-manager-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
| ClusterRole netobserv-manager-role | apiregistration.k8s.io/apiservices | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | bpfman.io/clusterbpfapplications | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | bpfman.io/clusterbpfapplications/status | get · patch · update | Low |  |
| ClusterRole netobserv-manager-role | k8s.ovn.org/clusteruserdefinednetworks | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | config.openshift.io/clusterversions | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | console.openshift.io/consoleplugins | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | operator.openshift.io/consoles | get · list · update · watch | Low |  |
| ClusterRole netobserv-manager-role | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | apiextensions.k8s.io/customresourcedefinitions/status | patch · update | Low |  |
| ClusterRole netobserv-manager-role | core/endpoints | get · list · watch | Low |  |
| Role netobserv-leader-election-role | core/events | create · patch | Low |  |
| ClusterRole netobserv-manager-role | flows.netobserv.io/flowcollectors | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | flows.netobserv.io/flowcollectors/finalizers | update | Low |  |
| ClusterRole netobserv-manager-role | flows.netobserv.io/flowcollectors/status | get · patch · update | Low |  |
| ClusterRole netobserv-manager-role | flows.netobserv.io/flowmetrics | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | flows.netobserv.io/flowmetrics/status | get · patch · update | Low |  |
| ClusterRole netobserv-manager-role | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | loki.grafana.com/lokistacks | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | config.openshift.io/networks | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | core/nodes | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | core/pods | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | metrics.k8s.io/pods | create | Low |  |
| ClusterRole netobserv-manager-role | monitoring.coreos.com/prometheusrules | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | apps/replicasets | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | security.openshift.io/securitycontextconstraints | create · list · update · watch | Low |  |
| ClusterRole netobserv-manager-role | monitoring.coreos.com/servicemonitors | create · delete · get · list · patch · update · watch | Low |  |
| ClusterRole netobserv-manager-role | k8s.ovn.org/userdefinednetworks | get · list · watch | Low |  |
| ClusterRole netobserv-manager-role | security.openshift.io/securitycontextconstraints (restricted to: hostnetwork) | use | Low | ResourceNameRestricted |
| ClusterRole netobserv-manager-role | loki.grafana.com/network (restricted to: logs) | create | Low | ResourceNameRestricted |

⚠️ Potential Abuse (25)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | netobserv-controller-manager | manager | quay.io/netobserv/network-observability-operator:1.9.0-community |