k10 :: RBAC ATLAS

Description

Kasten’s K10 Data Management Platform

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`prometheus-server`	default	❌	—	12	2	Medium
`k10-grafana`	default	❌	—	0	1	—
`k10-k10`	default	❌	—	0	21	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `prometheus-server`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
Role `k10-prometheus-server`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
Role `k10-prometheus-server`	core/endpoints	get · list · watch	Low
Role `k10-prometheus-server`	core/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	extensions/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	networking.k8s.io/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	extensions/ingresses/status	get · list · watch	Low
Role `k10-prometheus-server`	networking.k8s.io/ingresses/status	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes/metrics	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes/proxy	get · list · watch	Low
Role `k10-prometheus-server`	core/pods	get · list · watch	Low
Role `k10-prometheus-server`	core/services	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read ConfigMaps in a namespace

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	prometheus-server	prometheus-server	gcr.io/kasten-images/prometheus:6.0.1
Deployment	prometheus-server	prometheus-server-configmap-reload	gcr.io/kasten-images/configmap-reload:6.0.1

🤖 `k10-grafana`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	k10-grafana	grafana	gcr.io/kasten-images/grafana:6.0.1

🤖 `k10-k10`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (21)

Kind	Name	Container	Image
Deployment	aggregatedapis-svc	aggregatedapis-svc	gcr.io/kasten-images/aggregatedapis:6.0.1
Deployment	auth-svc	auth-svc	gcr.io/kasten-images/auth:6.0.1
Deployment	catalog-svc	catalog-svc	gcr.io/kasten-images/catalog:6.0.1
Deployment	catalog-svc	kanister-sidecar	ghcr.io/kanisterio/kanister-tools:0.92.0
Deployment	controllermanager-svc	controllermanager-svc	gcr.io/kasten-images/controllermanager:6.0.1
Deployment	crypto-svc	bloblifecyclemanager-svc	gcr.io/kasten-images/bloblifecyclemanager:6.0.1
Deployment	crypto-svc	crypto-svc	gcr.io/kasten-images/crypto:6.0.1
Deployment	crypto-svc	events-svc	gcr.io/kasten-images/events:6.0.1
Deployment	crypto-svc	garbagecollector-svc	gcr.io/kasten-images/garbagecollector:6.0.1
Deployment	dashboardbff-svc	dashboardbff-svc	gcr.io/kasten-images/dashboardbff:6.0.1
Deployment	dashboardbff-svc	vbrintegrationapi-svc	gcr.io/kasten-images/vbrintegrationapi:6.0.1
Deployment	executor-svc	executor-svc	gcr.io/kasten-images/executor:6.0.1
Deployment	executor-svc	tools	gcr.io/kasten-images/cephtool:6.0.1
Deployment	frontend-svc	frontend-svc	gcr.io/kasten-images/frontend:6.0.1
Deployment	gateway	ambassador	gcr.io/kasten-images/emissary:6.0.1
Deployment	jobs-svc	jobs-svc	gcr.io/kasten-images/jobs:6.0.1
Deployment	kanister-svc	kanister-svc	gcr.io/kasten-images/kanister:6.0.1
Deployment	logging-svc	logging-svc	gcr.io/kasten-images/logging:6.0.1
Deployment	metering-svc	metering-svc	gcr.io/kasten-images/metering:6.0.1
Deployment	state-svc	admin-svc	gcr.io/kasten-images/admin:6.0.1
Deployment	state-svc	state-svc	gcr.io/kasten-images/state:6.0.1

k10

Description

Overview

Identities

🤖 prometheus-server

🔑 Permissions (12)

⚠️ Potential Abuse (2)

📦 Workloads (2)

🤖 k10-grafana

🔑 Permissions (0)

📦 Workloads (1)

🤖 k10-k10

🔑 Permissions (0)

📦 Workloads (21)

🤖 `prometheus-server`

🤖 `k10-grafana`

🤖 `k10-k10`