grafana-agent :: RBAC ATLAS

Description

Grafana Agent

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`grafana-agent`	default	❌	—	36	2	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `grafana-agent`

Namespace: default | Automount: ❌

🔑 Permissions (36)

Role	Resource	Verbs	Risk	Tags
ClusterRole `grafana-agent`	core/nodes/proxy	get · list · watch	Critical	AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole `grafana-agent`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `grafana-agent`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `grafana-agent`	core/pods/log	get · list · watch	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
ClusterRole `grafana-agent`	core/events	get · list · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `grafana-agent`	core/endpoints	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/endpoints	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/endpoints	get · list · watch	Low
ClusterRole `grafana-agent`	core/endpointslices	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `grafana-agent`	core/ingresses	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/ingresses	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `grafana-agent`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `grafana-agent`	core/nodes	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/nodes	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/nodes	get · list · watch	Low
ClusterRole `grafana-agent`	core/nodes/metrics	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/nodes/metrics	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/nodes/metrics	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/nodes/proxy	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/nodes/proxy	get · list · watch	Low
ClusterRole `grafana-agent`	monitoring.grafana.com/podlogs	get · list · watch	Low
ClusterRole `grafana-agent`	monitoring.coreos.com/podmonitors	get · list · watch	Low
ClusterRole `grafana-agent`	core/pods	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/pods	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/pods	get · list · watch	Low
ClusterRole `grafana-agent`	monitoring.coreos.com/probes	get · list · watch	Low
ClusterRole `grafana-agent`	monitoring.coreos.com/prometheusrules	get · list · watch	Low
ClusterRole `grafana-agent`	apps/replicasets	get · list · watch	Low
ClusterRole `grafana-agent`	extensions/replicasets	get · list · watch	Low
ClusterRole `grafana-agent`	monitoring.coreos.com/servicemonitors	get · list · watch	Low
ClusterRole `grafana-agent`	core/services	get · list · watch	Low
ClusterRole `grafana-agent`	discovery.k8s.io/services	get · list · watch	Low
ClusterRole `grafana-agent`	networking.k8s.io/services	get · list · watch	Low

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
DaemonSet	grafana-agent	config-reloader	ghcr.io/jimmidyson/configmap-reload:v0.12.0
DaemonSet	grafana-agent	grafana-agent	docker.io/grafana/agent:v0.44.2

grafana-agent

Description

Overview

Identities

🤖 grafana-agent

🔑 Permissions (36)

⚠️ Potential Abuse (10)

📦 Workloads (2)

🤖 `grafana-agent`