AKS AI Managers Kubernetes pods (Azure)

Kubernetes Pod objects within an AKS AI Managers cluster, representing running containerized workloads. A pod spec names the container images to run and carries environment variables, mounted volumes, and references to Secrets and service-account tokens.

Data-plane access to pods amounts to control over the workloads of a single cluster or application function; pod specs frequently embed sensitive configuration and credential references, so read or write access to them exposes more than the workload itself.


Microsoft.ContainerService/aiManagers/pods/write

Creating or updating pods lets an attacker run arbitrary containers (for example cryptomining workloads), mount Secrets or service-account tokens to assume in-cluster identities, and alter the configuration of existing workloads.
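The following is an added example, not part of the catalog entry or P0 Security's tooling: a small audit that reads a Pod manifest (the JSON shape returned by `kubectl get pod -o json`) and reports the spec fields that a holder of this permission can abuse: auto-mounted service-account tokens, Secret volumes and environment references, hostPath mounts, privileged containers, and host namespaces. The two manifests, the function name `audit_pod`, and the Secret and image names are constructed for illustration.

```python
"""Audit a Kubernetes Pod manifest for the capabilities a pods/write grant hands an attacker.

Added example; the manifests below are constructed, not taken from a real cluster.
"""
from typing import Dict, List


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per risky spec field; an empty list means nothing flagged."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # The service-account token is mounted unless the spec disables it explicitly.
    if spec.get("automountServiceAccountToken", True):
        sa = spec.get("serviceAccountName", "default")
        findings.append(f"{name}: service-account token for '{sa}' is auto-mounted")

    # Volumes that expose Secrets, projected tokens, or the node filesystem.
    for vol in spec.get("volumes", []):
        vname = vol.get("name", "<unnamed>")
        if "secret" in vol:
            findings.append(f"{name}: volume '{vname}' mounts Secret '{vol['secret'].get('secretName')}'")
        if "hostPath" in vol:
            findings.append(f"{name}: volume '{vname}' mounts hostPath '{vol['hostPath'].get('path')}'")
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                findings.append(f"{name}: volume '{vname}' projects a service-account token")
            if "secret" in src:
                findings.append(f"{name}: volume '{vname}' projects Secret '{src['secret'].get('name')}'")

    # Secrets pulled into environment variables, and privileged containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{name}/{cname}: env '{env.get('name')}' reads Secret '{ref.get('name')}'")
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append(f"{name}/{cname}: envFrom imports every key of Secret '{ef['secretRef'].get('name')}'")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{cname}: runs privileged")

    # Host namespaces give a container visibility into other pods and node processes.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} enabled")
    return findings


# Constructed manifest: the shape an attacker with pods/write could submit.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "miner", "namespace": "prod"},
    "spec": {
        "serviceAccountName": "app-sa",
        "hostPID": True,
        "volumes": [
            {"name": "db", "secret": {"secretName": "db-creds"}},
            {"name": "root", "hostPath": {"path": "/"}},
        ],
        "containers": [{
            "name": "work",
            "image": "example.invalid/miner:latest",
            "securityContext": {"privileged": True},
            "env": [{"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "api", "key": "key"}}}],
            "envFrom": [{"secretRef": {"name": "all-creds"}}],
            "volumeMounts": [{"name": "db", "mountPath": "/creds"}, {"name": "root", "mountPath": "/host"}],
        }],
    },
}

# Constructed manifest: the same workload with the risky fields removed.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "serviceAccountName": "app-sa",
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "web",
            "image": "example.invalid/web:1.0",
            "securityContext": {"privileged": False, "runAsNonRoot": True},
        }],
    },
}

if __name__ == "__main__":
    for pod in (SAMPLE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

Run the same function over every pod in a namespace (`kubectl get pods -o json` returns an `items` list of manifests in this shape) to see which identities and Secrets a successful `pods/write` abuse would reach; the hardened manifest shows the settings that make a pod yield nothing useful even when an attacker can read its spec.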

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog