services / Azure / Kubernetes group impersonation (Fleet)
The Kubernetes group-impersonation privilege on an AKS Fleet, which allows a caller to issue API requests as a member of any group (the RBAC impersonate verb on groups).
Impersonating groups such as system:masters yields the aggregated RBAC of any privileged group, equivalent to full cluster-admin escalation.
Microsoft.ContainerService/fleets/groups/impersonate/action
Group impersonation lets an attacker assume membership in any group (e.g. system:masters), inheriting that group's RBAC for full privilege escalation and lateral movement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog