altinity-clickhouse-operator

Description

Helm chart to deploy altinity-clickhouse-operator. The ClickHouse Operator creates, configures and manages ClickHouse clusters running on Kubernetes.

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`altinity-clickhouse-operator`	ntnx-cpaas	❌	—	25	2	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `altinity-clickhouse-operator`

Namespace: ntnx-cpaas | Automount: ❌

🔑 Permissions (25)

Role	Resource	Verbs	Risk	Tags
ClusterRole `altinity-clickhouse-operator`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `altinity-clickhouse-operator`	core/pods	delete · get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution
ClusterRole `altinity-clickhouse-operator`	core/secrets	create · delete · get · list · patch · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole `altinity-clickhouse-operator`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `altinity-clickhouse-operator`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `altinity-clickhouse-operator`	policy/poddisruptionbudgets	create · delete · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallations	delete · get · list · patch · update · watch	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallations/finalizers	update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallations/status	create · delete · get · patch · update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallationtemplates	get · list · watch	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallationtemplates/finalizers	update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseinstallationtemplates/status	create · delete · get · patch · update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse-keeper.altinity.com/clickhousekeeperinstallations	delete · get · list · patch · update · watch	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse-keeper.altinity.com/clickhousekeeperinstallations/finalizers	update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse-keeper.altinity.com/clickhousekeeperinstallations/status	create · delete · get · patch · update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseoperatorconfigurations	get · list · watch	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseoperatorconfigurations/finalizers	update	Low
ClusterRole `altinity-clickhouse-operator`	clickhouse.altinity.com/clickhouseoperatorconfigurations/status	create · delete · get · patch · update	Low
ClusterRole `altinity-clickhouse-operator`	apiextensions.k8s.io/customresourcedefinitions	get · list	Low
ClusterRole `altinity-clickhouse-operator`	core/endpoints	get · list · watch	Low
ClusterRole `altinity-clickhouse-operator`	core/events	create	Low
ClusterRole `altinity-clickhouse-operator`	core/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
ClusterRole `altinity-clickhouse-operator`	core/persistentvolumes	get · list · patch · update · watch	Low
ClusterRole `altinity-clickhouse-operator`	apps/replicasets	delete · get · patch · update	Low
ClusterRole `altinity-clickhouse-operator`	apps/deployments (restricted to: altinity-clickhouse-operator)	delete · get · patch · update	Low	ResourceNameRestricted

⚠️ Potential Abuse (16)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	altinity-clickhouse-operator	altinity-clickhouse-operator	artifactory.dyn.ntnxdpro.com/canaveral-legacy-docker/cpaas-clickhouse-altinity-operator:0.24.2
Deployment	altinity-clickhouse-operator	metrics-exporter	artifactory.dyn.ntnxdpro.com/canaveral-legacy-docker/cpaas-clickhouse-metrics-exporter:0.24.2