services / Azure / Kubernetes custom resources (fleet)
This data-plane permission covers reading arbitrary Kubernetes custom resources (CRD-backed objects) across the fleet's member clusters, which can hold operator/controller configuration, application state, policy, and frequently secret-adjacent or credential-bearing data.
A wildcard over custom resources spans whatever CRDs are installed; CR specs/status routinely embed connection details, configuration, and sensitive operational data, making the asset broadly sensitive across the fleet.
Microsoft.ContainerService/fleets/customresources/read
A data-plane read of arbitrary custom resources can return the full contents of operator/CRD objects, which frequently hold sensitive operational configuration and credential-adjacent data, constituting data exfiltration beyond mere enumeration.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security