Description

Containerized Attached Storage for Kubernetes

Overview

Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk
openebs | default |  |  | 36 | 3 | Critical
openebs-cstor-csi-controller-sa | default |  |  | 36 | 6 | Critical
openebs-cstor-operator | default |  |  | 35 | 4 | Critical
openebs-grafana | default |  |  | 3 | 2 | Critical
openebs-jaeger-operator | default |  |  | 26 | 1 | Critical
openebs-jiva-csi-controller-sa | default |  |  | 36 | 5 | Critical
openebs-jiva-operator | default |  |  | 18 | 1 | Critical
openebs-localpv-provisioner | default |  |  | 13 | 3 | Critical
openebs-lvm-controller-sa | default |  |  | 26 | 5 | Critical
openebs-ndm | default |  |  | 8 | 10 | Critical
openebs-nfs-provisioner | default |  |  | 30 | 1 | Critical
openebs-zfs-controller-sa | default |  |  | 18 | 5 | Critical
openebs-cstor-csi-node-sa | default |  |  | 7 | 2 | High
openebs-jiva-csi-node-sa | default |  |  | 5 | 3 | High
openebs-prometheus-server | default |  |  | 12 | 2 | High
openebs-kube-state-metrics | default |  |  | 31 | 1 | Medium
openebs-lvm-node-sa | default |  |  | 7 | 2 | Medium
openebs-service-account | default |  |  | 21 or 2 | 2 or 12 (digits run together in the source as 212) | Medium
openebs-filebeat | default |  |  | 5 | 1 | Low
openebs-fluent-bit-loki | default |  |  | 2 | 1 | Low
openebs-grafana-test | default |  |  | 1 | 1 | Low
openebs-promtail | default |  |  | 5 | 1 | Low
openebs-loki | default |  |  | 0 | 1 |
openebs-nats | default |  |  | 0 | 3 |
openebs-prometheus-alertmanager | default |  |  | 0 | 1 |
openebs-prometheus-node-exporter | default |  |  | 0 | 1 |
openebs-prometheus-pushgateway | default |  |  | 0 | 1 |

The Permissions and Workloads columns count how many bindings and how many workloads, respectively, involve each ServiceAccount.


Identities

🤖 openebs

Namespace: default  |  Automount:

🔑 Permissions (36)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs | */configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole openebs | */cronjobs | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering
ClusterRole openebs | */daemonsets | * | Critical | ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs | */deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs | */endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more)
ClusterRole openebs | */jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering WildcardPermission (+1 more)
ClusterRole openebs | admissionregistration.k8s.io/mutatingwebhookconfigurations | create · delete · get · list · patch · update | Critical | DenialOfService PrivilegeEscalation Tampering WebhookManipulation
ClusterRole openebs | */nodes | * | Critical | ClusterWideAccess DenialOfService NodeAccess PotentialPrivilegeEscalation ResourceDeletion (+2 more)
ClusterRole openebs | */nodes/proxy | * | Critical | ClusterAdminAccess ClusterWideAccess CodeExecution DataExposure LateralMovement (+3 more)
ClusterRole openebs | */persistentvolumes | * | Critical | ClusterWideAccess DataExposure DataLoss DenialOfService StorageManipulation (+2 more)
ClusterRole openebs | */pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more)
ClusterRole openebs | */pods/exec | * | Critical | ClusterWideAccess ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement (+3 more)
ClusterRole openebs | */secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole openebs | */services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more)
ClusterRole openebs | */statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update | Critical | DenialOfService Tampering WebhookManipulation
ClusterRole openebs | cstor.openebs.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | openebs.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */certificatesigningrequests | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */deployments/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */horizontalpodautoscalers | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */ingresses | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */limitranges | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */namespaces | * | High | ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more)
ClusterRole openebs | */persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */poddisruptionbudgets | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */replicasets | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */replicationcontrollers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */resourcequotas | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */storageclasses | * | High | ClusterWideAccess DenialOfService StorageManipulation Tampering WildcardPermission
ClusterRole openebs | */verticalpodautoscalers | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission
ClusterRole openebs | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole openebs | volumesnapshot.external-storage.k8s.io/volumesnapshotdatas | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs | volumesnapshot.external-storage.k8s.io/volumesnapshots | create · delete · get · list · patch · update · watch | Low |

⚠️ Potential Abuse (41)

The following security risks were found based on the above permissions:

📦 Workloads (3)

Kind | Name | Container | Image
DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0
Deployment | openebs-localpv-provisioner | openebs-localpv-provisioner | openebs/provisioner-localpv:3.5.0
Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0

🤖 openebs-cstor-csi-controller-sa

Namespace: default  |  Automount:

🔑 Permissions (36)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-cstor-csi-provisioner-role | coordination.k8s.io/leases | * | Critical | ClusterWideAccess ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse (+2 more)
ClusterRole openebs-cstor-csi-provisioner-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole openebs-cstor-csi-provisioner-role | storage.k8s.io/volumeattachments | create · delete · get · list · patch · update · watch | Critical | DataExposure DenialOfService NodeAccess PotentialPrivilegeEscalation StorageManipulation (+1 more)
ClusterRole openebs-cstor-csi-provisioner-role | */cstorvolumeattachments | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-csi-provisioner-role | */cstorvolumeconfigs | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-csi-provisioner-role | */cstorvolumes | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-csi-attacher-role | storage.k8s.io/csinodes | get · list · update · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole openebs-cstor-csi-provisioner-role | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole openebs-cstor-csi-cluster-registrar-role | csi.storage.k8s.io/csidrivers | create · delete | Low |
ClusterRole openebs-cstor-csi-attacher-role | csi.storage.k8s.io/csinodeinfos | get · list · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/namespaces | get · list | Low |
ClusterRole openebs-cstor-csi-attacher-role | core/nodes | get · list · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/persistentvolumeclaims | get · list · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | core/persistentvolumeclaims | get · list · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/persistentvolumeclaims/status | patch · update | Low |
ClusterRole openebs-cstor-csi-attacher-role | core/persistentvolumes | get · list · update · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | core/persistentvolumes | get · list · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/pods | get · list · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | core/secrets | get · list | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | core/secrets | get · list | Low |
ClusterRole openebs-cstor-csi-provisioner-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-cstor-csi-attacher-role | storage.k8s.io/volumeattachments | get · list · update · watch | Low |
ClusterRole openebs-cstor-csi-attacher-role | storage.k8s.io/volumeattachments/status | patch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low |
ClusterRole openebs-cstor-csi-provisioner-role | snapshot.storage.k8s.io/volumesnapshotcontents | get · list | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low |
ClusterRole openebs-cstor-csi-provisioner-role | snapshot.storage.k8s.io/volumesnapshots | get · list | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · update · watch | Low |
ClusterRole openebs-cstor-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots/status | update | Low |

⚠️ Potential Abuse (8)

The following security risks were found based on the above permissions:

📦 Workloads (6)

Kind | Name | Container | Image
StatefulSet | openebs-cstor-csi-controller | csi-attacher | registry.k8s.io/sig-storage/csi-attacher:v4.3.0
StatefulSet | openebs-cstor-csi-controller | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
StatefulSet | openebs-cstor-csi-controller | csi-resizer | registry.k8s.io/sig-storage/csi-resizer:v1.8.0
StatefulSet | openebs-cstor-csi-controller | csi-snapshotter | registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2
StatefulSet | openebs-cstor-csi-controller | cstor-csi-plugin | openebs/cstor-csi-driver:3.6.0
StatefulSet | openebs-cstor-csi-controller | snapshot-controller | registry.k8s.io/sig-storage/snapshot-controller:v6.2.2

🤖 openebs-jiva-csi-controller-sa

Namespace: default  |  Automount:

🔑 Permissions (36)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-jiva-csi-provisioner-role | coordination.k8s.io/leases | * | Critical | ClusterWideAccess ControlPlaneDisruption CriticalNamespace DenialOfService LeaderElectionAbuse (+2 more)
ClusterRole openebs-jiva-csi-provisioner-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole openebs-jiva-csi-provisioner-role | storage.k8s.io/volumeattachments | create · delete · get · list · patch · update · watch | Critical | DataExposure DenialOfService NodeAccess PotentialPrivilegeEscalation StorageManipulation (+1 more)
ClusterRole openebs-jiva-csi-provisioner-role | */jivavolumeattachments | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-jiva-csi-provisioner-role | */jivavolumeconfigs | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-jiva-csi-provisioner-role | */jivavolumes | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-jiva-csi-attacher-role | storage.k8s.io/csinodes | get · list · update · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole openebs-jiva-csi-provisioner-role | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole openebs-jiva-csi-cluster-registrar-role | csi.storage.k8s.io/csidrivers | create · delete | Low |
ClusterRole openebs-jiva-csi-attacher-role | csi.storage.k8s.io/csinodeinfos | get · list · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/namespaces | get · list | Low |
ClusterRole openebs-jiva-csi-attacher-role | core/nodes | get · list · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/persistentvolumeclaims | get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | core/persistentvolumeclaims | get · list · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/persistentvolumeclaims/status | patch · update | Low |
ClusterRole openebs-jiva-csi-attacher-role | core/persistentvolumes | get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | core/persistentvolumes | get · list · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/pods | get · list · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | core/secrets | get · list | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | core/secrets | get · list | Low |
ClusterRole openebs-jiva-csi-provisioner-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-jiva-csi-attacher-role | storage.k8s.io/volumeattachments | get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-attacher-role | storage.k8s.io/volumeattachments/status | patch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low |
ClusterRole openebs-jiva-csi-provisioner-role | snapshot.storage.k8s.io/volumesnapshotcontents | get · list | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low |
ClusterRole openebs-jiva-csi-provisioner-role | snapshot.storage.k8s.io/volumesnapshots | get · list | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots | get · list · update · watch | Low |
ClusterRole openebs-jiva-csi-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots/status | update | Low |

⚠️ Potential Abuse (8)

The following security risks were found based on the above permissions:

📦 Workloads (5)

Kind | Name | Container | Image
StatefulSet | openebs-jiva-csi-controller | csi-attacher | registry.k8s.io/sig-storage/csi-attacher:v4.3.0
StatefulSet | openebs-jiva-csi-controller | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v3.5.0
StatefulSet | openebs-jiva-csi-controller | csi-resizer | registry.k8s.io/sig-storage/csi-resizer:v1.8.0
StatefulSet | openebs-jiva-csi-controller | jiva-csi-plugin | openebs/jiva-csi:3.6.0
StatefulSet | openebs-jiva-csi-controller | liveness-probe | registry.k8s.io/sig-storage/livenessprobe:v2.10.0

🤖 openebs-cstor-operator

Namespace: default  |  Automount:

🔑 Permissions (35)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-cstor-operator | */configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole openebs-cstor-operator | */cronjobs | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-cstor-operator | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering
ClusterRole openebs-cstor-operator | */daemonsets | * | Critical | ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-cstor-operator | */deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-cstor-operator | */endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more)
ClusterRole openebs-cstor-operator | */jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering WildcardPermission (+1 more)
ClusterRole openebs-cstor-operator | admissionregistration.k8s.io/mutatingwebhookconfigurations | create · delete · get · list · patch · update | Critical | DenialOfService PrivilegeEscalation Tampering WebhookManipulation
ClusterRole openebs-cstor-operator | */nodes | * | Critical | ClusterWideAccess DenialOfService NodeAccess PotentialPrivilegeEscalation ResourceDeletion (+2 more)
ClusterRole openebs-cstor-operator | */nodes/proxy | * | Critical | ClusterAdminAccess ClusterWideAccess CodeExecution DataExposure LateralMovement (+3 more)
ClusterRole openebs-cstor-operator | */persistentvolumes | * | Critical | ClusterWideAccess DataExposure DataLoss DenialOfService StorageManipulation (+2 more)
ClusterRole openebs-cstor-operator | */pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more)
ClusterRole openebs-cstor-operator | */secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole openebs-cstor-operator | */services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more)
ClusterRole openebs-cstor-operator | */statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-cstor-operator | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · list · patch · update | Critical | DenialOfService Tampering WebhookManipulation
ClusterRole openebs-cstor-operator | cstor.openebs.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | openebs.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */certificatesigningrequests | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */deployments/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */limitranges | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */migrationtasks | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */namespaces | * | High | ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more)
ClusterRole openebs-cstor-operator | */persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */poddisruptionbudgets | create · delete · get · list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */replicasets | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */replicationcontrollers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */resourcequotas | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */storageclasses | * | High | ClusterWideAccess DenialOfService StorageManipulation Tampering WildcardPermission
ClusterRole openebs-cstor-operator | */upgradetasks | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-cstor-operator | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission
ClusterRole openebs-cstor-operator | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole openebs-cstor-migration | snapshot.storage.k8s.io/volumesnapshotclasses | get · list | Low |
ClusterRole openebs-cstor-migration | snapshot.storage.k8s.io/volumesnapshotcontents | create · get · list | Low |
ClusterRole openebs-cstor-migration | snapshot.storage.k8s.io/volumesnapshots | create · get · list | Low |

⚠️ Potential Abuse (39)

The following security risks were found based on the above permissions:

📦 Workloads (4)

Kind | Name | Container | Image
Deployment | openebs-cstor-admission-server | openebs-cstor-admission-webhook | openebs/cstor-webhook:3.6.0
Deployment | openebs-cstor-cspc-operator | openebs-cstor-cspc-operator | openebs/cspc-operator:3.6.0
Deployment | openebs-cstor-cvc-operator | openebs-cstor-cvc-operator | openebs/cvc-operator:3.6.0
Job | openebs-cstor-webhook-cleanup | kubectl | bitnami/kubectl:1.20

🤖 openebs-nfs-provisioner

Namespace: default  |  Automount:

🔑 Permissions (30)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-nfs-provisioner | */configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole openebs-nfs-provisioner | */cronjobs | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-nfs-provisioner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering
ClusterRole openebs-nfs-provisioner | */daemonsets | * | Critical | ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-nfs-provisioner | */deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-nfs-provisioner | */endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more)
ClusterRole openebs-nfs-provisioner | */jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering WildcardPermission (+1 more)
ClusterRole openebs-nfs-provisioner | */nodes | * | Critical | ClusterWideAccess DenialOfService NodeAccess PotentialPrivilegeEscalation ResourceDeletion (+2 more)
ClusterRole openebs-nfs-provisioner | */nodes/proxy | * | Critical | ClusterAdminAccess ClusterWideAccess CodeExecution DataExposure LateralMovement (+3 more)
ClusterRole openebs-nfs-provisioner | */persistentvolumes | * | Critical | ClusterWideAccess DataExposure DataLoss DenialOfService StorageManipulation (+2 more)
ClusterRole openebs-nfs-provisioner | */pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more)
ClusterRole openebs-nfs-provisioner | */pods/exec | * | Critical | ClusterWideAccess ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement (+3 more)
ClusterRole openebs-nfs-provisioner | */secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole openebs-nfs-provisioner | */services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more)
ClusterRole openebs-nfs-provisioner | */statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole openebs-nfs-provisioner | openebs.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */certificatesigningrequests | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */deployments/finalizers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */horizontalpodautoscalers | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */ingresses | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */limitranges | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */namespaces | * | High | ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more)
ClusterRole openebs-nfs-provisioner | */persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */poddisruptionbudgets | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */replicasets | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */replicationcontrollers | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */resourcequotas | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */storageclasses | * | High | ClusterWideAccess DenialOfService StorageManipulation Tampering WildcardPermission
ClusterRole openebs-nfs-provisioner | */verticalpodautoscalers | list · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-nfs-provisioner | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission

⚠️ Potential Abuse (39)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Deployment | openebs-nfs-provisioner | openebs-nfs-provisioner | openebs/provisioner-nfs:0.11.0

🤖 openebs-jaeger-operator

Namespace: default  |  Automount:

🔑 Permissions (26)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-jaeger-operator | rbac.authorization.k8s.io/clusterrolebindings | create · delete · get · list · patch · update · watch | Critical | BindingToPrivilegedRole ClusterAdminAccess InformationDisclosure PrivilegeEscalation RBACManipulation (+2 more)
ClusterRole openebs-jaeger-operator | core/configmaps | create · delete · get · list · patch · update · watch | Critical | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole openebs-jaeger-operator | batch/cronjobs | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole openebs-jaeger-operator | apps/daemonsets | create · delete · get · list · patch · update · watch | Critical | NodeAccess Persistence PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole openebs-jaeger-operator | apps/deployments | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole openebs-jaeger-operator | batch/jobs | create · delete · get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole openebs-jaeger-operator | core/pods | create · delete · get · list · patch · update · watch | Critical | LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+1 more)
ClusterRole openebs-jaeger-operator | core/secrets | create · delete · get · list · patch · update · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure Persistence (+4 more)
ClusterRole openebs-jaeger-operator | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole openebs-jaeger-operator | apps/statefulsets | create · delete · get · list · patch · update · watch | Critical | Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadLifecycle
ClusterRole openebs-jaeger-operator | jaegertracing.io/* | create · delete · get · list · patch · update · watch | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-jaeger-operator | networking.k8s.io/ingresses | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole openebs-jaeger-operator | core/serviceaccounts | create · delete · get · list · patch · update · watch | High | IdentityManagement PotentialPrivilegeEscalation Tampering
ClusterRole openebs-jaeger-operator | console.openshift.io/consolelinks | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | apps/deployments/finalizers | update | Low |
ClusterRole openebs-jaeger-operator | logging.openshift.io/elasticsearches | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | autoscaling/horizontalpodautoscalers | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | extensions/ingresses | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | kafka.strimzi.io/kafkas | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | kafka.strimzi.io/kafkausers | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole openebs-jaeger-operator | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | apps/replicasets | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | route.openshift.io/routes | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | monitoring.coreos.com/servicemonitors | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-jaeger-operator | core/services/finalizers | create · delete · get · list · patch · update · watch | Low |

⚠️ Potential Abuse (32)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Deployment | openebs-jaeger-operator | openebs-jaeger-operator | jaegertracing/jaeger-operator:1.24.0

🤖 openebs-lvm-controller-sa

Namespace: default  |  Automount:

🔑 Permissions (26)

Role | Resource | Verbs | Risk | Tags
ClusterRole openebs-lvm-provisioner-role | core/pods | get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution
ClusterRole openebs-lvm-provisioner-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole openebs-lvm-provisioner-role | local.openebs.io/lvmnodes | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-lvm-provisioner-role | local.openebs.io/lvmsnapshots | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-lvm-provisioner-role | local.openebs.io/lvmvolumes | * | High | ClusterWideAccess WildcardPermission
ClusterRole openebs-lvm-provisioner-role | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole openebs-lvm-provisioner-role | storage.k8s.io/csistoragecapacities | * | Low | ClusterWideAccess InformationDisclosure Reconnaissance StorageDetailsDisclosure WildcardPermission
ClusterRole openebs-lvm-snapshotter-role | apiextensions.k8s.io/customresourcedefinitions | create · delete · list · watch | Low |
ClusterRole openebs-lvm-provisioner-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | core/events | create · list · patch · update · watch | Low |
ClusterRole openebs-lvm-provisioner-role | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole openebs-lvm-provisioner-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance
ClusterRole openebs-lvm-provisioner-role | core/nodes | get · list · watch | Low |
ClusterRole openebs-lvm-provisioner-role | core/persistentvolumeclaims | get · list · update · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | core/persistentvolumeclaims | get · list · watch | Low |
ClusterRole openebs-lvm-provisioner-role | core/persistentvolumeclaims/status | patch · update | Low |
ClusterRole openebs-lvm-provisioner-role | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | core/persistentvolumes | get · list · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | core/secrets | get · list | Low |
ClusterRole openebs-lvm-provisioner-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · patch · update · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low |
ClusterRole openebs-lvm-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · update · watch | Low |
ClusterRole openebs-lvm-snapshotter-role | snapshot.storage.k8s.io/volumesnapshots/status | update | Low |

⚠️ Potential Abuse (9)

The following security risks were found based on the above permissions:

📦 Workloads (5)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | openebs-lvm-localpv-controller | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 |
| StatefulSet | openebs-lvm-localpv-controller | csi-resizer | registry.k8s.io/sig-storage/csi-resizer:v1.8.0 |
| StatefulSet | openebs-lvm-localpv-controller | csi-snapshotter | registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 |
| StatefulSet | openebs-lvm-localpv-controller | openebs-lvm-plugin | openebs/lvm-driver:1.4.0 |
| StatefulSet | openebs-lvm-localpv-controller | snapshot-controller | registry.k8s.io/sig-storage/snapshot-controller:v6.2.2 |

🤖 openebs-jiva-operator

Namespace: default  |  Automount:

🔑 Permissions (18)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole jiva-operator | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole jiva-operator | apps/daemonsets | * | Critical | ClusterWideAccess NodeAccess Persistence PrivilegeEscalation Tampering (+2 more) |
| ClusterRole jiva-operator | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole jiva-operator | core/endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more) |
| ClusterRole jiva-operator | core/persistentvolumes | * | Critical | ClusterWideAccess DataExposure DataLoss DenialOfService StorageManipulation (+2 more) |
| ClusterRole jiva-operator | core/pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more) |
| ClusterRole jiva-operator | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more) |
| ClusterRole jiva-operator | core/services | * | Critical | ClusterWideAccess DenialOfService NetworkManipulation ServiceExposure Tampering (+1 more) |
| ClusterRole jiva-operator | apps/statefulsets | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole jiva-operator | openebs.io/* | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole jiva-operator | core/persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole jiva-operator | apps/replicasets | * · get | High | ClusterWideAccess WildcardPermission |
| ClusterRole jiva-operator | core/services/finalizers | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole jiva-operator | core/events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission |
| ClusterRole jiva-operator | policy/poddisruptionbudgets | * | Medium | AvailabilityImpact ClusterWideAccess DenialOfService Tampering WildcardPermission |
| ClusterRole jiva-operator | apps/deployments/finalizers | update | Low | |
| ClusterRole jiva-operator | core/nodes | get · list · watch | Low | |
| ClusterRole jiva-operator | monitoring.coreos.com/servicemonitors | create · get | Low | |
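The Risk and Tags columns above are the report tool's classification of each rule. The script below is an added example, not code from the report or from OpenEBS, showing one way to reproduce such a triage from a ClusterRole in the shape `kubectl get clusterrole <name> -o json` returns. Its tier model is a simplified reading of the report's Risk column and is stricter in places (any read access to `secrets` is rated Critical, and `patch` on `nodes` counts as a write); the `CONSTRUCTED_CLUSTERROLE` is sample input built to mirror the jiva-operator rows listed above, not the project's manifest, and `rbac_triage.py` is an assumed file name.

```python
"""Triage ClusterRole rules into the risk tiers used in this report.

Added example; not part of the report or of OpenEBS. The tier model in
classify() is a simplified reading of the report's Risk column. The
CONSTRUCTED_CLUSTERROLE is sample input built to mirror the jiva-operator
rows above; it is not the ClusterRole shipped by the project.
"""
import json
import sys

ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Write access here hands the holder code execution (workload controllers, pods,
# configmaps mounted into pods), credentials, or control of cluster-wide traffic,
# storage, nodes and API types. Value is the tag attached to the finding.
CRITICAL_IF_WRITABLE = {
    "pods": "WorkloadExecution", "deployments": "WorkloadExecution",
    "daemonsets": "WorkloadExecution", "statefulsets": "WorkloadExecution",
    "cronjobs": "WorkloadExecution", "jobs": "WorkloadExecution",
    "configmaps": "ConfigMapAccess", "secrets": "CredentialAccess",
    "services": "NetworkManipulation", "endpoints": "NetworkManipulation",
    "persistentvolumes": "StorageManipulation", "nodes": "NodeAccess",
    "customresourcedefinitions": "CRDManipulation",
}
# Even wildcard access here is mostly reconnaissance or availability value.
MEDIUM_RESOURCES = {"events", "csinodes", "poddisruptionbudgets",
                    "mutatingwebhookconfigurations", "validatingwebhookconfigurations"}

# Constructed sample: the 18 jiva-operator rows of the report, in kubectl JSON shape.
CONSTRUCTED_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "jiva-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "endpoints", "persistentvolumes", "pods",
                                          "secrets", "services", "persistentvolumeclaims", "events",
                                          "services/finalizers"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "statefulsets"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["*", "get"]},
        {"apiGroups": ["apps"], "resources": ["deployments/finalizers"], "verbs": ["update"]},
        {"apiGroups": ["openebs.io"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"], "verbs": ["create", "get"]},
    ],
}


def effective_verbs(verbs):
    """Expand a wildcard; a redundant list such as ['*', 'get'] collapses to everything."""
    return set(ALL_VERBS) if "*" in verbs else set(verbs) & ALL_VERBS


def classify(resource, verbs):
    """Return (risk, tags) for one resource name and its verb list."""
    wildcard = "*" in verbs
    eff = effective_verbs(verbs)
    tags = ["WildcardPermission"] if wildcard else []
    if resource in CRITICAL_IF_WRITABLE and eff & WRITE_VERBS:
        tags.append(CRITICAL_IF_WRITABLE[resource])
        return "Critical", tags
    if resource == "secrets":
        # get/list/watch on secrets return their contents, so read-only access
        # through a ClusterRole is still cluster-wide credential theft.
        tags.append("CredentialAccess")
        return "Critical", tags
    if resource in MEDIUM_RESOURCES:
        tags.append("Reconnaissance")
        return "Medium", tags
    if wildcard:
        return "High", tags
    return "Low", tags


def triage(clusterrole):
    """Flatten a ClusterRole into one finding per apiGroup/resource pair."""
    name = clusterrole["metadata"]["name"]
    findings = []
    for rule in clusterrole.get("rules", []):
        verbs = rule.get("verbs", [])
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                risk, tags = classify(resource, verbs)
                findings.append({"role": name, "resource": f"{group or 'core'}/{resource}",
                                 "verbs": " · ".join(sorted(verbs)), "risk": risk, "tags": tags})
    return findings


def summarize(findings):
    """Count findings per tier."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for finding in findings:
        counts[finding["risk"]] += 1
    return counts


if __name__ == "__main__":
    # `python3 rbac_triage.py -` reads a ClusterRole JSON document from stdin;
    # with no argument it triages the constructed sample.
    role = json.load(sys.stdin) if sys.argv[1:] == ["-"] else CONSTRUCTED_CLUSTERROLE
    results = triage(role)
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    for f in sorted(results, key=lambda f: order[f["risk"]]):
        print(f"{f['risk']:<9}{f['resource']:<46}{f['verbs']:<56}{' '.join(f['tags'])}")
    print(summarize(results))
```

Against a live cluster: `kubectl get clusterrole jiva-operator -o json | python3 rbac_triage.py -`. Two caveats when reading the output, or the tables on this page: a ClusterRole only grants cluster-wide access when it is bound through a ClusterRoleBinding (bound through a RoleBinding it is namespace-scoped), so confirm the binding kind before treating a row as cluster-wide; and a finding is worth cross-checking by impersonation, e.g. `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:default:openebs-jiva-operator`. Because `list` and `watch` on `core/secrets` return the secrets' contents, this model also rates the read-only `list · watch` that the openebs-kube-state-metrics entry further down this page carries as Low at Critical.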

⚠️ Potential Abuse (27)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-jiva-operator | openebs-jiva-operator | openebs/jiva-operator:3.6.0 |

🤖 openebs-zfs-controller-sa

Namespace: default  |  Automount:

🔑 Permissions (18)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-zfs-provisioner-role | core/pods | get · list · patch · update · watch | Critical | PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution |
| ClusterRole openebs-zfs-provisioner-role | core/services | create · delete · get · list · patch · update · watch | Critical | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole openebs-zfs-provisioner-role | core/namespaces | * | High | ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more) |
| ClusterRole openebs-zfs-provisioner-role | */zfsbackups | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | */zfsnodes | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | */zfsrestores | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | */zfssnapshots | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | */zfsvolumes | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure |
| ClusterRole openebs-zfs-provisioner-role | storage.k8s.io/csistoragecapacities | * | Low | ClusterWideAccess InformationDisclosure Reconnaissance StorageDetailsDisclosure WildcardPermission |
| ClusterRole openebs-zfs-provisioner-role | core/events | create · list · patch · update · watch | Low | |
| ClusterRole openebs-zfs-provisioner-role | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole openebs-zfs-provisioner-role | core/nodes | get · list · watch | Low | |
| ClusterRole openebs-zfs-provisioner-role | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole openebs-zfs-provisioner-role | core/persistentvolumeclaims/status | patch · update | Low | |
| ClusterRole openebs-zfs-provisioner-role | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole openebs-zfs-provisioner-role | core/secrets | get · list | Low | |
| ClusterRole openebs-zfs-provisioner-role | storage.k8s.io/storageclasses | get · list · watch | Low | |

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

📦 Workloads (5)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | openebs-zfs-localpv-controller | csi-provisioner | registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 |
| StatefulSet | openebs-zfs-localpv-controller | csi-resizer | registry.k8s.io/sig-storage/csi-resizer:v1.8.0 |
| StatefulSet | openebs-zfs-localpv-controller | csi-snapshotter | registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 |
| StatefulSet | openebs-zfs-localpv-controller | openebs-zfs-plugin | openebs/zfs-driver:2.4.0 |
| StatefulSet | openebs-zfs-localpv-controller | snapshot-controller | registry.k8s.io/sig-storage/snapshot-controller:v6.2.2 |

🤖 openebs-localpv-provisioner

Namespace: default  |  Automount:

🔑 Permissions (13)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-localpv-provisioner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · patch · update | Critical | CRDManipulation PotentialPrivilegeEscalation Tampering |
| ClusterRole openebs-localpv-provisioner | */endpoints | * | Critical | ClusterWideAccess DenialOfService ManInTheMiddle NetworkManipulation Tampering (+2 more) |
| ClusterRole openebs-localpv-provisioner | */persistentvolumes | * | Critical | ClusterWideAccess DataExposure DataLoss DenialOfService StorageManipulation (+2 more) |
| ClusterRole openebs-localpv-provisioner | */pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more) |
| ClusterRole openebs-localpv-provisioner | openebs.io/* | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */limitranges | list · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */namespaces | * | High | ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more) |
| ClusterRole openebs-localpv-provisioner | */nodes | get · list · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */persistentvolumeclaims | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */resourcequotas | list · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */storageclasses | * | High | ClusterWideAccess DenialOfService StorageManipulation Tampering WildcardPermission |
| ClusterRole openebs-localpv-provisioner | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission |
| ClusterRole openebs-localpv-provisioner | coordination.k8s.io/leases | create · get · update | Low | |

⚠️ Potential Abuse (14)

The following security risks were found based on the above permissions:

📦 Workloads (3)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-localpv-provisioner | openebs-localpv-provisioner | openebs/provisioner-localpv:3.5.0 |
| Deployment | openebs-localpv-provisioner | openebs-localpv-provisioner | openebs/provisioner-localpv:3.5.0 |
| Deployment | openebs-localpv-provisioner | openebs-localpv-provisioner | openebs/provisioner-localpv:3.5.0 |

🤖 openebs-ndm

Namespace: default  |  Automount:

🔑 Permissions (8)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-ndm | */configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole openebs-ndm | apiextensions.k8s.io/customresourcedefinitions | * | Critical | CRDManipulation ClusterWideAccess PotentialPrivilegeEscalation Tampering WildcardPermission |
| ClusterRole openebs-ndm | */jobs | * | Critical | ClusterWideAccess PotentialPrivilegeEscalation PrivilegeEscalation Tampering WildcardPermission (+1 more) |
| ClusterRole openebs-ndm | */nodes | * | Critical | ClusterWideAccess DenialOfService NodeAccess PotentialPrivilegeEscalation ResourceDeletion (+2 more) |
| ClusterRole openebs-ndm | */pods | * | Critical | ClusterWideAccess LateralMovement Persistence PotentialPrivilegeEscalation PrivilegeEscalation (+3 more) |
| ClusterRole openebs-ndm | openebs.io/blockdeviceclaims | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-ndm | openebs.io/blockdevices | * | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-ndm | */events | * | Medium | ClusterWideAccess InformationDisclosure OperationalData Reconnaissance WildcardPermission |

⚠️ Potential Abuse (15)

The following security risks were found based on the above permissions:

📦 Workloads (10)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0 |
| DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0 |
| DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0 |
| DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0 |
| DaemonSet | openebs-ndm | openebs-ndm | openebs/node-disk-manager:2.1.0 |
| Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0 |
| Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0 |
| Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0 |
| Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0 |
| Deployment | openebs-ndm-operator | openebs-ndm-operator | openebs/node-disk-operator:2.1.0 |

🤖 openebs-grafana

Namespace: default  |  Automount:

🔑 Permissions (3)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-grafana-clusterrole | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole openebs-grafana-clusterrole | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role openebs-grafana | extensions/podsecuritypolicies | use | Low | |

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-grafana | grafana | grafana/grafana:8.3.5 |
| Deployment | openebs-grafana | grafana-sc-datasources | quay.io/kiwigrid/k8s-sidecar:1.15.6 |

🤖 openebs-prometheus-server

Namespace: default  |  Automount:

🔑 Permissions (12)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-prometheus-server | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole openebs-prometheus-server | core/endpoints | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/ingresses | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | extensions/ingresses | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | networking.k8s.io/ingresses | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | extensions/ingresses/status | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | networking.k8s.io/ingresses/status | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/nodes | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/nodes/metrics | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/nodes/proxy | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/pods | get · list · watch | Low | |
| ClusterRole openebs-prometheus-server | core/services | get · list · watch | Low | |

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-prometheus-server | prometheus-server | quay.io/prometheus/prometheus:v2.34.0 |
| Deployment | openebs-prometheus-server | prometheus-server-configmap-reload | jimmidyson/configmap-reload:v0.5.0 |

🤖 openebs-cstor-csi-node-sa

Namespace: default  |  Automount:

🔑 Permissions (7)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-cstor-csi-registrar-role | */cstorvolumeattachments | create · delete · get · list · patch · update · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-cstor-csi-registrar-role | */cstorvolumeconfigs | create · delete · get · list · patch · update · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-cstor-csi-registrar-role | */cstorvolumes | create · delete · get · list · patch · update · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-cstor-csi-registrar-role | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole openebs-cstor-csi-registrar-role | core/nodes | get · list · patch | Low | |
| ClusterRole openebs-cstor-csi-registrar-role | core/persistentvolumes | get · list · patch | Low | |
| ClusterRole openebs-cstor-csi-registrar-role | core/services | get · list · patch | Low | |

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-cstor-csi-node | csi-node-driver-registrar | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 |
| DaemonSet | openebs-cstor-csi-node | cstor-csi-plugin | openebs/cstor-csi-driver:3.6.0 |

🤖 openebs-jiva-csi-node-sa

Namespace: default  |  Automount:

🔑 Permissions (5)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-jiva-csi-registrar-role | */jivavolumes | create · delete · get · list · patch · update · watch | High | ClusterWideAccess WildcardPermission |
| ClusterRole openebs-jiva-csi-registrar-role | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole openebs-jiva-csi-registrar-role | core/nodes | get · list · patch | Low | |
| ClusterRole openebs-jiva-csi-registrar-role | core/persistentvolumes | get · list · patch | Low | |
| ClusterRole openebs-jiva-csi-registrar-role | core/services | get · list · patch | Low | |

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (3)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-jiva-csi-node | csi-node-driver-registrar | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 |
| DaemonSet | openebs-jiva-csi-node | jiva-csi-plugin | openebs/jiva-csi:3.6.0 |
| DaemonSet | openebs-jiva-csi-node | liveness-probe | registry.k8s.io/sig-storage/livenessprobe:v2.10.0 |

🤖 openebs-kube-state-metrics

Namespace: default  |  Automount:

🔑 Permissions (31)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-kube-state-metrics | admissionregistration.k8s.io/mutatingwebhookconfigurations | list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| ClusterRole openebs-kube-state-metrics | admissionregistration.k8s.io/validatingwebhookconfigurations | list · watch | Medium | InformationDisclosure Reconnaissance WebhookReconnaissance |
| ClusterRole openebs-kube-state-metrics | certificates.k8s.io/certificatesigningrequests | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/configmaps | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | batch/cronjobs | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | apps/daemonsets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | extensions/daemonsets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | apps/deployments | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | extensions/deployments | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/endpoints | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | autoscaling/horizontalpodautoscalers | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | extensions/ingresses | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | networking.k8s.io/ingresses | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | batch/jobs | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/limitranges | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/namespaces | list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole openebs-kube-state-metrics | networking.k8s.io/networkpolicies | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/nodes | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/persistentvolumeclaims | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/persistentvolumes | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | policy/poddisruptionbudgets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/pods | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | apps/replicasets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | extensions/replicasets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/replicationcontrollers | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/resourcequotas | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/secrets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | core/services | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | apps/statefulsets | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | storage.k8s.io/storageclasses | list · watch | Low | |
| ClusterRole openebs-kube-state-metrics | storage.k8s.io/volumeattachments | list · watch | Low | |

⚠️ Potential Abuse (4)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-kube-state-metrics | kube-state-metrics | k8s.gcr.io/kube-state-metrics/kube-state-metrics:v2.3.0 |

🤖 openebs-service-account

Namespace: default  |  Automount:

🔑 Permissions (21)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-cluster-role | storage.k8s.io/csinodes | get · list · watch | Medium | InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure |
| ClusterRole openebs-cluster-role | core/configmaps | create · get · patch · update | Low | |
| ClusterRole openebs-cluster-role | apiextensions.k8s.io/customresourcedefinitions | create · get · list · patch · replace · update | Low | |
| ClusterRole openebs-cluster-role | apiextensions.k8s.io/customresourcedefinitions/status | get · patch · update | Low | |
| ClusterRole openebs-cluster-role | apps/deployments | get · list | Low | |
| ClusterRole openebs-cluster-role | openebs.io/diskpools | create · get · list · patch · replace · update · watch | Low | |
| ClusterRole openebs-cluster-role | openebs.io/diskpools/status | patch · update | Low | |
| ClusterRole openebs-cluster-role | core/events | create · list · patch · update · watch | Low | |
| ClusterRole openebs-cluster-role | openebs.io/mayastorpools | delete · deletecollection · get · list · patch | Low | |
| ClusterRole openebs-cluster-role | core/namespaces | get | Low | |
| ClusterRole openebs-cluster-role | core/nodes | get · list · patch · watch | Low | |
| ClusterRole openebs-cluster-role | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole openebs-cluster-role | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole openebs-cluster-role | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole openebs-cluster-role | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low | |
| ClusterRole openebs-cluster-role | storage.k8s.io/volumeattachments/status | patch | Low | |
| ClusterRole openebs-cluster-role | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low | |
| ClusterRole openebs-cluster-role | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole openebs-cluster-role | snapshot.storage.k8s.io/volumesnapshotcontents/status | patch · update | Low | |
| ClusterRole openebs-cluster-role | snapshot.storage.k8s.io/volumesnapshots | delete · get · list · patch · update · watch | Low | |
| ClusterRole openebs-cluster-role | snapshot.storage.k8s.io/volumesnapshots/status | patch · update | Low | |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-obs-callhome | obs-callhome | docker.io/openebs/mayastor-obs-callhome:v2.5.0 |
| Deployment | openebs-obs-callhome | obs-callhome-stats | docker.io/openebs/mayastor-obs-callhome-stats:v2.5.0 |

🤖 openebs-lvm-node-sa

Namespace: default  |  Automount:

🔑 Permissions (7)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-lvm-driver-registrar-role | core/events | create · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole openebs-lvm-driver-registrar-role | local.openebs.io/lvmnodes | create · get · list · patch · update · watch | Low | |
| ClusterRole openebs-lvm-driver-registrar-role | local.openebs.io/lvmsnapshots | create · get · list · patch · update · watch | Low | |
| ClusterRole openebs-lvm-driver-registrar-role | local.openebs.io/lvmvolumes | create · get · list · patch · update · watch | Low | |
| ClusterRole openebs-lvm-driver-registrar-role | core/nodes | get · list | Low | |
| ClusterRole openebs-lvm-driver-registrar-role | core/persistentvolumes | get · list | Low | |
| ClusterRole openebs-lvm-driver-registrar-role | core/services | get · list | Low | |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-lvm-localpv-node | csi-node-driver-registrar | registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 |
| DaemonSet | openebs-lvm-localpv-node | openebs-lvm-plugin | openebs/lvm-driver:1.4.0 |

🤖 openebs-filebeat

Namespace: default  |  Automount:

🔑 Permissions (5)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role openebs-filebeat-role | coordination.k8s.io/leases | create · get · update | Low | |
| ClusterRole openebs-filebeat-cluster-role | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole openebs-filebeat-cluster-role | core/nodes | get · list · watch | Low | |
| ClusterRole openebs-filebeat-cluster-role | core/pods | get · list · watch | Low | |
| ClusterRole openebs-filebeat-cluster-role | apps/replicasets | get · list · watch | Low | |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-filebeat | filebeat | docker.elastic.co/beats/filebeat:7.17.1 |

🤖 openebs-promtail

Namespace: default  |  Automount:

🔑 Permissions (5)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-promtail | core/endpoints | get · list · watch | Low | |
| ClusterRole openebs-promtail | core/nodes | get · list · watch | Low | |
| ClusterRole openebs-promtail | core/nodes/proxy | get · list · watch | Low | |
| ClusterRole openebs-promtail | core/pods | get · list · watch | Low | |
| ClusterRole openebs-promtail | core/services | get · list · watch | Low | |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-promtail | promtail | docker.io/grafana/promtail:2.4.2 |

🤖 openebs-fluent-bit-loki

Namespace: default  |  Automount:

🔑 Permissions (2)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole openebs-fluent-bit-loki-clusterrole | core/namespaces | get · list · watch | Low | ClusterStructure InformationDisclosure Reconnaissance |
| ClusterRole openebs-fluent-bit-loki-clusterrole | core/pods | get · list · watch | Low | |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-fluent-bit-loki | fluent-bit-loki | grafana/fluent-bit-plugin-loki:2.1.0-amd64 |

🤖 openebs-grafana-test

Namespace: default  |  Automount:

🔑 Permissions (1)

| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role openebs-grafana-test | policy/podsecuritypolicies | use | Low | |

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Pod | openebs-grafana-test | openebs-test | bats/bats:v1.4.1 |

🤖 openebs-loki

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | openebs-loki | loki | grafana/loki:2.5.0 |

🤖 openebs-nats

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (3)

| Kind | Name | Container | Image |
|---|---|---|---|
| StatefulSet | openebs-nats | metrics | natsio/prometheus-nats-exporter:0.11.0 |
| StatefulSet | openebs-nats | nats | nats:2.9.17-alpine |
| StatefulSet | openebs-nats | reloader | natsio/nats-server-config-reloader:0.10.1 |

🤖 openebs-prometheus-alertmanager

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (2)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-prometheus-alertmanager | prometheus-alertmanager | quay.io/prometheus/alertmanager:v0.23.0 |
| Deployment | openebs-prometheus-alertmanager | prometheus-alertmanager-configmap-reload | jimmidyson/configmap-reload:v0.5.0 |

🤖 openebs-prometheus-node-exporter

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| DaemonSet | openebs-prometheus-node-exporter | prometheus-node-exporter | quay.io/prometheus/node-exporter:v1.3.0 |

🤖 openebs-prometheus-pushgateway

Namespace: default  |  Automount:

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (1)

| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | openebs-prometheus-pushgateway | prometheus-pushgateway | prom/pushgateway:v1.4.2 |
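The five identities above (openebs-loki, openebs-nats, openebs-prometheus-alertmanager, openebs-prometheus-node-exporter, openebs-prometheus-pushgateway) carry no RBAC bindings, yet their Automount value is blank in this extraction, and the Kubernetes default is to project a token into every pod that uses the account. A token that grants nothing is still a bearer credential that a compromised container can present to the API server, and it acquires whatever rights a later binding hands the account. The manifest below is an added example, not from the report or from OpenEBS, showing the account as the default leaves it beside the hardened form; the `app: loki` label and the trimmed StatefulSet spec are assumed for illustration, the names, namespace and image come from the report. Apply only one of the two ServiceAccount documents.

```yaml
# Before: no bindings, but every pod that uses this account still gets a projected
# token for system:serviceaccount:default:openebs-loki mounted at
# /var/run/secrets/kubernetes.io/serviceaccount (automountServiceAccountToken
# is unset, so the default of true applies).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openebs-loki
  namespace: default
---
# After: the token is never mounted, so a container compromise yields no API
# credential, and a binding added later cannot be used from the pod either.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openebs-loki
  namespace: default
automountServiceAccountToken: false
---
# Equivalent pod-level control for charts that do not expose the ServiceAccount
# field; the pod setting takes precedence over the account setting.
# The selector label and the trimmed spec are assumed for this example.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: openebs-loki
  namespace: default
spec:
  serviceName: openebs-loki
  selector:
    matchLabels:
      app: loki
  template:
    metadata:
      labels:
        app: loki
    spec:
      serviceAccountName: openebs-loki
      automountServiceAccountToken: false
      containers:
        - name: loki
          image: grafana/loki:2.5.0
```

To fill in the blank Automount column for any identity on this page, read the field directly: `kubectl get sa openebs-loki -n default -o jsonpath='{.automountServiceAccountToken}'` prints nothing when the field is unset, which means the default of `true` is in effect. The same setting is worth applying to the low-privilege identities that do have bindings (the promtail, filebeat and fluent-bit collectors) on any pod that does not actually call the API, since a collector that only reads files from the host does not need the token to do its job.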