cost-analyzer
v2.7.2
3 Service Accounts
4 Workloads
35 Bindings
3 High
5 Medium
27 Low
Description
Kubecost Helm chart - monitor your cloud costs!
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
cost-analyzer | default | ❌ | — | 24 | 4 | High |
cost-analyzer-grafana | default | ❌ | — | 1 | 2 | High |
cost-analyzer-prometheus-server | default | ❌ | — | 10 | 1 | High |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 cost-analyzer
Namespace: default | Automount: ❌
🔑 Permissions (24)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
Role cost-analyzer | core/configmaps | get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cost-analyzer | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole cost-analyzer | events.k8s.io/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
Role cost-analyzer | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
ClusterRole cost-analyzer | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole cost-analyzer | batch/cronjobs | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/daemonsets | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/deployments | get · list · watch | Low | |
ClusterRole cost-analyzer | core/endpoints | get · list · watch | Low | |
ClusterRole cost-analyzer | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
ClusterRole cost-analyzer | batch/jobs | get · list · watch | Low | |
ClusterRole cost-analyzer | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole cost-analyzer | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole cost-analyzer | core/nodes | get · list · watch | Low | |
ClusterRole cost-analyzer | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole cost-analyzer | core/persistentvolumes | get · list · watch | Low | |
ClusterRole cost-analyzer | policy/poddisruptionbudgets | get · list · watch | Low | |
ClusterRole cost-analyzer | core/pods | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/replicasets | get · list · watch | Low | |
ClusterRole cost-analyzer | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole cost-analyzer | core/services | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/statefulsets | get · list · watch | Low | |
ClusterRole cost-analyzer | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read events cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer | aggregator | gcr.io/kubecost1/cost-model:prod-2.7.2 |
| Deployment | cost-analyzer | cloud-cost | gcr.io/kubecost1/cost-model:prod-2.7.2 |
| Deployment | cost-analyzer | cost-analyzer-frontend | gcr.io/kubecost1/frontend:prod-2.7.2 |
| Deployment | cost-analyzer | cost-model | gcr.io/kubecost1/cost-model:prod-2.7.2 |
🤖 cost-analyzer-prometheus-server
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer-prometheus-server | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cost-analyzer-prometheus-server | core/endpoints | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/ingresses | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | networking.k8s.io/ingresses/status | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/nodes | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/nodes/metrics | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/nodes/proxy | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/pods | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/services | get · list · watch | Low |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer-prometheus-server | prometheus-server | quay.io/prometheus/prometheus:v3.3.0 |
🤖 cost-analyzer-grafana
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer-grafana-clusterrole | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer-grafana | grafana | grafana/grafana:11.6.1 |
| Deployment | cost-analyzer-grafana | grafana-sc-dashboard | ghcr.io/kiwigrid/k8s-sidecar:1.30.3 |