2 Service Accounts
1 Workloads
29 Bindings
7 Critical
13 High
2 Medium
7 Low
Description
Event-based autoscaler for workloads on Kubernetes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
keda-operator | default | ✅ | — | 28 | 3 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 keda-operator
Namespace: default | Automount: ✅
🔑 Permissions (28)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole keda-operator | * | get | Critical | ClusterAdminAccess ClusterWideAccess ClusterWideLogAccess CodeExecution (+7 more) |
ClusterRole keda-operator | //scale | * | Critical | ClusterAdminAccess ClusterWideAccess |
ClusterRole keda-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
ClusterRole keda-operator | batch/jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole keda-operator | coordination.k8s.io/leases | * | Critical | ClusterWideAccess ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse (+2 more) |
ClusterRole keda-operator | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role keda-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
ClusterRole keda-operator | keda.sh/clustertriggerauthentications | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/clustertriggerauthentications/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | core/configmaps/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | autoscaling/horizontalpodautoscalers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs/finalizers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects/finalizers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/triggerauthentications | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/triggerauthentications/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | core/events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance |
ClusterRole keda-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · patch · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole keda-operator | apiregistration.k8s.io/apiservices | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | apps/deployments | list · watch | Low | |
ClusterRole keda-operator | core/external | get · list · watch | Low | |
ClusterRole keda-operator | core/pods | get · list · watch | Low | |
ClusterRole keda-operator | core/serviceaccounts | list · watch | Low | |
ClusterRole keda-operator | core/services | get · list · watch | Low | |
ClusterRole keda-operator | apps/statefulsets | list · watch | Low |
⚠️ Potential Abuse (19)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
- Read events cluster-wide
- Manage Leases cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List ValidatingWebhookConfigurations (Reconnaissance)
- Node proxy GET RCE via WebSocket
📦 Workloads (3)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keda-admission-webhooks | keda-admission-webhooks | ghcr.io/kedacore/keda-admission-webhooks:2.10.1 |
| Deployment | keda-operator | keda-operator | ghcr.io/kedacore/keda:2.10.1 |
| Deployment | keda-operator-metrics-apiserver | keda-operator-metrics-apiserver | ghcr.io/kedacore/keda-metrics-apiserver:2.10.1 |