Description

File, Block, and Object Storage Services for your Cloud-Native Environment

Overview

Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk
rook-ceph-mgr | default | | | 9 | 0 | Critical
rook-ceph-system | default | | | 46 | 1 | Critical
rook-csi-rbd-provisioner-sa | default | | | 25 | 0 | Critical
rook-ceph-admission-controller | default | | | 1 | 0 | High
rook-ceph-cmd-reporter | default | | | 2 | 0 | High
rook-ceph-osd | default | | | 4 | 0 | Medium
rook-csi-cephfs-provisioner-sa | default | | | 19 | 0 | Medium
rook-csi-cephfs-plugin-sa | default | | | 6 | 0 | Low
rook-csi-rbd-plugin-sa | default | | | 7 | 0 | Low

The numbers in the Permissions and Workloads columns indicate how many bindings or workloads involve each ServiceAccount.


Identities

🤖 rook-ceph-system

Namespace: default  |  Automount:

🔑 Permissions (46)

Role | Resource | Verbs | Risk | Tags
ClusterRole rook-ceph-object-bucket | core/configmaps | * | Critical | ClusterWideAccess ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation (+2 more)
ClusterRole rook-ceph-global | apps/deployments | * | Critical | ClusterWideAccess Persistence PotentialPrivilegeEscalation PrivilegeEscalation Tampering (+2 more)
ClusterRole rook-ceph-global | core/endpoints | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection
ClusterRole rook-ceph-global | core/nodes/proxy | get · list · watch | Critical | AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole rook-ceph-system | core/pods/exec | create | Critical | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more)
ClusterRole rook-ceph-object-bucket | core/secrets | * | Critical | ClusterWideAccess ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure (+6 more)
ClusterRole rook-ceph-global | ceph.rook.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-object-bucket | objectbucket.io/* | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | rook.io/* | * | High | ClusterWideAccess WildcardPermission
Role rook-ceph-system | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering
ClusterRole rook-ceph-global | extensions/deployments | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | policy/deployments | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | apps/poddisruptionbudgets | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | extensions/poddisruptionbudgets | * | High | ClusterWideAccess WildcardPermission
Role rook-ceph-system | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution
ClusterRole rook-ceph-system | core/pods/log | get · list | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess
ClusterRole rook-ceph-global | apps/replicasets | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | extensions/replicasets | * | High | ClusterWideAccess WildcardPermission
ClusterRole rook-ceph-global | policy/replicasets | * | High | ClusterWideAccess WildcardPermission
Role rook-ceph-system | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole rook-ceph-global | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance
ClusterRole rook-ceph-global | policy/poddisruptionbudgets | * | Medium | AvailabilityImpact ClusterWideAccess DenialOfService Tampering WildcardPermission
ClusterRole rook-ceph-global | batch/cronjobs | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | batch/cronjobs | delete | Low |
ClusterRole rook-ceph-global | storage.k8s.io/csidrivers | create · delete · get · update | Low |
Role rook-ceph-system | apps/daemonsets | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | extensions/daemonsets | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | apps/deployments | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | extensions/deployments | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | batch/jobs | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | healthchecking.openshift.io/machinedisruptionbudgets | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | machine.openshift.io/machines | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | k8s.cni.cncf.io/network-attachment-definitions | get | Low |
ClusterRole rook-ceph-global | core/nodes | get · list · watch | Low |
ClusterRole rook-ceph-global | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low |
ClusterRole rook-ceph-global | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole rook-ceph-global | core/pods | get · list · watch | Low |
ClusterRole rook-ceph-system | core/pods | get · list | Low |
Role rook-ceph-system | monitoring.coreos.com/prometheusrules | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | monitoring.coreos.com/servicemonitors | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | core/services | get · list · watch | Low |
Role rook-ceph-system | apps/statefulsets | create · delete · get · list · update · watch | Low |
Role rook-ceph-system | extensions/statefulsets | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-global | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole rook-ceph-object-bucket | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (25)

The following security risks were found based on the above permissions:

📦 Workloads (1)

Kind | Name | Container | Image
Deployment | rook-ceph-operator | rook-ceph-operator | rook/ceph:v1.6.8

🤖 rook-csi-rbd-provisioner-sa

Namespace: default  |  Automount:

🔑 Permissions (25)

Role | Resource | Verbs | Risk | Tags
ClusterRole rbd-external-provisioner-runner | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess
Role rbd-external-provisioner-cfg | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure
ClusterRole rbd-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance
ClusterRole rbd-external-provisioner-runner | core/configmaps | get | Low |
ClusterRole rbd-external-provisioner-runner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low |
Role rbd-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low |
Role rbd-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | core/nodes | get · list · watch | Low |
ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low |
ClusterRole rbd-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low |
ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplicationclasses | create · delete · get · list · patch · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplicationclasses/status | get | Low |
ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications | create · delete · get · list · patch · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications/finalizers | update | Low |
ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications/status | get · patch · update | Low |
ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low |
ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · update · watch | Low |
ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low |
ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · watch | Low |
ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | update | Low |
ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (6)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-ceph-mgr

