1 Service Accounts
1 Workloads
21 Bindings
1 Critical
1 High
19 Low
Description
A Traefik-based Kubernetes ingress controller
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
traefik | default | ❌ | — | 21 | 1 | Critical |
The numbers in the Permissions and Workloads columns indicate how many bindings and workloads involve each ServiceAccount.
Identities
🤖 traefik
Namespace: default | Automount: ❌
🔑 Permissions (21)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole traefik-default | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole traefik-default | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole traefik-default | discovery.k8s.io/endpointslices | list · watch | Low | |
ClusterRole traefik-default | extensions/ingressclasses | get · list · watch | Low | |
ClusterRole traefik-default | networking.k8s.io/ingressclasses | get · list · watch | Low | |
ClusterRole traefik-default | extensions/ingresses | get · list · watch | Low | |
ClusterRole traefik-default | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole traefik-default | extensions/ingresses/status | update | Low | |
ClusterRole traefik-default | networking.k8s.io/ingresses/status | update | Low | |
ClusterRole traefik-default | traefik.io/ingressroutes | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/ingressroutetcps | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/ingressrouteudps | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/middlewares | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/middlewaretcps | get · list · watch | Low | |
ClusterRole traefik-default | core/nodes | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/serverstransports | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/serverstransporttcps | get · list · watch | Low | |
ClusterRole traefik-default | core/services | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/tlsoptions | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/tlsstores | get · list · watch | Low | |
ClusterRole traefik-default | traefik.io/traefikservices | get · list · watch | Low | |
⚠️ Potential Abuse (5)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | traefik | traefik | docker.io/traefik:v3.4.1 |