Description
A Helm chart to deploy the Capsule Operator for easily implementing, managing, and maintaining mutitenancy and access control in Kubernetes.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
capsule-crds | default | ❌ | — | 2 | 1 | Low |
capsule-post-install | default | ❌ | — | 1 | 1 | Low |
capsule-pre-delete | default | ❌ | — | 5 | 1 | Low |
capsule-proxy-crds | default | ❌ | — | 2 | 1 | Low |
capsule | default | ❌ | — | 0 | 1 | — |
capsule-capsule-proxy | default | ❌ | — | 0 | 2 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 capsule-pre-delete
Namespace: default | Automount: ❌
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterrolebindings (restricted to: capsule-namespace-deleter) | delete | Low | ResourceNameRestricted |
ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterroles (restricted to: capsule-namespace-deleter) | delete | Low | ResourceNameRestricted |
ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterrolebindings (restricted to: capsule-namespace-provisioner) | delete | Low | ResourceNameRestricted |
ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterroles (restricted to: capsule-namespace-provisioner) | delete | Low | ResourceNameRestricted |
Role capsule-pre-delete | core/secrets (restricted to: capsule-tls) | delete | Low | ResourceNameRestricted |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-pre-delete | pre-delete-job | docker.io/clastix/kubectl:v1.20 |
🤖 capsule-crds
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole capsule-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · patch | Low | |
ClusterRole capsule-crds | core/jobs | create · delete | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-crds | crds-hook | docker.io/clastix/kubectl:v1.20 |
🤖 capsule-proxy-crds
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole capsule-proxy-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · patch | Low | |
ClusterRole capsule-proxy-crds | core/jobs | create · delete | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-proxy-crds | crds-hook | docker.io/clastix/kubectl:v1.20 |
🤖 capsule-post-install
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role capsule-post-install | core/secrets | get | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-post-install | post-install | docker.io/clastix/kubectl:v1.20 |
🤖 capsule
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-controller-manager | manager | ghcr.io/projectcapsule/capsule:v0.10.1 |
🤖 capsule-capsule-proxy
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-capsule-proxy | capsule-proxy | ghcr.io/projectcapsule/capsule-proxy:v0.9.8 |
| Job | capsule-capsule-proxy-certgen | post-install-job | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4 |