zfs-localpv :: RBAC ATLAS

Description

Helm chart for CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes. For instructions on how to use this helm chart, see - https://openebs.github.io/zfs-localpv/

https://github.com/openebs/zfs-localpv

Overview

Identity	Namespace	Automount	Secrets	Permissions	Workloads	Risk
`openebs-zfs-controller-sa`	default	❌	—	29	5	Critical
`openebs-zfs-node-sa`	default	❌	—	9	2	High

Numbers in the last two columns indicate how many bindings or workloads involve each ServiceAccount.

Identities

🤖 `openebs-zfs-controller-sa`

Namespace: default | Automount: ❌

🔑 Permissions (29)

Role	Resource	Verbs	Risk	Tags
ClusterRole `openebs-zfs-provisioner-role`	core/pods	get · list · patch · update · watch	Critical	PotentialPrivilegeEscalation PrivilegeEscalation Tampering WorkloadExecution
ClusterRole `openebs-zfs-provisioner-role`	core/services	create · delete · get · list · patch · update · watch	Critical	DenialOfService NetworkManipulation ServiceExposure Tampering
ClusterRole `openebs-zfs-provisioner-role`	core/namespaces	*	High	ClusterStructure ClusterWideAccess DenialOfService InformationDisclosure NamespaceLifecycle (+3 more)
ClusterRole `openebs-zfs-provisioner-role`	*/zfsbackups	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsnodes	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsrestores	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfssnapshots	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	*/zfsvolumes	*	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/csinodes	get · list · watch	Medium	InformationDisclosure NodeAccess Reconnaissance StorageDetailsDisclosure
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/csistoragecapacities	*	Low	ClusterWideAccess InformationDisclosure Reconnaissance StorageDetailsDisclosure WildcardPermission
ClusterRole `openebs-zfs-snapshotter-role`	apiextensions.k8s.io/customresourcedefinitions	create · delete · list · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/events	create · list · patch · update · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	core/events	create · list · patch · update · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	coordination.k8s.io/leases	create · delete · get · list · update · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/nodes	get · list · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumeclaims	get · list · update · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	core/persistentvolumeclaims	get · list · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumeclaims/status	patch · update	Low
ClusterRole `openebs-zfs-provisioner-role`	core/persistentvolumes	create · delete · get · list · patch · update · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	core/persistentvolumes	get · list · watch	Low
ClusterRole `openebs-zfs-provisioner-role`	core/secrets	get · list	Low
ClusterRole `openebs-zfs-snapshotter-role`	core/secrets	get · list	Low
ClusterRole `openebs-zfs-provisioner-role`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	storage.k8s.io/storageclasses	get · list · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	snapshot.storage.k8s.io/volumesnapshotclasses	get · list · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	snapshot.storage.k8s.io/volumesnapshotcontents	create · delete · get · list · patch · update · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	snapshot.storage.k8s.io/volumesnapshotcontents/status	patch · update	Low
ClusterRole `openebs-zfs-snapshotter-role`	snapshot.storage.k8s.io/volumesnapshots	get · list · patch · update · watch	Low
ClusterRole `openebs-zfs-snapshotter-role`	snapshot.storage.k8s.io/volumesnapshots/status	update	Low

⚠️ Potential Abuse (10)

The following security risks were found based on the above permissions:

📦 Workloads (5)

Kind	Name	Container	Image
Deployment	zfs-localpv-controller	csi-provisioner	registry.k8s.io/sig-storage/csi-provisioner:v5.2.0
Deployment	zfs-localpv-controller	csi-resizer	registry.k8s.io/sig-storage/csi-resizer:v1.13.2
Deployment	zfs-localpv-controller	csi-snapshotter	registry.k8s.io/sig-storage/csi-snapshotter:v8.2.0
Deployment	zfs-localpv-controller	openebs-zfs-plugin	openebs/zfs-driver:2.8.0
Deployment	zfs-localpv-controller	snapshot-controller	registry.k8s.io/sig-storage/snapshot-controller:v8.2.0

🤖 `openebs-zfs-node-sa`

Namespace: default | Automount: ❌

🔑 Permissions (9)

Role	Resource	Verbs	Risk	Tags
ClusterRole `openebs-zfs-driver-registrar-role`	*/zfsbackups	create · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-driver-registrar-role`	*/zfsnodes	create · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-driver-registrar-role`	*/zfsrestores	create · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-driver-registrar-role`	*/zfssnapshots	create · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-driver-registrar-role`	*/zfsvolumes	create · get · list · patch · update · watch	High	ClusterWideAccess WildcardPermission
ClusterRole `openebs-zfs-driver-registrar-role`	core/events	create · get · list · patch · update · watch	Medium	InformationDisclosure OperationalData Reconnaissance
ClusterRole `openebs-zfs-driver-registrar-role`	core/nodes	get · list	Low
ClusterRole `openebs-zfs-driver-registrar-role`	core/persistentvolumes	get · list	Low
ClusterRole `openebs-zfs-driver-registrar-role`	core/services	get · list	Low

⚠️ Potential Abuse (3)