Namespace: default  |  Automount:

🔑 Permissions (9)

Role | Resource | Verbs | Risk | Tags
ClusterRole rook-ceph-mgr-cluster | core/nodes/proxy | get · list · watch | Critical | AuthorizationBypass ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more)
ClusterRole rook-ceph-mgr-cluster | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure
Role rook-ceph-mgr | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution
Role rook-ceph-mgr | ceph.rook.io/* | * | Medium | NamespaceAdmin NamespaceWideAccess WildcardPermission
ClusterRole rook-ceph-mgr-cluster | core/events | create · get · list · patch · watch | Medium | InformationDisclosure OperationalData Reconnaissance
Role rook-ceph-mgr | core/pods/log | create · delete · get · list · update · watch | Medium | DataExposure InformationDisclosure LogAccess
Role rook-ceph-mgr | batch/jobs | create · delete · get · list · update · watch | Low |
ClusterRole rook-ceph-mgr-cluster | core/nodes | get · list · watch | Low |
Role rook-ceph-mgr | core/services | create · delete · get · list · update · watch | Low |

⚠️ Potential Abuse (8)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-ceph-cmd-reporter

Namespace: default  |  Automount:

🔑 Permissions (2)

Role | Resource | Verbs | Risk | Tags
Role rook-ceph-cmd-reporter | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution
Role rook-ceph-cmd-reporter | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-ceph-admission-controller

Namespace: default  |  Automount:

🔑 Permissions (1)

Role | Resource | Verbs | Risk | Tags
ClusterRole rook-ceph-admission-controller-role | ceph.rook.io/* | get · list · watch | High | ClusterWideAccess WildcardPermission

⚠️ Potential Abuse (1)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-csi-cephfs-provisioner-sa

Namespace: default  |  Automount:

🔑 Permissions (19)

Role | Resource | Verbs | Risk | Tags
ClusterRole cephfs-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance
Role cephfs-external-provisioner-cfg | core/configmaps | create · delete · get · list | Low |
ClusterRole cephfs-external-provisioner-runner | apiextensions.k8s.io/customresourcedefinitions | create · delete · get · list · update · watch | Low |
Role cephfs-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low |
Role cephfs-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low |
ClusterRole cephfs-external-provisioner-runner | core/nodes | get · list · watch | Low |
ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low |
ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low |
ClusterRole cephfs-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low |
ClusterRole cephfs-external-provisioner-runner | core/secrets | get · list | Low |
ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low |
ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low |
ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low |
ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low |
ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · update · watch | Low |
ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | update | Low |
ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · watch | Low |
ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | update | Low |
ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (3)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-ceph-osd

Namespace: default  |  Automount:

🔑 Permissions (4)

Role | Resource | Verbs | Risk | Tags
Role rook-ceph-osd | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure
Role rook-ceph-osd | ceph.rook.io/cephclusters | create · delete · get · list · update | Low |
Role rook-ceph-osd | ceph.rook.io/cephclusters/finalizers | create · delete · get · list · update | Low |
ClusterRole rook-ceph-osd | core/nodes | get · list | Low |

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-csi-rbd-plugin-sa

Namespace: default  |  Automount:

🔑 Permissions (7)

Role | Resource | Verbs | Risk | Tags
ClusterRole rbd-csi-nodeplugin | core/configmaps | get · list | Low |
ClusterRole rbd-csi-nodeplugin | core/namespaces | get · list | Low |
ClusterRole rbd-csi-nodeplugin | core/nodes | get · list · update | Low |
ClusterRole rbd-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low |
ClusterRole rbd-csi-nodeplugin | core/secrets | get · list | Low |
ClusterRole rbd-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low |
ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.


🤖 rook-csi-cephfs-plugin-sa

Namespace: default  |  Automount:

🔑 Permissions (6)

Role | Resource | Verbs | Risk | Tags
ClusterRole cephfs-csi-nodeplugin | core/configmaps | get · list | Low |
ClusterRole cephfs-csi-nodeplugin | core/namespaces | get · list | Low |
ClusterRole cephfs-csi-nodeplugin | core/nodes | get · list · update | Low |
ClusterRole cephfs-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low |
ClusterRole cephfs-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low |
ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-ceph-operator) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted

⚠️ Potential Abuse (2)

The following security risks were found based on the above permissions:

📦 Workloads (0)

No workloads use this ServiceAccount.