Azure: Kubernetes custom resources (fleet)
This data-plane permission covers reading arbitrary Kubernetes custom resources (CRD-backed objects) across the fleet's member clusters. Such objects can hold operator/controller configuration, application state, policy, and frequently secret-adjacent or credential-bearing data.
A wildcard over custom resources spans whatever CRDs are installed; CR spec and status fields routinely embed connection details, configuration, and sensitive operational data, making the asset broadly sensitive across the fleet.
Microsoft.ContainerService/fleets/customresources/write
Writing arbitrary custom resources lets an attacker mutate operator/controller-driven state across the fleet; because CRDs back RBAC, policy, and operator objects, crafted CRs can be reconciled into privilege grants or attacker-controlled workloads.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security