vcluster :: RBAC ATLAS

Description

vcluster - Virtual Kubernetes Clusters

https://github.com/loft-sh/vcluster

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`vc-vcluster`	default	❌	—	21	1	Critical
`vc-workload-vcluster`	default	❌	—	0	0	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `vc-vcluster`

Namespace: default | Automount: ❌

🔑 Permissions (21)

Role	Resource	Verbs	Risk	Tags
Role `vc-vcluster`	core/secrets	create · delete · get · list · patch · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more)
Role `vc-vcluster`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
Role `vc-vcluster`	core/endpoints	create · delete · get · list · patch · update · watch	High	DenialOfService NetworkManipulation Tampering TrafficRedirection
Role `vc-vcluster`	discovery.k8s.io/endpointslices	create · delete · get · list · patch · update · watch	High	DenialOfService NetworkManipulation Tampering TrafficRedirection
Role `vc-vcluster`	core/pods	create · delete · get · list · patch · update · watch	High	LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution
Role `vc-vcluster`	core/pods/attach	create · delete · get · list · patch · update · watch	High	CodeExecution LateralMovement PodAttach PotentialPrivilegeEscalation
Role `vc-vcluster`	core/pods/ephemeralcontainers	patch · update	High	CodeExecution LateralMovement PotentialPrivilegeEscalation Tampering WorkloadExecution
Role `vc-vcluster`	core/pods/exec	create · delete · get · list · patch · update · watch	High	CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation
Role `vc-vcluster`	core/services	create · delete · get · list · patch · update · watch	High	DenialOfService NetworkManipulation ServiceExposure Tampering
Role `vc-vcluster`	core/pods/log	get · list · watch	Medium	DataExposure InformationDisclosure LogAccess
Role `vc-vcluster`	core/pods/portforward	create · delete · get · list · patch · update · watch	Medium	LateralMovement NetworkManipulation PodPortForward
Role `vc-vcluster`	apps/deployments	get · list · watch	Low
Role `vc-vcluster`	core/events	create · get · list · watch	Low
Role `vc-vcluster`	core/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
ClusterRole `vc-vcluster-v-default`	core/persistentvolumes	get · list	Low
Role `vc-vcluster`	core/pods/status	patch · update	Low
Role `vc-vcluster`	apps/replicasets	get · list · watch	Low
Role `vc-vcluster`	apps/statefulsets	get · list · watch	Low
ClusterRole `vc-vcluster-v-default`	snapshot.storage.k8s.io/volumesnapshotclasses	get · list	Low
ClusterRole `vc-vcluster-v-default`	snapshot.storage.k8s.io/volumesnapshotcontents	create · delete · get · list · patch · update	Low
Role `vc-vcluster`	snapshot.storage.k8s.io/volumesnapshots	create · delete · get · list · patch · update	Low

⚠️ Potential Abuse (14)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
StatefulSet	vcluster	syncer	ghcr.io/loft-sh/vcluster-pro:0.32.0-next.0

🤖 `vc-workload-vcluster`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

vcluster