vcluster-k0s
v0.19.10
2 Service Accounts · 1 Workload · 14 Bindings
Findings: 1 Critical · 6 High · 2 Medium · 5 Low
Description
vcluster - Virtual Kubernetes Clusters (k0s)
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| vc-vcluster-k0s | default | ❌ | — | 14 | 1 | Critical |
| vc-workload-vcluster-k0s | default | ❌ | — | 0 | 0 | — |
The numbers in the Permissions and Workloads columns are counts of the bindings and workloads that involve each ServiceAccount.
Identities
🤖 vc-vcluster-k0s
Namespace: default | Automount: ❌
🔑 Permissions (14)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role vcluster-k0s | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
Role vcluster-k0s | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role vcluster-k0s | core/endpoints | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation Tampering TrafficRedirection |
Role vcluster-k0s | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
Role vcluster-k0s | core/pods/attach | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodAttach PotentialPrivilegeEscalation |
Role vcluster-k0s | core/pods/exec | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation |
Role vcluster-k0s | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role vcluster-k0s | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
Role vcluster-k0s | core/pods/portforward | create · delete · get · list · patch · update · watch | Medium | LateralMovement NetworkManipulation PodPortForward |
Role vcluster-k0s | apps/deployments | get · list · watch | Low | |
Role vcluster-k0s | core/events | get · list · watch | Low | |
Role vcluster-k0s | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
Role vcluster-k0s | apps/replicasets | get · list · watch | Low | |
Role vcluster-k0s | apps/statefulsets | get · list · watch | Low | |
⚠️ Potential Abuse (13)
The following security risks were found based on the above permissions:
- Namespaced pod exec
- Namespaced pod attach
- Namespaced pod port-forward
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets in a namespace
- Modify secrets in a namespace
- Read pod logs in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services in a namespace
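Each finding above follows from the verbs granted on one resource (a pod exec, attach or port-forward is a POST on the subresource, so it needs `create`; reading a Secret needs `get`, `list` or `watch`; and so on). The Python below is an added example, not code from this report's scanner or from the vcluster project: it reconstructs the `vcluster-k0s` Role from the permissions table, derives the finding list from a finding-to-verb mapping that is my own assumption, and emits one `kubectl auth can-i` command per finding so the effective permissions can be confirmed against a live cluster by impersonating the ServiceAccount.

```python
"""Derive RBAC abuse findings from a namespaced Role and emit kubectl checks.

Added example for this report. The Role is reconstructed from the permissions
table; the FINDINGS mapping is an assumption, not the scanner's own rule set."""
from typing import Dict, List, Set, Tuple

# Reconstructed from the table above (the core API group is ""). Illustration only.
VCLUSTER_K0S_ROLE = {
    "metadata": {"name": "vcluster-k0s", "namespace": "default"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["secrets", "configmaps", "endpoints", "pods", "pods/attach",
                       "pods/exec", "pods/portforward", "services",
                       "persistentvolumeclaims"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log", "events"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "replicasets", "statefulsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

ALL_VERBS = {"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"}
WRITE = {"create", "update", "patch", "delete"}

# Assumed mapping: (finding, apiGroup, resource, verbs any one of which triggers it).
# Subresources such as pods/exec are exercised with a POST, i.e. the create verb.
FINDINGS: List[Tuple[str, str, str, Set[str]]] = [
    ("Namespaced pod exec", "", "pods/exec", {"create"}),
    ("Namespaced pod attach", "", "pods/attach", {"create"}),
    ("Namespaced pod port-forward", "", "pods/portforward", {"create"}),
    ("Create pods in a namespace", "", "pods", {"create"}),
    ("Update/Patch pods in a namespace", "", "pods", {"update", "patch"}),
    ("Read secrets in a namespace", "", "secrets", {"get", "list", "watch"}),
    ("Modify secrets in a namespace", "", "secrets", WRITE),
    ("Read pod logs in a namespace", "", "pods/log", {"get"}),
    ("Read ConfigMaps in a namespace", "", "configmaps", {"get", "list", "watch"}),
    ("Modify ConfigMaps in a namespace", "", "configmaps", WRITE),
    ("Manage Endpoints or EndpointSlices in a namespace", "", "endpoints", WRITE),
    ("Manage Endpoints or EndpointSlices in a namespace", "discovery.k8s.io", "endpointslices", WRITE),
    ("Manage Services in a namespace", "", "services", WRITE),
]


def effective_verbs(role: dict) -> Dict[Tuple[str, str], Set[str]]:
    """Flatten rules into {(apiGroup, resource): verbs}, expanding a '*' verb.
    Wildcard groups/resources are kept as '*' keys and resolved in granted()."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = set(ALL_VERBS)
        for group in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                out.setdefault((group, res), set()).update(verbs)
    return out


def granted(perms: Dict[Tuple[str, str], Set[str]], group: str, resource: str) -> Set[str]:
    """Verbs the role grants on (group, resource), honouring '*' wildcards."""
    verbs: Set[str] = set()
    for g in (group, "*"):
        for r in (resource, "*"):
            verbs |= perms.get((g, r), set())
    return verbs


def findings(role: dict) -> List[str]:
    """Finding names in mapping order, deduplicated (endpoints/endpointslices share one)."""
    perms = effective_verbs(role)
    hits: List[str] = []
    for name, group, resource, trigger in FINDINGS:
        if granted(perms, group, resource) & trigger and name not in hits:
            hits.append(name)
    return hits


def can_i_commands(role: dict, sa: str) -> List[str]:
    """One `kubectl auth can-i` per triggered finding, impersonating the ServiceAccount."""
    ns = role["metadata"]["namespace"]
    perms = effective_verbs(role)
    cmds: List[str] = []
    for _, group, resource, trigger in FINDINGS:
        hit = granted(perms, group, resource) & trigger
        if not hit:
            continue
        verb = sorted(hit)[0]                      # any triggering verb proves the finding
        res, _, sub = resource.partition("/")      # pods/exec -> pods --subresource=exec
        if group:
            res = f"{res}.{group}"                 # RESOURCE.GROUP form, e.g. endpointslices.discovery.k8s.io
        sub_flag = f" --subresource={sub}" if sub else ""
        cmds.append(f"kubectl auth can-i {verb} {res}{sub_flag} -n {ns} "
                    f"--as=system:serviceaccount:{ns}:{sa}")
    return cmds


if __name__ == "__main__":
    for finding in findings(VCLUSTER_K0S_ROLE):
        print("-", finding)
    print()
    print("\n".join(can_i_commands(VCLUSTER_K0S_ROLE, "vc-vcluster-k0s")))
```

Because the grants come from a Role rather than a ClusterRole, every finding is confined to the `default` namespace; the generated `kubectl auth can-i` lines therefore pass `-n default` and should each print `yes` against a cluster where this chart is installed (and `no` for any verb the chart has since dropped). The `--as=system:serviceaccount:...` impersonation requires that the caller running `kubectl` holds `impersonate` on serviceaccounts.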
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | vcluster-k0s | syncer | ghcr.io/loft-sh/vcluster:0.19.10 |
🤖 vc-workload-vcluster-k0s
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.