k10 :: RBAC ATLAS

Description

Kasten’s K10 Data Management Platform

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`aggregatedapis-svc`	default	❌	—	42	1	Critical
`auth-svc`	default	❌	—	17	1	Critical
`catalog-svc`	default	❌	—	15	2	Critical
`crypto-svc`	default	❌	—	19	4	Critical
`frontend-svc`	default	❌	—	13	1	Critical
`gateway`	default	❌	—	13	1	Critical
`jobs-svc`	default	❌	—	14	1	Critical
`k10-kube-state-metrics`	default	✅	—	32	1	Critical
`logging-svc`	default	❌	—	13	1	Critical
`metering-svc`	default	❌	—	18	1	Critical
`state-svc`	default	❌	—	18	2	Critical
`prometheus-server`	default	❌	—	12	2	Medium
`controllermanager-svc`	default	❌	—	0	1	—
`dashboardbff-svc`	default	❌	—	0	2	—
`executor-svc`	default	❌	—	0	1	—
`k10-alertmanager`	default	✅	—	0	1	—
`k10-prometheus-node-exporter`	default	❌	—	0	1	—
`k10-prometheus-pushgateway`	default	✅	—	0	1	—
`kanister-svc`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `aggregatedapis-svc`

Namespace: default | Automount: ❌

🔑 Permissions (42)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kasten-aggregatedapis-svc`	*	list · watch	Critical	ClusterStructure ClusterWideAccess ClusterWideSecretAccess ConfigMapAccess CredentialAccess (+12 more)
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-aggregatedapis-svc`	core/secrets	*	Critical	ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-aggregatedapis-svc`	authorization.k8s.io/subjectaccessreviews	create · update	Medium	InformationDisclosure RBACQuery
ClusterRole `kasten-aggregatedapis-svc`	apiregistration.k8s.io/apiservices	create · update	Low
ClusterRole `kasten-aggregatedapis-svc`	core/configmaps	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	apiextensions.k8s.io/customresourcedefinitions	list	Low
ClusterRole `kasten-aggregatedapis-svc`	apps.openshift.io/deploymentconfigs	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	apps/deployments	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	networking.k8s.io/ingresses	list	Low
ClusterRole `kasten-aggregatedapis-svc`	core/namespaces	get · list	Low
Role `kasten-default`	core/namespaces	get	Low
ClusterRole `kasten-aggregatedapis-svc`	core/nodes	list	Low
ClusterRole `kasten-aggregatedapis-svc`	core/persistentvolumeclaims	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	core/persistentvolumes	create · get · list · update	Low
ClusterRole `kasten-aggregatedapis-svc`	core/pods	list	Low
ClusterRole `kasten-aggregatedapis-svc`	networking.k8s.aws/policyendpoints	list	Low
ClusterRole `kasten-aggregatedapis-svc`	apps/replicasets	list	Low
ClusterRole `kasten-aggregatedapis-svc`	core/replicationcontrollers	list	Low
ClusterRole `kasten-aggregatedapis-svc`	rbac.authorization.k8s.io/rolebindings	create · update	Low
ClusterRole `kasten-aggregatedapis-svc`	vpcresources.k8s.aws/securitygrouppolicies	list	Low
ClusterRole `kasten-aggregatedapis-svc`	authorization.k8s.io/selfsubjectaccessreviews	create · update	Low
ClusterRole `kasten-aggregatedapis-svc`	core/services	list	Low
ClusterRole `kasten-aggregatedapis-svc`	apps/statefulsets	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	storage.k8s.io/storageclasses	get	Low
ClusterRole `kasten-aggregatedapis-svc`	kubevirt.io/virtualmachineinstances	get	Low
ClusterRole `kasten-aggregatedapis-svc`	kubevirt.io/virtualmachines	get · list	Low
ClusterRole `kasten-aggregatedapis-svc`	snapshot.storage.k8s.io/volumesnapshotclasses	create · get · update	Low
ClusterRole `kasten-aggregatedapis-svc`	snapshot.storage.k8s.io/volumesnapshotcontents	create · get · update	Low
ClusterRole `kasten-aggregatedapis-svc`	snapshot.storage.k8s.io/volumesnapshots	list	Low

