1 Service Accounts
1 Workloads
28 Bindings
5 Critical
2 High
3 Medium
18 Low
Description
A Helm chart for Kubernetes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
(orphaned-bindings) | — | — | — | 28 | 0 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
⚠️ (orphaned-bindings)
Warning: The following RBAC bindings exist but are not associated with any active service accounts in the cluster.
🔑 Permissions (28)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole ais-operator-manager-role | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole ais-operator-manager-role | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
Role ais-operator-leader-election-role | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole ais-operator-manager-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole ais-operator-manager-role | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
Role ais-operator-leader-election-role | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole ais-operator-manager-role | core/pods/log | get | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
ClusterRole ais-operator-manager-role | policy/poddisruptionbudgets | create · delete · get · patch · update | Medium | AvailabilityImpact DenialOfService Tampering |
ClusterRole ais-operator-proxy-role | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole ais-operator-proxy-role | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
ClusterRole ais-operator-manager-role | ais.nvidia.com/aistores | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ais-operator-manager-role | ais.nvidia.com/aistores/finalizers | update | Low | |
ClusterRole ais-operator-manager-role | ais.nvidia.com/aistores/status | get · patch · update | Low | |
ClusterRole ais-operator-manager-role | rbac.authorization.k8s.io/clusterrolebindings | delete | Low | |
ClusterRole ais-operator-manager-role | rbac.authorization.k8s.io/clusterroles | delete | Low | |
Role ais-operator-leader-election-role | coordination.k8s.io/configmaps | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ais-operator-manager-role | discovery.k8s.io/endpointslices | get · list | Low | |
ClusterRole ais-operator-manager-role | core/events | create · patch | Low | |
Role ais-operator-leader-election-role | core/events | create · patch | Low | |
ClusterRole ais-operator-manager-role | batch/jobs | list | Low | |
Role ais-operator-leader-election-role | core/leases | create · delete · get · list · patch · update · watch | Low | |
ClusterRole ais-operator-manager-role | core/nodes | get · list · watch | Low | |
ClusterRole ais-operator-manager-role | core/persistentvolumeclaims | delete · list | Low | |
ClusterRole ais-operator-manager-role | core/pods | delete · get · list · watch | Low | |
ClusterRole ais-operator-manager-role | rbac.authorization.k8s.io/rolebindings | create · delete · update | Low | |
ClusterRole ais-operator-manager-role | rbac.authorization.k8s.io/roles | create · delete · update | Low | |
ClusterRole ais-operator-manager-role | core/secrets | get · list | Low | |
ClusterRole ais-operator-manager-role | core/serviceaccounts | create · delete · update | Low |
⚠️ Potential Abuse (17)
The following security risks were found based on the above permissions:
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage Services cluster-wide
- Manage Services in a namespace
- Manage PodDisruptionBudgets cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace