Description

YugabyteDB Anywhere provides deployment, orchestration, and monitoring for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB cluster with multiple pods provided by Kubernetes or OpenShift and logically grouped together to form one logical distributed database.

Overview

IdentityNamespaceAutomountSecretsPermissionsWorkloadsRisk
yugawaredefault193Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 yugaware

Namespace: default  |  Automount:

🔑 Permissions (19)

RoleResourceVerbsRiskTags
ClusterRole yugawarecore/configmapscreate · delete · get · list · patch · update · watchCriticalConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole yugawarecore/endpointscreate · delete · get · list · patch · update · watchCriticalDenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole yugawarecore/nodescreate · delete · get · list · patch · update · watchCriticalDenialOfService NodeAccess PotentialPrivilegeEscalation Tampering
ClusterRole yugawarecore/nodes/proxycreate · delete · get · list · patch · update · watchCriticalAuthorizationBypass ClusterAdminAccess CodeExecution DataExposure ElevationOfPrivilege (+3 more)
ClusterRole yugawarecore/podscreate · delete · get · list · patch · update · watchCriticalLateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole yugawarecore/pods/execcreate · delete · get · list · patch · update · watchCriticalClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole yugawarecore/secretscreate · delete · get · list · patch · update · watchCriticalClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole yugawarecore/servicescreate · delete · get · list · patch · update · watchCriticalDenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole yugawareoperator.yugabyte.io/*create · delete · get · list · patch · update · watchHighClusterWideAccess WildcardPermission
ClusterRole yugawarecore/namespacescreate · delete · get · list · patch · update · watchHighClusterStructure DenialOfService InformationDisclosure NamespaceLifecycle Reconnaissance (+1 more)
ClusterRole yugawarecore/pods/portforwardcreate · delete · get · list · patch · update · watchHighClusterWidePodPortForward LateralMovement NetworkManipulation PodPortForward
ClusterRole yugawarecore/eventscreate · delete · get · list · patch · update · watchMediumInformationDisclosure OperationalData Reconnaissance
ClusterRole yugawarecert-manager.io/certificatescreate · delete · get · patchLow
ClusterRole yugawarecore/deploymentscreate · delete · get · list · update · watchLow
ClusterRole yugawareextensions/deploymentscreate · delete · get · list · update · watchLow
ClusterRole yugawareextensions/ingressesget · list · watchLow
ClusterRole yugawarepolicy/poddisruptionbudgetscreate · delete · get · patchLow
ClusterRole yugawareextensions/servicescreate · delete · get · list · update · watchLow
ClusterRole yugawareapps/statefulsetscreate · delete · get · patch · scaleLow

⚠️ Potential Abuse (28)

The following security risks were found based on the above permissions:

📦 Workloads (3)

KindNameContainerImage
StatefulSetyugaware-yugawarepostgrespostgres:14.9
StatefulSetyugaware-yugawareprometheusprom/prometheus:v2.46.0
StatefulSetyugaware-yugawareyugawarequay.io/yugabyte/yugaware:2.19.3.0-b140