minkms-operator :: RBAC ATLAS

Description

Helm chart for MinIO AIStor Key Manager operator

https://min.io/product/aistor/key-management-server

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`minkms`	default	❌	—	30	1	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `minkms`

Namespace: default | Automount: ❌

🔑 Permissions (30)

Role	Resource	Verbs	Risk	Tags
ClusterRole `minkms`	core/configmaps	create · delete · deletecollection · get · list · patch · update · watch	Critical	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole `minkms`	apps/daemonsets	create · delete · get · list · patch · update · watch	Critical	NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minkms`	apps/deployments	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minkms`	batch/jobs	create · delete · get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minkms`	core/pods	create · delete · deletecollection · get · list · patch · update · watch	Critical	LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole `minkms`	core/secrets	create · delete · deletecollection · get · list · update · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `minkms`	core/services	create · delete · deletecollection · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `minkms`	apps/statefulsets	create · delete · get · list · patch · update · watch	Critical	Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole `minkms`	min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `minkms`	minkms.min.io/*	*	High	ClusterWideAccess WildcardPermission
ClusterRole `minkms`	monitoring.coreos.com/prometheuses	*	High	ClusterWideAccess WildcardPermission
ClusterRole `minkms`	rbac.authorization.k8s.io/rolebindings	create · delete · get · list · patch · update · watch	High	BindingToPrivilegedRole InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery (+1 more)
ClusterRole `minkms`	rbac.authorization.k8s.io/roles	create · delete · get · list · patch · update · watch	High	InformationDisclosure PrivilegeEscalation RBACManipulation RBACQuery Reconnaissance
ClusterRole `minkms`	core/serviceaccounts	create · delete · get · list · patch · update · watch	High	IdentityManagement PotentialPrivilegeEscalation Tampering
ClusterRole `minkms`	certificates.k8s.io/certificatesigningrequests	create · delete · get · list · update · watch	Medium	CSRCreation DenialOfService InformationDisclosure PotentialPrivilegeEscalation Spoofing (+1 more)
ClusterRole `minkms`	core/events	create · delete · deletecollection · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `minkms`	policy/poddisruptionbudgets	create · delete · deletecollection · get · list · patch · update · watch	Medium	AvailabilityImpact DenialOfService Tampering
ClusterRole `minkms`	certificates.k8s.io/certificatesigningrequests/approval	create · delete · get · list · update · watch	Low
ClusterRole `minkms`	certificates.k8s.io/certificatesigningrequests/status	create · delete · get · list · update · watch	Low
ClusterRole `minkms`	rbac.authorization.k8s.io/clusterrolebindings	create · get · update	Low
ClusterRole `minkms`	apiextensions.k8s.io/customresourcedefinitions	get · list · update · watch	Low
ClusterRole `minkms`	apps/deployments/finalizers	create · delete · get · list · patch · update · watch	Low
ClusterRole `minkms`	coordination.k8s.io/leases	create · get · update	Low
ClusterRole `minkms`	core/namespaces	get · list · watch	Low	ClusterStructure InformationDisclosure Reconnaissance
ClusterRole `minkms`	core/nodes	get · list · watch	Low
ClusterRole `minkms`	core/persistentvolumeclaims	get · list · update	Low
ClusterRole `minkms`	certificates.k8s.io/signers (restricted to: beta.eks.amazonaws.com/app-serving)	approve · sign	Low	ResourceNameRestricted
ClusterRole `minkms`	certificates.k8s.io/signers (restricted to: kubernetes.io/kube-apiserver-client)	approve · sign	Low	ResourceNameRestricted
ClusterRole `minkms`	certificates.k8s.io/signers (restricted to: kubernetes.io/kubelet-serving)	approve · sign	Low	ResourceNameRestricted
ClusterRole `minkms`	certificates.k8s.io/signers (restricted to: kubernetes.io/legacy-unknown)	approve · sign	Low	ResourceNameRestricted

⚠️ Potential Abuse (32)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	minkms-operator	controller	quay.io/minio/aistor/operator:RELEASE.2026-02-09T03-12-43Z

minkms-operator

Description

Overview

Identities

🤖 minkms

🔑 Permissions (30)

⚠️ Potential Abuse (32)

📦 Workloads (1)

🤖 `minkms`