1 Service Accounts
1 Workloads
87 Bindings
14 Critical
3 High
9 Medium
61 Low
Description
Watches and sends kubernetes resource-related events
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
k8s-watcher | komodor | ❌ | — | 87 | 6 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 k8s-watcher
Namespace: komodor | Automount: ❌
🔑 Permissions (87)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole k8s-watcher | * | get · list · watch | Critical | ClusterAdminAccess ClusterStructure ClusterWideAccess ClusterWideLogAccess (+20 more) |
ClusterRole network-mapper- | * | get · list · watch | Critical | ClusterAdminAccess ClusterStructure ClusterWideAccess ClusterWideLogAccess (+20 more) |
ClusterRole k8s-watcher | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
ClusterRole k8s-watcher | batch/cronjobs | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8s-watcher | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8s-watcher | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8s-watcher | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8s-watcher | networking.k8s.io/networkpolicies | create · delete · get · list · patch · update · watch | Critical | DenialOfService LateralMovement NetworkManipulation NetworkPolicyManagement Tampering |
ClusterRole k8s-watcher | core/nodes/proxy | get · list | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole k8s-watcher | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole k8s-watcher | core/pods/exec | create | Critical | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more) |
ClusterRole k8s-watcher | core/secrets | create · delete · get · list · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole k8s-watcher | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole k8s-watcher | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole k8s-watcher | networking.k8s.io/ingresses | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
ClusterRole k8s-watcher | core/pods/log | get · list | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
ClusterRole k8s-watcher | core/pods/portforward | create | High | ClusterWidePodPortForward LateralMovement NetworkManipulation PodPortForward |
ClusterRole k8s-watcher | rbac.authorization.k8s.io/clusterrolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole k8s-watcher | rbac.authorization.k8s.io/clusterroles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole k8s-watcher | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure |
ClusterRole k8s-watcher | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole k8s-watcher | admissionregistration.k8s.io/mutatingwebhookconfigurations | get · list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole k8s-watcher | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole k8s-watcher | rbac.authorization.k8s.io/rolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole k8s-watcher | rbac.authorization.k8s.io/roles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole k8s-watcher | admissionregistration.k8s.io/validatingwebhookconfigurations | get · list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
ClusterRole k8s-watcher | argoproj.io/analysistemplates | get · list · watch | Low | |
ClusterRole k8s-watcher | certificates.k8s.io/certificatesigningrequests | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/clusteranalysistemplates | get · list · watch | Low | |
ClusterRole k8s-watcher | rbac/clusterrolebindings | get · list · watch | Low | |
ClusterRole k8s-watcher | rbac/clusterroles | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/clusterworkflowtemplates | get · list · watch | Low | |
ClusterRole k8s-watcher | apps/controllerrevisions | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/cronworkflows | get · list · watch | Low | |
ClusterRole k8s-watcher | storage.k8s.io/csidrivers | get · list · watch | Low | |
ClusterRole k8s-watcher | storage.k8s.io/csistoragecapacities | get · list · watch | Low | InformationDisclosure Reconnaissance StorageDetailsDisclosure |
ClusterRole k8s-watcher | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low | |
ClusterRole network-mapper- | apps/daemonsets | get | Low | |
ClusterRole network-mapper- | apps/deployments | get | Low | |
ClusterRole k8s-watcher | apps/deployments/scale | patch | Low | |
ClusterRole k8s-watcher | core/endpoints | get · list · watch | Low | |
ClusterRole network-mapper- | core/endpoints | get · list · watch | Low | |
ClusterRole k8s-watcher | discovery.k8s.io/endpointslices | get · list · watch | Low | |
ClusterRole k8s-watcher | flowcontrol.apiserver.k8s.io/flowschemas | get · list · watch | Low | |
ClusterRole k8s-watcher | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
ClusterRole k8s-watcher | extensions/ingressclasses | get · list · watch | Low | |
ClusterRole k8s-watcher | networking.k8s.io/ingressclasses | get · list · watch | Low | |
ClusterRole k8s-watcher | extensions/ingresses | get · list · watch | Low | |
ClusterRole k8s-watcher | coordination.k8s.io/leases | get · list · watch | Low | |
