1 Service Accounts
1 Workloads
43 Bindings
2 High
6 Medium
35 Low
Description
Keeps security report resources updated
Overview
| Identity | Namespace | Automount | Secrets | Permissions | Workloads | Risk |
|---|---|---|---|---|---|---|
trivy-operator | default | ❌ | — | 43 | 1 | High |
Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.
Identities
🤖 trivy-operator
Namespace: default | Automount: ❌
🔑 Permissions (43)
| Role | Resource | Verbs | Risk | Tags |
|---|---|---|---|---|
ClusterRole trivy-operator | core/configmaps | get · list · watch | High | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole trivy-operator | core/pods/log | get · list | High | ClusterWideLogAccess DataExposure InformationDisclosure LogAccess |
ClusterRole trivy-operator | rbac.authorization.k8s.io/clusterrolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole trivy-operator | rbac.authorization.k8s.io/clusterroles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
Role trivy-operator | core/configmaps | create · get · list · watch | Medium | ConfigMapAccess DataExposure InformationDisclosure |
ClusterRole trivy-operator | core/resourcequotas | get · list · watch | Medium | InformationDisclosure QuotaTampering Reconnaissance ResourceConfiguration |
ClusterRole trivy-operator | rbac.authorization.k8s.io/rolebindings | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole trivy-operator | rbac.authorization.k8s.io/roles | get · list · watch | Medium | InformationDisclosure RBACQuery Reconnaissance |
ClusterRole trivy-operator | aquasecurity.github.io/clustercompliancedetailreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clustercompliancereports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clustercompliancereports/status | get · patch · update | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clusterconfigauditreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clusterinfraassessmentreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clusterrbacassessmentreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clustersbomreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/clustervulnerabilityreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/configauditreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | batch/cronjobs | get · list · watch | Low | |
ClusterRole trivy-operator | apiextensions.k8s.io/customresourcedefinitions | get · list · watch | Low | |
ClusterRole trivy-operator | apps/daemonsets | get · list · watch | Low | |
ClusterRole trivy-operator | apps.openshift.io/deploymentconfigs | get · list · watch | Low | |
ClusterRole trivy-operator | apps/deployments | get · list · watch | Low | |
Role trivy-operator-leader-election | core/events | create | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/exposedsecretreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/infraassessmentreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | networking.k8s.io/ingresses | get · list · watch | Low | |
ClusterRole trivy-operator | batch/jobs | create · delete · get · list · watch | Low | |
Role trivy-operator-leader-election | coordination.k8s.io/leases | create · get · update | Low | |
ClusterRole trivy-operator | core/limitranges | get · list · watch | Low | InformationDisclosure Reconnaissance ResourceConfiguration |
ClusterRole trivy-operator | networking.k8s.io/networkpolicies | get · list · watch | Low | |
ClusterRole trivy-operator | core/nodes | get · list · watch | Low | |
ClusterRole trivy-operator | core/nodes/proxy | get | Low | |
ClusterRole trivy-operator | core/pods | get · list · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/rbacassessmentreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | apps/replicasets | get · list · watch | Low | |
ClusterRole trivy-operator | core/replicationcontrollers | get · list · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/sbomreports | create · delete · get · list · patch · update · watch | Low | |
ClusterRole trivy-operator | core/secrets | create · get · update | Low | |
Role trivy-operator | core/secrets | create · delete · get · update | Low | |
ClusterRole trivy-operator | core/serviceaccounts | get | Low | |
ClusterRole trivy-operator | core/services | get · list · watch | Low | |
ClusterRole trivy-operator | apps/statefulsets | get · list · watch | Low | |
ClusterRole trivy-operator | aquasecurity.github.io/vulnerabilityreports | create · delete · get · list · patch · update · watch | Low |
⚠️ Potential Abuse (9)
The following security risks were found based on the above permissions:
- Read pod logs cluster-wide
- Read pod logs in a namespace
- Read ConfigMaps cluster-wide
- Read ConfigMaps in a namespace
- Read RBAC configuration cluster-wide
- Read LimitRanges (Namespace Information Disclosure)
- Read ResourceQuotas (Namespace Information Disclosure)
- Read All ResourceQuotas (Cluster-wide Information Disclosure)
📦 Workloads (1)
| Kind | Name | Container | Image |
|---|---|---|---|
| Deployment | trivy-operator | trivy-operator | mirror.gcr.io/aquasec/trivy-operator:0.27.0 |