1 Service Accounts
2 Workloads
20 Bindings
5 Critical
2 High
2 Medium
11 Low
Description
OpenTelemetry Operator Helm chart for Kubernetes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
opentelemetry-operator-controller-manager | default | ❌ | — | 20 | 2 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 opentelemetry-operator-controller-manager
Namespace: default | Automount: ❌
🔑 Permissions (20)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole opentelemetry-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole opentelemetry-operator-manager-role | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole opentelemetry-operator-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole opentelemetry-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole opentelemetry-operator-manager-role | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
Role opentelemetry-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole opentelemetry-operator-manager-role | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering |
ClusterRole opentelemetry-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole opentelemetry-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
Role opentelemetry-operator-leader-election-role | core/configmaps/status | get · patch · update | Low | |
ClusterRole opentelemetry-operator-manager-role | core/events | create · patch | Low | |
Role opentelemetry-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole opentelemetry-operator-manager-role | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole opentelemetry-operator-manager-role | opentelemetry.io/instrumentations | get · list · patch · update · watch | Low | |
ClusterRole opentelemetry-operator-manager-role | coordination.k8s.io/leases | create · get · list · update | Low | |
ClusterRole opentelemetry-operator-manager-role | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole opentelemetry-operator-manager-role | opentelemetry.io/opentelemetrycollectors | create · delete · get · list · patch · update · watch | Low | |
ClusterRole opentelemetry-operator-manager-role | opentelemetry.io/opentelemetrycollectors/finalizers | get · patch · update | Low | |
ClusterRole opentelemetry-operator-manager-role | opentelemetry.io/opentelemetrycollectors/status | get · patch · update | Low | |
ClusterRole opentelemetry-operator-manager-role | apps/replicasets | get · list · watch | Low |
⚠️ Potential Abuse (18)
The following security risks were found based on the above permissions:
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage DaemonSets cluster-wide (runs on all nodes, high impact)
- Manage DaemonSets in a namespace (runs on nodes, high impact)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage ServiceAccounts cluster-wide
- Manage ServiceAccounts in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | opentelemetry-operator-controller-manager | kube-rbac-proxy | gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 |
| Deployment | opentelemetry-operator-controller-manager | manager | ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:v0.56.0 |