Kubernetes PodSecurityPolicies (AKS aiManagers)
PodSecurityPolicies are Kubernetes cluster-scoped admission-control resources (in the aiManagers AKS data plane) that constrain the security context of pods, such as whether privileged, hostPath, or host-network pods are permitted.
As an admission/security-enforcement control, this resource type governs the cluster's defensive posture against privileged-workload escalation; modifying or removing it weakens cluster security.
Microsoft.ContainerService/aiManagers/extensions/podsecuritypolicies/write
Creating or updating a PodSecurityPolicy lets an attacker relax pod-admission constraints (allowing privileged, hostPath, or host-network pods), disabling that defense and permitting privileged workloads that can escalate to node or cluster compromise.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security