4 Service Accounts
5 Workloads
17 Bindings
3 Critical
2 High
12 Low
Description
A Helm chart for the nvidia-device-plugin on Kubernetes
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
nvidia-device-plugin-node-feature-discovery | default | ❌ | — | 9 | 1 | Critical |
nvidia-device-plugin-node-feature-discovery-gc | default | ❌ | — | 4 | 1 | Critical |
nvidia-device-plugin-node-feature-discovery-prune | default | ❌ | — | 2 | 1 | Critical |
nvidia-device-plugin-node-feature-discovery-worker | default | ❌ | — | 2 | 1 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 nvidia-device-plugin-node-feature-discovery
Namespace: default | Automount: ❌
🔑 Permissions (9)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole nvidia-device-plugin-node-feature-discovery | core/nodes | get · list · patch · update | Critical | DenialOfService NodeAccess PotentialPrivilegeEscalation Tampering |
ClusterRole nvidia-device-plugin-node-feature-discovery | core/nodes/status | get · list · patch · update | High | DenialOfService NodeManipulation SchedulingAbuse Tampering |
ClusterRole nvidia-device-plugin-node-feature-discovery | coordination.k8s.io/leases | create | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
ClusterRole nvidia-device-plugin-node-feature-discovery | nfd.k8s-sigs.io/nodefeaturegroups | get · list · watch | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery | nfd.k8s-sigs.io/nodefeaturegroups/status | patch · update | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery | nfd.k8s-sigs.io/nodefeaturerules | get · list · watch | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery | nfd.k8s-sigs.io/nodefeatures | get · list · watch | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery | coordination.k8s.io/leases (restricted to: nfd-master.nfd.kubernetes.io) | get · update | Low | ResourceNameRestricted |
⚠️ Potential Abuse (4)
The following security risks were found based on the above permissions:
- Modify node configuration (labels, taints)
- Patch node status cluster-wide
- List Namespaces (Cluster Reconnaissance)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nvidia-device-plugin-node-feature-discovery-master | master | registry.k8s.io/nfd/node-feature-discovery:v0.17.3 |
🤖 nvidia-device-plugin-node-feature-discovery-gc
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole nvidia-device-plugin-node-feature-discovery-gc | core/nodes/proxy | get | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
ClusterRole nvidia-device-plugin-node-feature-discovery-gc | nfd.k8s-sigs.io/nodefeatures | delete · list | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery-gc | topology.node.k8s.io/noderesourcetopologies | delete · list | Low | |
ClusterRole nvidia-device-plugin-node-feature-discovery-gc | core/nodes | list · watch | Low |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | nvidia-device-plugin-node-feature-discovery-gc | gc | registry.k8s.io/nfd/node-feature-discovery:v0.17.3 |
🤖 nvidia-device-plugin-node-feature-discovery-prune
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole nvidia-device-plugin-node-feature-discovery-prune | core/nodes | get · list · patch · update | Critical | DenialOfService NodeAccess PotentialPrivilegeEscalation Tampering |
ClusterRole nvidia-device-plugin-node-feature-discovery-prune | core/nodes/status | get · list · patch · update | High | DenialOfService NodeManipulation SchedulingAbuse Tampering |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Job | nvidia-device-plugin-node-feature-discovery-prune | nfd-master | registry.k8s.io/nfd/node-feature-discovery:v0.17.3 |
🤖 nvidia-device-plugin-node-feature-discovery-worker
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
Role nvidia-device-plugin-node-feature-discovery-worker | nfd.k8s-sigs.io/nodefeatures | create · delete · get · update | Low | |
Role nvidia-device-plugin-node-feature-discovery-worker | core/pods | get | Low |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | nvidia-device-plugin-node-feature-discovery-worker | worker | registry.k8s.io/nfd/node-feature-discovery:v0.17.3 |