services / Azure / AKS AI Managers Kubernetes pods
Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. Pod specs include container images, environment variables, mounted volumes, and references to secrets and service-account tokens.
Data-plane access to pods is equivalent to control over the workloads of a single cluster/application function; pod specs frequently embed sensitive configuration and credential references.
Microsoft.ContainerService/aiManagers/pods/write
Creating/updating pods lets an attacker run arbitrary containers (cryptomining/workloads), mount secrets or service-account tokens to assume in-cluster identities, and alter existing workload configuration.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security