2 Service Accounts
2 Workloads
13 Bindings
1 Critical
1 Medium
11 Low
Description
DEPRECATED: Moved to https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
newrelic-infra-operator | default | ❌ | — | 10 | 1 | Critical |
newrelic-infra-operator-admission | default | ❌ | — | 3 | 2 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 newrelic-infra-operator
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole newrelic-infra-operator | core/nodes/proxy | get · list | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole newrelic-infra-operator | rbac.authorization.k8s.io/clusterrolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole newrelic-infra-operator | core/nodes | get · list | Low | |
ClusterRole newrelic-infra-operator | core/nodes/metrics | get · list | Low | |
ClusterRole newrelic-infra-operator | core/nodes/stats | get · list | Low | |
ClusterRole newrelic-infra-operator | core/pods | get · list | Low | |
ClusterRole newrelic-infra-operator | core/secrets | create | Low | |
ClusterRole newrelic-infra-operator | core/services | get · list | Low | |
ClusterRole newrelic-infra-operator | core/secrets (restricted to: newrelic-infra-operator-config) | get · patch · update | Low | ResourceNameRestricted |
ClusterRole newrelic-infra-operator | rbac.authorization.k8s.io/clusterrolebindings (restricted to: newrelic-infra-operator-infra-agent) | update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | newrelic-infra-operator | newrelic-infra-operator | newrelic/newrelic-infra-operator:0.6.0 |
🤖 newrelic-infra-operator-admission
Namespace: default | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole newrelic-infra-operator-admission | admissionregistration.k8s.io/mutatingwebhookconfigurations | get · update | Low | |
Role newrelic-infra-operator-admission | core/secrets | create · get | Low | |
ClusterRole newrelic-infra-operator-admission | policy/podsecuritypolicies (restricted to: newrelic-infra-operator-admission) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | newrelic-infra-operator-admission-create | create | k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 |
| Job | newrelic-infra-operator-admission-patch | patch | k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 |