Description
File, Block, and Object Storage Services for your Cloud-Native Environment
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
| rook-ceph-mgr | default | ❌ | — | 14 | 0 | Critical |
| rook-ceph-system | default | ❌ | — | 100 | 1 | Critical |
| rook-csi-rbd-provisioner-sa | default | ❌ | — | 26 | 0 | Critical |
| rook-ceph-cmd-reporter | default | ❌ | — | 2 | 0 | High |
| rook-ceph-osd | default | ❌ | — | 5 | 0 | Medium |
| rook-csi-cephfs-provisioner-sa | default | ❌ | — | 18 | 0 | Medium |
| rook-ceph-purge-osd | default | ❌ | — | 4 | 0 | Low |
| rook-ceph-rgw | default | ❌ | — | 1 | 0 | Low |
| rook-csi-cephfs-plugin-sa | default | ❌ | — | 6 | 0 | Low |
| rook-csi-rbd-plugin-sa | default | ❌ | — | 9 | 0 | Low |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 rook-ceph-system
Namespace: default | Automount: ❌
🔑 Permissions (100)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-global | core/endpoints | create · delete · get · list · patch · update · watch | Critical | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection |
| ClusterRole rook-ceph-global | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
| ClusterRole rook-ceph-system | core/pods/exec | create | Critical | ClusterWidePodExec CodeExecution ElevationOfPrivilege LateralMovement PodExec (+1 more) |
| ClusterRole rook-ceph-global | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| ClusterRole rook-ceph-global | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-system | core/configmaps | create · delete · get · list · patch · update · watch | High | ConfigMapAccess DataExposure InformationDisclosure PotentialPrivilegeEscalation Tampering |
| Role rook-ceph-system | core/pods | create · delete · get · list · patch · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation Tampering WorkloadExecution |
| ClusterRole rook-ceph-system | core/pods/log | get · list | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
| Role rook-ceph-system | core/services | create · delete · get · list · patch · update · watch | High | DenialOfService NetworkManipulation ServiceExposure Tampering |
| ClusterRole rook-ceph-global | core/events | create · delete · get · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpoolradosnamespaces | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpoolradosnamespaces/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpoolradosnamespaces/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpools | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpools/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephblockpools/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbucketnotifications | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbucketnotifications/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbucketnotifications/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbuckettopics | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbuckettopics/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephbuckettopics/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclients | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclients/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclients/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclusters | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclusters/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephclusters/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemmirrors | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemmirrors/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemmirrors/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystems | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystems/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystems/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemsubvolumegroups | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemsubvolumegroups/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephfilesystemsubvolumegroups/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephnfses | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephnfses/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephnfses/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectrealms | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectrealms/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectrealms/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstores | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstores/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstores/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstoreusers | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstoreusers/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectstoreusers/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzonegroups | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzonegroups/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzonegroups/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzones | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzones/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephobjectzones/status | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephrbdmirrors | get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephrbdmirrors/finalizers | update | Low | |
| ClusterRole rook-ceph-global | ceph.rook.io/cephrbdmirrors/status | update | Low | |
| Role rook-ceph-system | cert-manager.io/certificates | create · delete · get | Low | |
| ClusterRole rook-ceph-object-bucket | core/configmaps | create · delete · get · update | Low | |
| ClusterRole rook-ceph-global | batch/cronjobs | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | batch/cronjobs | delete | Low | |
| ClusterRole rook-ceph-global | storage.k8s.io/csidrivers | create · delete · get · update | Low | |
| Role rook-ceph-system | apps/daemonsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/daemonsets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | apps/deployments | create · delete · deletecollection · get · list · update · watch | Low | |
