piraeus-operator v2.5.0 and earlier contains a ClusterRole that has been granted the list permission on Secrets. This allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the cluster.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
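
An audit for the permission pattern described above, as an added example that is not part of the advisory or of piraeus-operator's code: it flags ClusterRoles that allow list on Secrets without a resourceNames limit and reports the service accounts bound to them cluster-wide. The sample objects and every name in them are constructed placeholders.

```python
# Constructed sample in the shape of the "items" array returned by
# `kubectl get clusterroles,clusterrolebindings -o json`; all names are placeholders.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "example-controller"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-scoped"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"], "resourceNames": ["tls-cert"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-wildcard"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "example-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "example-ns"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-scoped"},
     "roleRef": {"kind": "ClusterRole", "name": "example-scoped"},
     "subjects": [{"kind": "ServiceAccount", "name": "scoped-sa", "namespace": "example-ns"}]},
]

def _has(values, wanted):
    """RBAC rule fields match on an exact entry or the '*' wildcard."""
    return "*" in values or wanted in values

def grants_cluster_secret_list(role):
    """True if any rule allows `list` on core-group Secrets with no resourceNames limit."""
    return any(
        _has(r.get("apiGroups", []), "")        # Secrets are in the core ("") API group
        and _has(r.get("resources", []), "secrets")
        and _has(r.get("verbs", []), "list")    # list responses carry each Secret's data
        and not r.get("resourceNames")
        for r in role.get("rules") or [])

def exposed_service_accounts(items):
    """Return (namespace, service account, ClusterRole) for every cluster-wide binding."""
    risky = {i["metadata"]["name"] for i in items
             if i["kind"] == "ClusterRole" and grants_cluster_secret_list(i)}
    found = set()
    for i in items:
        if i["kind"] != "ClusterRoleBinding" or i["roleRef"]["name"] not in risky:
            continue
        for s in i.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                found.add((s.get("namespace", ""), s["name"], i["roleRef"]["name"]))
    return sorted(found)

if __name__ == "__main__":
    for ns, sa, role in exposed_service_accounts(SAMPLE):
        print(f"{ns}/{sa} can list Secrets cluster-wide via ClusterRole {role}")
```

To check a live cluster, load the items array from `kubectl get clusterroles,clusterrolebindings -o json` in place of SAMPLE.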