aistor-volumemanager

1 Service Accounts

1 Workloads

19 Bindings

3 Critical

2 Medium

14 Low

CRDManipulation ClusterWideSecretAccess CredentialAccess DataExposure DeprecatedFeature InformationDisclosure NodeAccess OperationalData PodSecurityPolicy PotentialPrivilegeEscalation

Description

DirectPV - AIStor Volume Manager

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`directpv-min-io`	directpv	❌	—	19	7	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `directpv-min-io`

Namespace: directpv | Automount: ❌

🔑 Permissions (19)

Role	Resource	Verbs	Risk	Tags
ClusterRole `directpv-min-io`	apiextensions.k8s.io/customresourcedefinitions	create · delete · get · list · patch · update · watch	Critical	CRDManipulation PotentialPrivilegeEscalation Tampering
ClusterRole `directpv-min-io`	policy/podsecuritypolicies	use	Critical	DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation
ClusterRole `directpv-min-io`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `directpv-min-io`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `directpv-min-io`	core/events	create · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `directpv-min-io`	directpv.min.io/directpvdrives	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	directpv.min.io/directpvinitrequests	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	directpv.min.io/directpvnodes	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	directpv.min.io/directpvvolumes	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	core/endpoints	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
Role `directpv-min-io`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `directpv-min-io`	core/nodes	get · list · watch	Low
ClusterRole `directpv-min-io`	core/persistentvolumeclaims	get · list · update · watch	Low
ClusterRole `directpv-min-io`	core/persistentvolumeclaims/status	patch	Low
ClusterRole `directpv-min-io`	core/persistentvolumes	create · delete · get · list · patch · watch	Low
ClusterRole `directpv-min-io`	core/pods	get · list · watch	Low
ClusterRole `directpv-min-io`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `directpv-min-io`	storage.k8s.io/volumeattachments	get · list · watch	Low

⚠️ Potential Abuse (7)

The following security risks were found based on the above permissions:

📦 Workloads (7)

Kind	Name	Container	Image
DaemonSet	node-server	liveness-probe	quay.io/minio/livenessprobe:v2.15.0-0
DaemonSet	node-server	node-controller	quay.io/minio/directpv:v5.0.2
DaemonSet	node-server	node-driver-registrar	quay.io/minio/csi-node-driver-registrar:v2.13.0-0
DaemonSet	node-server	node-server	quay.io/minio/directpv:v5.0.2
Deployment	controller	controller	quay.io/minio/directpv:v5.0.2
Deployment	controller	csi-provisioner	quay.io/minio/csi-provisioner:v5.2.0-0
Deployment	controller	csi-resizer	quay.io/minio/csi-resizer:v1.13.1-0