4 Service Accounts
4 Workloads
22 Bindings
3 Critical
11 High
8 Low
Description
Netchecks proactively verifies whether your security controls are working as intended.
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
netcheck-operator | default | ❌ | — | 9 | 1 | Critical |
netchecks-kyverno-plugin | default | ❌ | — | 7 | 1 | High |
netchecks-policy-reporter | default | ❌ | — | 5 | 1 | High |
netchecks-ui | default | ❌ | — | 1 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 netcheck-operator
Namespace: default | Automount: ❌
🔑 Permissions (9)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole netchecks | core/configmaps | create · delete · get · list · patch · update | Critical | ConfigMapAccess PotentialPrivilegeEscalation Tampering |
ClusterRole netchecks | batch/cronjobs | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole netchecks | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle |
ClusterRole netchecks | core/pods/log | get · list | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
ClusterRole netchecks | core/events | create | Low | |
ClusterRole netchecks | netchecks.io/networkassertions | get · list · patch · update · watch | Low | |
ClusterRole netchecks | netchecks.io/networkassertions/status | patch · update | Low | |
ClusterRole netchecks | core/pods | get · list · watch | Low | |
ClusterRole netchecks | wgpolicyk8s.io/policyreports | create · get · list · patch · update · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage CronJobs cluster-wide (scheduled privileged execution, persistence)
- Manage CronJobs in a namespace (scheduled privileged execution, persistence)
- Manage Jobs cluster-wide (one-off privileged execution)
- Manage Jobs in a namespace (one-off privileged execution)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | netchecks | netchecks | ghcr.io/hardbyte/netchecks-operator:0.7.0 |
🤖 netchecks-kyverno-plugin
Namespace: default | Automount: ❌
🔑 Permissions (7)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole netchecks-kyverno-plugin | */clusterpolicies | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-kyverno-plugin | */clusterpolicies/status | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-kyverno-plugin | */clusterpolicyreports | get · list | High | ClusterWideAccess |
ClusterRole netchecks-kyverno-plugin | */policies | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-kyverno-plugin | */policies/status | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-kyverno-plugin | */policyreports | get · list | High | ClusterWideAccess |
Role netchecks-kyverno-plugin-secret-reader | core/secrets | get | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | netchecks-kyverno-plugin | kyverno-plugin | ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.6.3 |
🤖 netchecks-policy-reporter
Namespace: default | Automount: ❌
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole netchecks-policy-reporter | */clusterpolicyreports | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-policy-reporter | */clusterpolicyreports/status | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-policy-reporter | */policyreports | get · list · watch | High | ClusterWideAccess |
ClusterRole netchecks-policy-reporter | */policyreports/status | get · list · watch | High | ClusterWideAccess |
Role netchecks-policy-reporter-secret-reader | core/secrets | get | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | netchecks-policy-reporter | policy-reporter | ghcr.io/kyverno/policy-reporter:2.18.1 |
🤖 netchecks-ui
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role netchecks-ui-secret-reader | core/secrets | get | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | netchecks-ui | ui | ghcr.io/kyverno/policy-reporter-ui:1.9.2 |