ClusterRole k8s-watcher | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole k8s-watcher | authorization.k8s.io/localsubjectaccessreviews | get · list · watch | Low | |
ClusterRole k8s-watcher | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole k8s-watcher | extensions/networkpolicies | get · list · watch | Low | |
ClusterRole k8s-watcher | core/nodes | get · list · patch · watch | Low | |
ClusterRole k8s-watcher | metrics.k8s.io/nodes | get · list · watch | Low | |
ClusterRole k8s-watcher | core/nodes/stats | get · list | Low | |
ClusterRole k8s-watcher | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8s-watcher | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
ClusterRole k8s-watcher | policy/poddisruptionbudgets | get · list · watch | Low | |
ClusterRole network-mapper- | core/pods | get · list · watch | Low | |
ClusterRole k8s-watcher | metrics.k8s.io/pods | get · list · watch | Low | |
ClusterRole k8s-watcher | core/pods/eviction | create | Low | |
ClusterRole k8s-watcher | policy/podsecuritypolicies | get · list · watch | Low | |
ClusterRole k8s-watcher | core/podtemplates | get · list · watch | Low | |
ClusterRole k8s-watcher | scheduling.k8s.io/priorityclasses | get · list · watch | Low | |
ClusterRole k8s-watcher | flowcontrol.apiserver.k8s.io/prioritylevelconfigurations | get · list · watch | Low | |
ClusterRole k8s-watcher | apps/replicasets | create · delete · get · list · patch · update · watch | Low | |
ClusterRole network-mapper- | apps/replicasets | get | Low | |
ClusterRole k8s-watcher | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole k8s-watcher | rbac/rolebindings | get · list · watch | Low | |
ClusterRole k8s-watcher | rbac/roles | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/rollouts | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/rollouts/finalizers | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/rollouts/status | get · list · watch | Low | |
ClusterRole k8s-watcher | node.k8s.io/runtimeclasses | get · list · watch | Low | |
ClusterRole k8s-watcher | authorization.k8s.io/selfsubjectaccessreviews | get · list · watch | Low | |
ClusterRole k8s-watcher | authorization.k8s.io/selfsubjectrulesreviews | get · list · watch | Low | |
ClusterRole k8s-watcher | core/serviceaccounts | get · list · watch | Low | |
ClusterRole network-mapper- | apps/statefulsets | get | Low | |
ClusterRole k8s-watcher | apps/statefulsets/scale | patch | Low | |
ClusterRole k8s-watcher | core/storageclasses | create · delete · patch · update | Low | |
ClusterRole k8s-watcher | storage.k8s.io/storageclasses | get · list · watch | Low | |
ClusterRole k8s-watcher | authorization.k8s.io/subjectaccessreviews | get · list · watch | Low | |
ClusterRole k8s-watcher | storage.k8s.io/volumeattachments | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/workflows | get · list · watch | Low | |
ClusterRole k8s-watcher | argoproj.io/workflowtemplates | get · list · watch | Low | |
Role network-mapper- | core/configmaps (restricted to: network-mapper-store-) | get · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (46)
The following security risks were found based on the above permissions:
- Cluster-wide pod exec
- Namespaced pod exec
- Cluster-wide pod port-forward
- Namespaced pod port-forward
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Manage DaemonSets cluster-wide (runs on all nodes, high impact)
- Manage DaemonSets in a namespace (runs on nodes, high impact)
- Manage StatefulSets cluster-wide
- Manage StatefulSets in a namespace
- Manage CronJobs cluster-wide (scheduled privileged execution, persistence)
- Manage CronJobs in a namespace (scheduled privileged execution, persistence)
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
- Read events cluster-wide
- Manage NetworkPolicies cluster-wide
- Manage NetworkPolicies in a namespace
- Manage Services cluster-wide
- Manage Services in a namespace
- Read RBAC configuration cluster-wide
- List Namespaces (Cluster Reconnaissance)
- List ValidatingWebhookConfigurations (Reconnaissance)
- List MutatingWebhookConfigurations (Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
- Read ComponentStatuses (Control Plane Reconnaissance)
- Read CSINode Objects (Node & Storage Reconnaissance)
- Read CSIStorageCapacities (Namespace Storage Reconnaissance)
- Watch All Resources in a Namespace (Broad Information Disclosure)
- Node proxy GET RCE via WebSocket
📦 Workloads (6)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | k8s-watcher-daemon | daemon | public.ecr.aws/komodor-public/telegraf:1.27 |
| DaemonSet | k8s-watcher-daemon | network-sniffer- | public.ecr.aws/komodor-public/network-mapper-sniffer:v1.0.3 |
| Deployment | k8s-watcher | k8s-watcher | public.ecr.aws/komodor-public/komodor-agent:0.2.79 |
| Deployment | k8s-watcher | metrics | public.ecr.aws/komodor-public/telegraf:1.27 |
| Deployment | k8s-watcher | network-mapper- | public.ecr.aws/komodor-public/network-mapper:v1.0.3 |
| Deployment | k8s-watcher | supervisor | public.ecr.aws/komodor-public/komodor-agent:0.2.79 |