services / Azure / AKS AI Managers Kubernetes pods

Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens.

Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.


Microsoft.​ContainerService/​aiManagers/​pods/​exec/​action

Exec grants interactive command execution (RCE) inside a running container, giving the pod's mounted service-account identity and secrets, access to in-container data, the ability to run attacker code, and tampering with the workload.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerService
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog