Azure: AKS AI Manager service accounts
Kubernetes ServiceAccount objects within an AKS AI Manager namespace that represent workload identities used by pods to authenticate to the cluster API.
ServiceAccounts are workload identities; impersonating one lets a caller act as that identity with its bound RBAC permissions and can enable lateral movement and privilege escalation up to cluster-admin.
Microsoft.ContainerService/aiManagers/serviceaccounts/impersonate/action
Impersonating a service account lets an attacker act as that workload identity with its (potentially broader) RBAC permissions; this is the canonical lateral-movement and privilege-escalation primitive in Kubernetes.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security