Summary: 4 Service Accounts · 5 Workloads · 30 Bindings · Risk: 3 Critical, 2 High, 25 Low
Description: Falco
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
falco-talon | default | ❌ | — | 20 | 1 | Critical |
falco | default | ❌ | — | 1 | 2 | Low |
falco-k8s-metacollector | default | ❌ | — | 9 | 1 | Low |
falco-falcosidekick | default | ❌ | — | 0 | 1 | — |
The Permissions and Workloads columns give, respectively, the number of permission rows (bindings) and the number of workloads that involve each ServiceAccount; "—" in the Risk column means no rated permission was found.
Identities
🤖 falco-talon
Namespace: default | Automount: ❌
🔑 Permissions (20)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole falco-talon | core/nodes | create · get · patch · update · watch | Critical | DenialOfService NodeAccess PotentialPrivilegeEscalation Tampering |
ClusterRole falco-talon | core/pods | delete · get · list · patch · update | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution |
ClusterRole falco-talon | core/pods/exec | create · get | Critical | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more) |
ClusterRole falco-talon | core/namespaces | delete · get | High | DenialOfService NamespaceLifecycle ResourceDeletion |
ClusterRole falco-talon | core/pods/log | get | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
ClusterRole falco-talon | projectcalico.org/caliconetworkpolicies | create · get · patch · update | Low | |
ClusterRole falco-talon | cilium.io/ciliumnetworkpolicies | create · get · patch · update | Low | |
ClusterRole falco-talon | rbac.authorization.k8s.io/clusterroles | delete · get | Low | |
ClusterRole falco-talon | core/configmaps | delete · get | Low | |
ClusterRole falco-talon | apps/daemonsets | delete · get | Low | |
ClusterRole falco-talon | apps/deployments | delete · get | Low | |
ClusterRole falco-talon | core/events | create · get · patch · update | Low | |
ClusterRole falco-talon | coordination.k8s.io/leases | create · get · patch · update · watch | Low | |
ClusterRole falco-talon | networking.k8s.io/networkpolicies | create · get · patch · update | Low | |
ClusterRole falco-talon | core/pods/ephemeralcontainers | create · patch | Low | |
ClusterRole falco-talon | core/pods/eviction | create · get | Low | |
ClusterRole falco-talon | apps/replicasets | delete · get | Low | |
ClusterRole falco-talon | rbac.authorization.k8s.io/roles | delete · get | Low | |
ClusterRole falco-talon | core/secrets | delete · get | Low | |
ClusterRole falco-talon | apps/statefulsets | delete · get | Low | |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Cluster-wide pod exec
- Namespaced pod exec
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Modify node configuration (labels, taints)
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Delete namespaces
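The ratings above come down to a handful of verb/resource pairs: `create` on `pods/exec`, `patch`/`update` on `pods` and `nodes`, `delete` on `namespaces`, and `get` on `pods/log`. The script below is an added example, not part of this report or of the Falco project: it walks the `rules` of a Role or ClusterRole manifest, expands `apiGroups`/`resources`/`verbs`, and flags the matches against a small risk table. The sample `falco-talon` ClusterRole is constructed to mirror the Critical and High rows in the table above; the risk table itself is an assumption modelled on the report's own ratings, and the read-only role is constructed to resemble the `falco-k8s-metacollector` rows. Wildcard rules (`*`) are matched explicitly so that a `*`/`*`/`*` rule is not silently rated Low.

```python
"""Flag high-risk RBAC rules in Role/ClusterRole manifests.

Added example; not code from the audit tool or from Falco/Talon.
RISK_RULES is an assumption based on the report's ratings.
"""
from dataclasses import dataclass

# (apiGroup, resource, verb) -> (risk, tag).  "" is the core API group.
RISK_RULES = {
    ("", "pods/exec", "create"): ("Critical", "ClusterWidePodExec"),
    ("", "pods", "patch"): ("Critical", "Tampering"),
    ("", "pods", "update"): ("Critical", "Tampering"),
    ("", "nodes", "patch"): ("Critical", "NodeAccess"),
    ("", "nodes", "update"): ("Critical", "NodeAccess"),
    ("", "namespaces", "delete"): ("High", "NamespaceLifecycle"),
    ("", "pods/log", "get"): ("High", "LogAccess"),
}
SEVERITY = {"Critical": 3, "High": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    role: str
    resource: str  # "core/pods/exec" style, as in the report
    verb: str
    risk: str
    tag: str


def expand_rules(role):
    """Yield every (apiGroup, resource, verb) triple granted by the role.
    A missing apiGroups list defaults to the core group."""
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield group, resource, verb


def matches(triple, key):
    """True if a granted triple covers a risk-table key; '*' matches anything."""
    return all(got == "*" or got == want for got, want in zip(triple, key))


def audit(role):
    """Return the role's findings, worst first, deduplicated."""
    name = f'{role["kind"]} {role["metadata"]["name"]}'
    found = set()
    for triple in expand_rules(role):
        for key, (risk, tag) in RISK_RULES.items():
            if matches(triple, key):
                group = key[0] or "core"
                found.add(Finding(name, f"{group}/{key[1]}", key[2], risk, tag))
    return sorted(found, key=lambda f: (-SEVERITY[f.risk], f.resource, f.verb))


def overall_risk(findings):
    """Highest risk among the findings, or '—' when there are none."""
    return max((f.risk for f in findings), key=SEVERITY.__getitem__, default="—")


# Constructed sample: the Critical/High rows of the falco-talon ClusterRole above.
FALCO_TALON_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "falco-talon"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["create", "get", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["delete", "get", "list", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["delete", "get"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["configmaps", "secrets"],
         "verbs": ["delete", "get"]},
    ],
}

# Constructed sample resembling the read-only metacollector rows: no findings.
READ_ONLY_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "read-only-example"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods", "namespaces", "services"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: a cluster-admin style wildcard rule hits every key.
WILDCARD_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "wildcard-example"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for sample in (FALCO_TALON_CLUSTERROLE, READ_ONLY_CLUSTERROLE, WILDCARD_CLUSTERROLE):
        findings = audit(sample)
        print(f"{sample['metadata']['name']}: overall {overall_risk(findings)}")
        for f in findings:
            print(f"  {f.risk:8} {f.resource:16} {f.verb:7} {f.tag}")
```

Run it against a live manifest with `kubectl get clusterrole falco-talon -o json`, loaded with `json.load`, in place of the constructed dict. A static scan only shows what a role grants; to confirm what the bound ServiceAccount can actually do, impersonate it: `kubectl auth can-i create pods/exec --all-namespaces --as=system:serviceaccount:default:falco-talon`.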
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | falco-talon | falco-talon | falco.docker.scarf.sh/falcosecurity/falco-talon:0.3.0 |
🤖 falco-k8s-metacollector
Namespace: default | Automount: ❌
🔑 Permissions (9)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole falco-k8s-metacollector | apps/daemonsets | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | apps/deployments | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | core/endpoints | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole falco-k8s-metacollector | core/pods | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | apps/replicasets | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole falco-k8s-metacollector | core/services | get · list · watch | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | falco-k8s-metacollector | k8s-metacollector | docker.io/falcosecurity/k8s-metacollector:0.1.1 |
🤖 falco
Namespace: default | Automount: ❌
🔑 Permissions (1)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role falco | core/configmaps | get · list · update | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (2)
Kind | Name | Container | Image |
---|---|---|---|
DaemonSet | falco | falco | docker.io/falcosecurity/falco:0.41.1 |
DaemonSet | falco | falcoctl-artifact-follow | docker.io/falcosecurity/falcoctl:0.11.2 |
🤖 falco-falcosidekick
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | falco-falcosidekick | falcosidekick | docker.io/falcosecurity/falcosidekick:2.31.1 |