2 Service Accounts
2 Workloads
57 Bindings
3 Critical
2 High
2 Medium
50 Low
Description
The official ngrok Kubernetes Operator.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
ngrok-operator | default | ❌ | — | 47 | 1 | Critical |
ngrok-operator-agent | default | ❌ | — | 10 | 1 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 ngrok-operator
Namespace: default | Automount: ❌
🔑 Permissions (47)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role ngrok-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole ngrok-operator-manager-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole ngrok-operator-manager-role | core/configmaps | create · delete · get · list · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
Role ngrok-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole ngrok-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole ngrok-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | bindings.k8s.ngrok.com/boundendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | bindings.k8s.ngrok.com/boundendpoints/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | bindings.k8s.ngrok.com/boundendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | core/events | create · patch | Low | |
Role ngrok-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses/status | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gateways | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gateways/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/httproutes | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/httproutes/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingressclasses | get · list · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingresses | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingresses/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/kubernetesoperators | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/kubernetesoperators/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/kubernetesoperators/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies/finalizers | update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/referencegrants | get · list · watch | Low | |
ClusterRole ngrok-operator-manager-role | core/services | create · delete · get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | core/services/status | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tcproutes | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tcproutes/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tlsroutes | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tlsroutes/status | get · list · update · watch | Low |
⚠️ Potential Abuse (10)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ngrok-operator-manager | ngrok-operator | docker.io/ngrok/ngrok-operator:0.18.0 |
🤖 ngrok-operator-agent
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole ngrok-operator-agent-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints/finalizers | update | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-agent-role | ingress.k8s.ngrok.com/domains | create · delete · get · list · patch · watch | Low | |
ClusterRole ngrok-operator-agent-role | core/events | create · patch | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies | get · list · watch | Low | |
ClusterRole ngrok-operator-agent-role | ingress.k8s.ngrok.com/tunnels | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-agent-role | ingress.k8s.ngrok.com/tunnels/finalizers | update | Low | |
ClusterRole ngrok-operator-agent-role | ingress.k8s.ngrok.com/tunnels/status | get · patch · update | Low |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ngrok-operator-agent | agent | docker.io/ngrok/ngrok-operator:0.18.0 |