rook-ceph :: RBAC ATLAS

Description

File, Block, and Object Storage Services for your Cloud-Native Environment

https://github.com/rook/rook

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`rook-ceph-system`	default	❌	—	116	1	Critical
`rook-csi-rbd-provisioner-sa`	default	❌	—	24	0	Critical
`rook-ceph-cmd-reporter`	default	❌	—	2	0	High
`rook-ceph-mgr`	default	❌	—	30	0	High
`rook-ceph-osd`	default	❌	—	5	0	Medium
`rook-csi-cephfs-provisioner-sa`	default	❌	—	22	0	Medium
`rook-csi-rbd-plugin-sa`	default	❌	—	8	0	Medium
`objectstorage-provisioner`	default	❌	—	11	0	Low
`rook-ceph-purge-osd`	default	❌	—	4	0	Low
`rook-csi-cephfs-plugin-sa`	default	❌	—	5	0	Low
`rook-ceph-default`	default	❌	—	0	0	—
`rook-ceph-rgw`	default	❌	—	0	0	—

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `rook-ceph-system`

Namespace: default | Automount: ❌

🔑 Permissions (116)

Role	Resource	Verbs	Risk	Tags
ClusterRole `rook-ceph-global`	core/endpoints	create · delete · get · list · patch · update · watch	Critical	DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole `rook-ceph-global`	discovery.k8s.io/endpoints	create · delete · get · list · patch · update · watch	Critical	DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole `rook-ceph-global`	core/endpointslices	create · delete · get · list · patch · update · watch	Critical	DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole `rook-ceph-global`	discovery.k8s.io/endpointslices	create · delete · get · list · patch · update · watch	Critical	DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole `rook-ceph-system`	core/pods/exec	create	Critical	ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole `rook-ceph-global`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `rook-ceph-global`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `rook-ceph-global`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
Role `rook-ceph-system`	core/configmaps	create · delete · get · list · patch · update · watch	High	ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
Role `rook-ceph-system`	core/pods	create · delete · get · list · patch · update · watch	High	LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution
ClusterRole `rook-ceph-system`	core/pods/log	get · list	High	ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
Role `rook-ceph-system`	core/services	create · delete · get · list · patch · update · watch	High	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `rook-ceph-global`	core/events	create · delete · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpoolradosnamespaces	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpoolradosnamespaces/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpoolradosnamespaces/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpools	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpools/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephblockpools/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbucketnotifications	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbucketnotifications/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbucketnotifications/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbuckettopics	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbuckettopics/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephbuckettopics/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclients	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclients/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclients/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclusters	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclusters/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephclusters/status	update	Low
ClusterRole `rook-ceph-system`	csi.ceph.io/cephconnections	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephcosidrivers	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemmirrors	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemmirrors/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemmirrors/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystems	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystems/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystems/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemsubvolumegroups	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemsubvolumegroups/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephfilesystemsubvolumegroups/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephnfses	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephnfses/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephnfses/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectrealms	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectrealms/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectrealms/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstores	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstores/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstores/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstoreusers	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstoreusers/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectstoreusers/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzonegroups	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzonegroups/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzonegroups/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzones	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzones/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephobjectzones/status	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephrbdmirrors	get · list · update · watch	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephrbdmirrors/finalizers	update	Low
ClusterRole `rook-ceph-global`	ceph.rook.io/cephrbdmirrors/status	update	Low
Role `rook-ceph-system`	cert-manager.io/certificates	create · delete · get	Low
ClusterRole `rook-ceph-system`	csi.ceph.io/clientprofiles	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-object-bucket`	core/configmaps	create · delete · get · update	Low
ClusterRole `rook-ceph-global`	batch/cronjobs	create · delete · deletecollection · get · list · update · watch	Low
Role `rook-ceph-system`	batch/cronjobs	delete	Low
ClusterRole `rook-ceph-global`	storage.k8s.io/csidrivers	create · delete · get · update	Low
ClusterRole `rook-ceph-system`	apiextensions.k8s.io/customresourcedefinitions	get	Low
Role `rook-ceph-system`	apps/daemonsets	create · delete · deletecollection · get · list · update · watch	Low
Role `rook-ceph-system`	extensions/daemonsets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	apps/deployments	create · delete · deletecollection · get · list · update · watch	Low
Role `rook-ceph-system`	apps/deployments	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	extensions/deployments	create · delete · deletecollection · get · list · update · watch	Low
Role `rook-ceph-system`	extensions/deployments	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	policy/deployments	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	apps/deployments/finalizers	update	Low
ClusterRole `rook-ceph-system`	csi.ceph.io/drivers	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	core/endpointslices/restricted	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	discovery.k8s.io/endpointslices/restricted	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	discovery.k8s.io/events	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-system`	cert-manager.io/issuers	create · delete · get	Low
ClusterRole `rook-ceph-global`	batch/jobs	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	healthchecking.openshift.io/machinedisruptionbudgets	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	machine.openshift.io/machines	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	k8s.cni.cncf.io/network-attachment-definitions	get	Low
ClusterRole `rook-ceph-system`	csiaddons.openshift.io/networkfences	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	core/nodes	get · list · watch	Low
ClusterRole `rook-ceph-global`	core/nodes/proxy	get · list · watch	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbucketclaims	get · list · update · watch	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbucketclaims/finalizers	update	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbucketclaims/status	update	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbuckets	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbuckets/finalizers	update	Low
ClusterRole `rook-ceph-object-bucket`	objectbucket.io/objectbuckets/status	update	Low
ClusterRole `rook-ceph-system`	csi.ceph.io/operatorconfigs	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	core/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	discovery.k8s.io/persistentvolumeclaims	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	core/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	discovery.k8s.io/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `rook-ceph-global`	apps/poddisruptionbudgets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	extensions/poddisruptionbudgets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	policy/poddisruptionbudgets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	core/pods	get · list · watch	Low
ClusterRole `rook-ceph-system`	core/pods	get · list	Low
ClusterRole `rook-ceph-global`	apps/replicasets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	extensions/replicasets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	policy/replicasets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-object-bucket`	core/secrets	create · delete · get · update	Low
Role `rook-ceph-system`	multicluster.x-k8s.io/serviceexports	create · get	Low
ClusterRole `rook-ceph-global`	discovery.k8s.io/services	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-system`	apps/statefulsets	create · delete · deletecollection · get · list · update · watch	Low
Role `rook-ceph-system`	extensions/statefulsets	create · delete · deletecollection · get · list · update · watch	Low
ClusterRole `rook-ceph-global`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `rook-ceph-object-bucket`	storage.k8s.io/storageclasses	get	Low

