Summary: 1 Service Accounts | 1 Workloads | 2 Bindings | 2 Medium
Description
A Helm chart to deploy the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| capsule | default | ❌ | — | 2 | 3 | Medium |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 capsule
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole capsule-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
| ClusterRole capsule-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
📦 Workloads (3)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | capsule-controller-manager | manager | ghcr.io/projectcapsule/capsule:v0.4.2 |
| Job | capsule-rbac-cleaner | pre-delete-job | docker.io/clastix/kubectl:v1.20 |
| Job | capsule-waiting-certs | post-install-job | docker.io/clastix/kubectl:v1.20 |