zfs-localpv :: RBAC ATLAS

Description

Helm chart for CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes. For instructions on how to use this helm chart, see - https://openebs.github.io/zfs-localpv/

https://github.com/openebs/zfs-localpv

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`openebs-zfs-controller-sa`	default	❌	—	18	5	Critical

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `openebs-zfs-controller-sa`

Namespace: default | Automount: ❌

🔑 Permissions (18)

Role	Resource	Verbs	Risk	Tags
ClusterRole `openebs-zfs-provisioner-role`	core/pods	get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution
ClusterRole `openebs-zfs-provisioner-role`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `openebs-zfs-provisioner-role`	core/namespaces	*	High	ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more)
ClusterRole `openebs-zfs-provisioner-role`	*/zfsbackups	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsnodes	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsrestores	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfssnapshots	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsvolumes	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `openebs-zfs-provisioner-role`	core/events	create · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/csistoragecapacities	*	Low	ClusterWideAccess InformationDisclosure Reconnaissance StorageDetailsDisclosure WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/nodes	get · list · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumeclaims	get · list · update · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumeclaims/status	patch · update	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/secrets	get · list	Low
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/storageclasses	get · list · watch	Low

⚠️ Potential Abuse (11)

The following security risks were found based on the above permissions:

📦 Workloads (5)

Kind	Name	Container	Image
StatefulSet	zfs-localpv-controller	csi-provisioner	registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
StatefulSet	zfs-localpv-controller	csi-resizer	registry.k8s.io/sig-storage/csi-resizer:v1.8.0
StatefulSet	zfs-localpv-controller	csi-snapshotter	registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2
StatefulSet	zfs-localpv-controller	openebs-zfs-plugin	openebs/zfs-driver:2.4.0
StatefulSet	zfs-localpv-controller	snapshot-controller	registry.k8s.io/sig-storage/snapshot-controller:v6.2.2

zfs-localpv