| Role rook-ceph-system | apps/deployments | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | extensions/deployments | create · delete · deletecollection · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/deployments | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | policy/deployments | create · delete · deletecollection · get · list · update · watch | Low | |
| Role rook-ceph-system | cert-manager.io/issuers | create · delete · get | Low | |
| ClusterRole rook-ceph-global | batch/jobs | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | healthchecking.openshift.io/machinedisruptionbudgets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | machine.openshift.io/machines | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | k8s.cni.cncf.io/network-attachment-definitions | get | Low | |
| ClusterRole rook-ceph-global | core/nodes | get · list · watch | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbucketclaims | get · list · update · watch | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbucketclaims/finalizers | update | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbucketclaims/status | update | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbuckets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbuckets/finalizers | update | Low | |
| ClusterRole rook-ceph-object-bucket | objectbucket.io/objectbuckets/status | update | Low | |
| ClusterRole rook-ceph-global | core/persistentvolumeclaims | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rook-ceph-global | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rook-ceph-global | apps/poddisruptionbudgets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | extensions/poddisruptionbudgets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | policy/poddisruptionbudgets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | core/pods | get · list · watch | Low | |
| ClusterRole rook-ceph-system | core/pods | get · list | Low | |
| ClusterRole rook-ceph-global | apps/replicasets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | extensions/replicasets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | policy/replicasets | create · delete · deletecollection · get · list · update · watch | Low | |
| ClusterRole rook-ceph-object-bucket | core/secrets | create · delete · get · update | Low | |
| ClusterRole rook-ceph-global | core/services | get · list · watch | Low | |
| Role rook-ceph-system | apps/statefulsets | create · delete · get · list · update · watch | Low | |
| Role rook-ceph-system | extensions/statefulsets | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-global | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole rook-ceph-object-bucket | storage.k8s.io/storageclasses | get | Low | |
| ClusterRole rook-ceph-system | admissionregistration.k8s.io/validatingwebhookconfigurations | create · delete · get · update | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-privileged) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (18)
The following security risks were found based on the above permissions:
- Cluster-wide pod exec
- Namespaced pod exec
- Create pods in a namespace
- Update/Patch pods in a namespace
- Read secrets cluster-wide
- Read secrets in a namespace
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Modify ConfigMaps in a namespace
- Read events cluster-wide
- Manage Endpoints or EndpointSlices cluster-wide
- Manage Endpoints or EndpointSlices in a namespace
- Manage Services in a namespace
- Use privileged PodSecurityPolicy (deprecated)
- Node proxy GET RCE via WebSocket
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | rook-ceph-operator | rook-ceph-operator | rook/ceph:v1.9.12 |
🤖 rook-csi-rbd-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (26)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rbd-external-provisioner-runner | core/secrets | get · list · watch | Critical | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure SecretAccess |
| Role rbd-external-provisioner-cfg | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| ClusterRole rbd-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| ClusterRole rbd-external-provisioner-runner | core/configmaps | get | Low | |
| Role rbd-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role rbd-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/nodes | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low | |
| ClusterRole rbd-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | core/serviceaccounts | get | Low | |
| ClusterRole rbd-external-provisioner-runner | core/serviceaccounts/token | create | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low | |
| ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplicationclasses | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplicationclasses/status | get | Low | |
| ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications/finalizers | update | Low | |
| ClusterRole rbd-external-provisioner-runner | replication.storage.openshift.io/volumereplications/status | get · patch · update | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | patch · update | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · update · watch | Low | |
| ClusterRole rbd-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | patch · update | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-privileged) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (6)
The following security risks were found based on the above permissions:
- Read secrets cluster-wide
- Read secrets in a namespace
- Read ConfigMaps in a namespace
- Read events cluster-wide
- Use privileged PodSecurityPolicy (deprecated)
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-mgr
Namespace: default | Automount: ❌
🔑 Permissions (14)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rook-ceph-mgr-cluster | core/nodes/proxy | get · list · watch | Critical | ClusterAdminAccess CodeExecution ElevationOfPrivilege LateralMovement (+1 more) |
| ClusterRole rook-ceph-mgr-cluster | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-mgr | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution |
| Role rook-ceph-mgr | ceph.rook.io/* | * | Medium | NamespaceAdmin NamespaceWideAccess |
| ClusterRole rook-ceph-mgr-cluster | core/events | create · get · list · patch · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| Role rook-ceph-mgr | core/pods/log | create · delete · get · list · update · watch | Medium | DataExposure InformationDisclosure LogAccess |
