1 Service Accounts
1 Workloads
15 Bindings
1 Critical
7 High
2 Medium
5 Low
Description
vcluster - Virtual Kubernetes Clusters
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
vc-vcluster | default | ❌ | — | 15 | 2 | Critical |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 vc-vcluster
Namespace: default | Automount: ❌
🔑 Permissions (15)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role vcluster | core/secrets | create · delete · get · list · patch · update · watch | Critical | CredentialAccess DataExposure InformationDisclosure Persistence PotentialPrivilegeEscalation (+2 more) |
Role vcluster | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
Role vcluster | core/endpoints | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation Tampering TrafficRedirection |
Role vcluster | networking.k8s.io/ingresses | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role vcluster | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
Role vcluster | core/pods/attach | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodAttach PotentialPrivilegeEscalation |
Role vcluster | core/pods/exec | create · delete · get · list · patch · update · watch | High | CodeExecution LateralMovement PodExec PotentialPrivilegeEscalation |
Role vcluster | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
Role vcluster | core/pods/log | get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
Role vcluster | core/pods/portforward | create · delete · get · list · patch · update · watch | Medium | LateralMovement NetworkManipulation PodPortForward |
Role vcluster | apps/deployments | get · list · watch | Low | |
Role vcluster | core/events | get · list · watch | Low | |
Role vcluster | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
Role vcluster | apps/replicasets | get · list · watch | Low | |
Role vcluster | apps/statefulsets | get · list · watch | Low |
⚠️ Potential Abuse (14)
The following security risks were found based on the above permissions:
- Namespaced pod exec
- Namespaced pod attach
- Namespaced pod port-forward
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets in a namespace
- Modify secrets in a namespace
- Read pod logs in a namespace
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services in a namespace
- Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | vcluster | syncer | loftsh/vcluster:0.5.0 |
| StatefulSet | vcluster | vcluster | rancher/k3s:v1.22.2-k3s1 |