ais-operator :: RBAC ATLAS

Description

A Helm chart for Kubernetes

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`(orphaned-bindings)`	—	—	—	29	0	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

⚠️ `(orphaned-bindings)`

Warning: The following RBAC bindings exist but are not associated with any active service accounts in the cluster.

🔑 Permissions (29)

Role	Resource	Verbs	Risk	Tags
ClusterRole `ais-operator-manager-role`	core/configmaps	create · delete · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `ais-operator-manager-role`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
Role `ais-operator-leader-election-role`	coordination.k8s.io/leases	create · delete · get · list · patch · update · watch	Critical	ControlPlaneDisruption CriticalNamespace DenialOfService Tampering
ClusterRole `ais-operator-manager-role`	core/pods	create · delete · get · list · update · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation WorkloadExecution
ClusterRole `ais-operator-manager-role`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `ais-operator-manager-role`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `ais-operator-manager-role`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
Role `ais-operator-leader-election-role`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `ais-operator-manager-role`	core/pods/log	get	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
ClusterRole `ais-operator-manager-role`	policy/poddisruptionbudgets	create · delete · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `ais-operator-manager-role`	rbac.authorization.k8s.io/rolebindings	create · delete · get · list · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `ais-operator-manager-role`	rbac.authorization.k8s.io/roles	create · delete · get · list · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `ais-operator-proxy-role`	authorization.k8s.io/subjectaccessreviews	create	Medium	InformationDisclosure RBACQuery
ClusterRole `ais-operator-proxy-role`	authentication.k8s.io/tokenreviews	create	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `ais-operator-manager-role`	ais.nvidia.com/aistores	create · delete · get · list · patch · update · watch	Low
ClusterRole `ais-operator-manager-role`	ais.nvidia.com/aistores/finalizers	update	Low
ClusterRole `ais-operator-manager-role`	ais.nvidia.com/aistores/status	get · patch · update	Low
ClusterRole `ais-operator-manager-role`	rbac.authorization.k8s.io/clusterrolebindings	delete	Low
ClusterRole `ais-operator-manager-role`	rbac.authorization.k8s.io/clusterroles	delete	Low
Role `ais-operator-leader-election-role`	coordination.k8s.io/configmaps	create · delete · get · list · patch · update · watch	Low
ClusterRole `ais-operator-manager-role`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `ais-operator-manager-role`	core/events	create · patch	Low
Role `ais-operator-leader-election-role`	core/events	create · patch	Low
ClusterRole `ais-operator-manager-role`	batch/jobs	delete · list · watch	Low
Role `ais-operator-leader-election-role`	core/leases	create · delete · get · list · patch · update · watch	Low
ClusterRole `ais-operator-manager-role`	core/nodes	get · list · watch	Low
ClusterRole `ais-operator-manager-role`	core/persistentvolumeclaims	delete · list · watch	Low
ClusterRole `ais-operator-manager-role`	core/serviceaccounts	create · delete · get · list · update · watch	Low
ClusterRole `ais-operator-manager-role`	storage.k8s.io/storageclasses	get · list · watch	Low

⚠️ Potential Abuse (22)

The following security risks were found based on the above permissions: