snapscheduler
v3.5.0
1 Service Accounts
1 Workloads
10 Bindings
1 Critical
1 High
2 Medium
6 Low
Description
An operator to take scheduled snapshots of Kubernetes persistent volumes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
snapscheduler | default | ❌ | — | 10 | 2 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 snapscheduler
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role snapscheduler-leader-election | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role snapscheduler-leader-election | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole snapscheduler-proxy | authorization.k8s.io/subjectaccessreviews | create | Medium | InformationDisclosure RBACQuery |
ClusterRole snapscheduler-proxy | authentication.k8s.io/tokenreviews | create | Medium | CredentialAccess InformationDisclosure RBACQuery |
Role snapscheduler-leader-election | core/events | create · patch | Low | |
ClusterRole snapscheduler | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole snapscheduler | snapscheduler.backube/snapshotschedules | create · delete · get · list · patch · update · watch | Low | |
ClusterRole snapscheduler | snapscheduler.backube/snapshotschedules/finalizers | update | Low | |
ClusterRole snapscheduler | snapscheduler.backube/snapshotschedules/status | get · patch · update | Low | |
ClusterRole snapscheduler | snapshot.storage.k8s.io/volumesnapshots | create · delete · get · list · patch · update · watch | Low |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Create TokenReviews (validate arbitrary tokens)
- Create SubjectAccessReviews (check arbitrary permissions)
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | snapscheduler | kube-rbac-proxy | quay.io/brancz/kube-rbac-proxy:v0.19.1@sha256:9f21034731c7c3228611b9d40807f3230ce8ed2b286b913bf2d1e760d8d866fc |
| Deployment | snapscheduler | manager | quay.io/backube/snapscheduler:3.5.0 |