⚠️ Potential Abuse (52)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	aggregatedapis-svc	aggregatedapis-svc	gcr.io/kasten-images/aggregatedapis:8.5.1

🤖 `k10-kube-state-metrics`

Namespace: default | Automount: ✅

🔑 Permissions (32)

Role	Resource	Verbs	Risk	Tags
ClusterRole `k10-kube-state-metrics`	core/secrets	list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `k10-kube-state-metrics`	core/configmaps	list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `k10-kube-state-metrics`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `k10-kube-state-metrics`	core/resourcequotas	list · watch	Medium	InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration
ClusterRole `k10-kube-state-metrics`	admissionregistration.k8s.io/validatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `k10-kube-state-metrics`	certificates.k8s.io/certificatesigningrequests	list · watch	Low
ClusterRole `k10-kube-state-metrics`	batch/cronjobs	list · watch	Low
ClusterRole `k10-kube-state-metrics`	apps/daemonsets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	extensions/daemonsets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	apps/deployments	list · watch	Low
ClusterRole `k10-kube-state-metrics`	extensions/deployments	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/endpoints	list · watch	Low
ClusterRole `k10-kube-state-metrics`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `k10-kube-state-metrics`	extensions/ingresses	list · watch	Low
ClusterRole `k10-kube-state-metrics`	networking.k8s.io/ingresses	list · watch	Low
ClusterRole `k10-kube-state-metrics`	batch/jobs	list · watch	Low
ClusterRole `k10-kube-state-metrics`	coordination.k8s.io/leases	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/limitranges	list · watch	Low	InformationDisclosure Reconnaissance ResourceConfiguration
ClusterRole `k10-kube-state-metrics`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `k10-kube-state-metrics`	networking.k8s.io/networkpolicies	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/nodes	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/persistentvolumeclaims	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/persistentvolumes	list · watch	Low
ClusterRole `k10-kube-state-metrics`	policy/poddisruptionbudgets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/pods	list · watch	Low
ClusterRole `k10-kube-state-metrics`	apps/replicasets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	extensions/replicasets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/replicationcontrollers	list · watch	Low
ClusterRole `k10-kube-state-metrics`	core/services	list · watch	Low
ClusterRole `k10-kube-state-metrics`	apps/statefulsets	list · watch	Low
ClusterRole `k10-kube-state-metrics`	storage.k8s.io/storageclasses	list · watch	Low
ClusterRole `k10-kube-state-metrics`	storage.k8s.io/volumeattachments	list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	k10-kube-state-metrics	kube-state-metrics	registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.15.0

🤖 `crypto-svc`

Namespace: default | Automount: ❌

🔑 Permissions (19)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-crypto-svc`	core/namespaces	list	Low
Role `kasten-default`	core/namespaces	get	Low
ClusterRole `kasten-crypto-svc`	core/nodes	get	Low
ClusterRole `kasten-crypto-svc`	core/persistentvolumes	delete · list	Low
ClusterRole `kasten-crypto-svc`	snapshot.storage.k8s.io/volumesnapshotcontents	delete	Low
ClusterRole `kasten-crypto-svc`	snapshot.storage.k8s.io/volumesnapshots	list	Low

⚠️ Potential Abuse (41)

The following security risks were found based on the above permissions:

📦 Workloads (4)

Kind	Name	Container	Image
Deployment	crypto-svc	bloblifecyclemanager-svc	gcr.io/kasten-images/bloblifecyclemanager:8.5.1
Deployment	crypto-svc	crypto-svc	gcr.io/kasten-images/crypto:8.5.1
Deployment	crypto-svc	garbagecollector-svc	gcr.io/kasten-images/garbagecollector:8.5.1
Deployment	crypto-svc	repositories-svc	gcr.io/kasten-images/repositories:8.5.1

🤖 `metering-svc`

Namespace: default | Automount: ❌

🔑 Permissions (18)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-metering-svc`	core/namespaces	list	Low
Role `kasten-default`	core/namespaces	get	Low
ClusterRole `kasten-metering-svc`	core/nodes	list	Low
ClusterRole `kasten-metering-svc`	core/persistentvolumeclaims	list · watch	Low
ClusterRole `kasten-metering-svc`	storage.k8s.io/storageclasses	list	Low

