komodor-agent

Description

Watches and sends kubernetes resource-related events

Overview

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 komodor-agent

Namespace: default  |  Automount: ❌

🔑 Permissions (83)

⚠️ Potential Abuse (59)

The following security risks were found based on the above permissions:

• Cluster-wide pod exec
• Namespaced pod exec
• Cluster-wide pod port-forward
• Namespaced pod port-forward
• Create pods cluster-wide
• Create pods in a namespace
• Update/Patch pods cluster-wide
• Update/Patch pods in a namespace
• Read secrets cluster-wide
• Read secrets in a namespace
• Modify secrets cluster-wide
• Modify secrets in a namespace
• Read pod logs cluster-wide
• Read pod logs in a namespace
• Read ConfigMaps cluster-wide
• Read ConfigMaps in a namespace
• Modify ConfigMaps cluster-wide
• Modify ConfigMaps in a namespace
• Delete namespaces
• Manage ClusterRoles (create, update, patch, delete)
• Manage ClusterRoleBindings (create, update, patch, delete)
• Manage Roles in a namespace (create, update, patch, delete)
• Manage RoleBindings in a namespace (create, update, patch, delete)
• Escalate privileges via ClusterRoles (escalate verb)
• Bind ClusterRoles to identities (bind verb)
• Manage Deployments cluster-wide (potential for privileged pod execution)
• Manage Deployments in a namespace (potential for privileged pod execution)
• Manage DaemonSets cluster-wide (runs on all nodes, high impact)
• Manage DaemonSets in a namespace (runs on nodes, high impact)
• Manage StatefulSets cluster-wide
• Manage StatefulSets in a namespace
• Manage CronJobs cluster-wide (scheduled privileged execution, persistence)
• Manage CronJobs in a namespace (scheduled privileged execution, persistence)
• Manage Jobs cluster-wide (one-off privileged execution)
• Manage Jobs in a namespace (one-off privileged execution)
• Manage (get, list, watch, delete) CertificateSigningRequests
• Impersonate users, groups, or service accounts (cluster-wide)
• Manage ServiceAccounts cluster-wide
• Manage ServiceAccounts in a namespace
• Read events cluster-wide
• Manage NetworkPolicies cluster-wide
• Manage NetworkPolicies in a namespace
• Manage Services cluster-wide
• Manage Services in a namespace
• Read RBAC configuration cluster-wide
• List Namespaces (Cluster Reconnaissance)
• List ValidatingWebhookConfigurations (Reconnaissance)
• List MutatingWebhookConfigurations (Reconnaissance)
• Read LimitRanges (Namespace Information Disclosure)
• Read ResourceQuotas (Namespace Information Disclosure)
• Read All ResourceQuotas (Cluster-wide Information Disclosure)
• Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
• Read ComponentStatuses (Control Plane Reconnaissance)
• Read CSINode Objects (Node & Storage Reconnaissance)
• Read CSIStorageCapacities (Namespace Storage Reconnaissance)
• Watch All Resources in a Namespace (Broad Information Disclosure)
• Node proxy GET RCE via WebSocket

📦 Workloads (11)

🤖 komodor-agent-admission-controller

Namespace: default  |  Automount: ❌

🔑 Permissions (17)

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

• Read pod logs cluster-wide
• Read pod logs in a namespace
• Node proxy GET RCE via WebSocket

📦 Workloads (1)