⚠️ Potential Abuse (17)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind	Name	Container	Image
Deployment	rook-ceph-operator	rook-ceph-operator	docker.io/rook/ceph:v1.17.4

🤖 `rook-csi-rbd-provisioner-sa`

Namespace: default | Automount: ❌

🔑 Permissions (24)

Role	Resource	Verbs	Risk	Tags
ClusterRole `rbd-external-provisioner-runner`	core/secrets	get · list · watch	Critical	ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
ClusterRole `rbd-external-provisioner-runner`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `rbd-external-provisioner-runner`	authentication.k8s.io/tokenreviews	create	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `rbd-external-provisioner-runner`	core/configmaps	get	Low
ClusterRole `rbd-external-provisioner-runner`	core/events	create · list · patch · update · watch	Low
Role `rbd-external-provisioner-cfg`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `rbd-external-provisioner-runner`	core/nodes	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	core/persistentvolumeclaims	get · list · update · watch	Low
ClusterRole `rbd-external-provisioner-runner`	core/persistentvolumeclaims/status	patch	Low
ClusterRole `rbd-external-provisioner-runner`	core/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `rbd-external-provisioner-runner`	core/serviceaccounts	get	Low
ClusterRole `rbd-external-provisioner-runner`	core/serviceaccounts/token	create	Low
ClusterRole `rbd-external-provisioner-runner`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	storage.k8s.io/volumeattachments	get · list · patch · watch	Low
ClusterRole `rbd-external-provisioner-runner`	storage.k8s.io/volumeattachments/status	patch	Low
ClusterRole `rbd-external-provisioner-runner`	replication.storage.openshift.io/volumegroupreplicationclasses	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	replication.storage.openshift.io/volumegroupreplicationcontents	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotclasses	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotcontents	get · list · patch · update · watch	Low
ClusterRole `rbd-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotcontents/status	patch · update	Low
ClusterRole `rbd-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotclasses	get · list · watch	Low
ClusterRole `rbd-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotcontents	get · list · patch · update · watch	Low
ClusterRole `rbd-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotcontents/status	patch · update	Low
ClusterRole `rbd-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshots	get · list · watch	Low

⚠️ Potential Abuse (5)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-mgr`

Namespace: default | Automount: ❌

🔑 Permissions (30)

