kube-prometheus-stack

Description

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`kube-prometheus-stack-grafana`	default	✅	—	2	3	Critical
`kube-prometheus-stack-operator`	default	✅	—	30	1	Critical
`kube-prometheus-stack-kube-state-metrics`	default	✅	—	28	1	Medium
`kube-prometheus-stack-admission`	default	✅	—	3	2	Low
`kube-prometheus-stack-prometheus`	default	✅	—	7	0	Low
`kube-prometheus-stack-alertmanager`	default	✅	—	0	0	—
`kube-prometheus-stack-grafana-test`	default	❌	—	0	1	—
`kube-prometheus-stack-prometheus-node-exporter`	default	❌	—	0	1	—
`kube-prometheus-stack-prometheus-windows-exporter`	default	❌	—	0	1	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `kube-prometheus-stack-operator`

Namespace: default | Automount: ✅

🔑 Permissions (30)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kube-prometheus-stack-operator`	core/configmaps	*	Critical	ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole `kube-prometheus-stack-operator`	core/secrets	*	Critical	ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole `kube-prometheus-stack-operator`	apps/statefulsets	*	Critical	ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/alertmanagerconfigs	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/alertmanagers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/alertmanagers/finalizers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/alertmanagers/status	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/podmonitors	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/probes	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheusagents	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheusagents/finalizers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheusagents/status	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheuses	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheuses/finalizers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheuses/status	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/prometheusrules	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/scrapeconfigs	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/servicemonitors	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/thanosrulers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/thanosrulers/finalizers	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	monitoring.coreos.com/thanosrulers/status	*	High	ClusterWideAccess WildcardPermission
ClusterRole `kube-prometheus-stack-operator`	core/endpoints	create · delete · get · update	Low
ClusterRole `kube-prometheus-stack-operator`	core/events	create · patch	Low
ClusterRole `kube-prometheus-stack-operator`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `kube-prometheus-stack-operator`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `kube-prometheus-stack-operator`	core/nodes	list · watch	Low
ClusterRole `kube-prometheus-stack-operator`	core/pods	delete · list	Low
ClusterRole `kube-prometheus-stack-operator`	core/services	create · delete · get · update	Low
ClusterRole `kube-prometheus-stack-operator`	core/services/finalizers	create · delete · get · update	Low
ClusterRole `kube-prometheus-stack-operator`	storage.k8s.io/storageclasses	get	Low

⚠️ Potential Abuse (13)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kube-prometheus-stack-operator	kube-prometheus-stack	quay.io/prometheus-operator/prometheus-operator:v0.83.0

🤖 `kube-prometheus-stack-grafana`

Namespace: default | Automount: ✅

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kube-prometheus-stack-grafana-clusterrole`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `kube-prometheus-stack-grafana-clusterrole`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (3)

Kind	Name	Container	Image
Deployment	kube-prometheus-stack-grafana	grafana	docker.io/grafana/grafana:12.0.1
Deployment	kube-prometheus-stack-grafana	grafana-sc-dashboard	quay.io/kiwigrid/k8s-sidecar:1.30.0
Deployment	kube-prometheus-stack-grafana	grafana-sc-datasources	quay.io/kiwigrid/k8s-sidecar:1.30.0

🤖 `kube-prometheus-stack-kube-state-metrics`

Namespace: default | Automount: ✅

🔑 Permissions (28)

Role	Resource	Verbs	Risk	Tags
ClusterRole `kube-prometheus-stack-kube-state-metrics`	admissionregistration.k8s.io/mutatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `kube-prometheus-stack-kube-state-metrics`	admissionregistration.k8s.io/validatingwebhookconfigurations	list · watch	Medium	InformationDisclosure Reconnaissance WebhookReconnaissance
ClusterRole `kube-prometheus-stack-kube-state-metrics`	certificates.k8s.io/certificatesigningrequests	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/configmaps	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	batch/cronjobs	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	apps/daemonsets	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	apps/deployments	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/endpoints	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	autoscaling/horizontalpodautoscalers	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	networking.k8s.io/ingresses	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	batch/jobs	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	coordination.k8s.io/leases	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/limitranges	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/namespaces	list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `kube-prometheus-stack-kube-state-metrics`	networking.k8s.io/networkpolicies	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/nodes	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/persistentvolumeclaims	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/persistentvolumes	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	policy/poddisruptionbudgets	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/pods	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	apps/replicasets	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/replicationcontrollers	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/resourcequotas	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/secrets	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	core/services	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	apps/statefulsets	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	storage.k8s.io/storageclasses	list · watch	Low
ClusterRole `kube-prometheus-stack-kube-state-metrics`	storage.k8s.io/volumeattachments	list · watch	Low

