services / Azure / AKS AI Managers Kubernetes pods
Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. A pod spec includes the container images, environment variables, mounted volumes, and references to Secrets and the projected service-account token.
Data-plane access to pods amounts to control over the workloads of one cluster or application function; pod specs frequently embed sensitive configuration (environment variables, mounted Secrets and ConfigMaps) and references to credentials.
Microsoft.ContainerService/aiManagers/pods/exec/action
Exec lets the caller run arbitrary commands, interactively or not, inside a running container. That is equivalent to remote code execution on the workload: the caller can read the pod's projected service-account token and any mounted Secrets or environment variables, access in-container data, run their own code, and tamper with the workload. The blast radius is bounded by what the pod mounts and what its service account is bound to: a pod running with automountServiceAccountToken: false and no Secret mounts yields far less than one whose service account is bound to a cluster-admin role.
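Because exec leaves a record in the API server audit log (the pods/exec subresource, which AKS forwards when the kube-audit diagnostic category is enabled), the practical check for this privilege is to watch who invokes it and what they run. The following is an added example, not code from the P0 Security catalog or from Microsoft: it scans Kubernetes audit events in JSON-lines form, keeps only exec requests, decodes the requested command from the request URI, and flags commands that read the projected service-account token. The audit events, usernames, namespaces and pod names below are constructed for illustration.

```python
"""Report pods/exec sessions found in Kubernetes API-server audit events."""
import json
from urllib.parse import parse_qs, urlparse

# Default mount point of the projected service-account token inside a pod.
SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample audit events (not real cluster output). Exec requests
# show up as verb "create" on the pods/exec subresource; the command is
# carried as repeated "command=" query parameters on the request URI.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # allowed exec that dumps the service-account token
        "kind": "Event", "stage": "ResponseStarted", "verb": "create",
        "user": {"username": "alice@example.com"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "payments", "name": "api-7d9c5"},
        "requestURI": ("/api/v1/namespaces/payments/pods/api-7d9c5/exec"
                       "?command=%2Fbin%2Fsh&command=-c"
                       "&command=cat+%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io"
                       "%2Fserviceaccount%2Ftoken&container=api&stdout=true"),
        "responseStatus": {"code": 101},
    },
    {   # ordinary read of a pod: not an exec, must be ignored
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "bob@example.com"},
        "objectRef": {"resource": "pods", "namespace": "payments",
                      "name": "api-7d9c5"},
        "requestURI": "/api/v1/namespaces/payments/pods/api-7d9c5",
        "responseStatus": {"code": 200},
    },
    {   # log read: a different subresource, also ignored
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "bob@example.com"},
        "objectRef": {"resource": "pods", "subresource": "log",
                      "namespace": "payments", "name": "api-7d9c5"},
        "requestURI": "/api/v1/namespaces/payments/pods/api-7d9c5/log",
        "responseStatus": {"code": 200},
    },
    {   # exec attempt rejected by RBAC
        "kind": "Event", "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "mallory@example.com"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "payments", "name": "api-7d9c5"},
        "requestURI": ("/api/v1/namespaces/payments/pods/api-7d9c5/exec"
                       "?command=id&stdout=true"),
        "responseStatus": {"code": 403},
    },
])


def exec_events(audit_jsonl):
    """Return one finding per pods/exec request in a JSON-lines audit log."""
    findings = []
    for line in audit_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue
        # parse_qs decodes percent-escapes and '+' and keeps repeated keys.
        qs = parse_qs(urlparse(ev.get("requestURI", "")).query)
        argv = qs.get("command", [])
        code = (ev.get("responseStatus") or {}).get("code")
        findings.append({
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": qs.get("container", [None])[0],
            "command": " ".join(argv),
            # 101 (protocol upgrade) or any 2xx means the session was granted.
            "allowed": code is not None and code < 400,
            "reads_sa_token": any(SA_TOKEN_DIR in a for a in argv),
        })
    return findings


if __name__ == "__main__":
    for f in exec_events(SAMPLE_AUDIT_LOG):
        status = "ALLOWED" if f["allowed"] else "denied "
        flag = "  [reads service-account token]" if f["reads_sa_token"] else ""
        print(f"{status} {f['user']} -> {f['namespace']}/{f['pod']}"
              f" [{f['container']}]: {f['command']}{flag}")
```

Denied attempts are reported as well as granted sessions: a 403 on pods/exec from an identity that should never hold the privilege is itself a useful signal, and a granted session whose command reaches into the service-account directory is the case this privilege's risk rating is about.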
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security