services / Azure / Kubernetes group impersonation
The Kubernetes group-impersonation capability on an AKS-managed aiManagers cluster lets a caller assert arbitrary group memberships (e.g. system:masters) on impersonated requests.
Group impersonation grants the aggregated RBAC permissions of any group, including privileged built-in groups, which makes it equivalent to cluster-admin.
Microsoft.ContainerService/aiManagers/groups/impersonate/action
Impersonating groups lets an attacker assume membership in privileged groups like system:masters, inheriting their RBAC grants to escalate and move laterally.
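A defender-side check for the behaviour described above, added here as an example (it is not P0 Security's code): it scans Kubernetes API server audit events for requests that asserted impersonated groups and rates system:masters as critical. The log lines are constructed; field names follow the audit.k8s.io/v1 Event schema, and the example assumes audit logging is enabled and exported as one JSON object per line.

```python
import json

# system:masters is the group named on this page; extend the set for your cluster.
PRIVILEGED_GROUPS = frozenset({"system:masters"})

# Constructed audit.k8s.io/v1 events, one JSON object per line (not real logs).
# The last line is deliberately truncated to show that the scan tolerates it.
SAMPLE_AUDIT_LOG = """\
{"auditID":"a1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods","user":{"username":"alice@example.com","groups":["dev-readers"]},"responseStatus":{"code":200}}
{"auditID":"a2","stage":"ResponseComplete","verb":"create","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","user":{"username":"bob@example.com","groups":["dev-readers"]},"impersonatedUser":{"username":"bob@example.com","groups":["system:masters"]},"responseStatus":{"code":201}}
{"auditID":"a3","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/dev/pods","user":{"username":"ci-bot","groups":["ci"]},"impersonatedUser":{"username":"ci-bot","groups":["dev-readers"]},"responseStatus":{"code":200}}
{"auditID":"a4","stage":"Resp
"""


def find_group_impersonation(lines, privileged=PRIVILEGED_GROUPS):
    """Return one finding per audit event whose request asserted impersonated groups."""
    findings = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it instead of aborting the scan
        if not isinstance(event, dict):
            continue
        # impersonatedUser is only present when the request was impersonated.
        groups = (event.get("impersonatedUser") or {}).get("groups") or []
        if not groups:
            continue
        findings.append({
            "auditID": event.get("auditID"),
            "caller": (event.get("user") or {}).get("username"),
            "asserted_groups": groups,
            # Any asserted group deserves review; a privileged one is critical.
            "severity": "critical" if privileged.intersection(groups) else "review",
            "verb": event.get("verb"),
            "requestURI": event.get("requestURI"),
            "status": (event.get("responseStatus") or {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_group_impersonation(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```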
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security