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	kube-prometheus-stack-kube-state-metrics	kube-state-metrics	registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.15.0

🤖 `kube-prometheus-stack-prometheus`

Namespace: default | Automount: ✅

🔑 Permissions (7)

Role	Resource	Verbs	Risk
ClusterRole `kube-prometheus-stack-prometheus`	core/endpoints	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	discovery.k8s.io/endpointslices	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	networking.k8s.io/ingresses	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	core/nodes	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	core/nodes/metrics	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	core/pods	get · list · watch	Low
ClusterRole `kube-prometheus-stack-prometheus`	core/services	get · list · watch	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `kube-prometheus-stack-admission`

Namespace: default | Automount: ✅

🔑 Permissions (3)

Role	Resource	Verbs	Risk
ClusterRole `kube-prometheus-stack-admission`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · update	Low
Role `kube-prometheus-stack-admission`	core/secrets	create · get	Low
ClusterRole `kube-prometheus-stack-admission`	admissionregistration.k8s.io/validatingwebhookconfigurations	get · update	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (2)

Kind	Name	Container	Image
Job	kube-prometheus-stack-admission-create	create	registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4
Job	kube-prometheus-stack-admission-patch	patch	registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.4

🤖 `kube-prometheus-stack-alertmanager`

Namespace: default | Automount: ✅

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `kube-prometheus-stack-grafana-test`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
Pod	kube-prometheus-stack-grafana-test	kube-prometheus-stack-test	docker.io/bats/bats:v1.4.1

🤖 `kube-prometheus-stack-prometheus-node-exporter`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
DaemonSet	kube-prometheus-stack-prometheus-node-exporter	node-exporter	quay.io/prometheus/node-exporter:v1.9.1

🤖 `kube-prometheus-stack-prometheus-windows-exporter`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

Kind	Name	Container	Image
DaemonSet	kube-prometheus-stack-prometheus-windows-exporter	windows-exporter	ghcr.io/prometheus-community/windows-exporter:0.30.7

kube-prometheus-stack

Description

Overview

Identities

🤖 kube-prometheus-stack-operator

🔑 Permissions (30)

⚠️ Potential Abuse (13)

📦 Workloads (1)

🤖 kube-prometheus-stack-grafana

🔑 Permissions (2)

⚠️ Potential Abuse (5)

📦 Workloads (3)

🤖 kube-prometheus-stack-kube-state-metrics

🔑 Permissions (28)

⚠️ Potential Abuse (4)

📦 Workloads (1)

🤖 kube-prometheus-stack-prometheus

🔑 Permissions (7)

⚠️ Potential Abuse (1)

📦 Workloads (0)

🤖 kube-prometheus-stack-admission

🔑 Permissions (3)

⚠️ Potential Abuse (1)

📦 Workloads (2)

🤖 kube-prometheus-stack-alertmanager

🔑 Permissions (0)

📦 Workloads (0)

🤖 kube-prometheus-stack-grafana-test

🔑 Permissions (0)

📦 Workloads (1)

🤖 kube-prometheus-stack-prometheus-node-exporter

🔑 Permissions (0)

📦 Workloads (1)

🤖 kube-prometheus-stack-prometheus-windows-exporter

🔑 Permissions (0)

📦 Workloads (1)

🤖 `kube-prometheus-stack-operator`

🤖 `kube-prometheus-stack-grafana`

🤖 `kube-prometheus-stack-kube-state-metrics`

🤖 `kube-prometheus-stack-prometheus`

🤖 `kube-prometheus-stack-admission`

🤖 `kube-prometheus-stack-alertmanager`

🤖 `kube-prometheus-stack-grafana-test`

🤖 `kube-prometheus-stack-prometheus-node-exporter`

🤖 `kube-prometheus-stack-prometheus-windows-exporter`