vcluster-pro-k8s
v0.2.1-alpha.0
3 Service Accounts
2 Workloads
21 Bindings
1 Critical
6 High
2 Medium
12 Low
Description
vcluster-pro - Virtual Kubernetes Clusters (k8s)
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
vc-vcluster-pro-k8s | default | ❌ | — | 18 | 4 | Critical |
vcluster-pro-k8s-job | default | ❌ | — | 3 | 1 | Low |
vc-workload-vcluster-pro-k8s | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 vc-vcluster-pro-k8s
Namespace: default | Automount: ❌
🔑 Permissions (18)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role vcluster-pro-k8s | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
Role vcluster-pro-k8s | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role vcluster-pro-k8s | core/endpoints | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation Tampering TrafficRedirection |
Role vcluster-pro-k8s | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
Role vcluster-pro-k8s | core/pods/attach | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodAttach PotentialPrivilegeEscalation |
Role vcluster-pro-k8s | core/pods/exec | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation |
Role vcluster-pro-k8s | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role vcluster-pro-k8s | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
Role vcluster-pro-k8s | core/pods/portforward | create · delete · get · list · patch · update · watch | Medium | LateralMovement NetworkManipulation PodPortForward |
Role vcluster-pro-k8s | apps/deployments | get · list · watch | Low | |
Role vcluster-pro-k8s | core/events | get · list · watch | Low | |
ClusterRole vc-vcluster-pro-k8s-v-default | cluster.loft.sh/features | get · list · watch | Low | |
ClusterRole vc-vcluster-pro-k8s-v-default | storage.loft.sh/features | get · list · watch | Low | |
Role vcluster-pro-k8s | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
Role vcluster-pro-k8s | apps/replicasets | get · list · watch | Low | |
Role vcluster-pro-k8s | apps/statefulsets | get · list · watch | Low | |
ClusterRole vc-vcluster-pro-k8s-v-default | cluster.loft.sh/virtualclusters | get · list · watch | Low | |
ClusterRole vc-vcluster-pro-k8s-v-default | storage.loft.sh/virtualclusters | get · list · watch | Low |
⚠️ Potential Abuse (13)
The following security risks were found based on the above permissions:
- Namespaced pod exec
- Namespaced pod attach
- Namespaced pod port-forward
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets in a namespace
- Modify secrets in a namespace
- Read pod logs in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services in a namespace
📦 Workloads (4)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | vcluster-pro-k8s | syncer | ghcr.io/loft-sh/vcluster-pro:0.2.1-alpha.0 |
| Deployment | vcluster-pro-k8s-api | kube-apiserver | registry.k8s.io/kube-apiserver:v1.28.0 |
| Deployment | vcluster-pro-k8s-controller | kube-controller-manager | registry.k8s.io/kube-controller-manager:v1.28.0 |
| StatefulSet | vcluster-pro-k8s-etcd | etcd | registry.k8s.io/etcd:3.5.9-0 |
🤖 vcluster-pro-k8s-job
Namespace: default | Automount: ❌
🔑 Permissions (3)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role vcluster-pro-k8s-job | core/configmaps | create · get · list | Low | |
Role vcluster-pro-k8s-job | core/secrets | create · get · list | Low | |
Role vcluster-pro-k8s-job | core/services | create · get · list | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | vcluster-pro-k8s-job | certs | ghcr.io/loft-sh/vcluster-pro:0.2.1-alpha.0 |
🤖 vc-workload-vcluster-pro-k8s
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.