1 Service Accounts
1 Workloads
14 Bindings
3 Critical
1 Medium
10 Low
Description
The Kubedoop Secret Operator
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
secret-operator | default | ❌ | — | 14 | 4 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 secret-operator
Namespace: default | Automount: ❌
🔑 Permissions (14)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole secret-operator-daemonset | storage.k8s.io/csidrivers | create · delete · get · list · patch · update · watch | Critical | NodeAccess PrivilegeEscalation StorageManipulation Tampering |
ClusterRole secret-operator-daemonset | core/pods | create · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more) |
ClusterRole secret-operator-daemonset | core/secrets | create · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole secret-operator-daemonset | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
ClusterRole secret-operator-daemonset | core/nodes | get · list · watch | Low | |
ClusterRole secret-operator-daemonset | core/persistentvolumeclaims | get · list · watch | Low | |
ClusterRole secret-operator-daemonset | core/persistentvolumes | create · delete · get · list · patch · watch | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretclasses | create · delete · get · list · patch · update · watch | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretclasses/finalizers | update | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretclasses/status | get · patch · update | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretcsis | create · delete · get · list · patch · update · watch | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretcsis/finalizers | update | Low | |
ClusterRole secret-operator-daemonset | secrets.kubedoop.dev/secretcsis/status | get · patch · update | Low | |
ClusterRole secret-operator-daemonset | storage.k8s.io/storageclasses | get · list · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Create pods cluster-wide
- Create pods in a namespace
- Update/Patch pods cluster-wide
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Manage CSIDrivers (potential node compromise)
- Read events cluster-wide
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | secret-operator-daemonset | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v5.1.0 |
| DaemonSet | secret-operator-daemonset | liveness-probe | registry.k8s.io/sig-storage/livenessprobe:v2.14.0 |
| DaemonSet | secret-operator-daemonset | node-driver-registrar | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 |
| DaemonSet | secret-operator-daemonset | secret-operator | quay.io/zncdatadev/secret-csi-driver:0.1.0 |