resource-binding-operator

Description

bind a resource to a resource

• https://gitlab.com/bitspur/rock8s/resource-binding-operator.git

Overview

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 resource-binding-operator

Namespace: default  |  Automount: ❌

🔑 Permissions (9)

⚠️ Potential Abuse (26)

The following security risks were found based on the above permissions:

• Read secrets cluster-wide
• Read secrets in a namespace
• Read pod logs cluster-wide
• Read pod logs in a namespace
• Read ConfigMaps cluster-wide
• Read ConfigMaps in a namespace
• Modify ConfigMaps cluster-wide
• Modify ConfigMaps in a namespace
• Create TokenReviews (validate arbitrary tokens)
• Create SubjectAccessReviews (check arbitrary permissions)
• Read events cluster-wide
• Read RBAC configuration cluster-wide
• Manage Leases cluster-wide
• Manage Leases in kube-system or kube-node-lease namespace
• List Namespaces (Cluster Reconnaissance)
• List ValidatingWebhookConfigurations (Reconnaissance)
• List MutatingWebhookConfigurations (Reconnaissance)
• Read LimitRanges (Namespace Information Disclosure)
• Read ResourceQuotas (Namespace Information Disclosure)
• Read All ResourceQuotas (Cluster-wide Information Disclosure)
• Read ComponentStatuses (Control Plane Reconnaissance)
• Read CSINode Objects (Node & Storage Reconnaissance)
• Read CSIStorageCapacities (Namespace Storage Reconnaissance)
• Watch All Resources in a Namespace (Broad Information Disclosure)

📦 Workloads (1)