⚠️ Potential Abuse (41)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	metering-svc	metering-svc	gcr.io/kasten-images/metering:8.5.1

🤖 `state-svc`

Namespace: default | Automount: ❌

🔑 Permissions (18)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-state-svc`	apps.openshift.io/deploymentconfigs	list · watch	Low
ClusterRole `kasten-state-svc`	apps/deployments	list · watch	Low
ClusterRole `kasten-state-svc`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `kasten-state-svc`	apps/statefulsets	list · watch	Low
ClusterRole `kasten-state-svc`	kubevirt.io/virtualmachines	list · watch	Low

⚠️ Potential Abuse (42)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	state-svc	events-svc	gcr.io/kasten-images/events:8.5.1
Deployment	state-svc	state-svc	gcr.io/kasten-images/state:8.5.1

🤖 `auth-svc`

Namespace: default | Automount: ❌

🔑 Permissions (17)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-auth-svc`	core/secrets	create · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-auth-svc`	authentication.k8s.io/tokenreviews	create · update	Medium	CredentialAccess InformationDisclosure RBACQuery
Role `kasten-default`	core/namespaces	get	Low
ClusterRole `kasten-auth-svc`	core/serviceaccounts/token	create · update	Low

⚠️ Potential Abuse (43)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	auth-svc	auth-svc	gcr.io/kasten-images/auth:8.5.1

🤖 `catalog-svc`

Namespace: default | Automount: ❌

🔑 Permissions (15)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-catalog-svc`	core/namespaces	list	Low
Role `kasten-default`	core/namespaces	get	Low

⚠️ Potential Abuse (41)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	catalog-svc	catalog-svc	gcr.io/kasten-images/catalog:8.5.1
Deployment	catalog-svc	kanister-sidecar	gcr.io/kasten-images/kanister-tools:8.5.1

🤖 `jobs-svc`

Namespace: default | Automount: ❌

🔑 Permissions (14)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
Role `kasten-default`	core/namespaces	get	Low

⚠️ Potential Abuse (41)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	jobs-svc	jobs-svc	gcr.io/kasten-images/jobs:8.5.1

🤖 `frontend-svc`

Namespace: default | Automount: ❌

🔑 Permissions (13)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission

⚠️ Potential Abuse (40)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	frontend-svc	frontend-svc	gcr.io/kasten-images/frontend:8.5.1

🤖 `gateway`

Namespace: default | Automount: ❌

🔑 Permissions (13)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission

⚠️ Potential Abuse (40)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	gateway	gateway	gcr.io/kasten-images/gateway:8.5.1

🤖 `logging-svc`

Namespace: default | Automount: ❌

🔑 Permissions (13)

Role	Resource	Verbs	Risk	Tags
Role `kasten-admin`	*	*	Critical	AvailabilityImpact BindingToPrivilegedRole CodeExecution ConfigMapAccess ControlPlaneDisruption (+40 more)
ClusterRole `kasten-svc-admin`	actions.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	apps.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	auth.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	config.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	cr.kanister.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	datamover.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dist.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	dr.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	reporting.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	repositories.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kasten-svc-admin`	vault.kio.kasten.io/*	*	High	ClusterWideAccess WildcardPermission

⚠️ Potential Abuse (40)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	logging-svc	logging-svc	gcr.io/kasten-images/logging:8.5.1

🤖 `prometheus-server`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
Role `k10-prometheus-server`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
Role `k10-prometheus-server`	core/endpoints	get · list · watch	Low
Role `k10-prometheus-server`	core/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	extensions/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	networking.k8s.io/ingresses	get · list · watch	Low
Role `k10-prometheus-server`	extensions/ingresses/status	get · list · watch	Low
Role `k10-prometheus-server`	networking.k8s.io/ingresses/status	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes/metrics	get · list · watch	Low
Role `k10-prometheus-server`	core/nodes/proxy	get · list · watch	Low
Role `k10-prometheus-server`	core/pods	get · list · watch	Low
Role `k10-prometheus-server`	core/services	get · list · watch	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read ConfigMaps in a namespace

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	prometheus-server	prometheus-server	gcr.io/kasten-images/prometheus:8.5.1
Deployment	prometheus-server	prometheus-server-configmap-reload	gcr.io/kasten-images/configmap-reload:8.5.1

