Description

Grafana Mimir

Overview

Identity                                  | Namespace | Automount | Secrets | Permissions | Workloads | Risk
------------------------------------------+-----------+-----------+---------+-------------+-----------+---------
grafana-agent-test-sa                     | default   |           |         | 7           | 0         | Critical
mimir-distributed-grafana-agent-operator  | default   |           |         | 25          | 1         | Critical
mimir-distributed-rollout-operator        | default   |           |         | 4           | 1         | Medium
mimir-distributed                         | default   |           |         | 0           | 17        |
minio-sa                                  | default   |           |         | 0           | 3         |

Numbers in the Permissions and Workloads columns indicate how many permission rules apply to, and how many workloads run as, each ServiceAccount. The Risk column carries the highest rating among that ServiceAccount's rules; it is empty for ServiceAccounts with no RBAC bindings.


Identities

🤖 mimir-distributed-grafana-agent-operator

Namespace: default  |  Automount:

🔑 Permissions (25)

Role                                                 | Resource                                              | Verbs                                                 | Risk     | Tags
-----------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------+-----------------------------------------------------------------------------------------------
ClusterRole mimir-distributed-grafana-agent-operator | core/configmaps                                       | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole mimir-distributed-grafana-agent-operator | apps/daemonsets                                       | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole mimir-distributed-grafana-agent-operator | apps/deployments                                      | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole mimir-distributed-grafana-agent-operator | core/endpoints                                        | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole mimir-distributed-grafana-agent-operator | core/secrets                                          | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole mimir-distributed-grafana-agent-operator | core/services                                         | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole mimir-distributed-grafana-agent-operator | apps/statefulsets                                     | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/grafanaagents                  | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/grafanaagents/finalizers       | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/integrations                   | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/integrations/finalizers        | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/logsinstances                  | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/logsinstances/finalizers       | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/metricsinstances               | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/metricsinstances/finalizers    | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | core/namespaces                                       | get · list · watch                                    | Low      | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole mimir-distributed-grafana-agent-operator | core/nodes                                            | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/podlogs                        | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.grafana.com/podlogs/finalizers             | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/podmonitors                     | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/podmonitors/finalizers          | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/probes                          | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/probes/finalizers               | get · list · update · watch                           | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/servicemonitors                 | get · list · watch                                    | Low      |
ClusterRole mimir-distributed-grafana-agent-operator | monitoring.coreos.com/servicemonitors/finalizers      | get · list · update · watch                           | Low      |

⚠️ Potential Abuse (20)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind       | Name                                     | Container              | Image
-----------+------------------------------------------+------------------------+------------------------------------------
Deployment | mimir-distributed-grafana-agent-operator | grafana-agent-operator | docker.io/grafana/agent-operator:v0.44.2

🤖 grafana-agent-test-sa

Namespace: default  |  Automount:

🔑 Permissions (7)

Role                              | Resource                      | Verbs              | Risk     | Tags
----------------------------------+-------------------------------+--------------------+----------+---------------------------------------------------------------------------------------------------
ClusterRole grafana-agent-test-cr | core/nodes/proxy              | get · list · watch | Critical | AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole grafana-agent-test-cr | core/endpoints                | get · list · watch | Low      |
ClusterRole grafana-agent-test-cr | networking.k8s.io/ingresses   | get · list · watch | Low      |
ClusterRole grafana-agent-test-cr | core/nodes                    | get · list · watch | Low      |
ClusterRole grafana-agent-test-cr | core/nodes/metrics            | get · list · watch | Low      |
ClusterRole grafana-agent-test-cr | core/pods                     | get · list · watch | Low      |
ClusterRole grafana-agent-test-cr | core/services                 | get · list · watch | Low      |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 mimir-distributed-rollout-operator

Namespace: default  |  Automount:

🔑 Permissions (4)

Role                                                                | Resource                                                    | Verbs                 | Risk   | Tags
--------------------------------------------------------------------+-------------------------------------------------------------+-----------------------+--------+-------------------------------------------------------------
ClusterRole mimir-distributed-rollout-operator-webhook-clusterrole  | admissionregistration.k8s.io/mutatingwebhookconfigurations  | list · patch · watch  | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole mimir-distributed-rollout-operator-webhook-clusterrole  | admissionregistration.k8s.io/validatingwebhookconfigurations | list · patch · watch  | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance
Role mimir-distributed-rollout-operator-webhook-role                | core/secrets                                                | create                | Low    |
Role mimir-distributed-rollout-operator-webhook-role                | core/secrets (restricted to: certificate)                   | get · update          | Low    | ResourceNameRestricted

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind       | Name                               | Container        | Image
-----------+------------------------------------+------------------+----------------------------------
Deployment | mimir-distributed-rollout-operator | rollout-operator | grafana/rollout-operator:v0.32.0

🤖 mimir-distributed

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (17)

Kind        | Name                                    | Container          | Image
------------+-----------------------------------------+--------------------+-----------------------------------------------
Deployment  | mimir-distributed-distributor           | distributor        | grafana/mimir:r366-febf61b9
Deployment  | mimir-distributed-gateway               | gateway            | docker.io/nginxinc/nginx-unprivileged:1.29-alpine
Deployment  | mimir-distributed-overrides-exporter    | overrides-exporter | grafana/mimir:r366-febf61b9
Deployment  | mimir-distributed-querier               | querier            | grafana/mimir:r366-febf61b9
Deployment  | mimir-distributed-query-frontend        | query-frontend     | grafana/mimir:r366-febf61b9
Deployment  | mimir-distributed-query-scheduler       | query-scheduler    | grafana/mimir:r366-febf61b9
Deployment  | mimir-distributed-ruler                 | ruler              | grafana/mimir:r366-febf61b9
Job         | mimir-distributed-smoke-test            | smoke-test         | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-alertmanager          | alertmanager       | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-compactor             | compactor          | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-ingester-zone-a       | ingester           | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-ingester-zone-b       | ingester           | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-ingester-zone-c       | ingester           | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-kafka                 | kafka              | apache/kafka-native:4.1.0
StatefulSet | mimir-distributed-store-gateway-zone-a  | store-gateway      | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-store-gateway-zone-b  | store-gateway      | grafana/mimir:r366-febf61b9
StatefulSet | mimir-distributed-store-gateway-zone-c  | store-gateway      | grafana/mimir:r366-febf61b9

🤖 minio-sa

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (3)

Kind       | Name                             | Container         | Image
-----------+----------------------------------+-------------------+-----------------------------------------------
Deployment | mimir-distributed-minio          | minio             | quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z
Job        | mimir-distributed-minio-post-job | minio-make-bucket | quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
Job        | mimir-distributed-minio-post-job | minio-make-user   | quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
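The permission tables above only list rules; the script below is an added example (not the reporting tool's logic and not Grafana Mimir code) that re-derives findings from them offline, so the ratings can be checked or re-run after a RBAC change. RULES and OVERVIEW are transcribed from the tables for the three bound ServiceAccounts and the two unbound ones; rows that carry no finding are abbreviated. The severity heuristics in assess() are this example's own assumptions, and they differ from the report in one place: patch on mutating/validatingwebhookconfigurations is rated High here, because patch on those objects can repoint a webhook's clientConfig, whereas the report rates the rows Medium. The scope check also assumes every ClusterRole is bound by a ClusterRoleBinding; a ClusterRole bound through a RoleBinding is namespace-scoped and the page does not show the bindings.

```python
"""Offline re-derivation of the RBAC findings above (added example).

RULES/OVERVIEW are transcribed from this page; assess() holds the example's
own heuristics, not the reporting tool's.
"""
from __future__ import annotations

from dataclasses import dataclass

READ = frozenset({"get", "list", "watch"})
WRITE = frozenset({"create", "update", "patch"})
ALL = READ | WRITE | {"delete"}
WORKLOADS = frozenset({"pods", "deployments", "daemonsets", "statefulsets",
                       "replicasets", "jobs", "cronjobs"})
SEVERITY = ("Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Rule:
    role: str                           # "ClusterRole/<name>" or "Role/<name>"
    group: str                          # "" is the core API group
    resource: str                       # may carry a subresource, e.g. "nodes/proxy"
    verbs: frozenset
    names: frozenset = frozenset()      # resourceNames restriction, if any


AGENT_OP = "ClusterRole/mimir-distributed-grafana-agent-operator"
TEST_CR = "ClusterRole/grafana-agent-test-cr"
WEBHOOK_CR = "ClusterRole/mimir-distributed-rollout-operator-webhook-clusterrole"
WEBHOOK_ROLE = "Role/mimir-distributed-rollout-operator-webhook-role"

# Transcribed from the permission tables (Low-risk read-only rows abbreviated).
RULES = {
    "mimir-distributed-grafana-agent-operator": [
        Rule(AGENT_OP, "", "configmaps", ALL),
        Rule(AGENT_OP, "apps", "daemonsets", ALL),
        Rule(AGENT_OP, "apps", "deployments", ALL),
        Rule(AGENT_OP, "", "endpoints", ALL),
        Rule(AGENT_OP, "", "secrets", ALL),
        Rule(AGENT_OP, "", "services", ALL),
        Rule(AGENT_OP, "apps", "statefulsets", ALL),
        Rule(AGENT_OP, "", "nodes", READ),
    ],
    "grafana-agent-test-sa": [
        Rule(TEST_CR, "", "nodes/proxy", READ),
        Rule(TEST_CR, "", "nodes", READ),
        Rule(TEST_CR, "", "pods", READ),
    ],
    "mimir-distributed-rollout-operator": [
        Rule(WEBHOOK_CR, "admissionregistration.k8s.io",
             "mutatingwebhookconfigurations", frozenset({"list", "patch", "watch"})),
        Rule(WEBHOOK_CR, "admissionregistration.k8s.io",
             "validatingwebhookconfigurations", frozenset({"list", "patch", "watch"})),
        Rule(WEBHOOK_ROLE, "", "secrets", frozenset({"create"})),
        Rule(WEBHOOK_ROLE, "", "secrets", frozenset({"get", "update"}),
             frozenset({"certificate"})),
    ],
    "mimir-distributed": [],
    "minio-sa": [],
}

# (permission rules, workloads) per ServiceAccount, from the Overview table.
OVERVIEW = {
    "grafana-agent-test-sa": (7, 0),
    "mimir-distributed-grafana-agent-operator": (25, 1),
    "mimir-distributed-rollout-operator": (4, 1),
    "mimir-distributed": (0, 17),
    "minio-sa": (0, 3),
}


def assess(rule):
    """Return (severity, reason) for one rule, or None if it is benign."""
    # Assumption: ClusterRoles are bound cluster-wide; a RoleBinding would narrow this.
    cluster_wide = rule.role.startswith("ClusterRole/") and not rule.names
    r, v = rule.resource, rule.verbs
    if r == "nodes/proxy" and "get" in v:
        return "Critical", "GET on nodes/proxy reaches every kubelet's API through the apiserver"
    if r == "secrets" and v & READ:
        if rule.names:
            return "Low", f"secret read limited to resourceNames {sorted(rule.names)}"
        scope = "in every namespace" if cluster_wide else "in one namespace"
        return ("Critical" if cluster_wide else "Medium"), f"reads secrets {scope}"
    if r in WORKLOADS and v & WRITE:
        where = "in any namespace" if cluster_wide else "in the Role's namespace"
        return "Critical", f"creates/modifies {r} {where}: runs chosen images under any ServiceAccount there"
    if r.endswith("webhookconfigurations") and v & WRITE:
        # Rated High here (the report says Medium): patch can repoint clientConfig.
        return "High", f"{sorted(v & WRITE)} on {r} can repoint admission webhooks"
    if r in {"endpoints", "services"} and v & WRITE:
        return "High", f"writes {r}: in-cluster traffic can be redirected"
    if r == "configmaps" and v & WRITE:
        return "Medium", "writes configmaps that other workloads consume as config"
    return None


def audit(sa):
    """Findings for one ServiceAccount as (severity, resource, reason), worst first."""
    found = []
    for rule in RULES[sa]:
        hit = assess(rule)
        if hit:
            found.append((hit[0], rule.resource, hit[1]))
    return sorted(found, key=lambda f: -SEVERITY.index(f[0]))


def highest(sa):
    findings = audit(sa)
    return findings[0][0] if findings else None


def unbound_with_workloads():
    """SAs with no RBAC but running pods: set automountServiceAccountToken=false on them."""
    return sorted(sa for sa, (perms, wl) in OVERVIEW.items() if perms == 0 and wl > 0)
```

Calling audit("mimir-distributed-grafana-agent-operator") returns the secrets, daemonsets, deployments and statefulsets rules as Critical, endpoints and services as High and configmaps as Medium, matching the report's top rating; audit("grafana-agent-test-sa") returns only the nodes/proxy rule. unbound_with_workloads() lists mimir-distributed and minio-sa, the two ServiceAccounts whose 20 pods carry an API token they have no binding to use.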