1 Service Accounts
1 Workloads
24 Bindings
1 High
1 Medium
22 Low
Description
OpenCost and OpenCost UI
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| opencost | default | ✅ | — | 24 | 2 | High |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 opencost
Namespace: default | Automount: ✅
🔑 Permissions (24)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole opencost | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole opencost | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
| ClusterRole opencost | batch/cronjobs | get · list · watch | Low | |
| ClusterRole opencost | apps/daemonsets | list · watch | Low | |
| ClusterRole opencost | extensions/daemonsets | get · list · watch | Low | |
| ClusterRole opencost | apps/deployments | list · watch | Low | |
| ClusterRole opencost | core/deployments | get · list · watch | Low | |
| ClusterRole opencost | extensions/deployments | get · list · watch | Low | |
| ClusterRole opencost | core/endpoints | get · list · watch | Low | |
| ClusterRole opencost | autoscaling/horizontalpodautoscalers | get · list · watch | Low | |
| ClusterRole opencost | batch/jobs | get · list · watch | Low | |
| ClusterRole opencost | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
| ClusterRole opencost | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole opencost | core/nodes | get · list · watch | Low | |
| ClusterRole opencost | core/persistentvolumeclaims | get · list · watch | Low | |
| ClusterRole opencost | core/persistentvolumes | get · list · watch | Low | |
| ClusterRole opencost | policy/poddisruptionbudgets | get · list · watch | Low | |
| ClusterRole opencost | core/pods | get · list · watch | Low | |
| ClusterRole opencost | apps/replicasets | list · watch | Low | |
| ClusterRole opencost | extensions/replicasets | get · list · watch | Low | |
| ClusterRole opencost | core/replicationcontrollers | get · list · watch | Low | |
| ClusterRole opencost | core/services | get · list · watch | Low | |
| ClusterRole opencost | apps/statefulsets | list · watch | Low | |
| ClusterRole opencost | storage.k8s.io/storageclasses | get · list · watch | Low | |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- List Namespaces (Cluster Reconnaissance)
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (2)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | opencost | opencost | ghcr.io/opencost/opencost:1.120.0@sha256:c4fbe5f8fad2bc54872350460e705bf9ab43c90efa784a0cdf3a2a39a66b3b82 |
| Deployment | opencost | opencost-ui | ghcr.io/opencost/opencost-ui:1.120.0@sha256:2a2ed5d423402b1d3f104398971191618a91bfc293f53c704606bbbd39b2652c |