k8up
v4.8.4
2 Service Accounts
2 Workloads
40 Bindings
2 Critical
1 Medium
37 Low
Description
Kubernetes and OpenShift Backup Operator based on restic
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
k8up | default | ❌ | — | 37 | 1 | Critical |
cleanup-service-account | default | ❌ | — | 3 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 k8up
Namespace: default | Automount: ❌
🔑 Permissions (37)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole k8up-manager | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8up-manager | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8up-manager | rbac.authorization.k8s.io/rolebindings | create · delete · get · list · update · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole k8up-manager | k8up.io/archives | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/archives/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/archives/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/backups | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/backups/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/backups/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/checks | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/checks/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/checks/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/effectiveschedules | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/effectiveschedules/finalizers | update | Low | |
ClusterRole k8up-manager | core/events | create · patch | Low | |
ClusterRole k8up-manager | coordination.k8s.io/leases | create · get · list · update | Low | |
ClusterRole k8up-manager | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole k8up-manager | core/persistentvolumes | get · list · watch | Low | |
ClusterRole k8up-manager | k8up.io/podconfigs | get · list · watch | Low | |
ClusterRole k8up-manager | core/pods | get · list · watch | Low | |
ClusterRole k8up-manager | k8up.io/prebackuppods | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/prebackuppods/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/prebackuppods/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/prunes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/prunes/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/prunes/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/restores | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/restores/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/restores/status | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/schedules | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/schedules/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/schedules/status | get · patch · update | Low | |
ClusterRole k8up-manager | core/serviceaccounts | create · delete · get · list · watch | Low | |
ClusterRole k8up-manager | k8up.io/snapshots | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8up-manager | k8up.io/snapshots/finalizers | get · patch · update | Low | |
ClusterRole k8up-manager | k8up.io/snapshots/status | get · patch · update | Low | |
ClusterRole k8up-manager | rbac.authorization.k8s.io/clusterroles (restricted to: k8up-executor) | bind | Low | BindingToPrivilegedRole ClusterAdminAccess PrivilegeEscalation RBACManipulation ResourceNameRestricted |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Bind ClusterRoles to identities (bind verb)
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
- Read RBAC configuration cluster-wide
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | k8up | k8up-operator | ghcr.io/k8up-io/k8up:v2.12.0 |
🤖 cleanup-service-account
Namespace: default | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole k8up-cleanup-roles | core/namespaces | get · list | Low | |
ClusterRole k8up-cleanup-roles | rbac.authorization.k8s.io/rolebindings | delete | Low | |
ClusterRole k8up-cleanup-roles | rbac.authorization.k8s.io/roles | delete | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | k8up-cleanup | k8up-cleanup | docker.io/bitnami/kubectl:latest |