Description
File, Block, and Object Storage Services for your Cloud-Native Environment
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| rook-ceph-system | default | ❌ | — | 15 | 1 | Critical |
| rook-ceph-cmd-reporter | default | ❌ | — | 2 | 0 | High |
| rook-ceph-mgr | default | ❌ | — | 5 | 0 | Medium |
| rook-ceph-osd | default | ❌ | — | 4 | 0 | Medium |
| rook-csi-rbd-provisioner-sa | default | ❌ | — | 4 | 0 | Medium |
| rook-csi-cephfs-plugin-sa | default | ❌ | — | 1 | 0 | Low |
| rook-csi-cephfs-provisioner-sa | default | ❌ | — | 4 | 0 | Low |
| rook-csi-rbd-plugin-sa | default | ❌ | — | 1 | 0 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 rook-ceph-system
Namespace: default | Automount: ❌
🔑 Permissions (15)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-object-bucket | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole rook-ceph-object-bucket | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more) |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/* | * | High | ClusterWideAccess |
| Role rook-ceph-system | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| Role rook-ceph-system | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
| Role rook-ceph-system | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| Role rook-ceph-system | apps/daemonsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/daemonsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | apps/deployments | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/deployments | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | k8s.cni.cncf.io/network-attachment-definitions | get | Low | |
| Role rook-ceph-system | apps/statefulsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/statefulsets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-object-bucket | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (14)
The following security risks were found based on the above permissions:
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Services in a namespace
- Use privileged PodSecurityPolicy (deprecated)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | rook-ceph-operator | rook-ceph-operator | rook/ceph:v1.3.9 |
🤖 rook-ceph-cmd-reporter
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-cmd-reporter | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution |
| Role rook-ceph-cmd-reporter | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-mgr
Namespace: default | Automount: ❌
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-mgr | ceph.rook.io/* | * | Medium | NamespaceAdmin NamespaceWideAccess |
| Role rook-ceph-mgr | core/pods/log | delete · get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
| Role rook-ceph-mgr | batch/jobs | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-mgr | core/pods | delete · get · list · watch | Low | |
| Role rook-ceph-mgr | core/services | delete · get · list · watch | Low | |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-osd
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-osd | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-osd | ceph.rook.io/cephclusters | create · delete · get · list · update | Low | |
| Role rook-ceph-osd | ceph.rook.io/cephclusters/finalizers | create · delete · get · list · update | Low | |
| ClusterRole rook-ceph-osd | core/nodes | get · list | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-rbd-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rbd-external-provisioner-cfg | core/configmaps | create · delete · get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| Role rbd-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role rbd-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role cephfs-external-provisioner-cfg | core/configmaps | create · delete · get · list | Low | |
| Role cephfs-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role cephfs-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-rbd-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.