| Role rook-ceph-mgr | apps/deployments | delete · patch | Low | |
| Role rook-ceph-mgr | apps/deployments/scale | delete · patch | Low | |
| Role rook-ceph-mgr | batch/jobs | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-mgr-cluster | core/nodes | get · list · watch | Low | |
| Role rook-ceph-mgr | core/persistentvolumeclaims | delete | Low | |
| ClusterRole rook-ceph-mgr-cluster | core/persistentvolumes | get · list · watch | Low | |
| Role rook-ceph-mgr | core/services | create · delete · get · list · update · watch | Low | |
| ClusterRole rook-ceph-mgr-cluster | storage.k8s.io/storageclasses | get · list · watch | Low | |
⚠️ Potential Abuse (8)
The following security risks were found based on the above permissions:
- Create pods in a namespace
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read events cluster-wide
- Node proxy GET RCE via WebSocket
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-cmd-reporter
Namespace: default | Automount: ❌
🔑 Permissions (2)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-cmd-reporter | core/pods | create · delete · get · list · update · watch | High | LateralMovement Persistence PotentialPrivilegeEscalation WorkloadExecution |
| Role rook-ceph-cmd-reporter | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-provisioner-sa
Namespace: default | Automount: ❌
🔑 Permissions (18)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole cephfs-external-provisioner-runner | core/events | create · list · patch · update · watch | Medium | InformationDisclosure OperationalData Reconnaissance |
| Role cephfs-external-provisioner-cfg | core/configmaps | create · delete · get · list | Low | |
| Role cephfs-external-provisioner-cfg | core/endpoints | create · delete · get · list · update · watch | Low | |
| Role cephfs-external-provisioner-cfg | coordination.k8s.io/leases | create · delete · get · list · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/nodes | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims | get · list · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumeclaims/status | patch · update | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/persistentvolumes | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | core/secrets | get · list | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/storageclasses | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments | get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | storage.k8s.io/volumeattachments/status | patch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotclasses | get · list · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents | create · delete · get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshotcontents/status | patch · update | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots | get · list · patch · update · watch | Low | |
| ClusterRole cephfs-external-provisioner-runner | snapshot.storage.k8s.io/volumesnapshots/status | patch · update | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-privileged) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (3)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-osd
Namespace: default | Automount: ❌
🔑 Permissions (5)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-osd | core/configmaps | create · delete · get · list · update · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
| Role rook-ceph-osd | ceph.rook.io/cephclusters | create · delete · get · list · update | Low | |
| Role rook-ceph-osd | ceph.rook.io/cephclusters/finalizers | create · delete · get · list · update | Low | |
| ClusterRole rook-ceph-osd | core/nodes | get · list | Low | |
| Role rook-ceph-osd | core/secrets | get | Low | |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-rbd-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (9)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole rbd-csi-nodeplugin | core/configmaps | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | core/namespaces | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | core/nodes | get · list · watch | Low | |
| ClusterRole rbd-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low | |
| ClusterRole rbd-csi-nodeplugin | core/secrets | get · list | Low | |
| ClusterRole rbd-csi-nodeplugin | core/serviceaccounts | get | Low | |
| ClusterRole rbd-csi-nodeplugin | core/serviceaccounts/token | create | Low | |
| ClusterRole rbd-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-privileged) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-csi-cephfs-plugin-sa
Namespace: default | Automount: ❌
🔑 Permissions (6)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| ClusterRole cephfs-csi-nodeplugin | core/configmaps | get · list | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/namespaces | get · list | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/nodes | get · list · watch | Low | |
| ClusterRole cephfs-csi-nodeplugin | core/persistentvolumes | get · list · update · watch | Low | |
| ClusterRole cephfs-csi-nodeplugin | storage.k8s.io/volumeattachments | get · list · update · watch | Low | |
| ClusterRole psp:rook | policy/podsecuritypolicies (restricted to: 00-rook-privileged) | use | Low | DeprecatedFeature NodeAccess PodSecurityPolicy PrivilegeEscalation ResourceNameRestricted |
⚠️ Potential Abuse (2)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-purge-osd
Namespace: default | Automount: ❌
🔑 Permissions (4)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-purge-osd | core/configmaps | get | Low | |
| Role rook-ceph-purge-osd | apps/deployments | delete · get | Low | |
| Role rook-ceph-purge-osd | batch/jobs | delete · get · list | Low | |
| Role rook-ceph-purge-osd | core/persistentvolumeclaims | delete · get · list · update | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.
🤖 rook-ceph-rgw
Namespace: default | Automount: ❌
🔑 Permissions (1)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
| Role rook-ceph-rgw | core/configmaps | get | Low | |
⚠️ Potential Abuse (1)
The following security risks were found based on the above permissions:
📦 Workloads (0)
No workloads use this ServiceAccount.