5 Service Accounts
6 Workloads
28 Bindings
4 Critical
2 High
1 Medium
21 Low
Description
Kubernetes Native Policy Management
Overview
Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
---|---|---|---|---|---|---|
kyverno-admission-controller | default | ❌ | — | 7 | 4 | Critical |
kyverno-background-controller | default | ❌ | — | 5 | 1 | Critical |
kyverno-reports-controller | default | ❌ | — | 5 | 1 | Critical |
kyverno-migrate-resources | default | ❌ | — | 3 | 1 | High |
kyverno-cleanup-controller | default | ❌ | — | 8 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 kyverno-admission-controller
Namespace: default | Automount: ❌
🔑 Permissions (7)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:admission-controller | coordination.k8s.io/leases | create · delete · get · patch · update | Critical | ControlPlaneDisruption CriticalNamespace DenialOfService Tampering |
Role kyverno:admission-controller | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
Role kyverno:admission-controller | apps/deployments/scale | get · list · patch · update · watch | High | DenialOfService ResourceModification Tampering WorkloadLifecycle |
Role kyverno:admission-controller | core/serviceaccounts | create · delete · get · list · patch · update · watch | Medium | IdentityManagement PotentialPrivilegeEscalation Tampering |
Role kyverno:admission-controller | apps/deployments | get · list · patch · update · watch | Low | |
Role kyverno:admission-controller | core/configmaps (restricted to: kyverno) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
Role kyverno:admission-controller | core/configmaps (restricted to: kyverno-metrics) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read secrets in a namespace
- Modify secrets in a namespace
- Read ConfigMaps in a namespace
- Manage ServiceAccounts in a namespace
- Manage Leases in kube-system or kube-node-lease namespace
- Update Deployment Scale (Resource Abuse/DoS)
📦 Workloads (4)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-admission-controller | kyverno | reg.kyverno.io/kyverno/kyverno:v1.15.2-rc.1 |
Job | kyverno-rm-mutatingwhconfig | kubectl | registry.k8s.io/kubectl:v1.32.7 |
Job | kyverno-rm-validatingwhconfig | kubectl | registry.k8s.io/kubectl:v1.32.7 |
Job | kyverno-scale-to-zero | kubectl | registry.k8s.io/kubectl:v1.32.7 |
🤖 kyverno-background-controller
Namespace: default | Automount: ❌
🔑 Permissions (5)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:background-controller | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role kyverno:background-controller | coordination.k8s.io/leases | create | Low | |
Role kyverno:background-controller | core/configmaps (restricted to: kyverno) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
Role kyverno:background-controller | coordination.k8s.io/leases (restricted to: kyverno-background-controller) | delete · get · patch · update | Low | ResourceNameRestricted |
Role kyverno:background-controller | core/configmaps (restricted to: kyverno-metrics) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-background-controller | controller | reg.kyverno.io/kyverno/background-controller:v1.15.2-rc.1 |
🤖 kyverno-reports-controller
Namespace: default | Automount: ❌
🔑 Permissions (5)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:reports-controller | core/secrets | get · list · watch | Critical | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Role kyverno:reports-controller | coordination.k8s.io/leases | create | Low | |
Role kyverno:reports-controller | core/configmaps (restricted to: kyverno) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
Role kyverno:reports-controller | core/configmaps (restricted to: kyverno-metrics) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
Role kyverno:reports-controller | coordination.k8s.io/leases (restricted to: kyverno-reports-controller) | delete · get · patch · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-reports-controller | controller | reg.kyverno.io/kyverno/reports-controller:v1.15.2-rc.1 |
🤖 kyverno-migrate-resources
Namespace: default | Automount: ❌
🔑 Permissions (3)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
ClusterRole kyverno:migrate-resources | kyverno.io/* | get · list · update | High | ClusterWideAccess |
ClusterRole kyverno:migrate-resources | apiextensions.k8s.io/customresourcedefinitions | get | Low | |
ClusterRole kyverno:migrate-resources | apiextensions.k8s.io/customresourcedefinitions/status | update | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Job | kyverno-migrate-resources | kubectl | reg.kyverno.io/kyverno/kyverno-cli:v1.15.2-rc.1 |
🤖 kyverno-cleanup-controller
Namespace: default | Automount: ❌
🔑 Permissions (8)
Role | Resource | Verbs | Risk | Tags |
---|---|---|---|---|
Role kyverno:cleanup-controller | apps/deployments | get · list · watch | Low | |
Role kyverno:cleanup-controller | coordination.k8s.io/leases | create | Low | |
Role kyverno:cleanup-controller | core/secrets | create | Low | |
Role kyverno:cleanup-controller | core/configmaps (restricted to: kyverno) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
Role kyverno:cleanup-controller | coordination.k8s.io/leases (restricted to: kyverno-cleanup-controller) | delete · get · patch · update | Low | ResourceNameRestricted |
Role kyverno:cleanup-controller | core/secrets (restricted to: kyverno-cleanup-controller.default.svc.kyverno-tls-ca) | delete · get · list · update · watch | Low | CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess |
Role kyverno:cleanup-controller | core/secrets (restricted to: kyverno-cleanup-controller.default.svc.kyverno-tls-pair) | delete · get · list · update · watch | Low | CredentialAccess DataExposure InformationDisclosure ResourceNameRestricted SecretAccess |
Role kyverno:cleanup-controller | core/configmaps (restricted to: kyverno-metrics) | get · list · watch | Low | ConfigMapAccess DataExposure InformationDisclosure ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
Kind | Name | Container | Image |
---|---|---|---|
Deployment | kyverno-cleanup-controller | controller | reg.kyverno.io/kyverno/cleanup-controller:v1.15.2-rc.1 |