Role	Resource	Verbs	Risk	Tags
ClusterRole `rook-ceph-mgr-cluster`	core/configmaps	get · list · watch	High	ConfigMapAccess DataExposure InformationDisclosure
Role `rook-ceph-mgr`	core/pods	create · delete · get · list · update · watch	High	LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution
ClusterRole `rook-ceph-mgr-cluster`	core/events	create · get · list · patch · watch	Medium	InformationDisclosure OperationalData Reconnaissance
Role `rook-ceph-mgr`	core/pods/log	create · delete · get · list · update · watch	Medium	DataExposure InformationDisclosure LogAccess
Role `rook-ceph-mgr`	ceph.rook.io/cephblockpoolradosnamespaces	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephblockpools	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephbucketnotifications	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephbuckettopics	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephclients	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephclusters	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephcosidrivers	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephfilesystemmirrors	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephfilesystems	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephfilesystemsubvolumegroups	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephnfses	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephobjectrealms	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephobjectstores	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephobjectstoreusers	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephobjectzonegroups	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephobjectzones	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	ceph.rook.io/cephrbdmirrors	create · delete · get · list · patch · update · watch	Low
Role `rook-ceph-mgr`	apps/deployments	delete · patch	Low
Role `rook-ceph-mgr`	apps/deployments/scale	delete · patch	Low
Role `rook-ceph-mgr`	batch/jobs	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-mgr-cluster`	core/nodes	get · list · watch	Low
ClusterRole `rook-ceph-mgr-cluster`	core/nodes/proxy	get · list · watch	Low
Role `rook-ceph-mgr`	core/persistentvolumeclaims	delete	Low
ClusterRole `rook-ceph-mgr-cluster`	core/persistentvolumes	get · list · watch	Low
Role `rook-ceph-mgr`	core/services	create · delete · get · list · update · watch	Low
ClusterRole `rook-ceph-mgr-cluster`	storage.k8s.io/storageclasses	get · list · watch	Low

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-cmd-reporter`

Namespace: default | Automount: ❌

🔑 Permissions (2)

Role	Resource	Verbs	Risk	Tags
Role `rook-ceph-cmd-reporter`	core/pods	create · delete · get · list · update · watch	High	LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution
Role `rook-ceph-cmd-reporter`	core/configmaps	create · delete · get · list · update · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-csi-cephfs-provisioner-sa`

Namespace: default | Automount: ❌

🔑 Permissions (22)

Role	Resource	Verbs	Risk	Tags
ClusterRole `cephfs-external-provisioner-runner`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `cephfs-external-provisioner-runner`	authentication.k8s.io/tokenreviews	create	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `cephfs-external-provisioner-runner`	core/configmaps	get	Low
ClusterRole `cephfs-external-provisioner-runner`	core/events	create · list · patch · update · watch	Low
Role `cephfs-external-provisioner-cfg`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	core/nodes	get · list · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	core/persistentvolumeclaims	get · list · patch · update · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	core/persistentvolumeclaims/status	patch	Low
ClusterRole `cephfs-external-provisioner-runner`	core/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	core/secrets	get · list	Low
ClusterRole `cephfs-external-provisioner-runner`	core/serviceaccounts	get	Low
ClusterRole `cephfs-external-provisioner-runner`	core/serviceaccounts/token	create	Low
ClusterRole `cephfs-external-provisioner-runner`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	storage.k8s.io/volumeattachments	get · list · patch · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	storage.k8s.io/volumeattachments/status	patch	Low
ClusterRole `cephfs-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotclasses	get · list · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotcontents	get · list · patch · update · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	groupsnapshot.storage.k8s.io/volumegroupsnapshotcontents/status	patch · update	Low
ClusterRole `cephfs-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotclasses	get · list · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotcontents	get · list · patch · update · watch	Low
ClusterRole `cephfs-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshotcontents/status	patch · update	Low
ClusterRole `cephfs-external-provisioner-runner`	snapshot.storage.k8s.io/volumesnapshots	get · list · watch	Low

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-csi-rbd-plugin-sa`

Namespace: default | Automount: ❌

🔑 Permissions (8)

Role	Resource	Verbs	Risk	Tags
ClusterRole `rbd-csi-nodeplugin`	authentication.k8s.io/tokenreviews	create	Medium	CredentialAccess InformationDisclosure RBACQuery
ClusterRole `rbd-csi-nodeplugin`	core/configmaps	get	Low
ClusterRole `rbd-csi-nodeplugin`	core/nodes	get	Low
ClusterRole `rbd-csi-nodeplugin`	core/persistentvolumes	get · list	Low
ClusterRole `rbd-csi-nodeplugin`	core/secrets	get · list	Low
ClusterRole `rbd-csi-nodeplugin`	core/serviceaccounts	get	Low
ClusterRole `rbd-csi-nodeplugin`	core/serviceaccounts/token	create	Low
ClusterRole `rbd-csi-nodeplugin`	storage.k8s.io/volumeattachments	get · list	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Create TokenReviews (validate arbitrary tokens)

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-osd`

Namespace: default | Automount: ❌

🔑 Permissions (5)

