2 Service Accounts
2 Workloads
14 Bindings
5 Critical
3 High
2 Medium
4 Low
Description
Helm Chart for Capsule Proxy, addon for Capsule, the multi-tenant Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
capsule-proxy | default | ❌ | — | 11 | 1 | Critical |
capsule-proxy-crds | default | ❌ | — | 3 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 capsule-proxy
Namespace: default | Automount: ❌
🔑 Permissions (11)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole capsule-proxy:capsule-proxy | * | get · list · watch | Critical | ClusterAdminAccess ClusterStructure ClusterWideAccess ClusterWideLogAccess (+20 more) |
ClusterRole capsule-proxy:capsule-proxy | core/groups | impersonate | Critical | ClusterAdminAccess Impersonation PrivilegeEscalation Spoofing |
Role capsule-proxy:capsule-proxy | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole capsule-proxy:capsule-proxy | core/serviceaccounts | impersonate | Critical | ClusterAdminAccess Impersonation PrivilegeEscalation Spoofing |
ClusterRole capsule-proxy:capsule-proxy | core/users | impersonate | Critical | ClusterAdminAccess Impersonation PrivilegeEscalation Spoofing |
Role capsule-proxy:capsule-proxy | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role capsule-proxy:capsule-proxy | core/endpoints | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation Tampering TrafficRedirection |
ClusterRole capsule-proxy:capsule-proxy | core/userextras/* | impersonate | High | ClusterWideAccess |
ClusterRole capsule-proxy:capsule-proxy | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole capsule-proxy:capsule-proxy | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole capsule-proxy:capsule-proxy | authorization.k8s.io/selfsubjectaccessreviews | create · get · list · watch | Low |
⚠️ Potential Abuse (27)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Impersonate users, groups, or service accounts (cluster-wide)
- Read events cluster-wide
- Manage Endpoints or EndpointSlices in a namespace
- Read RBAC configuration cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Read ComponentStatuses (Control Plane Reconnaissance)
- Read CSINode Objects (Node & Storage Reconnaissance)
- Read CSIStorageCapacities (Namespace Storage Reconnaissance)
- Watch All Resources in a Namespace (Broad Information Disclosure)
- Node proxy GET RCE via WebSocket
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-proxy | capsule-proxy | ghcr.io/projectcapsule/capsule-proxy:v0.13.1 |
🤖 capsule-proxy-crds
Namespace: default | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole capsule-proxy:capsule-proxy-crds | core/jobs | create · delete | Low | |
ClusterRole capsule-proxy:capsule-proxy-crds | apiextensions.k8s.io/customresourcedefinitions (restricted to: globalproxysettings.capsule.clastix.io) | create · delete · get · patch · update | Low | CRDManipulation PotentialPrivilegeEscalation ResourceNameRestricted Tampering |
ClusterRole capsule-proxy:capsule-proxy-crds | apiextensions.k8s.io/customresourcedefinitions (restricted to: proxysettings.capsule.clastix.io) | create · delete · get · patch · update | Low | CRDManipulation PotentialPrivilegeEscalation ResourceNameRestricted Tampering |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-proxy-crds | crds-hook | docker.io/clastix/kubectl:v1.20 |