services / Azure / AI Manager namespaces
Kubernetes-style namespaces for an AKS AI Manager: the logical workload-isolation and tenancy boundaries within which AI workloads, configuration, and access objects are organized.
Namespaces are tenancy boundaries; the credential action on this resource type exposes usable cluster access, raising its sensitivity.
Microsoft.ContainerService/aiManagers/namespaces/listCredential/action
This action returns usable namespace credential material (e.g. a kubeconfig or access token), so a caller can directly exfiltrate secret material and gain identity-bearing lateral access into the namespace and its workloads.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security