2 Service Accounts
1 Workloads
12 Bindings
2 Critical
1 High
9 Low
Description
Real-time performance monitoring, done right!
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
netdata | default | ❌ | — | 12 | 3 | Critical |
netdata-opentelemetry-collector | default | ❌ | — | 0 | 0 | — |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 netdata
Namespace: default | Automount: ❌
🔑 Permissions (12)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole netdata | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole netdata | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
ClusterRole netdata | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole netdata | batch/cronjobs | get · list · watch | Low | |
ClusterRole netdata | apps/deployments | get · list · watch | Low | |
ClusterRole netdata | batch/jobs | get · list · watch | Low | |
ClusterRole netdata | core/namespaces | get | Low | |
ClusterRole netdata | core/nodes | get · list · watch | Low | |
ClusterRole netdata | core/nodes/metrics | get · list · watch | Low | |
ClusterRole netdata | core/pods | get · list · watch | Low | |
ClusterRole netdata | core/services | get · list · watch | Low | |
ClusterRole netdata-psp | policy/podsecuritypolicies (restricted to: netdata-psp) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Use privileged PodSecurityPolicy (deprecated)
- Node proxy GET RCE via WebSocket
📦 Workloads (3)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | netdata-child | netdata | netdata/netdata:v2.10.3 |
| Deployment | netdata-k8s-state | netdata | netdata/netdata:v2.10.3 |
| Deployment | netdata-parent | netdata | netdata/netdata:v2.10.3 |
🤖 netdata-opentelemetry-collector
Namespace: default | Automount: ❌
🔑 Permissions (0)
No explicit RBAC bindings.
📦 Workloads (0)
No workloads use this ServiceAccount.