4 Service Accounts
5 Workloads
56 Bindings
3 Critical
3 High
7 Medium
43 Low
Description
Kubecost Helm chart - monitor your cloud costs!
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
cost-analyzer-finops-agent | default | ✅ | — | 21 | 1 | Critical |
cost-analyzer-prometheus-server | default | ❌ | — | 10 | 1 | Critical |
cost-analyzer | default | ❌ | — | 24 | 4 | High |
cost-analyzer-grafana | default | ❌ | — | 1 | 2 | High |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 cost-analyzer-finops-agent
Namespace: default | Automount: ✅
🔑 Permissions (21)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer-finops-agent-cluster-role | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
Role cost-analyzer-finops-agent-role | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role cost-analyzer-finops-agent-role | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole cost-analyzer-finops-agent-cluster-role | batch/cronjobs | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | apps/daemonsets | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | apps/deployments | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | batch/jobs | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/nodes | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/nodes/metrics | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/nodes/stats | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/persistentvolumes | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | policy/poddisruptionbudgets | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/pods | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | apps/replicasets | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | core/services | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | apps/statefulsets | get · list · watch | Low | |
ClusterRole cost-analyzer-finops-agent-cluster-role | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- List Namespaces (Cluster Reconnaissance)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
- Node proxy GET RCE via WebSocket
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer-finops-agent | finops-agent | icr.io/ibm-finops/agent:v1.0.8 |
🤖 cost-analyzer-prometheus-server
Namespace: default | Automount: ❌
🔑 Permissions (10)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer-prometheus-server | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole cost-analyzer-prometheus-server | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cost-analyzer-prometheus-server | core/endpoints | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/ingresses | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | networking.k8s.io/ingresses/status | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/nodes | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/nodes/metrics | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/pods | get · list · watch | Low | |
ClusterRole cost-analyzer-prometheus-server | core/services | get · list · watch | Low |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer-prometheus-server | prometheus-server | quay.io/prometheus/prometheus:v3.9.1 |
🤖 cost-analyzer
Namespace: default | Automount: ❌
🔑 Permissions (24)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
Role cost-analyzer | core/configmaps | get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole cost-analyzer | core/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole cost-analyzer | events.k8s.io/events | get · list · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
Role cost-analyzer | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
ClusterRole cost-analyzer | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole cost-analyzer | batch/cronjobs | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/daemonsets | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/deployments | get · list · watch | Low | |
ClusterRole cost-analyzer | core/endpoints | get · list · watch | Low | |
ClusterRole cost-analyzer | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
ClusterRole cost-analyzer | batch/jobs | get · list · watch | Low | |
ClusterRole cost-analyzer | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole cost-analyzer | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole cost-analyzer | core/nodes | get · list · watch | Low | |
ClusterRole cost-analyzer | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole cost-analyzer | core/persistentvolumes | get · list · watch | Low | |
ClusterRole cost-analyzer | policy/poddisruptionbudgets | get · list · watch | Low | |
ClusterRole cost-analyzer | core/pods | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/replicasets | get · list · watch | Low | |
ClusterRole cost-analyzer | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole cost-analyzer | core/services | get · list · watch | Low | |
ClusterRole cost-analyzer | apps/statefulsets | get · list · watch | Low | |
ClusterRole cost-analyzer | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read events cluster-wide
- List Namespaces (Cluster Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer | aggregator | gcr.io/kubecost1/cost-model:prod-2.9.6 |
| Deployment | cost-analyzer | cloud-cost | gcr.io/kubecost1/cost-model:prod-2.9.6 |
| Deployment | cost-analyzer | cost-analyzer-frontend | gcr.io/kubecost1/frontend:prod-2.9.6 |
| Deployment | cost-analyzer | cost-model | gcr.io/kubecost1/cost-model:prod-2.9.6 |
🤖 cost-analyzer-grafana
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole cost-analyzer-grafana-clusterrole | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | cost-analyzer-grafana | grafana | grafana/grafana:12.3.1 |
| Deployment | cost-analyzer-grafana | grafana-sc-dashboard | ghcr.io/kiwigrid/k8s-sidecar:2.2.3 |