
A Kubernetes Fleet Manager Work resource is the envelope that carries the concrete, rendered set of Kubernetes manifests the fleet agent reconciles onto a specific member cluster; it is the unit of actual manifest application.

Because Work objects embed the full manifest payload deployed to member clusters, they can contain inline configuration and secret-bearing objects, and writing them directly controls what runs on member clusters.


Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/delete

Deleting a Work object removes the manifest bundle that the fleet agent reconciles onto a member cluster. The agent tears down the workloads it applied from that bundle (denial of service), and the fleet's deployment state for that cluster no longer matches what the placement intended until the bundle is regenerated and re-applied. Because a single Work carries every rendered manifest for a placement on that cluster, one delete call can remove an entire application's objects at once.
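The practical question for this privilege is which role definitions actually grant it, since Azure RBAC wildcards such as Microsoft.ContainerService/fleets/* cover works/delete without naming it. The script below is an added example, not code from P0 Security or Microsoft: it evaluates role definitions (constructed samples in the shape returned by az role definition list) against Azure's rule that effective data-plane permission is DataActions minus NotDataActions, with * matching any run of characters including slashes. It assumes the works/delete operation is a data action, so it inspects dataActions and notDataActions rather than the control-plane actions lists.

```python
"""Find Azure RBAC role definitions whose effective data actions include
the Fleet works/delete operation.

Added example for this catalog entry; not P0 Security's or Microsoft's code.
Assumptions: works/delete is an Azure RBAC data action (dataActions /
notDataActions), and Azure's '*' wildcard matches any run of characters,
including '/'. The role definitions below are CONSTRUCTED for illustration
and are not real built-in roles.
"""
import json
import re

# The privilege this catalog entry documents.
WORKS_DELETE = "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/delete"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: '*' matches any sequence (including '/'),
    everything else is literal, and comparison is case-insensitive."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants_data_action(role: dict, action: str) -> bool:
    """Effective data-plane permission = DataActions minus NotDataActions,
    evaluated across all permission blocks of the role definition."""
    allowed = denied = False
    for block in role.get("permissions", []):
        allowed |= any(action_matches(p, action) for p in block.get("dataActions", []))
        denied |= any(action_matches(p, action) for p in block.get("notDataActions", []))
    return allowed and not denied


def roles_granting(role_defs: list, action: str) -> list:
    """Names of role definitions whose effective data actions include `action`."""
    return [r["roleName"] for r in role_defs if role_grants_data_action(r, action)]


# CONSTRUCTED sample role definitions (camelCase keys, one permissions block
# each, as `az role definition list -o json` would return them).
SAMPLE_ROLES = json.loads("""
[
  {"roleName": "Fleet Hub Full Access (constructed)",
   "permissions": [{"dataActions": ["Microsoft.ContainerService/fleets/*"],
                    "notDataActions": []}]},
  {"roleName": "Fleet Hub Reader (constructed)",
   "permissions": [{"dataActions": ["Microsoft.ContainerService/fleets/*/read"],
                    "notDataActions": []}]},
  {"roleName": "Fleet Placement Operator, no Work deletion (constructed)",
   "permissions": [{"dataActions": ["Microsoft.ContainerService/fleets/*"],
                    "notDataActions": [
                      "Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/delete"]}]},
  {"roleName": "Fleet Work Manager (constructed)",
   "permissions": [{"dataActions": ["Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/*"],
                    "notDataActions": []}]}
]
""")

if __name__ == "__main__":
    # Only the wildcard-bearing roles without a matching NotDataActions entry
    # end up granting works/delete.
    for name in roles_granting(SAMPLE_ROLES, WORKS_DELETE):
        print(f"grants works/delete: {name}")
```

To audit a real tenant, replace SAMPLE_ROLES with the parsed output of az role definition list -o json; the third sample shows the pattern for keeping a broad fleet role while carving out Work deletion through NotDataActions.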

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog