services / Azure / Kubernetes service accounts (Fleet member)
Kubernetes ServiceAccount objects in a namespace of an AKS Fleet member cluster. They represent in-cluster workload identities that pods authenticate as and that can be bound to RBAC roles and cloud (workload-identity) credentials.
ServiceAccounts are identity objects; creating, deleting, or impersonating them directly affects who can act in the cluster.
Microsoft.ContainerService/fleets/members/serviceaccounts/delete
Deleting ServiceAccounts removes the in-cluster identities that workloads authenticate as: the accounts are destroyed, and pods bound to them can no longer obtain valid tokens, which denies them service (and any RBAC bindings or workload-identity federation that referenced the account stop resolving).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security