3 Service Accounts
3 Workloads
64 Bindings
7 Critical
1 High
56 Low
Description
The official ngrok Kubernetes Operator.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
ngrok-operator | default | ❌ | — | 55 | 1 | Critical |
ngrok-operator-agent | default | ❌ | — | 8 | 1 | Critical |
ngrok-operator-cleanup | default | ❌ | — | 1 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 ngrok-operator
Namespace: default | Automount: ❌
🔑 Permissions (55)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole ngrok-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role ngrok-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole ngrok-operator-manager-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role ngrok-operator-operator-state-role | core/secrets | create · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole ngrok-operator-bindings-cluster-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole ngrok-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role ngrok-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/agentendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-bindings-cluster-role | bindings.k8s.ngrok.com/boundendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-bindings-cluster-role | bindings.k8s.ngrok.com/boundendpoints/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-bindings-cluster-role | bindings.k8s.ngrok.com/boundendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/cloudendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/domains/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | core/events | create · patch | Low | |
Role ngrok-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gatewayclasses/status | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gateways | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gateways/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/gateways/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/httproutes | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/httproutes/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/httproutes/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingressclasses | get · list · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingresses | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingresses/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | networking.k8s.io/ingresses/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ingress.k8s.ngrok.com/ippolicies/status | get · patch · update | Low | |
Role ngrok-operator-operator-state-role | ngrok.k8s.ngrok.com/kubernetesoperators | create · delete · get · list · patch · update · watch | Low | |
Role ngrok-operator-operator-state-role | ngrok.k8s.ngrok.com/kubernetesoperators/finalizers | patch · update | Low | |
Role ngrok-operator-operator-state-role | ngrok.k8s.ngrok.com/kubernetesoperators/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | core/namespaces | get · list · update · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies/status | get · patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/referencegrants | get · list · watch | Low | |
ClusterRole ngrok-operator-bindings-cluster-role | core/services/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | core/services/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-bindings-cluster-role | core/services/status | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | core/services/status | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tcproutes | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tcproutes/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tcproutes/status | get · list · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tlsroutes | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tlsroutes/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-manager-role | gateway.networking.k8s.io/tlsroutes/status | get · list · update · watch | Low |
⚠️ Potential Abuse (11)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ngrok-operator-manager | ngrok-operator | docker.io/ngrok/ngrok-operator:0.21.0-rc.1 |
🤖 ngrok-operator-agent
Namespace: default | Automount: ❌
🔑 Permissions (8)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole ngrok-operator-agent-role | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints | get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints/finalizers | patch · update | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/agentendpoints/status | get · patch · update | Low | |
ClusterRole ngrok-operator-agent-role | ingress.k8s.ngrok.com/domains | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ngrok-operator-agent-role | core/events | create · patch | Low | |
Role ngrok-operator-agent-operator-state-role | ngrok.k8s.ngrok.com/kubernetesoperators | get · list · watch | Low | |
ClusterRole ngrok-operator-agent-role | ngrok.k8s.ngrok.com/ngroktrafficpolicies | get · list · watch | Low |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | ngrok-operator-agent | agent | docker.io/ngrok/ngrok-operator:0.21.0-rc.1 |
🤖 ngrok-operator-cleanup
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role ngrok-operator-cleanup | ngrok.k8s.ngrok.com/kubernetesoperators | delete · get · list · watch | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | ngrok-operator-cleanup | cleanup | bitnami/kubectl:latest |