Kubernetes group impersonation (AKS fleet member)
The Kubernetes impersonation capability for group identities on a member cluster of an AKS fleet. The impersonate verb on groups lets a caller issue API requests claiming membership in arbitrary groups.
Impersonating a privileged group such as system:masters yields full cluster-admin access, hence CRITICAL.
Microsoft.ContainerService/fleets/members/groups/impersonate/action
Impersonating groups lets an attacker assume the aggregate RBAC permissions of any group (e.g. system:masters), enabling lateral movement and privilege escalation.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog