keda v2.17.1
Service Accounts: 4 | Workloads: 3 | Bindings: 44
Findings: 2 Critical | 5 High | 1 Medium | 36 Low
Description
Event-based autoscaler for workloads on Kubernetes
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
keda-operator | default | ✅ | — | 38 | 1 | Critical |
keda-webhook | default | ✅ | — | 5 | 1 | Low |
keda-metrics-server | default | ✅ | — | 0 | 1 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 keda-operator
Namespace: default | Automount: ✅
🔑 Permissions (38)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole keda-operator | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
Role keda-operator-certs | coordination.k8s.io/leases | create · delete · get · list · patch · update · watch | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
ClusterRole keda-operator | / | get | High | ClusterWideAccess ClusterWideLogAccess DataExposure InformationDisclosure LogAccess (+1 more) |
ClusterRole keda-operator | //scale | get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole keda-operator | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole keda-operator | apps/deployments/scale | get · list · patch · update · watch | High | DenialOfService ResourceModification Tampering WorkloadLifecycle |
ClusterRole keda-operator | apps/statefulsets/scale | get · list · patch · update · watch | High | DataLoss DenialOfService ResourceModification Tampering WorkloadLifecycle |
ClusterRole keda-operator-minimal-cluster-role | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · patch · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole keda-operator-minimal-cluster-role | apiregistration.k8s.io/apiservices | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | eventing.keda.sh/cloudeventsources | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | eventing.keda.sh/cloudeventsources | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | eventing.keda.sh/cloudeventsources/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | eventing.keda.sh/cloudeventsources/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | eventing.keda.sh/clustercloudeventsources | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | eventing.keda.sh/clustercloudeventsources | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | eventing.keda.sh/clustercloudeventsources/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | eventing.keda.sh/clustercloudeventsources/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | keda.sh/clustertriggerauthentications | get · list · patch · update · watch | Low | |
ClusterRole keda-operator-minimal-cluster-role | keda.sh/clustertriggerauthentications/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | core/configmaps/status | get · list · watch | Low | |
ClusterRole keda-operator | apps/deployments | get · list · watch | Low | |
ClusterRole keda-operator | core/events | create · patch | Low | |
ClusterRole keda-operator | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · update · watch | Low | |
ClusterRole keda-operator | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole keda-operator | core/pods | get · list · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledjobs | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledjobs/finalizers | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledjobs/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledobjects | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledobjects/finalizers | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/scaledobjects/status | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | core/secrets | list · watch | Low | |
Role keda-operator-certs | core/secrets | create · get · update | Low | |
ClusterRole keda-operator | core/serviceaccounts | get · list · watch | Low | |
ClusterRole keda-operator | core/services | get · list · watch | Low | |
ClusterRole keda-operator | apps/statefulsets | get · list · watch | Low | |
ClusterRole keda-operator | keda.sh/triggerauthentications | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | keda.sh/triggerauthentications/status | get · list · patch · update · watch | Low | |
⚠️ Potential Abuse (13)
The following security risks were found based on the above permissions:
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
- Manage Leases in kube-system or kube-node-lease namespace
- List ValidatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Update Deployment Scale (Resource Abuse/DoS)
- Update StatefulSet Scale (Resource Abuse/DoS)
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | keda-operator | keda-operator | ghcr.io/kedacore/keda:2.17.1 |
🤖 keda-webhook
Namespace: default | Automount: ✅
🔑 Permissions (5)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole keda-operator-webhook | apps/deployments | get · list · watch | Low | |
ClusterRole keda-operator-webhook | autoscaling/horizontalpodautoscalers | list · watch | Low | |
ClusterRole keda-operator-webhook | core/limitranges | list | Low | |
ClusterRole keda-operator-webhook | keda.sh/scaledobjects | list · watch | Low | |
ClusterRole keda-operator-webhook | apps/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | keda-admission-webhooks | keda-admission-webhooks | ghcr.io/kedacore/keda-admission-webhooks:2.17.1 |
🤖 keda-metrics-server
Namespace: default | Automount: ✅
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | keda-operator-metrics-apiserver | keda-operator-metrics-apiserver | ghcr.io/kedacore/keda-metrics-apiserver:2.17.1 |