Description
File, Block, and Object Storage Services for your Cloud-Native Environment
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| rook-ceph-mgr | default | ❌ | — | 9 | 0 | Critical |
| rook-ceph-system | default | ❌ | — | 41 | 1 | Critical |
| rook-csi-rbd-provisioner-sa | default | ❌ | — | 19 | 0 | Critical |
| rook-ceph-admission-controller | default | ❌ | — | 1 | 0 | High |
| rook-ceph-cmd-reporter | default | ❌ | — | 2 | 0 | High |
| rook-ceph-osd | default | ❌ | — | 4 | 0 | Medium |
| rook-csi-cephfs-provisioner-sa | default | ❌ | — | 19 | 0 | Medium |
| rook-csi-cephfs-plugin-sa | default | ❌ | — | 6 | 0 | Low |
| rook-csi-rbd-plugin-sa | default | ❌ | — | 7 | 0 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 rook-ceph-system
Namespace: default | Automount: ❌
🔑 Permissions (41)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-object-bucket | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more) |
| ClusterRole rook-ceph-global | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more) |
| ClusterRole rook-ceph-global | core/endpoints | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection |
| ClusterRole rook-ceph-global | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
| ClusterRole rook-ceph-object-bucket | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more) |
| ClusterRole rook-ceph-global | ceph.rook.io/* | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/* | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | rook.io/* | * | High | ClusterWideAccess |
| Role rook-ceph-system | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| ClusterRole rook-ceph-global | extensions/deployments | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | policy/deployments | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | apps/poddisruptionbudgets | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | extensions/poddisruptionbudgets | * | High | ClusterWideAccess |
| Role rook-ceph-system | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
| ClusterRole rook-ceph-global | apps/replicasets | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | extensions/replicasets | * | High | ClusterWideAccess |
| ClusterRole rook-ceph-global | policy/replicasets | * | High | ClusterWideAccess |
| Role rook-ceph-system | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole rook-ceph-global | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole rook-ceph-global | policy/poddisruptionbudgets | * | Medium | AvailabilityImpact ClusterWideAccess DenialOfService Tampering |
| ClusterRole rook-ceph-global | storage.k8s.io/csidrivers | create · delete · get · update | Low | |
| Role rook-ceph-system | apps/daemonsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/daemonsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | apps/deployments | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/deployments | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | batch/jobs | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | healthchecking.openshift.io/machinedisruptionbudgets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | machine.openshift.io/machines | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | k8s.cni.cncf.io/network-attachment-definitions | get | Low | |
| ClusterRole rook-ceph-global | core/nodes | get · list · watch | Low | |
| ClusterRole rook-ceph-global | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rook-ceph-global | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rook-ceph-global | core/pods | get · list · watch | Low | |
| Role rook-ceph-system | monitoring.coreos.com/prometheusrules | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | monitoring.coreos.com/servicemonitors | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | core/services | get · list · watch | Low | |
| Role rook-ceph-system | apps/statefulsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/statefulsets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole rook-ceph-object-bucket | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (21)
The following security risks were found based on the above permissions:
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Modify secrets cluster-wide
- Modify secrets in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps cluster-wide
- Modify ConfigMaps in a namespace
- Manage Deployments cluster-wide (potential for privileged pod execution)
- Manage Deployments in a namespace (potential for privileged pod execution)
- Read events cluster-wide
- Manage Endpoints or EndpointSlices cluster-wide
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services in a namespace
- Use privileged PodSecurityPolicy (deprecated)
- Manage PodDisruptionBudgets cluster-wide
- Node proxy GET RCE via WebSocket
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | rook-ceph-operator | rook-ceph-operator | rook/ceph:v1.5.6 |
🤖 rook-csi-rbd-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (19)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rbd-external-provisioner-runner | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role rbd-external-provisioner-cfg | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole rbd-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole rbd-external-provisioner-runner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low | |
| Role rbd-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role rbd-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/nodes | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | update | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Read events cluster-wide
- Use privileged PodSecurityPolicy (deprecated)
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-mgr
Namespace: default | Automount: ❌
🔑 Permissions (9)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-mgr-cluster | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
| ClusterRole rook-ceph-mgr-cluster | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-mgr | ceph.rook.io/* | * | Medium | NamespaceAdmin NamespaceWideAccess |
| ClusterRole rook-ceph-mgr-cluster | core/events | create · get · list · patch · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| Role rook-ceph-mgr | core/pods/log | delete · get · list · watch | Medium | DataExposure InformationDisclosure LogAccess |
| Role rook-ceph-mgr | batch/jobs | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-mgr-cluster | core/nodes | get · list · watch | Low | |
| Role rook-ceph-mgr | core/pods | delete · get · list · watch | Low | |
| Role rook-ceph-mgr | core/services | delete · get · list · watch | Low | |
⚠️ Potential Abuse (7)
The following security risks were found based on the above permissions:
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read events cluster-wide
- Node proxy GET RCE via WebSocket
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-cmd-reporter
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-cmd-reporter | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution |
| Role rook-ceph-cmd-reporter | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-admission-controller
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-admission-controller-role | ceph.rook.io/* | get · list · watch | High | ClusterWideAccess |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (19)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole cephfs-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| Role cephfs-external-provisioner-cfg | core/configmaps | create · delete · get · list | Low | |
| ClusterRole cephfs-external-provisioner-runner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low | |
| Role cephfs-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role cephfs-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/nodes | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/secrets | get · list | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | update | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-osd
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-osd | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-osd | ceph.rook.io/cephclusters | create · delete · get · list · update | Low | |
| Role rook-ceph-osd | ceph.rook.io/cephclusters/finalizers | create · delete · get · list · update | Low | |
| ClusterRole rook-ceph-osd | core/nodes | get · list | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-rbd-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (7)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rbd-csi-nodeplugin | core/configmaps | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | core/namespaces | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | core/nodes | get · list · update | Low | |
| ClusterRole rbd-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low | |
| ClusterRole rbd-csi-nodeplugin | core/secrets | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (6)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole cephfs-csi-nodeplugin | core/configmaps | get · list | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/namespaces | get · list | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/nodes | get · list · update | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low | |
| ClusterRole cephfs-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.