kyverno
Description
Kubernetes Native Policy Management
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
kyverno-admission-controller | default | ❌ | — | 6 | 3 | Critical |
kyverno-background-controller | default | ❌ | — | 3 | 1 | Critical |
kyverno-cleanup-controller | default | ❌ | — | 4 | 1 | Critical |
kyverno-reports-controller | default | ❌ | — | 3 | 1 | Critical |
kyverno-migrate-resources | default | ❌ | — | 3 | 1 | High |
kyverno-remove-configmap | default | ❌ | — | 1 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 kyverno-admission-controller
Namespace: default | Automount: ❌
🔑 Permissions (6)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:admission-controller | coordination.k8s.io/leases | create · delete · get · patch · update | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role kyverno:admission-controller | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
Role kyverno:admission-controller | apps/deployments/scale | get · list · patch · update · watch | High | DenialOfService ResourceModification Tampering WorkloadLifecycle |
Role kyverno:admission-controller | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
Role kyverno:admission-controller | core/serviceaccounts | create · delete · get · list · patch · update · watch | Medium | IdentityManagement PotentialPrivilegeEscalation Tampering |
Role kyverno:admission-controller | apps/deployments | get · list · patch · update · watch | Low | |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Modify secrets in a namespace
- Read ConfigMaps in a namespace
- Manage ServiceAccounts in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
- Update Deployment Scale (Resource Abuse/DoS)
📦 Workloads (3)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-admission-controller | kyverno | reg.kyverno.io/kyverno/kyverno:v1.14.2 |
Job | kyverno-clean-reports | kubectl | bitnami/kubectl:1.32.3 |
Job | kyverno-scale-to-zero | kubectl | bitnami/kubectl:1.32.3 |
🤖 kyverno-cleanup-controller
Namespace: default | Automount: ❌
🔑 Permissions (4)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:cleanup-controller | coordination.k8s.io/leases | create · delete · get · patch · update | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role kyverno:cleanup-controller | core/secrets | create · delete · get · list · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role kyverno:cleanup-controller | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
Role kyverno:cleanup-controller | apps/deployments | get · list · watch | Low | |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-cleanup-controller | controller | reg.kyverno.io/kyverno/cleanup-controller:v1.14.2 |
🤖 kyverno-background-controller
Namespace: default | Automount: ❌
🔑 Permissions (3)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:background-controller | coordination.k8s.io/leases | create · delete · get · patch · update | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role kyverno:background-controller | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role kyverno:background-controller | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-background-controller | controller | reg.kyverno.io/kyverno/background-controller:v1.14.2 |
🤖 kyverno-reports-controller
Namespace: default | Automount: ❌
🔑 Permissions (3)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:reports-controller | coordination.k8s.io/leases | create · delete · get · patch · update | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role kyverno:reports-controller | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role kyverno:reports-controller | core/configmaps | get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-reports-controller | controller | reg.kyverno.io/kyverno/reports-controller:v1.14.2 |
🤖 kyverno-migrate-resources
Namespace: default | Automount: ❌
🔑 Permissions (3)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole kyverno:migrate-resources | kyverno.io/* | get · list · update | High | ClusterWideAccess |
ClusterRole kyverno:migrate-resources | apiextensions.k8s.io/customresourcedefinitions | get | Low | |
ClusterRole kyverno:migrate-resources | apiextensions.k8s.io/customresourcedefinitions/status | update | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Job | kyverno-migrate-resources | kubectl | reg.kyverno.io/kyverno/kyverno-cli:v1.14.2 |
🤖 kyverno-remove-configmap
Namespace: default | Automount: ❌
🔑 Permissions (1)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:remove-configmap | core/configmaps | delete · get · list | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Job | kyverno-remove-configmap | kubectl | bitnami/kubectl:1.32.3 |