Role	Resource	Verbs	Risk	Tags
Role `rook-ceph-osd`	core/configmaps	create · delete · get · list · update · watch	Medium	ConfigMapAccess DataExposure InformationDisclosure
Role `rook-ceph-osd`	ceph.rook.io/cephclusters	create · delete · get · list · update	Low
Role `rook-ceph-osd`	ceph.rook.io/cephclusters/finalizers	create · delete · get · list · update	Low
ClusterRole `rook-ceph-osd`	core/nodes	get · list	Low
Role `rook-ceph-osd`	core/secrets	get · update	Low

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

Read ConfigMaps in a namespace

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `objectstorage-provisioner`

Namespace: default | Automount: ❌

🔑 Permissions (11)

Role	Resource	Verbs	Risk
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketaccessclasses	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketaccessclasses/status	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketaccesses	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketaccesses/status	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketclaims	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/bucketclaims/status	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/buckets	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	objectstorage.k8s.io/buckets/status	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	core/events	create · delete · get · update	Low
ClusterRole `objectstorage-provisioner-role`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `objectstorage-provisioner-role`	core/secrets	create · delete · get · update	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-csi-cephfs-plugin-sa`

Namespace: default | Automount: ❌

🔑 Permissions (5)

Role	Resource	Verbs	Risk
ClusterRole `cephfs-csi-nodeplugin`	core/configmaps	get	Low
ClusterRole `cephfs-csi-nodeplugin`	core/nodes	get	Low
ClusterRole `cephfs-csi-nodeplugin`	core/secrets	get	Low
ClusterRole `cephfs-csi-nodeplugin`	core/serviceaccounts	get	Low
ClusterRole `cephfs-csi-nodeplugin`	core/serviceaccounts/token	create	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-purge-osd`

Namespace: default | Automount: ❌

🔑 Permissions (4)

Role	Resource	Verbs	Risk
Role `rook-ceph-purge-osd`	core/configmaps	get	Low
Role `rook-ceph-purge-osd`	apps/deployments	delete · get	Low
Role `rook-ceph-purge-osd`	batch/jobs	delete · get · list	Low
Role `rook-ceph-purge-osd`	core/persistentvolumeclaims	delete · get · list · update	Low

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-default`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

🤖 `rook-ceph-rgw`

Namespace: default | Automount: ❌

🔑 Permissions (0)

No explicit RBAC bindings.

📦 Workloads (0)

No workloads use this ServiceAccount.

rook-ceph

Description

Overview

Identities

🤖 rook-ceph-system

🔑 Permissions (116)

⚠️ Potential Abuse (17)

📦 Workloads (1)

🤖 rook-csi-rbd-provisioner-sa

🔑 Permissions (24)

⚠️ Potential Abuse (5)

📦 Workloads (0)

🤖 rook-ceph-mgr

🔑 Permissions (30)

⚠️ Potential Abuse (6)

📦 Workloads (0)

🤖 rook-ceph-cmd-reporter

🔑 Permissions (2)

⚠️ Potential Abuse (3)

📦 Workloads (0)

🤖 rook-csi-cephfs-provisioner-sa

🔑 Permissions (22)

⚠️ Potential Abuse (3)

📦 Workloads (0)

🤖 rook-csi-rbd-plugin-sa

🔑 Permissions (8)

⚠️ Potential Abuse (2)

📦 Workloads (0)

🤖 rook-ceph-osd

🔑 Permissions (5)

⚠️ Potential Abuse (2)

📦 Workloads (0)

🤖 objectstorage-provisioner

🔑 Permissions (11)

⚠️ Potential Abuse (1)

📦 Workloads (0)

🤖 rook-csi-cephfs-plugin-sa

🔑 Permissions (5)

⚠️ Potential Abuse (1)

📦 Workloads (0)

🤖 rook-ceph-purge-osd

🔑 Permissions (4)

⚠️ Potential Abuse (1)

📦 Workloads (0)

🤖 rook-ceph-default

🔑 Permissions (0)

📦 Workloads (0)

🤖 rook-ceph-rgw

🔑 Permissions (0)

📦 Workloads (0)

🤖 `rook-ceph-system`

🤖 `rook-csi-rbd-provisioner-sa`

🤖 `rook-ceph-mgr`

🤖 `rook-ceph-cmd-reporter`

🤖 `rook-csi-cephfs-provisioner-sa`

🤖 `rook-csi-rbd-plugin-sa`

🤖 `rook-ceph-osd`

🤖 `objectstorage-provisioner`

🤖 `rook-csi-cephfs-plugin-sa`

🤖 `rook-ceph-purge-osd`

🤖 `rook-ceph-default`

🤖 `rook-ceph-rgw`