services / Azure / Kubernetes service accounts (Fleet member)
Kubernetes ServiceAccount objects in a namespace of an AKS Fleet member cluster. A ServiceAccount is the in-cluster identity a pod authenticates as: it is granted cluster permissions through RoleBindings and ClusterRoleBindings, and on AKS it can be mapped to an Azure identity through workload-identity annotations (such as azure.workload.identity/client-id), so that pods running as it receive tokens that Azure exchanges for the mapped identity's credentials.
ServiceAccounts are identity objects; creating, deleting, or impersonating them directly affects who can act in the cluster.
Microsoft.ContainerService/fleets/members/serviceaccounts/write
Creating or updating ServiceAccounts lets an attacker mint new in-cluster identities or re-point existing ones, including changing the workload-identity annotation so that pods running as the ServiceAccount obtain tokens for a different Azure identity. This establishes persistent accounts and enables privilege escalation and lateral movement through the new identity. Note that the Azure side of a workload-identity binding still requires a federated credential on the target identity that names the cluster's OIDC issuer and the ServiceAccount's subject (system:serviceaccount:namespace:name), so recreating or renaming a ServiceAccount to match an existing federated credential is the path of most concern.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
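One check a cluster owner can run against the Kubernetes audit log is to flag every ServiceAccount write that sets or changes the Azure workload-identity annotation and compare it with an allow-list of expected bindings. The script below is an added example and is not code from the original page or from P0 Security. It assumes the audit policy logs serviceaccounts at the RequestResponse level (so requestObject is present), that the binding uses the standard AKS annotation azure.workload.identity/client-id, and it handles both full-object bodies (create, update, strategic-merge patch) and RFC 6902 JSON-patch bodies. The audit events, usernames, client IDs and allow-list are all constructed for the example.

```python
"""Flag ServiceAccount writes that bind or rebind an Azure workload identity.

Added example; not code from the original page or from P0 Security.
Assumptions: serviceaccounts are audited at RequestResponse level so that
`requestObject` is present, and the binding uses the standard AKS annotation
`azure.workload.identity/client-id`. Events and allow-list are constructed.
"""
import json

WI_CLIENT_ID = "azure.workload.identity/client-id"
# JSON-pointer form of the annotation key ("/" inside a key is escaped as "~1").
WI_CLIENT_ID_POINTER = "/metadata/annotations/" + WI_CLIENT_ID.replace("/", "~1")
WRITE_VERBS = {"create", "update", "patch"}


def _event(audit_id, verb, resource, namespace, name, user, body):
    """Build one constructed audit event in the kube-apiserver JSON line format."""
    return json.dumps({
        "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
        "requestObject": body, "responseStatus": {"code": 200},
    })


SAMPLE_AUDIT_LINES = [
    # Plain SA create with no cloud binding: benign.
    _event("a1", "create", "serviceaccounts", "default", "build-bot", "ci-deployer",
           {"metadata": {"name": "build-bot"}}),
    # Expected binding for the billing reader: matches the allow-list.
    _event("a2", "create", "serviceaccounts", "prod", "billing-reader", "platform-admin",
           {"metadata": {"name": "billing-reader",
                         "annotations": {WI_CLIENT_ID: "aaaaaaaa-0000-0000-0000-000000000001"}}}),
    # Full update that re-points the SA at a different Azure identity: finding.
    _event("a3", "update", "serviceaccounts", "prod", "billing-reader", "dev-contractor",
           {"metadata": {"name": "billing-reader",
                         "annotations": {WI_CLIENT_ID: "bbbbbbbb-0000-0000-0000-000000000002"}}}),
    # JSON patch adding the annotation to an SA that never had a binding: finding.
    _event("a4", "patch", "serviceaccounts", "kube-system", "metrics", "dev-contractor",
           [{"op": "add", "path": WI_CLIENT_ID_POINTER,
             "value": "bbbbbbbb-0000-0000-0000-000000000002"}]),
    # Unrelated resource: ignored.
    _event("a5", "create", "configmaps", "default", "app-config", "ci-deployer",
           {"data": {"k": "v"}}),
]

# Constructed allow-list: which ServiceAccount may carry which client-id.
ALLOWED_BINDINGS = {"prod/billing-reader": "aaaaaaaa-0000-0000-0000-000000000001"}


def bound_client_id(request_object):
    """Return the client-id a request body sets, or None. Handles both shapes."""
    if isinstance(request_object, list):  # RFC 6902 JSON patch
        for op in request_object:
            if op.get("op") not in ("add", "replace"):
                continue
            if op.get("path") == WI_CLIENT_ID_POINTER:
                return op.get("value")
            if op.get("path") == "/metadata/annotations" and isinstance(op.get("value"), dict):
                if WI_CLIENT_ID in op["value"]:
                    return op["value"][WI_CLIENT_ID]
        return None
    if isinstance(request_object, dict):  # full object or strategic-merge patch
        annotations = request_object.get("metadata", {}).get("annotations") or {}
        return annotations.get(WI_CLIENT_ID)
    return None


def flag_workload_identity_writes(lines, allowed):
    """Return findings for SA writes whose client-id is not the allow-listed one."""
    findings = []
    for line in lines:
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if (event.get("stage") != "ResponseComplete"
                or ref.get("resource") != "serviceaccounts"
                or event.get("verb") not in WRITE_VERBS):
            continue
        client_id = bound_client_id(event.get("requestObject"))
        if client_id is None:
            continue
        sa = f"{ref.get('namespace')}/{ref.get('name')}"
        if allowed.get(sa) == client_id:
            continue
        findings.append({
            "auditID": event.get("auditID"),
            "user": event.get("user", {}).get("username"),
            "verb": event["verb"],
            "serviceaccount": sa,
            "client_id": client_id,
            "code": event.get("responseStatus", {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for f in flag_workload_identity_writes(SAMPLE_AUDIT_LINES, ALLOWED_BINDINGS):
        print(f"{f['auditID']}: {f['user']} {f['verb']} {f['serviceaccount']} -> {f['client_id']}")
```

Run against the constructed events, only a3 (the rebind of prod/billing-reader) and a4 (the patch that adds a binding to kube-system/metrics) are reported. The allow-list comparison is what turns this from noise into a signal: legitimate platform automation creates annotated ServiceAccounts routinely, but a change to an existing binding, or a binding on an account nobody registered, is the pattern the permission above makes possible. Pair the finding with the Azure-side check that a federated credential actually trusts that ServiceAccount's subject before treating it as a confirmed escalation.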
Links
Contributed by P0 Security