🤖 `controllermanager-svc`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	controllermanager-svc	controllermanager-svc	gcr.io/kasten-images/controllermanager:8.5.1

🤖 `dashboardbff-svc`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (2)

Kind	Name	Container	Image
Deployment	dashboardbff-svc	dashboardbff-svc	gcr.io/kasten-images/dashboardbff:8.5.1
Deployment	dashboardbff-svc	vbrintegrationapi-svc	gcr.io/kasten-images/vbrintegrationapi:8.5.1

🤖 `executor-svc`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	executor-svc	executor-svc	gcr.io/kasten-images/executor:8.5.1

🤖 `k10-alertmanager`

Namespace: default | Automount: ✅

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
StatefulSet	k10-alertmanager	alertmanager	quay.io/prometheus/alertmanager:v0.28.1

🤖 `k10-prometheus-node-exporter`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
DaemonSet	k10-prometheus-node-exporter	node-exporter	quay.io/prometheus/node-exporter:v1.9.1

🤖 `k10-prometheus-pushgateway`

Namespace: default | Automount: ✅

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	k10-prometheus-pushgateway	pushgateway	quay.io/prometheus/pushgateway:v1.11.1

🤖 `kanister-svc`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kanister-svc	kanister-svc	gcr.io/kasten-images/kanister:8.5.1

k10

Description

Overview

Identities

🤖 aggregatedapis-svc

🔑 Permissions (42)

⚠️ Potential Abuse (52)

📦 Workloads (1)

🤖 k10-kube-state-metrics

🔑 Permissions (32)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 crypto-svc

🔑 Permissions (19)

⚠️ Potential Abuse (41)

📦 Workloads (4)

🤖 metering-svc

🔑 Permissions (18)

⚠️ Potential Abuse (41)

📦 Workloads (1)

🤖 state-svc

🔑 Permissions (18)

⚠️ Potential Abuse (42)

📦 Workloads (2)

🤖 auth-svc

🔑 Permissions (17)

⚠️ Potential Abuse (43)

📦 Workloads (1)

🤖 catalog-svc

🔑 Permissions (15)

⚠️ Potential Abuse (41)

📦 Workloads (2)

🤖 jobs-svc

🔑 Permissions (14)

⚠️ Potential Abuse (41)

📦 Workloads (1)

🤖 frontend-svc

🔑 Permissions (13)

⚠️ Potential Abuse (40)

📦 Workloads (1)

🤖 gateway

🔑 Permissions (13)

⚠️ Potential Abuse (40)

📦 Workloads (1)

🤖 logging-svc

🔑 Permissions (13)

⚠️ Potential Abuse (40)

📦 Workloads (1)

🤖 prometheus-server

🔑 Permissions (12)

⚠️ Potential Abuse (2)

📦 Workloads (2)

🤖 controllermanager-svc

🔑 Permissions (0)

📦 Workloads (1)

🤖 dashboardbff-svc

🔑 Permissions (0)

📦 Workloads (2)

🤖 executor-svc

🔑 Permissions (0)

📦 Workloads (1)

🤖 k10-alertmanager

🔑 Permissions (0)

📦 Workloads (1)

🤖 k10-prometheus-node-exporter

🔑 Permissions (0)

📦 Workloads (1)

🤖 k10-prometheus-pushgateway

🔑 Permissions (0)

📦 Workloads (1)

🤖 kanister-svc

🔑 Permissions (0)

📦 Workloads (1)

🤖 `aggregatedapis-svc`

🤖 `k10-kube-state-metrics`

🤖 `crypto-svc`

🤖 `metering-svc`

🤖 `state-svc`

🤖 `auth-svc`

🤖 `catalog-svc`

🤖 `jobs-svc`

🤖 `frontend-svc`

🤖 `gateway`

🤖 `logging-svc`

🤖 `prometheus-server`

🤖 `controllermanager-svc`

🤖 `dashboardbff-svc`

🤖 `executor-svc`

🤖 `k10-alertmanager`

🤖 `k10-prometheus-node-exporter`

🤖 `k10-prometheus-pushgateway`

🤖 `kanister-svc`