aistor-operator :: RBAC ATLAS

Description

Helm chart for MinIO AIStor operators

https://min.io/product/aistor-overview

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`adminjob`	default	❌	—	12	1	Critical
`object-store`	default	❌	—	33	1	Critical
`object-store-webhook`	default	❌	—	11	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `object-store`

Namespace: default | Automount: ❌

🔑 Permissions (33)

Role	Resource	Verbs	Risk	Tags
ClusterRole `aistor:object-store`	core/secrets	create · delete · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `object-store-operator`	core/secrets	create · delete · get · list · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `aistor:object-store`	apps/statefulsets	create · delete · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `aistor:object-store`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests	create · delete · get · list · watch	Medium	CSRCreation DenialOfService InformationDisclosure PotentialPrivilegeEscalation Spoofing (+1 more)
Role `object-store-operator`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `aistor:object-store`	rbac.authorization.k8s.io/rolebindings	create · delete · list · update · watch	Medium	InformationDisclosure RBACQuery Reconnaissance
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests/approval	get · update	Low
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests/status	get	Low
ClusterRole `aistor:object-store`	rbac.authorization.k8s.io/clusterrolebindings	create · delete · get · update	Low
ClusterRole `aistor:object-store`	apiextensions.k8s.io/customresourcedefinitions	get	Low
ClusterRole `aistor:object-store`	apps/deployments	create · list · update · watch	Low
Role `object-store-operator`	apps/deployments	get	Low
ClusterRole `aistor:object-store`	core/events	create · patch	Low
Role `object-store-operator`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `aistor:certificate-management`	core/nodes	list	Low
ClusterRole `aistor:object-store`	core/nodes	get · list	Low
ClusterRole `aistor:object-store`	aistor.min.io/objectstores	get · list · watch	Low
ClusterRole `aistor:object-store`	aistor.min.io/objectstores/finalizers	update	Low
ClusterRole `aistor:object-store`	aistor.min.io/objectstores/status	update	Low
ClusterRole `aistor:object-store`	core/persistentvolumeclaims	list · update	Low
ClusterRole `aistor:object-store`	policy/poddisruptionbudgets	create · list · update · watch	Low
ClusterRole `aistor:object-store`	core/pods	delete · deletecollection · list · watch	Low
Role `object-store-operator`	core/pods	get · patch	Low
ClusterRole `aistor:object-store`	sts.min.io/policybindings	create · list · update · watch	Low
ClusterRole `aistor:object-store`	monitoring.coreos.com/prometheuses	get · list · update · watch	Low
ClusterRole `aistor:object-store`	aistor.min.io/prompts	get · list · watch	Low
ClusterRole `aistor:object-store`	core/serviceaccounts	create · list · update · watch	Low
ClusterRole `aistor:object-store`	core/services	create · delete · list · update · watch	Low
ClusterRole `aistor:certificate-management`	certificates.k8s.io/signers	approve	Low
ClusterRole `aistor:object-store`	apps/statefulsets/finalizers	update	Low
ClusterRole `aistor:object-store`	rbac.authorization.k8s.io/clusterroles (restricted to: aistor:object-store:pods)	bind	Low	BindingToPrivilegedRole ClusterAdminAccess PrivilegeEscalation RBACManipulation ResourceNameRestricted
ClusterRole `aistor:object-store`	rbac.authorization.k8s.io/clusterroles (restricted to: aistor:tokenreview)	bind	Low	BindingToPrivilegedRole ClusterAdminAccess PrivilegeEscalation RBACManipulation ResourceNameRestricted

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	object-store-operator	controller	quay.io/minio/aistor/operator:RELEASE.2026-06-10T05-02-21Z

🤖 `adminjob`

Namespace: default | Automount: ❌

🔑 Permissions (12)

Role	Resource	Verbs	Risk	Tags
ClusterRole `aistor:adminjob`	core/secrets	create · delete · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role `adminjob-operator`	core/secrets	delete · get · list · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `aistor:adminjob`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
Role `adminjob-operator`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `aistor:adminjob`	aistor.min.io/adminjobs	delete · get · list · watch	Low
ClusterRole `aistor:adminjob`	aistor.min.io/adminjobs/status	update	Low
ClusterRole `aistor:adminjob`	core/events	create · patch	Low
ClusterRole `aistor:adminjob`	batch/jobs	create · list · watch	Low
Role `adminjob-operator`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `aistor:adminjob`	aistor.min.io/objectstores	get · list · watch	Low
Role `adminjob-operator`	core/pods	patch	Low
ClusterRole `aistor:adminjob`	sts.min.io/policybindings	list · watch	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	adminjob-operator	controller	quay.io/minio/aistor/operator:RELEASE.2026-06-10T05-02-21Z

🤖 `object-store-webhook`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk	Tags
Role `object-store-webhook`	core/secrets	create · delete · get · list · update · watch	Critical	CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests	create · delete · get · list · watch	Medium	CSRCreation DenialOfService InformationDisclosure PotentialPrivilegeEscalation Spoofing (+1 more)
Role `object-store-webhook`	core/configmaps	get · list · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests/approval	get · update	Low
ClusterRole `aistor:certificate-management`	certificates.k8s.io/certificatesigningrequests/status	get	Low
Role `object-store-webhook`	apps/deployments	get	Low
ClusterRole `aistor:object-store-webhook-cluster`	admissionregistration.k8s.io/mutatingwebhookconfigurations	get · update	Low
ClusterRole `aistor:certificate-management`	core/nodes	list	Low
ClusterRole `aistor:object-store-webhook-cluster`	core/nodes	list	Low
ClusterRole `aistor:object-store-webhook`	aistor.min.io/objectstores	get	Low
ClusterRole `aistor:certificate-management`	certificates.k8s.io/signers	approve	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	object-store-webhook	controller	quay.io/minio/aistor/operator:RELEASE.2026-06-10T05-02-21Z

aistor-operator

Description

Overview

Identities

🤖 object-store

🔑 Permissions (33)

⚠️ Potential Abuse (11)

📦 Workloads (1)

🤖 adminjob

🔑 Permissions (12)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 object-store-webhook

🔑 Permissions (11)

⚠️ Potential Abuse (5)

📦 Workloads (1)

🤖 `object-store`

🤖 `adminjob`

🤖 `object-store-webhook`