services / Azure / Kubernetes user impersonation
The Kubernetes user-impersonation capability on an AKS-managed aiManagers cluster. A caller holding the impersonate verb can issue API-server requests as an arbitrary user identity by setting the Impersonate-User (and optionally Impersonate-Group) request headers; the API server then authorizes the request against the impersonated identity's permissions rather than the caller's own.
Impersonation therefore lets the holder assume any identity's RBAC permissions, which makes it a skeleton key over cluster access control: whatever any user, group, or service account in the cluster is allowed to do, the holder can do by impersonating it.
Microsoft.ContainerService/aiManagers/users/impersonate/action
An attacker holding this privilege can act as any cluster user, inheriting that identity's (potentially cluster-admin) privileges and using them to move laterally. Requests made under impersonation are recorded in the API-server audit log with both the real caller (user) and the assumed identity (impersonatedUser), so abuse is detectable when auditing is enabled and the log is reviewed.
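The two checks an operator would want after reading the above, as an added example that is not part of this catalog page or of P0 Security's tooling: which subjects are bound to a ClusterRole granting the impersonate verb, and which audit-log events were executed under an impersonated identity. The RBAC objects and audit events in the block are constructed sample data, not taken from any real cluster; only cluster-scoped bindings are examined, and the function and constant names are this example's own.

```python
"""Added example: find Kubernetes impersonation grants and impersonated requests.
All RBAC objects and audit events below are constructed sample data."""
import json

# Resources on which the impersonate verb can be granted, by API group
# (core: users/groups/serviceaccounts; authentication.k8s.io: uids/userextras).
IMPERSONATE_RESOURCES = {
    "": {"users", "groups", "serviceaccounts"},
    "authentication.k8s.io": {"uids", "userextras"},
}
ALL_IMPERSONATE_RESOURCES = set().union(*IMPERSONATE_RESOURCES.values())


def rule_grants_impersonate(rule):
    """True if one RBAC policy rule allows impersonating some kind of identity."""
    if not set(rule.get("verbs", [])) & {"impersonate", "*"}:
        return False
    for group in rule.get("apiGroups", [""]):
        allowed = ALL_IMPERSONATE_RESOURCES if group == "*" else IMPERSONATE_RESOURCES.get(group, set())
        for resource in rule.get("resources", []):
            # "userextras/scopes" is a subresource; match on the base name.
            if resource == "*" or resource.split("/", 1)[0] in allowed:
                return True
    return False


def find_impersonation_grants(objects):
    """Map subject -> [ClusterRole names] for every subject that can impersonate.

    Only ClusterRoleBindings are considered; a ClusterRole reached through a
    namespaced RoleBinding is deliberately not counted by this example.
    """
    impersonating_roles = {
        obj["metadata"]["name"] for obj in objects
        if obj["kind"] == "ClusterRole"
        and any(rule_grants_impersonate(r) for r in obj.get("rules", []))
    }
    grants = {}
    for obj in objects:
        if obj["kind"] != "ClusterRoleBinding":
            continue
        ref = obj["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in impersonating_roles:
            continue
        for subject in obj.get("subjects", []):
            name = subject["name"]
            if subject["kind"] == "ServiceAccount":
                name = f'{subject.get("namespace", "default")}/{name}'
            grants.setdefault(f'{subject["kind"]}:{name}', []).append(ref["name"])
    return grants


def find_impersonation_events(audit_lines):
    """Return one record per JSON audit event that carries an impersonatedUser."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        impersonated = event.get("impersonatedUser")
        if not impersonated:
            continue  # ordinary request: the caller acted as itself
        ref = event.get("objectRef", {})
        resource = ref.get("resource", "")
        if ref.get("namespace"):
            resource = f'{ref["namespace"]}/{resource}'
        hits.append({
            "actor": event["user"]["username"],       # real caller
            "as": impersonated.get("username"),        # identity assumed
            "as_groups": impersonated.get("groups", []),
            "verb": event.get("verb"),
            "resource": resource,
            "code": event.get("responseStatus", {}).get("code"),
        })
    return hits


# Constructed sample RBAC objects (shape of `kubectl get clusterroles,clusterrolebindings -o json` items).
SAMPLE_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "platform-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-reader-alice"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice@corp.example"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-sa"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "platform-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]

# Constructed sample audit events, one JSON object per line as the API server writes them.
SAMPLE_AUDIT = [
    json.dumps({"verb": "list", "user": {"username": "alice@corp.example"},
                "objectRef": {"resource": "pods", "namespace": "ci"},
                "responseStatus": {"code": 200}}),
    json.dumps({"verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
                "impersonatedUser": {"username": "admin@corp.example", "groups": ["system:masters"]},
                "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io"},
                "responseStatus": {"code": 201}}),
]

if __name__ == "__main__":
    for subject, roles in find_impersonation_grants(SAMPLE_RBAC).items():
        print(f"can impersonate: {subject} via {roles}")
    for h in find_impersonation_events(SAMPLE_AUDIT):
        print(f"{h['actor']} acted as {h['as']} {h['as_groups']}: {h['verb']} {h['resource']} -> {h['code']}")
```

Against a live cluster, feed the grant check the items from kubectl get clusterroles,clusterrolebindings -o json and the event check the API-server audit log (on AKS, the kube-audit diagnostic-setting category). The grant check answers "who could do this"; the event check answers "who did", and the actor field is the identity to investigate, since the impersonated user never made the request.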
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data across a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog