Description

DEPRECATED - This chart will be renamed. See https://github.com/prometheus-community/community/issues/28#issuecomment-670406329

Overview

Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk
prometheus-operator-grafana | default |  |  | 3 | 2 | Critical
prometheus-operator-kube-state-metrics | default |  |  | 32 | 1 | Critical
prometheus-operator-operator | default |  |  | 20 | 2 | Critical
prometheus-operator-prometheus | default |  |  | 9 | 0 | Critical
prometheus-operator-admission | default |  |  | 4 | 2 | Low
prometheus-operator-alertmanager | default |  |  | 1 | 0 | Low
prometheus-operator-grafana-test | default |  |  | 1 | 1 | Low
prometheus-operator-prometheus-node-exporter | default |  |  | 1 | 1 | Low

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 prometheus-operator-kube-state-metrics

Namespace: default  |  Automount:

🔑 Permissions (32)

Role | Resource | Verbs | Risk | Tags
ClusterRole prometheus-operator-kube-state-metrics | core/secrets | list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole prometheus-operator-kube-state-metrics | core/configmaps | list · watch | High | ConfigMapAccess DataExposure InformationDisclosure
ClusterRole prometheus-operator-kube-state-metrics | admissionregistration.k8s.io/mutatingwebhookconfigurations | list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole prometheus-operator-kube-state-metrics | core/resourcequotas | list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole prometheus-operator-kube-state-metrics | admissionregistration.k8s.io/validatingwebhookconfigurations | list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole prometheus-operator-kube-state-metrics | certificates.k8s.io/certificatesigningrequests | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | batch/cronjobs | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | apps/daemonsets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | extensions/daemonsets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | apps/deployments | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | extensions/deployments | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/endpoints | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | autoscaling/horizontalpodautoscalers | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | extensions/ingresses | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | networking.k8s.io/ingresses | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | batch/jobs | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/limitranges | list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole prometheus-operator-kube-state-metrics | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole prometheus-operator-kube-state-metrics | networking.k8s.io/networkpolicies | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/nodes | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/persistentvolumeclaims | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/persistentvolumes | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | policy/poddisruptionbudgets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/pods | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | apps/replicasets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | extensions/replicasets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/replicationcontrollers | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | core/services | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | apps/statefulsets | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | storage.k8s.io/storageclasses | list · watch | Low |
ClusterRole prometheus-operator-kube-state-metrics | storage.k8s.io/volumeattachments | list · watch | Low |
ClusterRole psp-prometheus-operator-kube-state-metrics | policy/podsecuritypolicies (restricted to: prometheus-operator-kube-state-metrics) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (12)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Deployment | prometheus-operator-kube-state-metrics | kube-state-metrics | quay.io/coreos/kube-state-metrics:v1.9.7

🤖 prometheus-operator-operator

Namespace: default  |  Automount:

🔑 Permissions (20)

Role | Resource | Verbs | Risk | Tags
ClusterRole prometheus-operator-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole prometheus-operator-operator | apiextensions.k8s.io/customresourcedefinitions | * | Critical | CRDManipulation ClusterWideAccess PotentialPrivilegeEscalation Tampering WildcardPermission
ClusterRole prometheus-operator-operator | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole prometheus-operator-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole prometheus-operator-operator | monitoring.coreos.com/alertmanagers | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/alertmanagers/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/podmonitors | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/prometheuses | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/prometheuses/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/prometheusrules | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/servicemonitors | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/thanosrulers | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | monitoring.coreos.com/thanosrulers/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole prometheus-operator-operator | core/endpoints | create · delete · get · update | Low |
ClusterRole prometheus-operator-operator | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole prometheus-operator-operator | core/nodes | list · watch | Low |
ClusterRole prometheus-operator-operator | core/pods | delete · list | Low |
ClusterRole prometheus-operator-operator | core/services | create · delete · get · update | Low |
ClusterRole prometheus-operator-operator | core/services/finalizers | create · delete · get · update | Low |
ClusterRole prometheus-operator-operator-psp | policy/podsecuritypolicies (restricted to: prometheus-operator-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (15)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind | Name | Container | Image
Deployment | prometheus-operator-operator | prometheus-operator | quay.io/coreos/prometheus-operator:v0.38.1
Deployment | prometheus-operator-operator | tls-proxy | squareup/ghostunnel:v1.5.2

🤖 prometheus-operator-prometheus

Namespace: default  |  Automount:

🔑 Permissions (9)

Role | Resource | Verbs | Risk | Tags
ClusterRole prometheus-operator-prometheus | core/nodes/proxy | get · list · watch | Critical | AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole prometheus-operator-prometheus | core/endpoints | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | extensions/ingresses | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | networking.k8s.io/ingresses | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | core/nodes | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | core/nodes/metrics | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | core/pods | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus | core/services | get · list · watch | Low |
ClusterRole prometheus-operator-prometheus-psp | policy/podsecuritypolicies (restricted to: prometheus-operator-prometheus) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 prometheus-operator-grafana

Namespace: default  |  Automount:

🔑 Permissions (3)

Role | Resource | Verbs | Risk | Tags
ClusterRole prometheus-operator-grafana-clusterrole | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole prometheus-operator-grafana-clusterrole | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure
Role prometheus-operator-grafana | extensions/podsecuritypolicies (restricted to: prometheus-operator-grafana) | use | Low | ResourceNameRestricted

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind | Name | Container | Image
Deployment | prometheus-operator-grafana | grafana | grafana/grafana:7.0.5
Deployment | prometheus-operator-grafana | grafana-sc-dashboard | kiwigrid/k8s-sidecar:0.1.151

🤖 prometheus-operator-admission

Namespace: default  |  Automount:

🔑 Permissions (4)

Role | Resource | Verbs | Risk | Tags
ClusterRole prometheus-operator-admission | admissionregistration.k8s.io/mutatingwebhookconfigurations | get · update | Low |
Role prometheus-operator-admission | core/secrets | create · get | Low |
ClusterRole prometheus-operator-admission | admissionregistration.k8s.io/validatingwebhookconfigurations | get · update | Low |
ClusterRole prometheus-operator-admission | policy/podsecuritypolicies (restricted to: prometheus-operator-admission) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind | Name | Container | Image
Job | prometheus-operator-admission-create | create | jettech/kube-webhook-certgen:v1.2.1
Job | prometheus-operator-admission-patch | patch | jettech/kube-webhook-certgen:v1.2.1

🤖 prometheus-operator-alertmanager

Namespace: default  |  Automount:

🔑 Permissions (1)

Role | Resource | Verbs | Risk | Tags
Role prometheus-operator-alertmanager | policy/podsecuritypolicies (restricted to: prometheus-operator-alertmanager) | use | Low | ResourceNameRestricted

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 prometheus-operator-grafana-test

Namespace: default  |  Automount:

🔑 Permissions (1)

Role | Resource | Verbs | Risk | Tags
Role prometheus-operator-grafana-test | policy/podsecuritypolicies (restricted to: prometheus-operator-grafana-test) | use | Low | ResourceNameRestricted

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Pod | prometheus-operator-grafana-test | prometheus-operator-test | bats/bats:v1.1.0

🤖 prometheus-operator-prometheus-node-exporter

Namespace: default  |  Automount:

🔑 Permissions (1)

Role | Resource | Verbs | Risk | Tags
ClusterRole psp-prometheus-operator-prometheus-node-exporter | extensions/podsecuritypolicies (restricted to: prometheus-operator-prometheus-node-exporter) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
DaemonSet | prometheus-operator-prometheus-node-exporter | node-exporter | quay.io/prometheus/node-exporter:v1.0.0