wavefront
v4.4.3
2 Service Accounts
3 Workloads
48 Bindings
3 Critical
2 High
3 Medium
40 Low
Description
DEPRECATED Wavefront is a high-performance streaming analytics platform for monitoring and optimizing your environment and applications.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| wavefront-collector | default | ✅ | — | 17 | 1 | Critical |
| wavefront-kube-state-metrics | default | ✅ | — | 31 | 1 | Critical |
The Permissions and Workloads columns count how many bindings (granted rules) and workloads involve each ServiceAccount. Automount ✅ means the ServiceAccount token is mounted into every pod that runs as that identity, so a compromise of the workload yields these permissions directly.
Identities
🤖 wavefront-kube-state-metrics
Namespace: default | Automount: ✅
🔑 Permissions (31)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole wavefront-kube-state-metrics-default | core/secrets | list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole wavefront-kube-state-metrics-default | core/configmaps | list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole wavefront-kube-state-metrics-default | admissionregistration.k8s.io/mutatingwebhookconfigurations | list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| ClusterRole wavefront-kube-state-metrics-default | core/resourcequotas | list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
| ClusterRole wavefront-kube-state-metrics-default | certificates.k8s.io/certificatesigningrequests | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | batch/cronjobs | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | apps/daemonsets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | extensions/daemonsets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | apps/deployments | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | extensions/deployments | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/endpoints | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | autoscaling/horizontalpodautoscalers | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | extensions/ingresses | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | networking.k8s.io/ingresses | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | batch/jobs | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/limitranges | list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
| ClusterRole wavefront-kube-state-metrics-default | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole wavefront-kube-state-metrics-default | networking.k8s.io/networkpolicies | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/nodes | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/persistentvolumeclaims | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/persistentvolumes | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | policy/poddisruptionbudgets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/pods | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | apps/replicasets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | extensions/replicasets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/replicationcontrollers | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | core/services | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | apps/statefulsets | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | storage.k8s.io/storageclasses | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default | storage.k8s.io/volumeattachments | list · watch | Low | |
| ClusterRole wavefront-kube-state-metrics-default-psp | extensions/podsecuritypolicies (restricted to: wavefront-kube-state-metrics-default) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (11)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Use privileged PodSecurityPolicy (deprecated)
- List Namespaces (Cluster Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
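The tiers in the table above follow from the verbs and resources alone: `list` and `watch` return whole objects, so on Secrets they expose the same data as `get`, and wildcards outrank any per-resource tier. The following added example (mine, not the report's or the Wavefront chart's code) reproduces that classification over a ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` returns. The embedded ClusterRole is constructed from the wavefront-kube-state-metrics-default rows on this page, trimmed to the rows that decide a tier, and the tier table is the example's own simplification of the page's levels.

```python
import json
from dataclasses import dataclass

# Constructed sample: a ClusterRole in kubectl's JSON output form, built from the
# wavefront-kube-state-metrics-default rules listed on this page (trimmed; the
# remaining Low rows classify the same way as the Low rows kept here).
SAMPLE_CLUSTERROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "wavefront-kube-state-metrics-default"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["secrets", "configmaps", "resourcequotas",
                       "limitranges", "namespaces", "pods", "nodes"],
         "verbs": ["list", "watch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"],
         "verbs": ["list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
         "verbs": ["list", "watch"]},
    ],
})

# "list"/"watch" return full objects (Secret data included), so for read
# exposure they count the same as "get".
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Tier per (apiGroup, resource); anything absent is Low. This table is the
# example's own, matching the tiers shown on this page.
TIER_BY_RESOURCE = {
    ("", "secrets"): "Critical",
    ("", "nodes/proxy"): "Critical",
    ("", "configmaps"): "High",
    ("", "events"): "Medium",
    ("", "resourcequotas"): "Medium",
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"): "Medium",
}

@dataclass(frozen=True)
class Finding:
    api_group: str
    resource: str
    verbs: tuple
    risk: str

def expand_rules(clusterrole_json: str):
    """Flatten PolicyRules into one (group, resource, sorted verbs) triple per resource."""
    role = json.loads(clusterrole_json)
    for rule in role.get("rules", []):
        verbs = tuple(sorted(rule.get("verbs", [])))
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                yield group, resource, verbs

def classify(clusterrole_json: str):
    """Return one Finding per (group, resource), sorted worst-first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    findings = []
    for group, resource, verbs in expand_rules(clusterrole_json):
        verb_set = set(verbs)
        if "*" in verb_set or resource == "*" or group == "*":
            risk = "Critical"  # a wildcard grant dwarfs any per-resource tier
        elif verb_set & (READ_VERBS | WRITE_VERBS):
            risk = TIER_BY_RESOURCE.get((group, resource), "Low")
        else:
            risk = "Low"       # e.g. "use" on a named PodSecurityPolicy
        findings.append(Finding(group, resource, verbs, risk))
    return sorted(findings, key=lambda f: (order[f.risk], f.api_group, f.resource))

def summarize(clusterrole_json: str):
    """Count findings per tier, like the header block of this page."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in classify(clusterrole_json):
        counts[f.risk] += 1
    return counts

if __name__ == "__main__":
    for f in classify(SAMPLE_CLUSTERROLE):
        print(f"{f.risk:8} {f.api_group or 'core'}/{f.resource}  {' · '.join(f.verbs)}")
    print(summarize(SAMPLE_CLUSTERROLE))
```

Feed it the live object (`kubectl get clusterrole wavefront-kube-state-metrics-default -o json`) to confirm the deployed role still matches the chart's template; the Secrets row disappears from the Critical tier only once the `secrets` resource is removed from the rule, since RBAC cannot limit `list` to metadata.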
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | wavefront-kube-state-metrics | kube-state-metrics | docker.io/bitnami/kube-state-metrics:2.8.2-debian-11-r14 |
🤖 wavefront-collector
Namespace: default | Automount: ✅
🔑 Permissions (17)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole wavefront-collector | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
| ClusterRole wavefront-collector | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole wavefront-collector | core/configmaps | create · get · list · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole wavefront-collector | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole wavefront-collector | batch/cronjobs | get · list · watch | Low | |
| ClusterRole wavefront-collector | apps/daemonsets | get · list · watch | Low | |
| ClusterRole wavefront-collector | apps/deployments | get · list · watch | Low | |
| ClusterRole wavefront-collector | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
| ClusterRole wavefront-collector | batch/jobs | get · list · watch | Low | |
| ClusterRole wavefront-collector | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole wavefront-collector | core/nodes | get · list · watch | Low | |
| ClusterRole wavefront-collector | core/nodes/stats | get · list · watch | Low | |
| ClusterRole wavefront-collector | core/pods | get · list · watch | Low | |
| ClusterRole wavefront-collector | apps/replicasets | get · list · watch | Low | |
| ClusterRole wavefront-collector | core/replicationcontrollers | get · list · watch | Low | |
| ClusterRole wavefront-collector | core/services | get · list · watch | Low | |
| ClusterRole wavefront-collector | apps/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (8)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read events cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Node proxy GET RCE via WebSocket
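Both Critical rows on the collector come from grants a kubelet-scraping collector does not need: `get` on `nodes/proxy` lets the holder drive any kubelet's API through the API server (the exec path is a WebSocket upgrade on a GET, which is what the last item above refers to), while `nodes/stats` alone returns the summary metrics. The added example below (mine, not the chart's) takes the collector's grants as listed on this page, subtracts a required set, and emits the excess plus a trimmed ClusterRole and a namespaced Role. The required sets are assumptions about what a metrics collector uses, not statements from the page; in particular, ConfigMap `create`/`get`/`update`/`watch` is kept only inside the collector's own namespace on the assumption that it stores leader-election state there.

```python
import json

# Constructed from the wavefront-collector ClusterRole rows on this page, as
# the (apiGroup, resource, verb) triples that RBAC actually evaluates.
GRANTED = {
    ("", "nodes/proxy", "get"), ("", "nodes/proxy", "list"), ("", "nodes/proxy", "watch"),
    ("", "secrets", "get"), ("", "secrets", "list"), ("", "secrets", "watch"),
    ("", "configmaps", "create"), ("", "configmaps", "get"), ("", "configmaps", "list"),
    ("", "configmaps", "update"), ("", "configmaps", "watch"),
    ("", "events", "get"), ("", "events", "list"), ("", "events", "watch"),
    ("", "nodes", "get"), ("", "nodes", "list"), ("", "nodes", "watch"),
    ("", "nodes/stats", "get"), ("", "nodes/stats", "list"), ("", "nodes/stats", "watch"),
    ("", "pods", "get"), ("", "pods", "list"), ("", "pods", "watch"),
    ("apps", "deployments", "get"), ("apps", "deployments", "list"), ("apps", "deployments", "watch"),
}

# Assumed minimum for a kubelet-scraping collector (example's assumption, not
# the page's): node and pod inventory plus kubelet summary stats.
REQUIRED_CLUSTER = {
    ("", "nodes", "get"), ("", "nodes", "list"), ("", "nodes", "watch"),
    ("", "nodes/stats", "get"),
    ("", "pods", "get"), ("", "pods", "list"), ("", "pods", "watch"),
    ("apps", "deployments", "get"), ("apps", "deployments", "list"), ("apps", "deployments", "watch"),
}
# Assumed to be needed only in the collector's own namespace (leader-election
# ConfigMap); these move from the ClusterRole into a Role.
REQUIRED_NAMESPACED = {
    ("", "configmaps", "create"), ("", "configmaps", "get"),
    ("", "configmaps", "update"), ("", "configmaps", "watch"),
}

def excess(granted, required_cluster, required_namespaced):
    """Triples granted that neither required set justifies, sorted for display."""
    return sorted(granted - required_cluster - required_namespaced)

def misscoped(granted, required_namespaced):
    """Triples that are needed, but granted cluster-wide instead of in one namespace."""
    return sorted(granted & required_namespaced)

def to_rules(triples):
    """Fold triples back into PolicyRule objects, one per (group, resource)."""
    by_res = {}
    for group, resource, verb in sorted(triples):
        by_res.setdefault((group, resource), []).append(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(by_res.items())]

def hardened_manifests(name, namespace, granted):
    """Split one fat ClusterRole into a trimmed ClusterRole plus a namespaced Role."""
    clusterrole = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                   "metadata": {"name": name},
                   "rules": to_rules(granted & REQUIRED_CLUSTER)}
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": f"{name}-local", "namespace": namespace},
            "rules": to_rules(granted & REQUIRED_NAMESPACED)}
    return clusterrole, role

def grants(manifest, group, resource, verb):
    """True if any rule in the manifest covers the triple, wildcards included."""
    for rule in manifest["rules"]:
        if (group in rule["apiGroups"] or "*" in rule["apiGroups"]) \
                and (resource in rule["resources"] or "*" in rule["resources"]) \
                and (verb in rule["verbs"] or "*" in rule["verbs"]):
            return True
    return False

if __name__ == "__main__":
    print("excess cluster-wide grants:")
    for triple in excess(GRANTED, REQUIRED_CLUSTER, REQUIRED_NAMESPACED):
        print("  ", triple)
    cr, role = hardened_manifests("wavefront-collector", "default", GRANTED)
    print(json.dumps(cr, indent=2))
    print(json.dumps(role, indent=2))
```

After applying the two emitted manifests, the existing ClusterRoleBinding keeps pointing at the trimmed ClusterRole and a new RoleBinding in the collector's namespace binds the Role; verify with `kubectl auth can-i get nodes/proxy --as=system:serviceaccount:default:wavefront-collector`, which should now answer `no`.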
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | wavefront-collector | wavefront-collector | docker.io/bitnami/wavefront-kubernetes-collector:1.13.0-scratch-r16 |