victoria-metrics-operator

Description

Victoria Metrics Operator

https://github.com/VictoriaMetrics/operator

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`victoria-metrics-operator`	default	❌	—	52	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `victoria-metrics-operator`

Namespace: default | Automount: ❌

🔑 Permissions (52)

Role	Resource	Verbs	Risk	Tags
ClusterRole `victoria-metrics-operator`	core/configmaps	* · get · list · watch	Critical	ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole `victoria-metrics-operator`	apps/deployments	*	Critical	ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole `victoria-metrics-operator`	core/endpoints	* · get · list · watch	Critical	ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more)
ClusterRole `victoria-metrics-operator`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `victoria-metrics-operator`	core/pods	* · get · list · watch	Critical	ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more)
ClusterRole `victoria-metrics-operator`	policy/podsecuritypolicies	create · get · list · patch · update · use · watch	Critical	DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation
ClusterRole `victoria-metrics-operator`	core/secrets	*	Critical	ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole `victoria-metrics-operator`	core/services	* · get · list · watch	Critical	ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more)
ClusterRole `victoria-metrics-operator`	apps/statefulsets	*	Critical	ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole `victoria-metrics-operator`	monitoring.coreos.com/*	*	High	ClusterWideAccess WildcardPermission
Role `victoria-metrics-operator`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `victoria-metrics-operator`	core/persistentvolumeclaims	*	High	ClusterWideAccess WildcardPermission
ClusterRole `victoria-metrics-operator`	apps/replicasets	*	High	ClusterWideAccess WildcardPermission
ClusterRole `victoria-metrics-operator`	core/services/finalizers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `victoria-metrics-operator`	rbac.authorization.k8s.io/clusterrolebindings	create · get · list · patch · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `victoria-metrics-operator`	rbac.authorization.k8s.io/clusterroles	create · get · list · patch · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `victoria-metrics-operator`	core/events	*	Medium	ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission
Role `victoria-metrics-operator`	core/configmaps/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	core/endpointslices	get · list · watch	Low
Role `victoria-metrics-operator`	core/events	create · patch	Low
ClusterRole `victoria-metrics-operator`	extensions/ingresses	get · list · watch	Low
ClusterRole `victoria-metrics-operator`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `victoria-metrics-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `victoria-metrics-operator`	core/nodes	get · list · watch	Low
ClusterRole `victoria-metrics-operator`	core/serviceaccounts	create · get · list · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmagents	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmagents/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmagents/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalertmanagers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalertmanagers/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalertmanagers/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalerts	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalerts/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmalerts/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmclusters	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmclusters/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmclusters/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmpodscrapes	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmpodscrapes/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmprobes	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmprobes/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmprobscrapes/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmrules	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmrules/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmrules/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmservicescrapes	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmservicescrapes/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmservicescrapes/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmsingles	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmsingles/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `victoria-metrics-operator`	operator.victoriametrics.com/vmsingles/status	get · patch · update	Low
ClusterRole `victoria-metrics-operator-psp`	policy/podsecuritypolicies (restricted to: victoria-metrics-operator)	use	Low	DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (27)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	victoria-metrics-operator	victoria-metrics-operator	victoriametrics/operator:v0.5.0

victoria-metrics-operator

Description

Overview

Identities

🤖 victoria-metrics-operator

🔑 Permissions (52)

⚠️ Potential Abuse (27)

📦 Workloads (1)

🤖 `victoria-metrics-operator`