Description

A Helm chart to deploy the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.

Overview

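| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| capsule-crds | default |  |  | 2 | 1 | Low |
| capsule-post-install | default |  |  | 1 | 1 | Low |
| capsule-pre-delete | default |  |  | 5 | 1 | Low |
| capsule-proxy-crds | default |  |  | 2 | 1 | Low |
| capsule | default |  |  | 0 | 1 |  |
| capsule-capsule-proxy | default |  |  | 0 | 2 |  |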

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 capsule-pre-delete

Namespace: default  |  Automount:

🔑 Permissions (5)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterrolebindings (restricted to: capsule-namespace-deleter) | delete | Low | ResourceNameRestricted |
| ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterroles (restricted to: capsule-namespace-deleter) | delete | Low | ResourceNameRestricted |
| ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterrolebindings (restricted to: capsule-namespace-provisioner) | delete | Low | ResourceNameRestricted |
| ClusterRole capsule-pre-delete | rbac.authorization.k8s.io/clusterroles (restricted to: capsule-namespace-provisioner) | delete | Low | ResourceNameRestricted |
| Role capsule-pre-delete | core/secrets (restricted to: capsule-tls) | delete | Low | ResourceNameRestricted |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-pre-delete | pre-delete-job | docker.io/clastix/kubectl:v1.20 |

🤖 capsule-crds

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole capsule-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · patch | Low |  |
| ClusterRole capsule-crds | core/jobs | create · delete | Low |  |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-crds | crds-hook | docker.io/clastix/kubectl:v1.20 |

🤖 capsule-proxy-crds

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole capsule-proxy-crds | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · patch | Low |  |
| ClusterRole capsule-proxy-crds | core/jobs | create · delete | Low |  |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-proxy-crds | crds-hook | docker.io/clastix/kubectl:v1.20 |

🤖 capsule-post-install

Namespace: default  |  Automount:

🔑 Permissions (1)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role capsule-post-install | core/secrets | get | Low |  |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Job | capsule-post-install | post-install | docker.io/clastix/kubectl:v1.20 |

🤖 capsule

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-controller-manager | manager | ghcr.io/projectcapsule/capsule:v0.10.1 |

🤖 capsule-capsule-proxy

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-capsule-proxy | capsule-proxy | ghcr.io/projectcapsule/capsule-proxy:v0.9.8 |
| Job | capsule-capsule-proxy-certgen | post-install-job | registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4 |