Kubernetes PodSecurityPolicies (Fleet)
Kubernetes PodSecurityPolicy objects governed by Azure Kubernetes Fleet Manager. These are admission-control rules that constrain pod privileges (privileged containers, host mounts, host networking/namespaces), acting as a security-enforcement defense against privileged workload deployment.
PSPs are a security/admission defense whose relaxation enables container breakout and node/cluster privilege escalation.
Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/write
Creating or updating a PodSecurityPolicy changes policy state and can relax admission controls so that privileged or host-mounted pods are permitted. This disables a security defense and opens a workload-to-node privilege-escalation path.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security