4 Service Accounts
3 Workloads
39 Bindings
4 Critical
18 High
2 Medium
15 Low
Description
Event-based autoscaler for workloads on Kubernetes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
keda-operator | default | ✅ | — | 33 | 1 | Critical |
keda-webhook | default | ✅ | — | 5 | 1 | Low |
keda-metrics-server | default | ✅ | — | 0 | 1 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 keda-operator
Namespace: default | Automount: ✅
🔑 Permissions (33)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole keda-operator | * | get | Critical | ClusterAdminAccess ClusterWideAccess ClusterWideLogAccess CodeExecution (+7 more) |
ClusterRole keda-operator | batch/jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
Role keda-operator-certs | coordination.k8s.io/leases | * | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService NamespaceAdmin NamespaceWideAccess (+2 more) |
ClusterRole keda-operator | core/secrets | list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole keda-operator | //scale | get · list · patch · update · watch | High | ClusterWideAccess |
ClusterRole keda-operator | eventing.keda.sh/cloudeventsources | * | High | ClusterWideAccess |
ClusterRole keda-operator | eventing.keda.sh/cloudeventsources/status | * | High | ClusterWideAccess |
ClusterRole keda-operator-minimal-cluster-role | keda.sh/clustertriggerauthentications | * | High | ClusterWideAccess |
ClusterRole keda-operator-minimal-cluster-role | keda.sh/clustertriggerauthentications/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole keda-operator | apps/deployments/scale | get · list · patch · update · watch | High | DenialOfService ResourceModification Tampering WorkloadLifecycle |
ClusterRole keda-operator | autoscaling/horizontalpodautoscalers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs/finalizers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledjobs/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects/finalizers | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/scaledobjects/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | apps/statefulsets/scale | get · list · patch · update · watch | High | DataLoss DenialOfService ResourceModification Tampering WorkloadLifecycle |
ClusterRole keda-operator | keda.sh/triggerauthentications | * | High | ClusterWideAccess |
ClusterRole keda-operator | keda.sh/triggerauthentications/status | * | High | ClusterWideAccess |
ClusterRole keda-operator | core/events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance |
ClusterRole keda-operator-minimal-cluster-role | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · patch · update · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole keda-operator-minimal-cluster-role | apiregistration.k8s.io/apiservices | get · list · patch · update · watch | Low | |
ClusterRole keda-operator | core/configmaps/status | get · list · watch | Low | |
ClusterRole keda-operator | apps/deployments | get · list · watch | Low | |
ClusterRole keda-operator | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole keda-operator | core/pods | get · list · watch | Low | |
Role keda-operator-certs | core/secrets | create · update | Low | |
ClusterRole keda-operator | core/serviceaccounts | get · list · watch | Low | |
ClusterRole keda-operator | core/services | get · list · watch | Low | |
ClusterRole keda-operator | apps/statefulsets | get · list · watch | Low | |
Role keda-operator-certs | core/secrets (restricted to: kedaorg-certs) | get | Low | ResourceNameRestricted |
⚠️ Potential Abuse (18)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
- Read events cluster-wide
- Manage Leases in kube-system or kube-node-lease namespace
- List ValidatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Update Deployment Scale (Resource Abuse/DoS)
- Update StatefulSet Scale (Resource Abuse/DoS)
- Node proxy GET RCE via WebSocket
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keda-operator | keda-operator | ghcr.io/kedacore/keda:2.15.1 |
🤖 keda-webhook
Namespace: default | Automount: ✅
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole keda-operator-webhook | apps/deployments | get · list · watch | Low | |
ClusterRole keda-operator-webhook | autoscaling/horizontalpodautoscalers | list · watch | Low | |
ClusterRole keda-operator-webhook | core/limitranges | list | Low | |
ClusterRole keda-operator-webhook | keda.sh/scaledobjects | list · watch | Low | |
ClusterRole keda-operator-webhook | apps/statefulsets | get · list · watch | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keda-admission-webhooks | keda-admission-webhooks | ghcr.io/kedacore/keda-admission-webhooks:2.15.1 |
🤖 keda-metrics-server
Namespace: default | Automount: ✅
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | keda-operator-metrics-apiserver | keda-operator-metrics-apiserver | ghcr.io/kedacore/keda-metrics-apiserver:2.15.1 |